Passwords
Why do we use passwords?
Passwords are a form of identity used when you access a private
area of a network, such as a shared drive, or a website, such as
your bank account. The password is used to prove to an
authentication system that you are who you say you are. A username
and password together are the absolute minimum usually required to
log in to any site or shared space.
The basics for passwords: do not make them too easy to crack; never
write them down and store them, say, on your monitor; never tell
anyone your password. Follow this page for some basic ideas on how
to protect your vital information.
Create Passwords
Passwords should be at least 8 characters in length
and contain at least 3 of the following 4 types of characters:
- lower case letters (i.e. a-z)
- upper case letters (i.e. A-Z)
- numbers (i.e. 0-9)
- special characters (e.g. !@#$%^&*()_+|~-=\`{}[]:";'<>?,./)
Passwords for systems or applications that cannot
support the above standard should be longer -- at least 10
characters in length, if possible -- and incorporate the maximum
complexity the system or application can support.
Ideally, the system should be changed or updated.
Pass Phrases
Use pass phrases for creating good, cryptic, hard-to-guess passwords.
- Longer passwords are better.
- Avoid including personal information, names of family,
places, pets, birthdays, address, hobbies, license plate number,
etc.
- Avoid words that are slang, dialect, jargon, etc.
- A password consisting of several words separated by spaces
can actually be more secure and easier to remember than a more
complicated, obscure one.
- Basing your password on a phrase that is familiar to you
is one way to generate a password that is memorable to you,
but obscure to others. For example, "The hills are alive
with the sound of music!!" is actually a pretty good
password, except for the fact that it is inconveniently
long and published here. A shorter version could be, "Hills!
alive! Music!" or, using a variant on the first letter of
each word, "ThRawts0m!".
- A few memorable, unrelated words can also be a good
password, such as "correct horse battery staple" or, if the system
requires additional complexity, “Correct horse battery
staple!”
- Automatic "password cracker" programs now also check for
complete dictionary words in a row, separated by spaces or
not, so it's still always best to modify dictionary words.
"The hills are alyve w/the sound of musyc!" is much more
secure than "The hills are alive with the sound of music!"
It's also harder to remember, so it's a trade-off.
- Be aware that automatic "password cracker" programs check
for common symbol substitutions in words, such as "0" for "o"
and "$" for "s". Simply substituting common symbols for letters
in a dictionary word, e.g. "Pa$$w0rd" instead of "Password,"
might result in a guessable password even though it technically
meets the above requirements. Passwords that are found
vulnerable by automatic password strength checkers may be
rejected.
- Passwords shouldn't be too common (Password1 is very
common. 2bor!2b is pretty common and is also only 7 characters in length).
- Try out a password checker: Microsoft's password strength checker
is a handy tool to help gauge the strength of a password.
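As an added example (not part of this page), a small Python checker that applies the rules above: the 8-character / 3-of-4-classes rule, a common-password list, and the cracker-style check that undoes symbol substitutions ("0" for "o", "$" for "s") and rejects passwords that reduce to nothing but dictionary words. The word lists and the substitution table are constructed for illustration; a real checker would load a full dictionary and a breached-password list.

```python
import re

# Constructed sample lists for illustration only.
COMMON_PASSWORDS = {"password1", "2bor!2b", "password", "123456", "qwerty"}
DICTIONARY_WORDS = {"password", "the", "hills", "are", "alive", "with", "sound",
                    "of", "music", "correct", "horse", "battery", "staple"}

# Symbol substitutions a cracker's rule set undoes; the digit choices are
# approximations (a "1" might stand for "i" or "l").
SUBSTITUTIONS = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                 "$": "s", "@": "a"}

# The four character classes from the complexity rule on this page.
CLASSES = [re.compile(r"[a-z]"), re.compile(r"[A-Z]"),
           re.compile(r"[0-9]"), re.compile(r"[^a-zA-Z0-9]")]


def normalise(pw: str) -> str:
    """Lower-case the password and undo the common symbol substitutions."""
    return "".join(SUBSTITUTIONS.get(ch, ch) for ch in pw.lower())


def all_dictionary_words(letters: str) -> bool:
    """True if the letters split entirely into dictionary words (spaces or not)."""
    n = len(letters)
    reachable = [True] + [False] * n  # reachable[i]: letters[:i] fully segmented
    for i in range(1, n + 1):
        reachable[i] = any(reachable[j] and letters[j:i] in DICTIONARY_WORDS
                           for j in range(i))
    return n > 0 and reachable[n]


def check_password(pw: str) -> list:
    """Return the reasons the page's rules reject pw; an empty list means it passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if sum(1 for cls in CLASSES if cls.search(pw)) < 3:
        problems.append("fewer than 3 of the 4 character classes")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    # Keep only letters so "Pa$$w0rd" is judged on the word it reduces to.
    letters = re.sub(r"[^a-z]", "", normalise(pw))
    if all_dictionary_words(letters):
        problems.append("dictionary words only (after undoing symbol substitutions)")
    return problems


if __name__ == "__main__":
    for candidate in ["Pa$$w0rd", "Password1", "ThRawts0m!",
                      "The hills are alyve w/the sound of musyc!"]:
        print(repr(candidate), "->", check_password(candidate) or "OK")
```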
Administrator Accounts
Disable all built-in administrator accounts and set up your own
policy-based accounts.
Passwords should be changed regularly.
Keep Your Passwords Secret
Do not share your passwords with anyone, or in any way publish them.
Avoid writing passwords down.
Whenever possible, change passwords to something you can
easily remember.
One way to do this is to create a password from a
familiar phrase (see Pass Phrases for more information).
Once you have a good, strong, memorable password, you
can come up with a system to modify it slightly for each
system or application. Then you only have to remember your
base password and your system.
If you have to write a password down, try to write it in a
way that others won't be able to decipher -- such as using a
hint for part of it -- and store it securely in a safe
place, e.g., not under the keyboard or on your monitor.
If you think your password may have been compromised,
notify your IT Support and your supervisor immediately.
Single Sign On (SSO)
Single sign-on is a session / user authentication process
that permits a user to enter one name and password in order to
access multiple applications. The process
authenticates the user for all the applications they have been given
rights to and eliminates further prompts when they switch
applications during a particular session.
- Use SSO only for back-end services
- Use strong passwords
- Change them often
SSO Pros and Cons
Advantages:
- Users select stronger passwords, since the need for multiple
passwords and change synchronization is avoided.
- Inactivity timeout and attempt thresholds are applied
uniformly closer to user points of entry.
- It improves the effectiveness/timeliness of disabling all
network/computer accounts for terminated users.
- It improves an administrator's ability to manage users and
user configurations to all associated systems.
- It reduces administrative overhead in resetting forgotten
passwords over multiple platforms and applications.
- It provides users with the convenience of having to remember
only a single set of credentials.
- This also improves security as users find it easier to
remember their credentials and do not have to write them down,
allowing for a more efficient user logon process.
- It reduces the time taken by users to log into multiple
applications and platforms.
Disadvantages:
- Single point of failure
- Single high-value target (attracts more attackers)
- Necessary information disclosure between trusting site and
SSO authority
- Side channel attack against authentication step
(theoretically; implementation dependent)
- Lack of control over your user list
- Yet another interface to maintain (added complexity)
- You may never know how secure your system is or if there is a
breach
- Added cost