If you manage a network, you probably always keep in the back of your mind the issues surrounding external hackers and the constant attacks that your network is experiencing. If you are a home user, you probably never think of these issues. You don't think it can happen to you. The reality is that most attacks nowadays are automated and random. You do not need to have known valuable information stored on your computer to become a victim of an attack.
What can I do?

Securing your network would be a good first step. You can find more on this in one of the other articles. What I do want to talk about today is password security. A couple of decades ago, users were accustomed to using their first name as a password, or maybe some 4-digit number. Both are considered extremely weak passwords, as they are prone to a dictionary attack (in the case of a name) or a quick burst of brute force (4 digits yield only 10,000 combinations). Your passwords must be a lot more complex to withstand both of these common attack methods.
What is a good password

This topic has undergone a few iterations over the past 10 years or so. A few years ago, if you had asked any network administrator whether K28w&88zz9 is a good strong password, they would have absolutely agreed. Nowadays, we see this as a strong password but not as a good password for users. Thanks to well-documented breaches, we now know that requiring passwords that are impossible to remember results in users writing them on pieces of paper that end up either stuck to their monitor or under their keyboard. A password in plain sight is not a good password.
More info: Issues facing administrators and what are the good passwords to enforce?
permanent link to article http://freecash.hogger.net/password_security_an_in_depth_look_at_evolvement_of_password_security_requirements_over_time
Administrators now understand that a simple dictionary-based password is easy to guess, but when you join several words, the attacker will not succeed with a dictionary and will have to proceed with brute force. With a longer password, the time required to break it grows exponentially. If we assume that the attacker expects us to use only lowercase letters, increasing the length of the password by just 5 characters multiplies the number of possibilities by roughly 10 million. So going from 5 to 10 characters, the number of combinations grows from roughly 10,000,000 to 100,000,000,000,000. A long password is a good password.
What to suggest

Passwords should be easy to remember. The best way to remember a long password is to create a sentence password such as "ilikepotatochips". It is easy to remember that the password is "I like potato chips", and the length is 16 characters. The number of combinations that must be tested to cover all passwords 16 characters in length is too large to even write out here.
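The length argument above can be checked with a short calculation. This is an added example, not code from the original article; the guessing rate and the small word list are constructed assumptions, and the exact counts show that the article's 10,000,000 and 100,000,000,000,000 are rounded values of 26^5 and 26^10.

```python
import string

# Assumed offline guessing rate; a constructed figure, not taken from the article.
GUESSES_PER_SECOND = 1e9
# Constructed stand-in for an attacker's word list.
DICTIONARY = {"michael", "password", "potato", "chips"}
POOLS = (string.ascii_lowercase, string.ascii_uppercase,
         string.digits, string.punctuation + " ")

def alphabet_size(password):
    """Sum the sizes of every character class the password draws from."""
    return sum(len(pool) for pool in POOLS if any(c in pool for c in password))

def keyspace(password):
    """Worst-case candidates for a character-by-character brute force.

    This is an upper bound: it assumes, as the article does, that the
    attacker cannot shortcut the search with a word list.
    """
    return alphabet_size(password) ** len(password)

def in_dictionary(password):
    """True when the whole password is one word from the word list."""
    return password.lower() in DICTIONARY

def years_to_exhaust(password, rate=GUESSES_PER_SECOND):
    """Years needed to try every candidate at the assumed rate."""
    return keyspace(password) / rate / (365 * 24 * 3600)

def assess(password):
    """Return (keyspace, years, verdict) for one candidate password."""
    if in_dictionary(password):
        return keyspace(password), 0.0, "dictionary word"
    years = years_to_exhaust(password)
    return keyspace(password), years, "weak" if years < 1 else "resists brute force"

if __name__ == "__main__":
    for pw in ("michael", "1234", "abcde", "K28w&88zz9", "ilikepotatochips"):
        space, years, verdict = assess(pw)
        print(f"{pw:18} {space:.3e} candidates  {years:.3e} years  {verdict}")
```

Under these assumptions the 16-character lowercase sentence has a larger search space than the 10-character mixed-class K28w&88zz9, which is the article's point that length outweighs complexity.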
Am I set with one password?

Simply put: no. Even with a long password, if you do not notice the attacker and they are given enough time, they might still figure out the password. The best way to prevent that is to switch passwords on attackers. They won't be able to tell whether the password has changed, and that neutralizes most attacks. You could suggest that your users follow a logical progression for their passwords, graduating from "i like potato chips" to "i do not like broccoli", then "i love watermelon", "i am not sure about apples" and so on. You should make sure that passwords are changed at least once every two months, and your users should use at least 6 different passwords before they are allowed to go back to the first one.