Ten Steps to Better, Stronger Passwords
Hackers are everywhere, and they have a sophisticated array of tools for cracking your passwords. The primary purpose of this white paper is to help you understand that easy-to-remember passwords are no longer considered a secure form of authentication. You should consider any static password that you can remember as vulnerable. Even static passwords that are random are still vulnerable to some extent; it just takes much longer for a password cracking attack to succeed, and the likelihood of that success is inversely proportional to the length of the password. Here are some tips to help you create effective passwords and keep them safe.
It has been years since single-password authentication was even potentially a good security idea. You should consider any static password that you can remember as vulnerable. Let's take a look at what makes a good password and then examine ten easy steps you can use to make your password as secure as possible.
Security can be defined in many ways. One way is accountability: security as holding people responsible for their actions. In order to hold someone accountable, three elements must be present.
Authentication is the proving or verification that a specific person is who they claim to be. In most cases within a computer network, authentication is used to link a specific person to a specific user account. When a person attempts to log on, they claim an identity, often by typing in a user name, then they must provide authentication factors to prove that they are (or at least are responsible for) the claimed identity.
Auditing of events is the recording of all activities of the system, resources, and users. This creates a log trail of everything that took place within the computer network and to some extent within the organization's facility during a specific period of time.
Authorization is the assignment of rights, permissions, and privileges to users that enables them to accomplish their assigned work tasks. Authorization is also the prevention or denial of access to any resource or activity that is not granted to a user. Thus, authorization is a collection of allows and denies that define the activity and access boundaries for a user. Every user will have their own unique, custom, and focused set of access boundaries.
Of these three essential security services, authentication is the most important. Failing to prove a solid and unassailable link between a digital identity (i.e., a user account) and a person prevents us from holding someone accountable for the recorded actions of a user account. Without strong authentication, it is not possible to hold someone accountable.
Unfortunately, authentication is where most systems, services, online sites, and organizations fail in their attempts to provide accountability. The reason for this failure is passwords. Passwords are the most commonly used form of authentication, yet in practical terms they end up being the least effective form. This is caused by several factors.
Most organizations and services rely only on passwords for authentication. When a single factor authentication mechanism is used, especially when that single factor is just a password, a single successful attack against a user account, person, or password is all a hacker requires to impersonate someone and log in as the victim account.
Most organizations leave password selection up to the end user. Most end users pick passwords that are easy for them to remember. The fact that a password is easy to remember makes it a password that is easier to guess, discover, or crack.
Common or "standard" password security policies, guidelines, and training do not help against modern password cracking techniques and tools. Forcing users to employ one or two uppercase letters, numbers, and symbols, or requiring a specific number of characters (even setting a small range of allowed lengths, such as 8 - 12 characters) actually makes the task of password compromise easier. For example, if a hacker knows your company's password policy, then they can automatically exclude any password that does not fit your requirements, such as anything missing an upper case character or anything with too few characters.
People are lazy. Even with good recommendations for password creation, most users do only the minimum required to satisfy the rules, and most do not truly understand the point and purpose of those rules. Treating the minimums as if they were exact requirements gives the hacker even more of an edge: if your policy requires 2 upper case letters, most users will use exactly 2, even though nothing restricts them from using more. Hackers study human behavior and use this foible to improve the success of their password attacks.
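As an added illustration of the two points above (this code is not part of the white paper), the following Python counts how many printable-ASCII passwords a sample policy of "length 8, at least 2 upper case, 1 digit, 1 symbol" still admits, and how few remain when users satisfy exactly those minimums with lower case everywhere else. The character-class sizes (26/26/10/32) and the sample policy are assumptions made for the example.

```python
"""Added example: how a known password policy, and minimal compliance with it,
shrink the candidate space a defender should assume an attacker has to cover."""
from math import comb

# Assumed printable-ASCII character classes: 94 characters in total.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 32
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS


def unconstrained(length):
    """All passwords of exactly `length` printable characters (no policy known)."""
    return ALPHABET ** length


def _placements(length, u, d, s):
    """Ways to choose which positions hold u upper, d digits, s symbols; the rest are lower."""
    return comb(length, u) * comb(length - u, d) * comb(length - u - d, s)


def _fill(length, u, d, s):
    """Passwords with exactly u upper, d digit, s symbol and (length-u-d-s) lower characters."""
    l = length - u - d - s
    if l < 0:
        return 0
    return _placements(length, u, d, s) * UPPER**u * DIGITS**d * SYMBOLS**s * LOWER**l


def policy_compliant(length, min_upper, min_digit, min_symbol):
    """Passwords of `length` that meet the policy: AT LEAST the required count of each class.
    Knowing the policy lets an attacker drop everything outside this set."""
    total = 0
    for u in range(min_upper, length + 1):
        for d in range(min_digit, length - u + 1):
            for s in range(min_symbol, length - u - d + 1):
                total += _fill(length, u, d, s)
    return total


def minimal_compliance(length, min_upper, min_digit, min_symbol):
    """Passwords that use EXACTLY the minimums and lower case elsewhere (the lazy-user set)."""
    return _fill(length, min_upper, min_digit, min_symbol)


def reduction_factor(length, min_upper, min_digit, min_symbol):
    """How many times smaller the lazy-user set is than the unconstrained space."""
    return unconstrained(length) / minimal_compliance(length, min_upper, min_digit, min_symbol)


if __name__ == "__main__":
    for name, n in (("no policy known", unconstrained(8)),
                    ("policy known", policy_compliant(8, 2, 1, 1)),
                    ("exactly the minimums", minimal_compliance(8, 2, 1, 1))):
        print(f"{name:22s} {n:.3e} candidates")
    print(f"length 12 vs 8: {unconstrained(12) // unconstrained(8):,} times more candidates")
```

Running it shows the lazy-user set is roughly 73 times smaller than the full 8-character space, while adding four characters of length multiplies the space by 94^4, which is the page's point about length outweighing composition rules.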
Too many real-world passwords have been hacked. Hackers have an overwhelming amount of knowledge about general password rules, guidelines, and selections. This insight into how we, as general computer and Internet users, select passwords makes password cracking easier and faster.