Ladyg33k

Guidelines for Secure Password Selection

These days, much of our life is protected by simple little passwords, but how many people have truly thought about what they could lose if their account was compromised?

I have.

Passwords protect our bank accounts, insurance and health information, service accounts, online memberships, and email. If the password to any of these accounts were compromised, what is the worst that could happen? Could you lose all of the money in your bank account? Could someone masquerade as you for health-related services? Could someone change or cancel your cable, DSL, or cell phone plan? Could they deface your Facebook or MySpace account? What if they read through your email and found that you had thousands of accounts all over the web, and all they needed to do was request a password reset for each one to assume your online identity?

Interestingly enough, there are sources all over the Internet describing how to make a more secure password. However, I would recommend that anyone use the NSA's guide, which I found here while writing this article.

Below is an excerpt from pages 7 and 8.

Passwords

Passwords are a primary method used to control access to resources. Because authenticated access is seldom logged, a compromised password is a way to explore a system without causing suspicion. An attacker with a compromised password can access any resource available to that user.

Poor passwords or blank passwords are still a common occurrence on many networks. Many users still use dictionary words, hybrids, names, and default passwords. Additionally, passwords less than 8 characters and passwords that are the same as the username are also frequently used. These types of passwords can be cracked within minutes or even seconds using any number of publicly available password crackers.

General guidelines for password security include:

  • Passwords should be 12 or more characters in length on Windows systems.
  • In older releases of some UNIX operating systems, a maximum of 8 characters was allowed. However, on more modern-day UNIX systems password length is based upon the available algorithm (MD5, Blowfish, etc.) residing on the system. This gives the added benefit of maximizing the password length to 255 characters on some systems.
  • Users should never share their passwords nor keep written passwords in an easily-accessible place (e.g. under a keyboard, on the computer monitor).
  • Passwords should be difficult to guess and include uppercase, lowercase, special (e.g., punctuation and extended character set), and numeric characters. They should not include dictionary words or names.
  • Users should not transmit passwords in cleartext (e.g. via Telnet or FTP).
  • System administrators should crack passwords monthly to identify problems with weak passwords and to determine if the password policy is being followed. Password-guessing programs (e.g. "John the Ripper", "L0phtCrack", and "Crack") identify those users having easily guessed passwords. Because password cracking programs are very CPU intensive and can slow down the system on which they are running, it is a good idea to transfer the encrypted passwords (the dumped SAM database for Windows and the /etc/passwd and /etc/shadow files in UNIX) to a stand-alone (not networked) system. Also, by doing the work on a non-networked machine, any results found will not be accessible by anyone unless they have physical access to that system. NOTE: Always obtain explicit and preferably written permission from the organization before running any password scanner/cracker.
  • Passwords should be changed regularly (every 30 to 90 days). Set up password aging via Account Policy for Windows systems or the /etc/default/passwd file in SOLARIS. Some Linux releases use the 'chage' command to set up and modify the password aging requirements for users.
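As an added illustration, not part of the original post or the NSA guide, here is a small Python checker that applies the excerpt's selection rules to a candidate password: the 12-character minimum, all four character classes, not matching the username, and no dictionary words (including "hybrids" such as a word padded with digits and punctuation). The word list is a constructed stand-in for a real wordlist.

```python
import string

# Constructed mini word list for the demo only; a real deployment would load
# a full wordlist (assumption: a path such as /usr/share/dict/words).
DICTIONARY = frozenset({"password", "summer", "welcome", "dragon", "letmein", "alice"})

MIN_LENGTH = 12                  # the excerpt's recommendation for Windows systems
SPECIAL = set(string.punctuation)


def check_password(password: str, username: str = "", dictionary=DICTIONARY) -> list:
    """Return the list of guideline violations; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    # Punctuation or any character outside ASCII counts as "special/extended".
    if not any(c in SPECIAL or ord(c) > 127 for c in password):
        problems.append("no special/extended character")
    lowered = password.lower()
    if username and lowered == username.lower():
        problems.append("same as username")
    # Substring match catches hybrids like Summer2024!, not just exact words.
    # Sorted iteration keeps the report order deterministic.
    for word in sorted(dictionary):
        if len(word) >= 4 and word in lowered:
            problems.append(f"contains dictionary word '{word}'")
    return problems


if __name__ == "__main__":
    for candidate, user in [("Summer2024!", "bob"), ("alice", "alice"), ("c0rrect-Horse!battery", "bob")]:
        print(f"{candidate!r}: {check_password(candidate, user) or 'OK'}")
```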