Secret passwords are one of the most basic methods of network security. Passwords increase the integrity and confidentiality of a system by limiting access to the person or persons knowing the password. This method may be combined with other authentication methods like security tokens and biometrics to positively identify a person. The security of a password is determined by these five elements:
- The secrecy of the password - As a general rule, the security of a password is cut in half for each person who knows the password. This is one of the largest vulnerabilities exhibited in a password system, as social engineering or just plain old stupidity can compromise the security of a password.
- Resistance to guessing - A good password should not be easily guessed. Passwords based on a person's name, address, family members, pets, birthday, or other commonly known facts about a person are by nature insecure. Other bad passwords are the infamous god, as well as the word password or the number combination 12345 (too many Spaceballs freaks out there).
- Resistance to brute force and dictionary attacks - A good password will at least make the script kiddies work a little bit if they want to crack it. There are three ways to strengthen a password:
  - Password length - the longer the better. The minimum recommended password length is six characters, although many network security professionals recommend nine or more.
  - Use multiple types of characters. There are four character types: lowercase letters (a-z), uppercase letters (A-Z), numbers (1-9) and special characters (!, @, #, $, etc.). The more types of characters you use, the stronger the password will be. A good recommendation is to use at least three of the four types, and on a Microsoft Windows server with password complexity enabled this is mandatory.
  - Avoid dictionary words and repeated characters; both make the password much easier to crack. A randomly generated password is the most inherently secure, although it is also more likely to be written down, which increases the risk of a breach in the secrecy of the password.
- Password storage security - If there is a failure in this area, all the above steps are useless. Passwords should never be stored on a server in the clear, and should be encrypted in transmission. The preferred method for storage is a one-way hash function: the server keeps only the hash, which cannot be turned back into the password, and checks a login by hashing what the user types and comparing it with the stored value. An attacker who steals the hashes is left guessing candidate passwords and hashing each one, which is why the strength rules above still matter. A server must also be physically secure, as an attacker gaining physical access to a server is likely to be able to circumvent normal security measures.
- Password rotation - Passwords should be changed periodically. This reduces the chance of a password being cracked as well as reducing the potential for damage from a compromised password. The length of time between password changes depends on the need for security. A common password duration is one month, and anything less often than quarterly is effectively useless for business purposes.
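The strengthening rules (length, three of four character types, no dictionary words or repeated characters) and the one-way storage rule above, combined in one added example that is not part of the original article. The nine-character minimum, the tiny word list and the PBKDF2 iteration count are assumptions chosen for illustration.

```python
import hashlib
import re
import secrets

# Constructed mini word list standing in for a real cracking dictionary.
DICTIONARY = {"password", "god", "welcome", "dragon", "letmein"}
MIN_LENGTH = 9     # the "nine or more" recommendation (assumed policy value)
MIN_CLASSES = 3    # at least three of the four character types

def character_classes(password):
    """Count how many of the four character types the password uses."""
    checks = (str.islower, str.isupper, str.isdigit,
              lambda c: not c.isalnum())      # special characters
    return sum(any(check(c) for c in password) for check in checks)

def policy_violations(password):
    """Return the rules the password breaks; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if character_classes(password) < MIN_CLASSES:
        problems.append("too few character types")
    if re.search(r"(.)\1\1", password):       # three of the same char in a row
        problems.append("repeated characters")
    lowered = password.lower()
    if any(word in lowered for word in DICTIONARY):
        problems.append("contains dictionary word")
    return problems

def hash_password(password, salt=None):
    """Store a salted one-way hash, never the password itself."""
    salt = salt or secrets.token_bytes(16)    # per-user random salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest

def verify_password(password, salt, stored):
    """Verification recomputes the hash; nothing is ever decrypted."""
    _, candidate = hash_password(password, salt)
    return secrets.compare_digest(candidate, stored)

if __name__ == "__main__":
    for pw in ("password1", "Gr8-Sailb0at", "aaaBBB111!!"):
        print(pw, policy_violations(pw))
    salt, digest = hash_password("Gr8-Sailb0at")
    print(verify_password("Gr8-Sailb0at", salt, digest),
          verify_password("Gr8-Sailb0at!", salt, digest))
```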
The level of security applied to a password should be proportional to the value of the information assets the password protects. Obviously, a password protecting top secret information should be much stronger than the password for your World of Warcraft account. But don't forget: reusing the same password for multiple services dramatically increases the likelihood that it will be compromised.