Secure Password Guide
August 15, 2016. Posted by twiznc in Security.
At a minimum, Tech Wizards strongly urge you to utilize passphrases of at least 16 characters and to change passwords at least every 3-6 months. The information below makes it fairly easy to create passphrases that are relatively easy to remember and to change them regularly. Start with a passphrase of at least 16 letters, such as lyrics from a song (allyouneedislove), a line from a nursery rhyme (hey diddle diddle), a line from a poem (andmilestogobeforeisleep), etc. Capitalizing one or more letters and adding special characters (even spaces) will improve the strength of any passphrase. There are also several free online tools that can generate long, secure passwords for you (see links below). Although it is preferable to come up with an entirely new password every time you change your password, adding the month and year as a four-digit addition at the end of your phrase (Allyouneedislove!0316) takes some of the pain out of changing your password (just update the month and year code at the end of your passphrase); if you do this every calendar quarter, the number becomes very easy to remember.
For maximum security (and in order to conform to federal compliance guidelines) passwords must meet the following complexity and usage rules…
- Passwords must be changed at least every 60-120 days
- A new password cannot be a password you have used previously
- Passwords cannot contain the user’s account name or parts of the user’s full name that exceed two consecutive characters
- The password must be a minimum of 14 characters (more is better) and contain characters from three of the following four categories:
  - English uppercase characters (A through Z)
  - English lowercase characters (a through z)
  - Base 10 digits (0 through 9)
  - Non-alphabetic characters (for example, !, $, #, %)
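As an added example (not from the original post or from Tech Wizards), here is a small Python checker that applies the complexity rules above to a candidate password. The account name and full name it uses are constructed, and the name-fragment rule is implemented here as the Windows-style check (an assumption): the full name is split on separators and no fragment longer than two characters may appear in the password, case-insensitively.

```python
import re
import string

MIN_LENGTH = 14          # policy above: minimum 14 characters
REQUIRED_CATEGORIES = 3  # policy above: at least three of the four character classes
# Assumption: full name is split on these separators before checking, Windows-style
NAME_SEPARATORS = re.compile(r"[ ,.\-_#\t]+")

def char_categories(password):
    """Return the set of character classes present in the password."""
    cats = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            cats.add("upper")
        elif ch in string.ascii_lowercase:
            cats.add("lower")
        elif ch in string.digits:
            cats.add("digit")
        else:
            cats.add("symbol")  # anything else, including spaces and punctuation
    return cats

def name_tokens(account_name, full_name):
    """Name fragments longer than two characters that must not appear in the password."""
    tokens = {account_name.lower()} if len(account_name) > 2 else set()
    for part in NAME_SEPARATORS.split(full_name):
        if len(part) > 2:
            tokens.add(part.lower())
    return tokens

def policy_violations(password, account_name, full_name):
    """Return the reasons the password fails the policy; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(char_categories(password)) < REQUIRED_CATEGORIES:
        problems.append(f"fewer than {REQUIRED_CATEGORIES} of 4 character categories")
    lowered = password.lower()
    for token in sorted(name_tokens(account_name, full_name)):
        if token in lowered:
            problems.append(f"contains name fragment '{token}'")
    return problems

if __name__ == "__main__":
    # Constructed sample user; the candidate passwords are examples from this post
    for pw in ["J0hn99", "Allyouneedislove!0316", "hey diddle diddle", "Makeit20@password.com"]:
        print(pw, "->", policy_violations(pw, "jsmith", "John Smith") or "OK")
```

Note that "hey diddle diddle" passes the length rule but fails the category rule, since spaces only count as one (non-alphabetic) class.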
Regarding network passwords, for security reasons, a user’s account should be locked out after 3 consecutive failed logon attempts, and should remain locked out for at least 1 hour unless manually unlocked by an administrator.
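An added illustration (not from the original post) of how the lockout rule above behaves: a minimal tracker that locks an account after three consecutive failed logons for one hour, rejects attempts while locked, and clears the lock early only through an administrator call. The clock is passed in as a number of seconds so the behaviour can be followed without waiting.

```python
from dataclasses import dataclass, field

LOCKOUT_THRESHOLD = 3       # consecutive failures before lockout (policy above)
LOCKOUT_SECONDS = 60 * 60   # locked out for at least one hour (policy above)

@dataclass
class AccountState:
    failures: int = 0           # consecutive failed attempts since the last success
    locked_until: float = 0.0   # 0.0 means not locked

@dataclass
class LockoutTracker:
    """Tracks failed logons per account; the caller supplies the clock in seconds."""
    accounts: dict = field(default_factory=dict)

    def _state(self, user):
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user, now):
        return self._state(user).locked_until > now

    def record_attempt(self, user, success, now):
        """Record one logon attempt; returns True if the account is locked afterwards."""
        st = self._state(user)
        if self.is_locked(user, now):
            return True             # even a correct password is refused while locked
        if success:
            st.failures = 0         # a success resets the consecutive-failure count
            return False
        st.failures += 1
        if st.failures >= LOCKOUT_THRESHOLD:
            st.locked_until = now + LOCKOUT_SECONDS
            st.failures = 0
            return True
        return False

    def admin_unlock(self, user):
        """Manual unlock by an administrator, the only way to end a lockout early."""
        st = self._state(user)
        st.locked_until = 0.0
        st.failures = 0
```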
The above password policies can (and should) be configured as password requirements on any company’s Exchange Server. Tech Wizards can apply these password policies to your server if requested.
Below are web links that offer methods and online tools for creating passwords that meet the above criteria…
- Probably The Best Password Generator Online: XKPasswd (Recommendation: Choose the “XKCD” preset at the top of the page, and change the “Transformations” option to “Capitalise First Letter”)
- “Manly Man” Instant Password Generator – A quick and easy secure password generator (you may need/want to capitalize at least one letter in the generated password)
- Shift Your Fingers One Key to the Right for Easy-to-Remember but Awesome Passwords (remember to include at least one number, one special character, and one capitalized letter)
Many people, for simplicity, use the same password for every device, web site or software application they use. This is a VERY BAD idea, since if someone hacks, steals, guesses, or otherwise obtains your password then they will have access to everything you access (computers, digital devices, bank accounts, Facebook, Twitter, and perhaps even your ATM if you use the same code there). For best security, and to avoid identity theft (which you want to do at all costs), many find it easier to use a dedicated password management system, rather than trying to remember a bunch of different passwords.
There are some great password management tools out there. They include…
- KeePass (free, open source download)
- LastPass (free download, with a premium version subscription available)
- Roboform (limited free version (10 logins); full version is $9.95 for the first year, then $19.95 per year)
- 1Password ($35.88 per year for Windows PC or Mac)
Roboform and LastPass are my personal favorites since they work on (and sync with) all devices (PCs, Macs, phones, tablets, or even a USB drive for portable use) and also automatically fill online forms (even the free version) in addition to managing your passwords.
All of these tools give you the ability to record all your passwords in a single, strongly encrypted location (some will also fill online forms for you). Of course you still need a password in order to unlock the encrypted file, but you only need to remember a single passphrase.
Here are a few password myths that may help you or your company adopt a more rigorous password policy…
- Myth #1: Dj#wP3M$c is a Great Password – A common myth is that totally random passwords spit out by many common password generators are the best passwords. This is not true. While they may in fact be strong passwords, they are usually difficult to remember, slow to type, and sometimes vulnerable to attacks against the password generating algorithm. It is easy to create passwords that are just as strong but much easier to remember by using a few simple techniques. For example, consider the password “Makeit20@password.com”. This password utilizes upper and lower-case letters, two numbers, and two symbols. The password is 20 characters long and can be memorized with very little effort; perhaps even by the time you finish this article. As mentioned above, the best technique for creating complex passwords that are easier to remember is to use data structures that we are accustomed to remembering. Such structures also make it easy to include punctuation characters in the password, as in the e-mail address example used above. Other data structures that are easy to remember are phone numbers, addresses, names, file paths, etc. Consider also that certain elements make things more memorable for us. For example, patterns, repetition, rhymes, humor, and even offensive words all make passwords that we will never forget.
- Myth #2: J0hn99 is a Good Password – While it does pass minimum Windows complexity requirements, “J0hn99” is not as strong a password as it appears. Most password crackers have rules that can try millions of word variants per second. Replacing the letter “o” with the number “0” and adding a couple of numbers is no big deal to a password cracker. Some password crackers have rule sets that can create password combinations well beyond the average user’s creativity or patience. A better approach is to be less predictable. Rather than replacing “o” with “0”, try replacing “o” with two characters such as “()” as in “j()hn”. And of course, making your password longer will make it even stronger.
- Myth #3: Passwords Cannot Include Spaces – Although most users do not realize it, all versions of Windows since Windows 2000 allow spaces in passwords, as do most websites and other password-protected services and devices. In fact, as far as Windows passwords go, if you can view a character in Windows, you can use that character in a password. Therefore, spaces are perfectly valid password characters. However, because some applications trim spaces, it is often best not to begin or end your password with a space. Spaces can actually make it easier for users to come up with more complex passwords: since a space separates words, allowing spaces may encourage users to put more than one word in their passwords.
- Myth #4: Eventually Any Password Can Be Cracked – Although a password may eventually be discovered through some means (such as through a keylogger or through social engineering), it is possible to create a password (or passphrase) that cannot be cracked in any reasonable time. If a password is long enough, it will take so long or require so much processing power to crack it that it is essentially the same as being unbreakable (at least for most hackers). So yes, eventually any password can be cracked, but eventually may not fall in your lifetime. So unless you have the Government hacking away at your passwords, chances are you are pretty safe. Of course, advances in computing power may someday make this myth a reality.
- Myth #5: You Should Never Write Down Your Password – Although this is often good advice, sometimes it is necessary to write down passwords. Users feel more comfortable creating complex passwords if they are able to write them down somewhere in case they forget. However, it is important to educate users on how to properly write down passwords. A sticky note on the monitor (or a piece of paper under the keyboard) is not a good policy, but storing passwords in a safe or even a locked cabinet may be sufficient. And don’t neglect security when it comes time to throw those passwords away; many passwords have been compromised after hitting the garbage dumpsters. You should discourage writing down passwords in most situations, but if writing them down helps or is necessary, be smart about it.