A password is a first line of defense to your systems and your personal information. The system can be anything from a computer to a home alarm system to a corporate network consisting of hundreds or thousands of computers; the information can be anything from a social security number to a private letter to classified documents. Combined with a username, a password gives you a set of credentials to access these systems. Usernames are usually some form of 'account' that is created for you to use in conjunction with your passwords.
Below is a list of information requiring protection; some of the items are personal and some involve highly sensitive business or government information:
- Financial data
- Credit card numbers
- Health information
- Private documentation
- Cookies (containing sensitive information)
- Company secrets
- Intellectual property
- Military data
Passwords have a broad range of applications, but for simplicity's sake, this article deals with computer-based systems. Here are a few examples of systems that should be secured with a password.
- An application: e-mail, Word, Excel, etc.
- Server login
- Router (other device) login
- Web sites
- E-commerce sites
- A PDA (Personal Digital Assistant)
So what's the big deal? Well, think about it this way. You have a workstation at home and a workstation at work. You have bank accounts, e-mail accounts, and so on. It adds up. Now imagine you work in the IT field. It's conceivable to have 50 or more passwords to memorize. What if you had to change these passwords each month? Not only would you have a dozen (or possibly a few dozen) passwords to remember, but you would need to change them and remember the new passwords immediately.
One of the great obstacles to effective password creation is laziness. We all want to have something easy to remember so we tend not to be very careful or creative in devising passwords. Then you have to take into account a company's policy on password security. Most companies have a policy in place that forces all users to create a new and unique password each month. What winds up happening is that end users simply add a numerical digit to the end of their last password. If the password is "dog", then the new password becomes "dog1", eventually growing to "dog11". This sort of password creation technique is insecure and it doesn't help matters when an end user writes their password on a sticky note and places it under their keyboard or right on their monitor.
Many users believe that their desk drawers are sufficiently secure for hiding passwords. Another common place for storing passwords is on a PDA, which would be fine if PDAs were never lost or stolen. There are in fact security solutions for PDAs, such as PDA Secure, a program that adds protection to your PDA via encryption (see Resources for a link). But the best advice is to avoid storing passwords on your PDA or obvious places such as desk drawers altogether.
As a security analyst, I am regularly asked for my advice on creating an effective password scheme while maintaining the integrity for multiple platforms. In the next few sections, I hope to provide some useful ideas.
The most important thing to remember is that any password you create is vulnerable to attack, known as password stealing or cracking: the exploitation of your credentials to gain unauthorized access. The article Introduction to password cracking (see Resources) provides details on password cracking techniques.
The first step in good password design is to look at what not to do when creating passwords. First off, avoid dictionary words. Any word that comes from the dictionary is susceptible to an attack and eventually will be cracked unless you change it often. The major problem with creating passwords from dictionary words is that any password-cracking tool can eventually guess it using a dictionary attack. Also, you never want to write a dictionary word backwards or add a simple numerical value after the dictionary word. These same password-cracking tools try these combinations as well. Here are some examples of bad passwords:
These are all very susceptible to exploitation. Here are a few other things to avoid when creating a password:
- Never use personal information as the basis of a password. If you are a Star Trek fan, for example, don't set all your passwords to "Spock", "Vulcan", or even "Spock1". These are easily guessed by anyone who knows you.
- Sports fans just can't help themselves. I have known several administrators who have used their favorite team or player as the basis for a password.
- Don't use passwords based on what you keep on your desk. I hacked into a client's server using his daughter's name after seeing a picture of her on his desk.
- Don't keep password files on your local machine or a network share. Such a file is only protected by file-level access permissions, while the machine itself can be compromised. And if someone resets permissions on a folder and does it incorrectly, the folders underneath are also reset, compromising all passwords on the network.
How to create good passwords
Here are some general rules for creating effective passwords:
- The only safe place to keep a password is in your head or a locked safe to which only you know the combination.
- Effective passwords need to be fairly long, but not so long that you can't remember them. Three-character passwords are too short.
- Use special characters, uppercase letters, and numerals in a logical manner.
Here are some examples:
- Uppercase letters: Using uppercase letters in conjunction with lowercase letters will offer some protection if the system supports case sensitivity. You could then use the password "HeyYou", which is different from "heyyou". Adding uppercase letters adds a layer of complexity, making passwords harder to crack.
- Special characters: Using special characters such as "#", or "%" also adds to complexity. Take the word "money", add the pound sign after it (money#) and you have a fairly effective password.
- Numerals: Using numerals also adds complexity to the mix. If your social security number is 123-45-6789, you can use the last four digits with an easily remembered word such as "money", making your password "money6789".
- Mnemonic phrases: If you're a phrase collector from movies or songs, you can take a great line and make it into a password. Let's say you're a Star Wars fan. You can take the phrase: "May the Force Be With You" and use the first character from each word to create the password "MTFBWY".
- Substitution: You can use a number or sign in substitution for a word. If you know that the "$" sign equals the word "money," then you can tie it into a password scheme such as "Ilove$". This is a simple-to-remember password that is difficult to crack.
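To make the "what not to do" list and the construction techniques above concrete, here is an added Python example (not from the original article) that checks a candidate password against those rules and builds a mnemonic password from a phrase. The eight-character minimum and the tiny word list are my assumptions: the article fixes no minimum length, and a real check would load a full cracking dictionary.

```python
import re

# Constructed stand-in for a cracking dictionary (assumption: a real check
# would load a full word list such as the ones password-cracking tools ship).
DICTIONARY = {"dog", "money", "spock", "vulcan", "password", "love", "force"}

MIN_LENGTH = 8  # assumption; the article only says three characters is too short


def is_dictionary_based(pw):
    """True for the patterns the article warns about: a dictionary word used
    as-is, written backwards, or with digits/symbols tacked on the end
    ("dog1", "dog11", "money#", "god1")."""
    core = re.sub(r"[\d\W_]+$", "", pw.lower())  # strip trailing "1", "11", "#", "6789"
    return core in DICTIONARY or core[::-1] in DICTIONARY


def check_password(pw, personal_terms=()):
    """Return the list of rule violations; an empty list means the password
    satisfies every rule. personal_terms holds names an attacker who knows
    you could guess (pet, team, family member, favourite character)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if is_dictionary_based(pw):
        problems.append("dictionary word (as-is, reversed, or with digits appended)")
    lowered = pw.lower()
    for term in personal_terms:
        if term.lower() in lowered:
            problems.append(f"contains personal information: {term}")
    if not (re.search(r"[A-Z]", pw) and re.search(r"[a-z]", pw)):
        problems.append("no mix of upper and lower case")
    if not re.search(r"\d", pw):
        problems.append("no numerals")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no special characters")
    return problems


def mnemonic(phrase, suffix=""):
    """First letter of each word, keeping each word's case, plus an optional
    suffix: "May the Force Be With You" -> "MtFBWY"."""
    return "".join(word[0] for word in phrase.split()) + suffix


if __name__ == "__main__":
    for candidate in ("dog11", "Spock1", "Butch#8976", mnemonic("May the Force Be With You", "#2024")):
        print(candidate, "->", check_password(candidate, personal_terms=("Spock",)) or "OK")
```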
Next, we'll tackle the problem of creating effective password schemes for multiple systems.
Creating a password scheme that works
In this section we look at password schemes for personal, home-based machines, work-related systems and networks, and a password scheme specifically for Cisco routers and switches not employing CiscoSecure-based TACACS+. CiscoSecure is a product that uses the TACACS+ protocol to allow routers and switches to have login authentication performed by an external source, such as a UNIX server, instead of the typical login passwords kept on the devices themselves.
Personal home-based PCs
An effective password scheme on home-based personal PCs uses a combination of the above theories. You'll want to make it fairly easy to remember because once you forget it, you'll have a problem getting into your machine without the skill set to break back in. You also need to consider the following:
- If you are running the Windows 9X platform, you don't need to worry about a password because passwords mean nothing to the security of the local machine. Your password is based on a profile, and if you press Cancel, you will bypass the machine's login. Also, a password-protected screensaver can be eliminated by rebooting the machine.
- If you are running the Windows NT, 2000, or XP platform, you want to make sure that you do not forget your passwords. You need to make sure you have the Administrator account locked down with a good password and that it is well hidden so that your machine won't be compromised. However, if you forget it, you want a way to get back in. This is accomplished by making a new account and password protecting it so you have a back door.
Home-based security is quite different from corporate security, so the guidelines are based on a person's level of comfort and paranoia. Here is an example of a password scheme for home use that is easy to remember: use a pet's name, a mix of upper and lowercase letters, the last four digits of your social security number, and a special character. The password you create might look like: Butch#8976
This example can also be used for Web sites, bank accounts, and other personal use systems. This type of password is virtually impossible to crack and is easy to remember.
Network administrator systems
What if you're in the unenviable position of a network administrator? Well, that's a little more difficult because you will be responsible for the passwords of many systems.
Password protection follows the same rules as before, just on a wider scale. You will most likely have numerous systems to secure with passwords and, what's more, you may even have levels of passwords depending on what type of access you want to grant users. In other words, you can have a Cisco router with multiple levels of login access, with each level giving more privileges.
You can use the same theories as listed in the first section of this article (uppercase, special characters, etc.) but with a new twist. Instead of picking a great name to remember, or a single word, you need to come up with a theme. Note: DO NOT use my example. It has been done before.
One of my favorite movies of all time is "Reservoir Dogs." In this movie, all the bad guys are given names based on colors: Mr. Black, Mr. White, and Mr. Pink. This theme can be tied into a password scheme for your network servers. Here is what it might look like:
| Server name | Server type | Password |
Notice that each server has a password that includes the color and a special character (the same among them all) along with part of the server name. Also, notice the upper and lower case letter usage. The likelihood of these passwords being cracked is extremely slim. This is an example of a solid password scheme; it works and it is something you can remember with little effort. Again, you can (and should) customize this to your needs.
Cisco administrator password schemes
The table below shows an effective password scheme for Cisco routers. Cisco routers require two levels of passwords: an initial password and an enable secret password.
Because Cisco routers accept case-sensitive passwords, you have a nice upper and lower case pattern here, special characters, and an easy-to-remember phrase.
For Cisco, you need an initial password to log into the router and a second level for more secure access, which you can configure as the enable secret password. This chart gives you an idea of how to configure this option. By making the password scheme relate to something you enjoy, such as a movie, you are more likely to remember it (not all security-related work needs to be a drag!); but, more importantly, make sure it's secure.
Passwords are a necessary, though inconvenient, part of our lives. All systems need them to have a simple-to-implement first level of access security. The question for IT professionals and users of all levels is how do we work with them and not go out of our minds? In this article we demonstrated how to effectively create individual passwords and password schemes. Passwords and password schemes need to be difficult to crack and easy to remember. Because passwords are a pain to remember and keep track of, people tend to put little effort into creating them, thus compromising their own security and the security of others. It's important to keep in mind, however, that no matter how effective the password or password scheme, there is always a level of risk associated with passwords.
- An excellent overview of password security under UNIX can be found at: http://www.ja.net/CERT/Belgers/UNIX-password-security.html.
- PDA Secure application information can be found at http://www.trustdigital.com/prod1.htm.