Jay Butler, Senior Technical Consultant
“Passwords, passwords, passwords” – I know. As a Systems Administrator, it’s almost impossible to keep up with all your passwords. You have two user accounts to keep up with just for accessing Windows, one account for normal activity and one for administrative access. You have the firewall password, the local Windows computer passwords, passwords for almost every software application, passwords for services on servers, proxy passwords, email passwords. And I know I am missing a bunch because I have not even mentioned all your personal passwords.
The typical network user isn’t much better off. They are expected to keep up with all their passwords while making them difficult to guess without writing them down. And by the way, everyone has to change their password at least every 60 days and it cannot be a previously used password. Remember, “Don’t write them down.”
These days, the difficulty factor has been multiplied by something we all know and love: Password Complexity. Password Complexity must be enabled on the institution’s Windows network per regulatory requirements. Regulations and best practices dictate the following Windows settings with regard to passwords:
- Maximum password age – 60 days: ALL users will be required to change their password every 60 days.
- Minimum password age – 7 days: Users will not be allowed to change their password again until 7 days have passed.
- Minimum password length – 8 characters: All user account passwords must be a MINIMUM of 8 characters and at most 28 characters (the maximum allowed).
- Enforce password history – 12 passwords: The system will not allow a user to change his/her password to any of the previous 12 passwords.
- Password must meet complexity requirements – Enabled:
  - The password does not contain 3 or more characters from the user’s account name.
  - The password must contain characters from at least 3 of the following 5 categories:
    - English uppercase characters (A – Z)
    - English lowercase characters (a – z)
    - Base 10 digits (0 – 9)
    - Non-alphanumeric characters (for example: !, $, #, or %)
    - Unicode characters
Of these requirements, password complexity seems to cause the most confusion and makes password creation difficult. However, a good password will adhere to these requirements and ideally it will NOT contain any words.
Several techniques can be used to help users create and remember strong passwords. While the aforementioned requirements help, a stronger password should be encouraged. In particular, if the password will be only 8 characters, it should contain a completely random set of characters like G!59rb*M. A password like this will resist the typical “dictionary crack” methods because it DOES NOT CONTAIN ANY WORDS. Its characters are completely random.
Creating Strong Passwords in Practice*
A common technique is to use a “pass phrase.” This involves thinking of a phrase or sentence that means something to you and using it to create a complex password. For example, “My son is eight years older than my daughter” could be used to create Msi8yotmd. Adding a special character like ! to form Msi8yotmd! strengthens the password by including a character from all 4 possible sets.
Here is a similar method that requires a little more creativity. The user thinks of a word that means something to him and jumbles it up to create a completely random password. Spell it backwards, add numbers, replace some of the characters, and voila, you have a strong password. Liberty2 could become 2ytr3b1L. This example uses the number 1 for i, and 3 for e.
It is also acceptable to use a word like Liberty and put a number in after each letter: L3i8b6e2r5t7y0. The number could be a phone number or anything the user can easily associate with something familiar to him.
Using Pass Phrases as the Password
“Pass phrases” can also be used. That is, you can simply use a real phrase as your password. A very strong password that is easy to remember and type can be attained using this technique. The user simply thinks of a phrase up to 28 characters in length, including the spaces. A good one might be “I love the outdoors!” Notice this password includes an “!” at the end. Therefore, it meets the complexity requirement to include three of the four possible character sets. Also, it includes the spaces, so the user can type normally when entering his password, as if typing a sentence in a Word document.
Now you are probably thinking, “Hey, doesn’t that break the cardinal rule of NOT USING WORDS in a password?” Yes, but only if the password is too short, like “Iamgood!” Therefore, the minimum password length should be increased in environments where users choose to use “pass phrases”. A minimum password length of 14 characters should be configured when encouraging the use of a pass phrase.
Update the domain (network) password settings to require a minimum of 14 character passwords and educate employees on using pass phrases. It’s much more realistic to expect users to create a long pass phrase than it is to rely on them to create a completely random eight-character one each time.
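As an added example that is not part of the original article, the Python below encodes the complexity settings listed earlier (length bounds, the account-name rule, and 3 of 5 character categories) and the 14-character pass-phrase minimum recommended here, so an administrator can check candidate passwords against the written policy before users hit the domain controller’s rejection. The account names jbutler and liberty are constructed; the account-name rule follows the article’s wording (no run of 3 or more consecutive characters shared with the account name), and spaces are accepted but, as an assumption, not counted toward any category.

```python
import string

# Character categories from the complexity rule; a space is accepted in a
# pass phrase but (assumption) does not count toward any category.
CATEGORIES = {
    "upper": lambda c: c in string.ascii_uppercase,
    "lower": lambda c: c in string.ascii_lowercase,
    "digit": lambda c: c in string.digits,
    "symbol": lambda c: c in string.punctuation,
    "unicode": lambda c: ord(c) > 127,
}


def shares_account_run(password: str, account_name: str, run: int = 3) -> bool:
    """True if any run of `run` consecutive characters of the account name
    appears in the password (case-insensitive). Follows the article's wording."""
    p, a = password.lower(), account_name.lower()
    return any(a[i:i + run] in p for i in range(len(a) - run + 1))


def check_password(password: str, account_name: str,
                   min_length: int = 8, max_length: int = 28) -> list:
    """Return the list of rules the password violates; an empty list passes.
    Use min_length=14 for the pass-phrase policy recommended in the article."""
    problems = []
    if not min_length <= len(password) <= max_length:
        problems.append("length")
    if shares_account_run(password, account_name):
        problems.append("account_name")
    present = {name for name, test in CATEGORIES.items()
               if any(test(c) for c in password)}
    if len(present) < 3:
        problems.append("complexity")
    return problems


if __name__ == "__main__":
    # Constructed account names; the candidates are the article's own examples.
    cases = [("Msi8yotmd", "jbutler", 8), ("I love the outdoors!", "jbutler", 14),
             ("Iamgood!", "jbutler", 14), ("Liberty2", "liberty", 8),
             ("2ytr3b1L", "liberty", 8)]
    for candidate, account, minimum in cases:
        result = check_password(candidate, account, minimum) or "OK"
        print(f"{candidate!r:24} ({account}) -> {result}")
```

Note that the jumbled form 2ytr3b1L passes for account liberty while Liberty2 fails the account-name rule, which is one reason the jumbling technique above works.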
In addition, with local network access most eight-character passwords can be cracked quickly using widely available tools. While using a random (no words) eight-character password with all four character types prevents the elemental “dictionary cracks,” it does not prevent the more sophisticated methods. It merely slows them down somewhat. These methods are widely used by third-party auditing firms during network audits/testing. [It’s important to note here that preventing the storage of the password using the LM Hash is critical in thwarting password cracking tools. Contact Safe Systems for assistance to confirm your network does not use the LM Hash.]
Employing 14-28 character passwords including the password complexity requirement makes them virtually “uncrackable” using today’s common tools. While this may sound difficult, it is actually easier in practice. Users only need to get accustomed to using a pass phrase. A pass phrase is much easier to remember and type than a random eight-character password.
The next time your network is audited, you will not receive a list of all your users and their passwords from a slyly smiling auditor.
At a minimum, use 14 characters on your Administrator accounts to keep them safe from abuse.
*Note: Please do NOT use any of the example passwords presented in this document.