Tips on Password Security
Continuing my previous discussion of what makes a password strong, there is the additional need to routinely change your password. The reason to change your password is that the longer your password remains the same, the more likely it is to be discovered by a malicious user.
While odds are that a malicious user isn’t trying to discover your password all day every day, odds are good that at some point someone will try to use your account to gain access to unauthorized systems, information, etc. By changing your password, you do several things.
First, if your existing password has been compromised without your knowledge, you instantly revoke access to anyone maliciously using your credentials.
Second, if someone is actively trying to compromise your account, they need time to discover your password. Remember our discussion on the length of your password (the longer the better)?
Statistically speaking, someone attempting to find your password by trying every possible combination must, on average, try half of the possible passwords before finding the correct one. This is known as a brute force attack. The longer your password, the more possibilities an attacker must try before finding the correct one.
If your password is sufficiently lengthy and sufficiently complex, it could take as long as a few months or even years to break your password. When you change your password, you force any would-be attacker to restart the process of trying every possible combination. So, how often should you change the password? This has no exact answer.
NSK Inc. recommends you change your password at least once every 180 days. However, if you work with particularly sensitive data or have an account with elevated privileges, you should change your password more frequently.
Ask yourself how much damage an attacker could cause you, your company and your clients if he figured out your password. The more damage that can be done, the more often you should change your password.
Written by:
Ben Howard - MCSE, Security+, CCNA Security, NSA 4011
Senior IT Associate - NSK Inc.
Tips on Password Security

You always hear about choosing a strong password. Every time you sign up online for any account, you are advised to choose a strong password and maybe even given colors showing you the strength of the password you have selected. What exactly is a strong password, though?
First, your password should be no shorter than eight characters. Why? This is because most places don't actually store your password - they make a hash (which is sort of like a fingerprint) and then encrypt the hash, or vice versa. The relative strength of the encrypted and hashed file is based on both the strength of the encryption/hashing algorithm in use and the length of your password.
Generally speaking, your password is 2^n bits strong, where n is the number of characters in your password. A password of eight characters is similar to having a 256-bit password. By adding just one more character (now at nine characters), your password becomes similar to 512-bit. Each character you add doubles the password strength, but it takes more than an eight-character-long password to be considered strong.
You should also make sure not to use any combination of characters that can be found in the dictionary. For example, a password like "password", while eight characters long, will be easily cracked in a matter of minutes using what is known as a dictionary attack. This type of attack simply tries words found in a dictionary to log in as you.
Next, refrain from using information about you in your password such as your birthday, anniversary, phone number, street address, or other information that is probably posted all over your Facebook page. Why? These types of passwords use readily available information and are easy to guess. Use a mix of characters in your password including numbers, capital letters, lowercase letters, and special characters such as "%."
You can even take that same dictionary word and change a few of the letters to numbers or special characters to make your password considerably more complex but still easy to remember. Take the previous example, "password". Here's the same base word, but with some modifications: "P@ssW0rd". Note the capital letters, the special character in place of an "a", and the number zero in place of the "o". A hacking program will have a much more difficult time with this password than with our previous, plain English word.
Finally, make sure you keep your password simple enough to remember. It is not secure if you have to write it down and hide it under your keyboard. And remember, there is never a circumstance in which you should provide your password to anyone. No legitimate administrator needs your password to accomplish any task.
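To put numbers behind both posts (the brute-force and rotation argument above, and the length, dictionary and character-mix rules), here is an added Python example that is not part of either post: it estimates the keyspace an exhaustive attacker faces, the expected search time at an assumed guess rate, whether the password outlasts the 180-day rotation interval, and which of the rules a candidate password violates. The wordlist, the guess rate and the function names are assumptions constructed for the example.

```python
import string

# Constructed stand-in for a real cracking wordlist (assumption, not from the post).
DICTIONARY = {"password", "welcome", "letmein", "qwerty", "monkey", "football"}
# Assumed attacker guess rate (offline, single machine) and the post's rotation interval.
GUESSES_PER_SECOND = 1_000_000
ROTATION_DAYS = 180


def character_classes(password):
    """Which of the four character classes the post recommends mixing are present."""
    return {
        "lower": any(c.islower() for c in password),
        "upper": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(c in string.punctuation for c in password),
    }


def charset_size(password):
    """Alphabet an exhaustive attacker must assume: 26 per case, 10 digits, 32 specials."""
    sizes = {"lower": 26, "upper": 26, "digit": 10, "special": len(string.punctuation)}
    return sum(sizes[name] for name, present in character_classes(password).items() if present)


def expected_guesses(password):
    """Keyspace is charset ** length; on average the right guess is found halfway through."""
    return charset_size(password) ** len(password) // 2


def expected_crack_days(password, guesses_per_second=GUESSES_PER_SECOND):
    return expected_guesses(password) / guesses_per_second / 86400


def outlasts_rotation(password, rotation_days=ROTATION_DAYS, guesses_per_second=GUESSES_PER_SECOND):
    """True if the expected search takes longer than the rotation interval, so that
    changing the password on schedule forces the attacker to start over."""
    return expected_crack_days(password, guesses_per_second) > rotation_days


def policy_problems(password):
    """Return the rules from the post that the password violates (empty list = passes)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than eight characters")
    if password.lower() in DICTIONARY:
        problems.append("dictionary word")
    if sum(character_classes(password).values()) < 3:
        problems.append("fewer than three character classes")
    return problems


if __name__ == "__main__":
    for pw in ("password", "P@ssW0rd"):
        print(pw, policy_problems(pw), f"{expected_crack_days(pw):.1f} days", outlasts_rotation(pw))
```

Note that the estimate covers exhaustive search only; a word taken from the wordlist falls to the dictionary check long before the keyspace arithmetic matters.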
Written by:
Ben Howard - MCSE, Security+, CCNA Security, NSA 4011
Senior IT Associate - NSK Inc.