<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Richard&#039;s Site &#187; passwords</title>
	<atom:link href="http://www.raseley.com/tag/passwords/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.raseley.com</link>
	<description>It&#039;s About Stuff!</description>
	<lastBuildDate>Wed, 14 Sep 2011 21:41:14 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3</generator>
		<item>
		<title>Implementing Good Password Policy</title>
		<link>http://www.raseley.com/2009/02/17/implementing-good-password-policy/</link>
		<comments>http://www.raseley.com/2009/02/17/implementing-good-password-policy/#comments</comments>
		<pubDate>Tue, 17 Feb 2009 23:40:14 +0000</pubDate>
		<dc:creator>Richard</dc:creator>
				<category><![CDATA[Software]]></category>
		<category><![CDATA[passwords]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.raseley.com/?p=11</guid>
<description><![CDATA[Passwords are the single most important principle in any security scheme. You can have all the security in the world, but if your password policy is lax then all that work was wasted. It is a difficult balance to maintain &#8230; <a href="http://www.raseley.com/2009/02/17/implementing-good-password-policy/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<div class="content">
<p>Passwords are the single most important principle in any security scheme. You can have all the security in the world, but if your password policy is lax then all that work was wasted. It is a difficult balance to maintain a password policy that both satisfies the need for sufficiently complex passwords <strong>and</strong> the human ability to remember them. Following a few guidelines should keep your organization / home both safe and sane.</p>
<p>One of the most important things to keep in mind when implementing a policy is that your level of security should match the need for security. If you are trying to protect your corporation’s mission critical file server, then by all means that 24-character mixed-case alphanumeric password is awesome. However, if you are just trying to protect your music files at home, don’t break your neck trying to implement a complex password scheme. I think it is helpful if we look at a couple of ways that people will try to break your passwords; then we can understand the level of protection we might require.</p>
<p><em><strong>Dictionary Attacks:</strong></em></p>
<p>A dictionary attack is one of the most common techniques used by would-be password crackers. In a dictionary attack the perpetrator uses a script or program that tries passwords from a predefined list at a fast rate (think around 1,000 per second against a live login; against a stolen list of password hashes, where nothing throttles the guesses, the rate is many orders of magnitude higher). This ‘dictionary’ list takes into account the human tendency to use passwords that are generally 6-8 characters long, single words, or variations of single words. Cracking tools generate those variations automatically with ‘mangling rules’ (capitalizing the first letter, adding a 1 or ! to the end, swapping letters for look-alike digits), so the list effectively covers them too. This attack method is only meant to try those passwords which are most likely to succeed, and it is overcome by a password that is neither a dictionary word nor a rule-derived variation of one.</p>
<p><em><strong>Brute Force Attacks:</strong></em></p>
<p>By contrast, a brute force attack is a method by which an attacker exhaustively tries every possible combination of a set length and character set (i.e. 1111, 1112, 1113, etc.). The brute force method is feasible for very short or simple passwords, but increasing the length or character set of a password by even a small amount multiplies the work. For example, if your password is seven characters long, includes mixed case, includes numbers, and uses punctuation, it is drawn from about 94 possible characters, which gives 94<sup>7</sup>, or roughly <strong>65,000,000,000,000</strong> possible combinations! So a script that could put out 1,000 passwords a second would take over <strong>2,000 years</strong> to work through all of them. The caveat is that the rate, not the keyspace, is what an attacker controls: an offline attack on a leaked list of fast hashes running at a billion guesses a second would exhaust the same 94<sup>7</sup> keyspace in under a day, which is why length matters more than any particular mix of symbols.</p>
<p><em><strong>Implementing easy to remember passwords:</strong></em></p>
<p>So what is the best way to produce a strong but easy to remember password? One of the best ways, that I learned in class, was the use of pass phrases. For example, a lyric from an old Led Zeppelin song, “<em>havinganervousbreakdowndrivemeinsane</em>”. Wow, a 36-character password that is much easier to remember and highly secure against brute force. For an added degree of complexity you could, for example, replace all the I’s with 1’s and the E’s with 3’s: “<em>hav1ngan3rvousbr3akdowndr1v3m31nsan3</em>”. Two caveats apply. Because the phrase is a published lyric, it is exactly the kind of entry that ends up in cracking word lists, and the 1-for-I and 3-for-E swaps are among the standard mangling rules crackers apply to every entry, so the substituted version gains far less than its length suggests. Pick a phrase that is yours alone rather than one anyone has printed: just think of a phrase that you find funny or interesting and you will have no problem remembering it!</p>
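<p>The following Python script is an added example, not code from the original post. It models the two attacks described above against a candidate password: it computes the brute-force keyspace from the character classes the password uses and the worst-case time at the post's 1,000 guesses/second and at an assumed 1e9 guesses/second offline rate, and it runs a rule-based dictionary check that undoes the leet substitutions and trailing digits a cracker's mangling rules would try. The word list, the rule set and the offline rate are constructed assumptions for illustration.</p>

```python
"""Estimate how dictionary and brute-force attacks fare against a password.

Added example, not from the original post. The word list, mangling rules
and the offline guess rate are constructed/assumed for illustration.
"""
import re

# Character classes: 26 lower, 26 upper, 10 digits, 32 printable punctuation.
CHARSETS = (
    "abcdefghijklmnopqrstuvwxyz",
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "0123456789",
    "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
)

SECONDS_PER_YEAR = 365.25 * 86_400

# Guess rates in guesses/second. 1,000/s is the post's own figure for a
# script guessing against a live login; 1e9/s is an ASSUMED figure for an
# offline attack on a leaked database of fast, unsalted hashes.
RATES = {
    "online, 1,000/s (post's figure)": 1_000,
    "offline, 1e9/s (assumed)": 1_000_000_000,
}

# Constructed word list: common passwords plus the lyric the post uses,
# stored with spaces removed the way a cracker's phrase list would hold it.
WORDLIST = {
    "password", "letmein", "qwerty", "iloveyou", "dragon",
    "havinganervousbreakdowndrivemeinsane",   # published Led Zeppelin lyric
}

# Reverse of the substitutions the post suggests, plus a few more crackers try.
UNLEET = str.maketrans({"1": "i", "3": "e", "0": "o", "4": "a",
                        "5": "s", "7": "t", "@": "a", "$": "s"})


def charset_size(password):
    """Size of the union of character classes the password draws from."""
    return sum(len(cs) for cs in CHARSETS if any(c in cs for c in password))


def brute_force_keyspace(password):
    """Number of strings of the same length over the same character classes."""
    return charset_size(password) ** len(password)


def years_to_exhaust(keyspace, rate):
    """Worst-case time in years to try every string in the keyspace."""
    return keyspace / rate / SECONDS_PER_YEAR


def candidate_bases(password):
    """Strings a rule-based dictionary attack would compare against the list.

    Mirrors the mangling rules crackers apply to each list entry: case folding,
    appended digits/punctuation, and leet substitution (alone and combined).
    """
    lower = password.lower()
    stripped = re.sub(r"[0-9!@#$%^&*.?_-]+$", "", lower)
    yield lower
    yield stripped
    yield lower.translate(UNLEET)
    yield stripped.translate(UNLEET)


def dictionary_hit(password, wordlist=WORDLIST):
    """Return the list entry the password reduces to, or None if there is no hit."""
    for base in candidate_bases(password):
        if base in wordlist:
            return base
    return None


def assess(password, wordlist=WORDLIST):
    """Summarise both attack models for one password."""
    space = brute_force_keyspace(password)
    return {
        "length": len(password),
        "charset": charset_size(password),
        "keyspace": space,
        "brute_force_years": {name: years_to_exhaust(space, r) for name, r in RATES.items()},
        "dictionary_hit": dictionary_hit(password, wordlist),
    }


if __name__ == "__main__":
    # Constructed sample passwords: a common word plus digit, the post's
    # 7-character mixed password shape, the leet-substituted lyric, and an
    # unpublished lowercase passphrase.
    for pw in ("password1", "Xk7$pQ2",
               "hav1ngan3rvousbr3akdowndr1v3m31nsan3", "mycatsnoresinmorse"):
        r = assess(pw)
        print(f"{pw!r}: len={r['length']} charset={r['charset']} keyspace={r['keyspace']:.3g}")
        for name, yrs in r["brute_force_years"].items():
            print(f"  brute force {name}: {yrs:,.2g} years")
        hit = r["dictionary_hit"]
        print(f"  dictionary+rules: {'cracked via ' + hit if hit else 'no hit'}")
```

<p>Running it shows the two lessons side by side: the 7-character mixed password survives the post's 1,000/s attacker for about 2,000 years but falls to the assumed offline rate in under a day, while the leet-substituted lyric has an enormous keyspace yet is cracked immediately by the dictionary check because the underlying phrase is on the list. The unpublished passphrase is the only sample that holds up under both models.</p>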
<p>If you need some extra help here a few links to some automatic password generators I have found around the web:</p>
<p><a href="http://www.pctools.com/guides/password/">http://www.pctools.com/guides/password/</a> &#8211; The PC Tools password generator</p>
<p><a href="http://www.snapfiles.com/get/ranpass.html">http://www.snapfiles.com/get/ranpass.html</a> &#8211; A downloadable random password generator</p>
<p><a href="https://www.grc.com/passwords.htm">https://www.grc.com/passwords.htm</a> &#8211; An ultra secure (64-character random string) password generator</p></div>
]]></content:encoded>
			<wfw:commentRss>http://www.raseley.com/2009/02/17/implementing-good-password-policy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

