
Password Policy

From Ryan Groom,
Your Guide to Business Security.

Why You Need Strong Passwords

Introduction

When defining a password policy there must be a balance between usability and security. If your job role requires many complex, hard-to-remember passwords, I would recommend a free product like Password Safe, in which you store all your passwords and use one master password to unlock your personal password vault. An alternative is a fingerprint scanner, which lets you map your complex Password Safe master password to your fingerprint, so you open the vault of complex passwords with your finger.

Password Policy Items

Password policies should include, but are not limited to, the following items:
  • at least 8 characters long
  • not a dictionary word
  • a combination of letters, numbers, and at least one symbol such as ! or #
  • not the name of a person
  • does not contain your username
  • not the name of your computer or of a server in your corporate network
  • changed regularly (every 30 to 90 days)
  • different from previous passwords
  • not simply a word with only its first letter capitalized
  • numbers and symbols placed inside the password, not only at its beginning or end
  • not written down anywhere

Why Strong Passwords?

The stronger the password the longer the amount of time it will take for someone using an automated password attack/guessing/auditing program to discover your password. All passwords can be guessed given enough time, so the trick is to have a password long enough and complex enough so that you will change it before it is discovered or compromised.

How do you calculate how strong your password policy is?

Determine how many characters are in your password set. There are 26 letters in the alphabet, which makes 52 characters once both upper- and lower-case letters are counted. Add the 10 digits and, say, 12 symbols (the ones you can type quickly from the keyboard) for a total of 74 characters you can use to construct your password.

1. Length. Determine how long your minimum password length will be.

2. Characters. Determine the character set that your password will contain.

3. Password Permutations. Calculate your password permutations by raising the number of Characters to the power of the Length.

For example:

If your password policy calls for 8 characters drawn from upper- and lower-case letters, digits, and symbols, then your calculation would look like:

74 ^ 8 = 899194740203776 or 899 trillion different password combinations.

Why Simple Passwords are So Weak

Based on the above formula, let's say your password is only 4 lower-case characters. Then you would compute 26 ^ 4, or 456,976 password combinations. A password cracking program can guess your password in less than a second. By using 8 characters with both upper- and lower-case letters, numbers, and a symbol or two, you see how quickly passwords get strong and why security people harp so much on secure passwords.
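To tie the policy checklist above to the keyspace arithmetic in this section, here is an added example (not code from the original article): it computes the 74 ^ 8 and 26 ^ 4 figures, estimates the worst-case time for an automated guesser at an assumed guess rate, and checks a candidate password against the checklist items that can be tested from the password alone. The exact 12-symbol set and the guess rate are assumptions.

```python
import re
import string

# Character set from the article: 26 upper + 26 lower + 10 digits + 12 symbols = 74.
# The page does not list the 12 symbols; this set is an assumption.
SYMBOLS = "!@#$%^&*()-_"
CHARSET_SIZE = 26 + 26 + 10 + len(SYMBOLS)  # 74


def keyspace(length, charset_size=CHARSET_SIZE):
    """Step 3 of the article: possible passwords = characters ** length."""
    return charset_size ** length


def seconds_to_exhaust(length, charset_size=CHARSET_SIZE, guesses_per_second=1_000_000):
    """Worst-case time for an automated guesser to try every password.

    The guess rate is a placeholder; use the rate of the tool you are defending against.
    """
    return keyspace(length, charset_size) / guesses_per_second


def policy_violations(password, username="", host_names=()):
    """Return the article's policy items that `password` fails (empty list means it passes).

    Items that need data outside the password itself (dictionary words, a person's name,
    previous passwords, the change interval, "not written down") are not checked here.
    """
    problems = []
    lower = password.lower()
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(c in SYMBOLS for c in password)
    if len(password) < 8:
        problems.append("at least 8 characters long")
    if not (re.search(r"[A-Za-z]", password) and has_digit and has_symbol):
        problems.append("combination of letters, numbers, and at least one symbol")
    if username and username.lower() in lower:
        problems.append("does not contain your username")
    if any(h.lower() in lower for h in host_names):
        problems.append("not the name of your computer or a server")
    letters = [c for c in password if c.isalpha()]
    if len(letters) > 1 and letters[0].isupper() and all(c.islower() for c in letters[1:]):
        problems.append("not just the first letter capitalized")
    # Trim leading/trailing digits and symbols; at least one must remain inside the word.
    inner = password.strip(string.digits + SYMBOLS)
    if (has_digit or has_symbol) and not any(c.isdigit() or c in SYMBOLS for c in inner):
        problems.append("numbers and symbols not only at the beginning or end")
    return problems


if __name__ == "__main__":
    print(keyspace(8), keyspace(4, 26))
    print(policy_violations("Pa5sword!", username="alice"))
```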

Conclusion

Passwords are not the be-all and end-all of computer security, but like it or not they are the most common way of protecting your "stuff": user accounts, private data, online banking, and network access. That is why your passwords need to be so strong. If you are a strong-password guru now and want the next step in securing your accounts, check out certificates and two-factor authentication.
©2008 About, Inc., A part of The New York Times Company. All rights reserved.