Friday, April 21, 2006

What constitutes a 'Good' password.

If there is one topic that seems likely to provoke strong opinion it is that of passwords.

Passwords are universally loathed: by users, who get annoyed at having to change them regularly, and by system administrators, who have to enforce their use.

Even IT pros who profess to have no security 'bent' whatsoever will normally express a strong opinion on various password policies.

The problem with passwords is that creating a really good one is actually very hard to do. There are various techniques for creating better passwords, and some myths around what does or does not constitute a good password. I will attempt to discuss several here. As this subject provokes such strong opinion, I will deal with it in several 'bite size' chunks.

First of all, some generalisations:

Avoid:

Short passwords (under 7 characters)
Any words that appear in a dictionary
Relying on substitution (a=@, e=3, i=1 etc)
Incremental passwords (password1, password2, password3 etc)
Passwords that can be easily guessed (name of children, favorite football team etc)
Writing down a password and leaving it unsecured

Try to Use:

Passphrases
Passwords longer than 10 characters
Substitution with passphrases
Passwords that combine letters, numbers, uppercase, lowercase, special ALT characters and punctuation.
Combinations of all the above, use your imagination!
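The 'avoid' and 'try to use' lists above amount to a checkable policy. The following is an added example (not code from the original post) that turns them into a small password-policy checker: it undoes common letter substitutions before looking a candidate up in a word list, detects 'incremental' variants of a previous password, counts character classes, and waives the character-class rule for a genuine multi-word passphrase. The word list, the substitution table and the two length thresholds (7 and 10, taken from the lists above) are assumptions; a real deployment would load a proper dictionary file.

```python
"""Password-policy checker for the 'avoid' / 'try to use' lists.

Added example, not part of the original post. The dictionary and the
substitution table below are constructed for illustration.
"""
import re
from typing import Iterable

# Constructed toy word list; a real check would load a large dictionary.
DICTIONARY = {
    "password", "secret", "welcome", "letmein", "summer", "dragon",
    "football", "arsenal", "monkey", "correct", "horse", "battery", "staple",
}

# Common 'leet' substitutions the post says not to rely on; we undo them
# so that p@$$w0rd is judged as the dictionary word it really is.
SUBSTITUTIONS = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})

MIN_LEN = 7    # post: avoid passwords under 7 characters
GOOD_LEN = 10  # post: try to use passwords longer than 10 characters


def normalise(pw: str) -> str:
    """Reverse common substitutions and lower-case the result."""
    return pw.translate(SUBSTITUTIONS).lower()


def _strip_ends(s: str) -> str:
    """Drop leading/trailing digits and punctuation (Password123 -> password)."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", s)


def is_dictionary_word(pw: str) -> bool:
    """True if the password is a single dictionary word, with or without
    substitutions and with or without a numeric/punctuation suffix."""
    core = _strip_ends(pw.lower())
    candidates = {core, _strip_ends(normalise(core))}
    return any(c in DICTIONARY for c in candidates)


def is_incremental(pw: str, previous: Iterable[str]) -> bool:
    """True if pw is a previous password with a number appended or bumped
    (password1 -> password2, Summer2005 -> Summer2006)."""
    m = re.fullmatch(r"(.*?)(\d+)", pw)
    if not m:
        return False
    stem = m.group(1)
    for old in previous:
        om = re.fullmatch(r"(.*?)(\d*)", old)
        if om and om.group(1) == stem:
            return True
    return False


def character_classes(pw: str) -> int:
    """Number of classes present: lowercase, uppercase, digits, other."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])


def is_passphrase(pw: str) -> bool:
    """Several space-separated words and comfortably over the good length."""
    return len(pw.split()) >= 4 and len(pw) > GOOD_LEN


def check_password(pw: str, previous: Iterable[str] = ()) -> list:
    """Return the list of policy failures; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    elif len(pw) <= GOOD_LEN:
        problems.append(f"not longer than {GOOD_LEN} characters")
    if is_dictionary_word(pw):
        problems.append("dictionary word (substitutions do not help)")
    if is_incremental(pw, list(previous)):
        problems.append("incremental variant of a previous password")
    if character_classes(pw) < 3 and not is_passphrase(pw):
        problems.append("fewer than three character classes")
    return problems


if __name__ == "__main__":
    for candidate in ["p@$$w0rd", "Summer2006", "correct horse battery staple"]:
        print(candidate, "->", check_password(candidate, ["Summer2005"]) or "OK")
```

Note that the substitution check is deliberately applied before the dictionary lookup: a cracker's word list already carries these mangling rules, which is exactly why the post lists substitution under 'avoid' for single words but allows it on top of a passphrase.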

In my opinion, it is ok to write down a password in the following conditions:

1) If this enables you to use a highly complex password that you would not be able to remember otherwise (such as †ˆª’®$¼>Lm\`¬pA*-~@;žŸ¿s)
2) If the written copy is appropriately secured (eg, locked in a secure safe with dual control, or encrypted on a USB drive with the decryption key stored separately and also appropriately physically secured).

It is also important not to use the same password everywhere. If you have to use the same password (or PIN number for that matter), then ensure that you only use the same password for systems with the same level of importance or security.

For example;

You may choose to use the same password for all web sites where you don't supply any credit card details. If one of these gets hacked, it's no big deal that the same password is used on other such menial sites.

You would choose an entirely different password for sites where you submit credit card information, i.e. well known companies whose security policies and procedures you trust.

You would choose a different PIN for your bank cards than for your mobile phone.

The rationale behind this is a compromise between having a totally separate password for every system (web sites, computer logon, bank PIN, mobile phone PIN) and having the same credentials for all of them.

The important thing to remember is never to allow the password of a secure system, such as a credit card PIN, to be compromised by making it identical to that of a weaker system, say a mobile phone PIN that is written down and kept with the phone.

At a very high level, this is the principle that all sysadmins should practise for managing multiple IDs within systems.

Of course, even better than passwords is two-factor authentication, such as RSA SecurID one-time session authentication or smart card/PKI, but that is a subject for another blog!

1 Comment:

Anonymous Rob said...

Ironic isn't it - the "best" password guidelines are the very ones that make the password system so unpopular to the average end-users. Many of the things that I advise to help make the system at least bearable are on your *avoid* list :(
But then sysadmins, who know better, are often even worse. I have recently heard of an organisation where all their root passwords are the same value, haven't been changed for donkey's years and have become fairly well known. This was to make things "easier" for the sysadmins!
My suggestion that some basic good practices needed to be implemented met with quite some resistance even though they completely understood that what they were doing was bad.
Realistically if we want good user authentication we need one-time passwords/PINs, which is fine for application accounts, but not sure how it would be applied to root on unix.

9:47 PM  
