ISW Security Papers Contest
 
Passwords: Simple yet effective by DC ODriscoll on 17/10/03

Contents

  1. Choosing a password
  2. Stronger passwords (pseudo-random techniques)
  3. Managing your password
  4. Password policies for small organisations

For most computer users, the password is the linchpin underpinning the security of the system. Despite this, it is regularly the weakest point and is often the first thing attacked; there are numerous programmes available whose sole purpose is to discover your password, thereby gaining access to your computer and potentially taking control of it and its contents. Many systems have sophisticated mechanisms for managing passwords, but these are of no use if the password you have chosen is not up to the job.


1. Choosing A Password

One survey estimated that 70% of passwords were female names. Another suggested that 90% of passwords could be found in a dictionary. From a hacker's point of view this makes life very easy: lists of female names and dictionary words are readily available and are ideal for attacking a computer account.

The main rule in choosing a password is to choose one appropriate to the security needs of what is being protected. A password for a fun site on the internet is not that important, as long as that password is not also used for more significant information. Websites and computer accounts which give access to important data, whether personal data, credit card numbers or other sensitive material, and even email accounts, need sufficiently strong passwords to defeat the majority of attacks, in particular 'dictionary attacks' (where 'crackers' try common words and patterns, rather than every possible string, to cut the time needed to discover your password).

The trick is to find a balance between something too complicated to remember and something easily guessed. A password should obey as many of the following guidelines as possible:

  1. The longer the password, the better. The bare minimum should be eight characters, and preferably much longer.
  2. Avoid personal information related to you and your family, such as children's and pets' names, dates of birth, car registration numbers, favourite bands and so on. Writing them backwards is not good enough either. A password which is a name or a dictionary word can be cracked in a few minutes.
  3. Use a phrase or sequence of letters which has significance to you but is not generally known. Do not have it framed on your desk.
  4. It should contain a mixture of capital and small letters and numbers. Where possible, non-alphanumeric symbols such as dollar and pound signs, spaces and the various other symbols found on the keyboard should be used, though not all systems permit them (internet websites in particular).
  5. Some letters can be exchanged for numbers or symbols, for example writing '5' for 's' or '$' for 'S'. Note that substitutions like these are well known, so a password based on a name or word with letters replaced in this fashion is little better than the name itself: password cracking programmes handle these variations with ease, so choose less obvious replacements.
  6. Random is good! The more random your password is, the harder (though not impossible) it is to crack.
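To show what "cracked in a few minutes" and "well-known substitutions" mean in practice, here is an added example, not from the original article, of the kind of mangling a dictionary cracker performs on each word of its list. The six-word list and the use of unsalted SHA-256 as the stored hash are constructed assumptions for illustration; real tools ship lists of millions of names and words and many more mangling rules, and go somewhat beyond guideline 5 by also appending short digit suffixes, as this example does.

```python
import hashlib
import itertools

# Constructed, deliberately tiny wordlist standing in for the lists of
# female names and dictionary words the article mentions.
WORDLIST = ["alice", "emma", "sarah", "password", "sunshine", "dragon"]

# The well-known letter-for-symbol substitutions (guideline 5).
SUBSTITUTIONS = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}


def mangle(word):
    """Return the set of forms a cracker derives from one wordlist entry:
    case changes, reversal, every combination of the substitutions above,
    and a one- or two-digit suffix on each of those."""
    bases = {word, word.capitalize(), word.upper(), word[::-1]}
    for base in list(bases):
        slots = [i for i, ch in enumerate(base) if ch.lower() in SUBSTITUTIONS]
        for r in range(1, len(slots) + 1):
            for combo in itertools.combinations(slots, r):
                chars = list(base)
                for i in combo:
                    chars[i] = SUBSTITUTIONS[chars[i].lower()]
                bases.add("".join(chars))
    forms = set(bases)
    for base in bases:
        for n in range(100):
            forms.add(f"{base}{n}")
    return forms


def hash_password(password):
    """Unsalted SHA-256 stands in for whatever the target system stores;
    the attack is the same against any fast, unsalted hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def dictionary_attack(target_hash, wordlist=WORDLIST):
    """Try every mangled form of every word. Returns (password, guesses),
    or (None, guesses) if the hash was not derived from the wordlist."""
    guesses = 0
    for word in wordlist:
        for candidate in sorted(mangle(word)):
            guesses += 1
            if hash_password(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


if __name__ == "__main__":
    # "Sarah7", "dr@g0n" and "p@$$w0rd" all fall within a few thousand guesses;
    # a phrase not built from the list is never found by this attack.
    for secret in ["Sarah7", "dr@g0n", "p@$$w0rd", "Alice1", "correct horse battery"]:
        found, guesses = dictionary_attack(hash_password(secret))
        print(f"{secret!r:25} -> {found!r} after {guesses} guesses")
```

A few thousand guesses is a fraction of a second on any machine; the only reason a real attack takes minutes is the size of the wordlist, which is exactly why a password that is not derived from a word or name at all is worth so much more than one that is merely decorated.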

Some people make the mistake of boasting about their password technique, for example which non-English dictionary they chose their passwords from. If overheard, they have just compromised themselves and made life easier for any hacker.

Passwords are not the last line of defence and should never be treated as such. Flaws in software can allow the password to be bypassed altogether, and, given enough time, any password can be broken by brute force. The main purpose of a password is to make it difficult for the casual hacker, who is limited in the time and resources they can apply, to get in.


2. Stronger Passwords (Pseudo-Random Techniques)

The above guidelines produce passwords secure to an intermediate level (not easily guessed or broken) that are relatively easy to remember. However, each has weaknesses which mean a determined hacker can still crack the result within a reasonable length of time. If you need a level at which hackers will have much greater difficulty accessing your account, you need to look at pseudo-random or random passwords. These can still be broken, but the point is that it now requires a brute-force approach, which takes much longer and is often impractical or not worth the effort given what is being protected (provided, of course, that you are also using sensible security policies to protect your sensitive information: remember, sensitive information should never rely on passwords alone).

Random passwords are hard to remember, especially if you have several of them. Because they are so much harder to remember, your staff are far more likely to write them down, so in practice they can pose a greater security risk than a less random password.

Pseudo-random passwords are constructed by a set of rules that you know, but which appear random to anyone else.

There are several methods for generating pseudo-random passwords:

A common technique is based on selecting text from a book which means something to you. Choose a page, and then a method for selecting letters from that page, such as the first letter of each line. All you are then required to remember is the book, the page number and how you created the password. This is considerably simpler to remember and not easily deduced by someone trying to access your accounts. To strengthen it further, apply some of the techniques suggested in guidelines 4 and 5 above, to confound anyone who has worked out that you are using this technique.

Example:
First letter of each line on page 45 of War And Peace: AstatgAeinEPBV
Convert e and E to 3: AstatgA3in3PBV
Convert A to @: @statg@3in3PBV

As you can see it appears as an essentially random set of letters, numbers and symbols, but relatively easy to remember as you do not have to remember the password itself, but the series of rules required to create it. By a rules we mean an instruction to alter the text in someway, as suggested in guidelines 4 & 5, and as demonstrated in the previous example, which only had five distinct but simple bits of information to remember.

If using this technique, be discreet. Do not leave the book lying in an obvious place with a marker in the page! It is unwise to open the book when others are around, or to have it lying next to your desk all the time. A book which has been opened regularly at the same page will have a damaged spine, and when dropped on its back will tend to fall open at that page. Of course, if you choose a more complicated pattern than the first letter of each line, for example a diagonal across the page starting three lines down, you can still confound an observer who has found the page.

Another useful technique is to pick a long phrase or saying that you can remember easily and use the first letter of each word as your password. You can improve on this by taking, say, the second letter instead, or by using a pattern to select the letters; add further variety by putting a number or numerical pattern between the letters, and by using substitutions such as 3 for E.

Example:
Phrase: If not you, who? If not now, when?
By selecting the first letters it becomes: InywInnw
Variations: InYwInNw (first and third word of each question capitalised), i1n2y3w4i5n6n7w8 (all lower case, with a counting digit after each letter)

As you can see, the more rules you apply, the more secure your password becomes. This allows you to grade your security needs: applications which are not that important, but which you want to protect from casual hackers, need relatively few rules behind the password. More important accounts, such as root access to your computer, your own personal account, email accounts and files containing very sensitive information, should have passwords backed by a larger number of rules.

Do not write your rules down anywhere: the whole point of having only a few rules to remember, rather than the full complicated password, is that you can keep them in your head far more easily.

For those who require really strong security, randomly generated passwords, or pass-phrases of the type used by PGP, are required, with elements of all the above guidelines applied. There are programmes available which will grade the strength of your passwords, and some applications will warn that a chosen password is insufficiently strong. Pay attention to such warnings: these checks are lenient, so a password they reject is genuinely weak.


3. Managing Your Password

Try to change your password at regular intervals, usually between one and three months, and immediately if you think that your computer has been compromised or that someone may have watched you type it in. Never, ever give it out, especially online. Remember that computers can be stolen and they can be hacked, so never leave a password in a plain text file on your hard drive. The best approach is to put your passwords into a strongly encrypted file stored on a floppy disk or CD (which also makes life simpler when taking work home). Then, even if your computer is stolen or confiscated, you will still have your passwords and the thief will not, and you will not have to spend ages reconfiguring all your accounts and rebuilding your access to networks.

The file must be protected with strong encryption; this means you have to remember only one password, so make sure that it is as strong as possible. There is no point securing everything and then leaving the bundle of keys where it can easily be found. This is a classic example of the maxim that security is only as good as the effort put into it. The downside is that if you forget the master password you lose all the passwords, so be careful.
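As an added illustration, not the article's own code, of what a "strongly encrypted file" guarded by a single master password involves, the following Python uses only the standard library: a salted, deliberately slow key derivation (PBKDF2-HMAC-SHA256) so that guessing the master password is expensive, separate keys for encryption and integrity, and an encrypt-then-MAC tag so that a wrong master password or a tampered file is detected instead of silently decrypting to garbage. The keystream is HMAC-SHA256 run in counter mode because the standard library ships no block cipher; the file layout, field sizes and iteration count are this example's assumptions. For real use, a vetted tool such as `gpg --symmetric` or a reputable password manager is the right choice.

```python
import hashlib
import hmac
import json
import os
import struct

# Assumed parameters for this example's file layout: salt | nonce | ciphertext | tag.
SALT_LEN = 16             # random per file, so equal master passwords give different keys
NONCE_LEN = 16            # random per file, so a keystream is never reused
TAG_LEN = 32              # HMAC-SHA256 output
KDF_ITERATIONS = 600_000  # deliberately slow: each guess at the master password costs this much


def derive_keys(master, salt):
    """Stretch the master password once, then split it into independent
    encryption and MAC keys so neither key reveals the other."""
    root = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, KDF_ITERATIONS)
    enc_key = hmac.new(root, b"encryption", "sha256").digest()
    mac_key = hmac.new(root, b"integrity", "sha256").digest()
    return enc_key, mac_key


def keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode as a pseudo-random keystream."""
    blocks = [hmac.new(key, nonce + struct.pack(">Q", i), "sha256").digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal(master, passwords):
    """Encrypt a dict of {account: password} under the master password."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(master, salt)
    plaintext = json.dumps(passwords).encode("utf-8")
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    body = salt + nonce + ciphertext
    tag = hmac.new(mac_key, body, "sha256").digest()   # encrypt-then-MAC over everything
    return body + tag


def unseal(master, blob):
    """Verify the tag first and only then decrypt. Raises ValueError on a
    wrong master password or on any modification of the file."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("file too short to be a password store")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    salt = body[:SALT_LEN]
    nonce = body[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = body[SALT_LEN + NONCE_LEN:]
    enc_key, mac_key = derive_keys(master, salt)
    expected = hmac.new(mac_key, body, "sha256").digest()
    if not hmac.compare_digest(expected, tag):        # constant-time comparison
        raise ValueError("wrong master password, or the file has been altered")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode("utf-8"))


def opens_with(master, blob):
    """True if the master password unlocks the store, False otherwise."""
    try:
        unseal(master, blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample contents; 'blob' is what you would write to the removable disk.
    store = {"mail": "@statg@3in3PBV", "bank": "i1n2y3w4i5n6n7w8"}
    master = "correct horse battery staple"
    blob = seal(master, store)
    print(unseal(master, blob))
    print(opens_with("password1", blob))                # False: wrong master password
    tampered = blob[:32] + bytes([blob[32] ^ 1]) + blob[33:]
    print(opens_with(master, tampered))                 # False: altered file is rejected
```

Two design points carry over to whatever tool you actually use: the salt and slow derivation are what make the master password the only thing an attacker with the file can attack, and the integrity tag is what turns "wrong password" from a pile of garbage into a clear error, which is also what lets the file be safely carried around on removable media.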

Do not write your password down and stick it under a desk or chair!
This is one of the first places people will look as it is so commonly used.

It is often observed that passwords tend to be based on objects found within five feet of the computer. Someone spying on you can use this to guess your password, but applying the guidelines above will make any such attempt considerably more difficult.

Do not use the same password for everything!
If you do, then when one insecure application is cracked your entire set of accounts is opened to the cracker. It is easy to get sloppy about this, which is why it is very useful to have a policy of using increasingly strong passwords as the sensitivity of the data or account being protected increases. For very low-level uses, where the password is little better than a registration tool, as on some websites, there is little harm in using the same password across the board (though never for websites which hold your credit card details). As the importance grows, reconsider your approach and take an increasingly strong line on passwords.

Change default passwords.
Default passwords are easily looked up, and numerous security breaches have been enabled by people overlooking this simple step.

Do not give your password to your secretary.
This is surprisingly common, as managers need to access their files when out of the office, or other staff need access to accounts while someone is off sick. Unfortunately it is also exploited by social engineers, who are adept at bluffing secretaries into giving up this information. You are also putting your trust in the security habits of your secretary, who may simply write the password on a piece of paper in a desk drawer. If you must share passwords, be extra careful about the conditions of storage and disclosure, and never let temporary staff near them.

3.1 Passport, Electronic Wallets and KeyChains

It is becoming increasingly common to see key chains and authentication services promoted across the internet and on networks (for example Microsoft's Passport). We would hesitate to put trust in most of them, for various reasons. That said, the Kerberos 5 authentication system does appear to stand up to scrutiny when implemented across networks. Our main concern is that such services involve trusting others to protect you, and in the software world this is a most unhealthy thing to do. As we have noted elsewhere, there is no point having the most secure software in the world unless it is used correctly and the person doing the securing is completely trustworthy.

We recommend that you do not place any trust in Microsoft's Passport system. It is a very flawed system, and if you provide it with your credit card and other personal details you are taking far too great a risk. If one link in the chain is broken the whole system is compromised, exposing you. The same is true of other electronic wallets and authentication systems; as yet we have not seen any we would feel comfortable endorsing.

Some operating systems and networks offer something similar in key chains, which store all your usernames and passwords for you. Like any such system this is open to attack and puts too many eggs in one basket. While it may be fine for low-value passwords, we really do not recommend it for storing passwords which hold the key to sensitive and private information. Instead we urge you to take the advice given above and store them in a single, very securely encrypted file. You should also never store passwords using the Windows password storage feature: when a dialogue box offers to remember the password for you, click NO. The security of this feature is appalling and it is very easily cracked.


4. Password Policies for Small Organisations
  • Change passwords on a predefined schedule. Forbid the reuse of old passwords, if the system permits this option.
  • Have a standard set of minimum guidelines on how strong passwords should be for those with responsibility for commercially important data.
  • Have clear policies about shared password management, taking into account the presence of temporary staff; for each shared project, have a designated policy manager.
  • If multiple passwords are to be stored in a file on a computer, ensure the file is properly secured with encryption, with specific access rights and knowledge of it delimited in the relevant policy document.
  • If on a network, have shared and private folders clearly defined, so that people who may need access to someone else's account in an emergency, absence or illness have access only to what they need, rather than the entire account. This should include secretaries and temporary employees.
  • Make sure everyone is educated about passwords: their strengths, their weaknesses and how to select them.
  • For any new software, change all passwords from the default immediately.

See also the following article:
A Password Policy Primer by Vince Barnes (external link)


All images, content & text (unless other ownership applies) are © copyrighted 2000 -  , Infosecwriters.com. All rights reserved. Comments are property of the respective posters.