Weak Passwords
A weak password is one that can be easily guessed: it is short, common, a system default, or otherwise findable by a brute-force attack that tries only a subset of all possible passwords, such as dictionary words, proper names, words based on the username, and common variations on these themes. Passwords that acquaintances of the user could guess (date of birth, a pet's name, a spouse's name) are considered very weak. Here are some examples of weak passwords:
- Susan: Common personal name;
- aaaa: Repeated letters, can be guessed;
- rover: Common name for a pet, also a dictionary word;
- abc123: Can be easily guessed;
- admin: Can be easily guessed;
- 1234: Can be easily guessed;
- QWERTY: A sequence of adjacent letters on many keyboards;
- 12/3/75: Date, possibly of personal importance;
- nbusr123: Probably a username, and if so, can be very easily guessed;
- password: Used very often - trivially guessed;
- December 12: Using the date of a forced password change is very common.
Strong Passwords
A strong password is long enough, random or otherwise difficult to guess, and producible only by the user who chooses it. How long a password must resist guessing varies with the attacker, the attacker's resources, the ease with which a password can be tried and the value of the password to the attacker. A student's password might not be worth more than a few seconds of computer time, while a password controlling access to a large bank's electronic money transfer system might be worth many weeks of computer time to crack. Here are some examples of strong passwords:
- Convert £100 to Euros!: Such phrases are long and memorable, and the extended symbol (£) further increases the strength of the password.
- 382465304H: A mix of numbers with a letter at the end. Passwords of this form are typically generated randomly for mass-created user accounts, for example in schools and businesses.
- MoOoOfIn245679: Long, with both letters and numerals.
- t3wahSetyeT4: Not a dictionary word, and it mixes letters and numerals.
Random Passwords
A password is stronger if it includes a mix of upper- and lower-case letters, numbers and other symbols (when allowed) for the same number of characters, because the attacker must search a larger alphabet. The difficulty of remembering such a password increases the chance that the user will write it down, which exposes it to a different attack. Whether this represents a net reduction in security depends on whether the primary threat is internal (e.g., social engineering) or external. A password can look random at first sight and yet, on closer examination, be just a pattern. 26845 is one example: it does not look guessable, but the person who created it can remember it because it is simply the four direction keys on the numeric keypad (2, 4, 6, 8) plus the five in the middle. Its length is the real problem: a five-digit password has only 100,000 possibilities, so it falls to brute force regardless of how random it looks.
The general guidelines applicable to the password policies, which can be implemented organization-wide, are as follows:
- Passwords and user logon identities (IDs) should be unique to each authorized user.
- Passwords should consist of a minimum of eight alphanumeric characters (no common names or phrases).
- There should be computer-controlled lists of prescribed password rules and periodic testing against them (for letter and number sequences, character repetition, initials, common words and standard names) to identify weak passwords.
- Passwords should be kept private, that is, not shared with friends, colleagues, etc. They shall not be hard-coded into programs or written down anywhere.
- Passwords shall be changed every 30 or 45 days, or more often. Most operating systems (OSs) can enforce automatic password expiration and prevent repeated or reused passwords.
- User accounts should be frozen after five failed logon attempts. All erroneous password entries should be recorded in an audit log for later inspection and action, as necessary.
- Sessions should be suspended after 15 minutes (or another specified period) of inactivity and require the password to be re-entered.
- Successful logons should display the date and time of the last logon and logoff.
- Logon IDs and passwords should be suspended after a specified period of non-use.
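The periodic rule tests the guidelines call for (letter and number sequences, character repetition, keyboard walks, dates, common words and names, and the logon ID inside the password) and the search-space argument from the strong-password section can be put into one small tester and run over the weak and strong examples above. The following is an added example, not code from the original page; the wordlist, the keyboard rows, the 1e10 guesses-per-second rate, the 40-bit threshold and the username "nbusr" are constructed assumptions for illustration:

```python
"""Password-rule tester for the guidelines above (added example, not from
the original page). It implements the periodic tests the policy names:
letter and number sequences, character repetition, keyboard walks, dates,
common words and names, and reuse of the logon ID, plus a brute-force
search-space estimate so weak and strong examples can be compared."""
import math
import re

# Constructed, deliberately tiny wordlist for the example; a real tester
# loads a large dictionary and a list of common first names.
COMMON_WORDS = {"password", "admin", "rover", "susan", "qwerty", "welcome",
                "letmein", "december", "monkey", "dragon"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
MONTHS = ("january|february|march|april|may|june|july|august|"
          "september|october|november|december")


def has_repetition(pw, run=3):
    """Same character `run` or more times in a row, e.g. 'aaaa'."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def has_sequence(pw, run=3):
    """`run` adjacent characters stepping up or down by one code point,
    e.g. 'abc', '123', '4321'."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        steps = {ord(s[j + 1]) - ord(s[j]) for j in range(i, i + run - 1)}
        if steps == {1} or steps == {-1}:
            return True
    return False


def has_keyboard_walk(pw, run=4):
    """`run` adjacent keys from one keyboard row, forwards or backwards."""
    s = pw.lower()
    rows = KEYBOARD_ROWS + [r[::-1] for r in KEYBOARD_ROWS]
    return any(s[i:i + run] in row
               for i in range(len(s) - run + 1) for row in rows)


def looks_like_date(pw):
    """Numeric dates (12/3/75) or a month name (December 12)."""
    s = pw.lower()
    return (re.fullmatch(r"\d{1,4}[/.\-]\d{1,2}[/.\-]\d{2,4}", s) is not None
            or re.search(r"\b(%s)\b" % MONTHS, s) is not None)


def is_common_word(pw):
    """The password is a dictionary word or name once case, digits and
    punctuation are ignored ('Susan', 'rover', 'password1!')."""
    core = re.sub(r"[^a-z]", "", pw.lower())
    return core in COMMON_WORDS


def contains_username(pw, username):
    """The logon ID appears inside the password ('nbusr123' for 'nbusr')."""
    return bool(username) and len(username) >= 3 and username.lower() in pw.lower()


def weaknesses(pw, username=None):
    """Names of every rule the password trips, in a fixed order."""
    checks = [("repetition", has_repetition(pw)),
              ("sequence", has_sequence(pw)),
              ("keyboard_walk", has_keyboard_walk(pw)),
              ("date", looks_like_date(pw)),
              ("common_word", is_common_word(pw)),
              ("contains_username", contains_username(pw, username))]
    return [name for name, hit in checks if hit]


def charset_size(pw):
    """Alphabet an attacker must cover, judged from the classes present."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33  # printable ASCII punctuation and space; non-ASCII symbols counted the same way
    return size


def entropy_bits(pw):
    """Brute-force search space in bits: length * log2(alphabet size).
    An upper bound: the pattern checks above catch what it misses."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def brute_force_seconds(pw, guesses_per_second=1e10):
    """Worst-case time to exhaust the search space at the given guess rate
    (1e10 guesses/s is a constructed figure for a fast offline attack)."""
    return 2 ** entropy_bits(pw) / guesses_per_second


def evaluate(pw, username=None, min_length=8, min_bits=40):
    """Apply the policy: minimum length, no rule hits, enough search space."""
    findings = weaknesses(pw, username)
    bits = entropy_bits(pw)
    weak = len(pw) < min_length or bool(findings) or bits < min_bits
    return {"password": pw, "findings": findings,
            "bits": round(bits, 1), "weak": weak}


if __name__ == "__main__":
    for pw in ["Susan", "aaaa", "rover", "abc123", "admin", "1234", "QWERTY",
               "12/3/75", "nbusr123", "password", "December 12",
               "Convert £100 to Euros!", "382465304H", "MoOoOfIn245679",
               "t3wahSetyeT4"]:
        r = evaluate(pw, username="nbusr")
        print(f"{pw!r:26} weak={r['weak']!s:5} bits={r['bits']:6} "
              f"findings={r['findings']}")
```

Run over the page's own examples, every password in the weak list trips at least one rule or the eight-character minimum, while the passphrase, 382465304H (about 52 bits) and t3wahSetyeT4 (about 71 bits) pass. MoOoOfIn245679 is the exception: the tester flags the ascending run 4567 inside it, so a policy enforced this way would reject a password the page rates as strong, even though its 14 characters over a 62-symbol alphabet give roughly 83 bits against brute force. That is the usual trade-off with rule-based testers: they are stricter than an eyeball assessment, and the thresholds are policy choices.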