Strong Words on Passwords
I recently read that 40% of hacked company data is hacked from external sources. This 40% would be people on the Internet and outside your company who have no business looking at your data. They browse your data. They use your data to their advantage. They sell your data. Guess how the remaining 60% of company data is hacked. Yes...from internal sources. This would include people in your company who get their hands on information they shouldn't be able to see. The easiest path is to learn, guess or crack a password. I am expanding on my previous A few words on passwords article here.

I typically advocate a strong password policy derived from Microsoft's and Watchguard's best practices. I will present the policy, ask for your response and then justify the policy. Here we go:

Presentation
Passwords cannot be changed for two days after creating a new password.
Passwords expire every 42 days.
Passwords contain characters from the following categories:
English uppercase characters (A - Z)
English lowercase characters (a - z)
Base 10 digits/numbers (0 - 9)
Non-alphanumeric symbols (e.g. !, $, #, or %), and
Passwords do not contain three or more characters from the user's account name.
Password history will be retained for the two most recent passwords.
Passwords are at least 15 characters long.

While these password policies may seem rigid, they are highly recommended for keeping hackers with some personal information and/or word lists from breaking user passwords. Due to a flaw in Windows' Active Directory, a 14-character password is saved as two 7-character passwords. That is the reason for Watchguard's 15-character recommendation.

Response
If this is derived from Microsoft's and Watchguard's recommendations, then we should do it.
If Mark says this will help the business stay in business, then we should do it.
I want to check with the staff first.
Let's throw Mark out the window.
Can I still write my password on a Post-it note and stick it to my monitor?

Justification
The simpler a password, the easier it is to crack. Wikipedia.org defines password cracking as “the process of discovering the text of an encrypted computer password.” See also http://en.wikipedia.org/wiki/Password_cracking. I bought a $60 brute force password cracker and ran it on my server. Sure enough…it cracked the easy passwords quickly. Let's assume that on your network, users could use upper and lowercase letters for their passwords. Let's also assume the passwords they chose were not in the dictionary. My program presents these results:

Passwords 4 characters long, or shorter: can be cracked in under 4 seconds.
Passwords 7 characters long, or shorter: can be cracked in under 3 days, 9 ¾ hours.
Passwords 15 characters long, minimum: would be safe. This program would try guessing 3.6 million passwords per second. The estimated time is… “unreachable.”

The more complex a password, the harder it is to crack. When I reset client passwords, I usually reset them to one derived from the easy-to-remember phrase: better safe than sorry. The password I prefer is Better$afethan$0rry. It meets the password policy (above) and cannot be cracked in a reasonable amount of time. Most people trying to crack this password would give up and look elsewhere. I refer this to your wisdom.
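As an added example (not code from the article or from the $60 cracker), here is a small Python script that checks a password against the policy above and reproduces the brute-force time estimate. It assumes all four character classes are required, that the account-name rule means no three consecutive characters of the account name may appear in the password, and a 52-letter alphabet at the article's 3.6 million guesses per second, so the figures approximate rather than exactly match the program's output.

```python
import re
# Values taken from the article: 15-character minimum, four character classes,
# no run of three or more characters from the account name, 3.6M guesses/second.
MIN_LENGTH = 15
GUESSES_PER_SECOND = 3_600_000
CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}

def shares_account_fragment(password, account_name, run=3):
    """True if any run of `run` consecutive account-name characters appears in the password."""
    pw, name = password.lower(), account_name.lower()
    return any(name[i:i + run] in pw for i in range(len(name) - run + 1))

def policy_violations(password, account_name):
    """List the policy rules the password breaks; an empty list means it complies."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for label, pattern in CLASSES.items():
        if not pattern.search(password):
            problems.append(f"missing {label} character")
    if shares_account_fragment(password, account_name):
        problems.append("contains three or more consecutive characters of the account name")
    return problems

def seconds_to_exhaust(length, alphabet_size, rate=GUESSES_PER_SECOND):
    """Worst-case seconds to try every password of 1..length characters over the alphabet."""
    keyspace = sum(alphabet_size ** n for n in range(1, length + 1))
    return keyspace / rate

def describe(seconds):
    """Readable duration; beyond a million years it is reported as unreachable."""
    if seconds < 60:
        return f"{seconds:.1f} seconds"
    if seconds < 365 * 86400:
        days, rem = divmod(seconds, 86400)
        return f"{int(days)} days, {rem / 3600:.1f} hours"
    years = seconds / (365.25 * 86400)
    return f"{years:,.0f} years" if years < 1e6 else "unreachable (>1 million years)"

if __name__ == "__main__":
    # Constructed sample inputs: the article's password, a weak one, one echoing the username.
    for pw in ("Better$afethan$0rry", "bettersafe", "Mark2008password!"):
        print(pw, policy_violations(pw, "mark") or "meets policy")
    for n in (4, 7, 15):
        print(n, "characters, mixed-case letters only:", describe(seconds_to_exhaust(n, 52)))
```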

Copyright ©2008 Cameron Park Computer Services