The Weakest Link: "We've met the enemy, and it is us." (Pogo)

Build a Better Password

Three guidelines to impenetrability

by Raymond E. Miller, CISSP, MCSE
Passwords hold the keys that access many things in our lives. We have a love-hate relationship with them for obvious reasons.

In most cases, we need two things to get access to a system: a valid user name and the password associated with that user name. Since it's easy to find out a person's user name, the password plays a big role in authenticating the user, proving to a system that he or she is the person behind the user name.
Common password formats

As we all know, a password can easily be weak or strong, depending on what the user creates. Too easy, and it's breakable. Too hard, and it's forgettable. A password generally comes in one of three forms: something you know, have or are.

A "something you know" password could be a personal identification number (PIN) or the name of Aunt Sadie's dog. It should be something that only you know and keep secret, even from your loved ones and trusted coworkers.
A "something you have" password could be a key, token or smart card. Smart cards are commonly used for building access but are becoming more common in computer systems access security. Tokens and key fobs simply display a number that changes every set amount of seconds (usually around 10 seconds, but a little longer is better, since it can take more than that to access the system). When you access a system with a token, you still enter a user name and a password, followed by the number currently shown on the token.
A "something you are" password is commonly referred to as biometrics. Biometrics is based on a physical attribute, such as a fingerprint or retinal pattern, that's scanned and compared to the attribute on record to confirm a person's identity. Just as no two snowflakes are alike, no two retinas or fingerprints are alike.
Turning weak passwords into strong ones

Of these three types of passwords, the most widely used is something you know. Unfortunately, it's also one of the least secure. Most users tend to pick simple passwords, something that is easy for them to remember, like a relative's name or birthday. Most of you probably know it's a challenge to get users to create better and stronger passwords.

The first step on the road to convincing users to build a better password is educating them. You improve the chances of them creating super passwords by explaining the importance and the process of building a more secure password. User-generated passwords can be strong and effective, provided they follow a few simple guidelines.
- Use a password that is longer than eight characters.
- Pick a password that doesn't appear in a dictionary.
- Generate passwords by using the full character sets available.
Typically, the full set of allowable characters available to you includes alphabetical (a-z and A-Z), numerical (0-9) and special sets. Special sets, also known as special characters, generally refer to !, @, #, $, ^, &, [, ], {, } and so on.

Some systems don't allow certain special characters, but there's almost always something you can use that's outside of the alphabet. The special characters and their use differ from system to system. The longer the password, the more character types it uses and the less likely it is to appear in a dictionary, the more difficult it is for an attacker to decipher.
Meet Goliath, Aunt Sadie's attack dog

Let's use Aunt Sadie's dog as an example of how to turn a weak password into a "Goliath-style" password, one that even David can't beat. Guess what? The dog's name is Goliath.
Goliath, when compared to the provided guidelines, fails all three guidelines for creating a strong password. It's shorter than eight characters, appears in the dictionary and uses only alphabetical characters. Here's how to modify it to make it stronger.

Guideline 1: Increase the length of the password by adding more information. Take the basic "Goliath" and transform it to "Goliath is a dog." Now the first guideline is satisfied.

Guideline 2: Further modify the new password to "Goliathisadog." By eliminating the spaces, the second guideline is a happy camper, because this password doesn't appear in a standard dictionary.

Guideline 3: Last change: Introduce other characters into the password to make guessing it more difficult. Do this by replacing alphabetical characters with other acceptable characters. Hence "Goliathisadog" magically transforms to "G0li@this@d0g". In this last step, we have substituted the number zero for the letter "o" and "@" for "a."
T!@NS4ES: This is a new section for easy scanning
Apply mnemonics to create a password by thinking of a memorable sentence, using the first letter of each word, and applying guidelines one and three. Here is an example of this process.

In a real case, a person shared administrative rights with multiple people on a system. The person learned that an administrative person had given the administrators' account password to a user so that the user could temporarily access the system with the more powerful account. To teach the administrators a lesson, the person created the password "TiN4u2gA!" Translation: "This is not for you to give away!" This password had the desired effect and complied with all three guidelines.
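The following checker applies the three guidelines mechanically to each stage of the Goliath walk-through and to the mnemonic "TiN4u2gA!". It is an added example written for this page, not code from the article; the word list it uses is a constructed stand-in for a real dictionary, and the function and variable names are the example's own.

```python
"""Check candidate passwords against the article's three guidelines.

Added example, not part of the original article. DICTIONARY is a
constructed stand-in for a real word list; use a full one in practice.
"""
from __future__ import annotations

import string

# Constructed stand-in for a "standard dictionary". A real check would load
# a full word list plus a list of commonly used passwords.
DICTIONARY = {"goliath", "dog", "password", "sadie", "welcome", "letmein"}

SPECIALS = set("!@#$%^&*()[]{}<>?-_=+,.;:'\"`~|\\/")


def character_classes(pw: str) -> set[str]:
    """Return which character classes (lower, upper, digit, special) pw uses."""
    classes = set()
    for ch in pw:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        elif ch in SPECIALS:
            classes.add("special")
    return classes


def check_guidelines(pw: str, dictionary: set[str] = DICTIONARY) -> dict[str, bool]:
    """Apply the three guidelines; True means that guideline is satisfied."""
    return {
        # Guideline 1: longer than eight characters.
        "length": len(pw) > 8,
        # Guideline 2: no whitespace-separated word of pw is a dictionary word,
        # so "Goliath is a dog" still fails and "Goliathisadog" passes.
        "not_in_dictionary": not any(w.lower() in dictionary for w in pw.split()),
        # Guideline 3: draws on more than the alphabet (digits or specials).
        "full_character_set": bool(character_classes(pw) & {"digit", "special"}),
    }


def is_strong(pw: str) -> bool:
    """A password is strong when all three guidelines are met."""
    return all(check_guidelines(pw).values())


if __name__ == "__main__":
    for candidate in ("Goliath", "Goliath is a dog", "Goliathisadog",
                      "G0li@this@d0g", "TiN4u2gA!"):
        print(f"{candidate!r:20} {check_guidelines(candidate)}")
```

Note that a cracker's wordlist attack also tries concatenated words and digit-for-letter substitutions, which is why guideline 3 still matters once guideline 2 is satisfied.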
Approaching the world of passwords with these three basic guidelines can multiply the difficulty an attacker faces in trying to guess your password. One last piece of advice: Educate your users to change passwords often. The longer you use the same password, the more time an attacker has to figure it out. Since we have three guidelines, three months makes a good and easy-to-remember timeframe for changing passwords.

It shouldn't take long to teach users how to build an impenetrable password, and the payoff is a safe and secure business environment. Plus, they get to keep their jobs for as long as no one can crack their passwords. Just remember the big three.
Raymond E. Miller, CISSP, is an independent security consultant and trainer. He can be reached at Raymond.Miller@hotmail.com.