September 27, 2013 – Over the past few weeks, we have discussed the security risks surrounding e-mail, portable devices and public Wi-Fi usage, in addition to providing some useful tips on how to mitigate such risks. Now, while each of the previous topics were of great importance in their own right, it is possible that they were not applicable to your organization. However, the same cannot be said for today’s topic. That is, if your organization uses a computer, then password management is of the utmost importance.
Now, I know what you may be thinking: “I’ve heard this all before. Next topic!” But, before you go, let me assure you that this article will not simply discuss the importance of a strong password. That is, by the end of this article, you will not only have a newfound respect for password management, but you will be leaving with an abundance of tips that you can begin to use to protect both, your business and personal information.
Why are strong passwords important?
Beginning with the most important aspect of password management, we must discuss password creation. However, before we begin, it is important to remember that no matter how strong a password is – it can always be cracked. Now, this doesn’t mean that you shouldn’t utilize strong passwords, as according to the 2012 Verizon Data Breach Report, over 79 percent of breached companies were victims of opportunity. Therefore, the goal of a strong password isn’t for it to be impenetrable, more so the focus is on using a password that would present a significant challenge to a password cracker.
Frequently, many people believe that there is a direct correlation between the length of a password and its strength. But, what if I were to tell you that free software exists, such as Ophcrack, that has the ability to crack any 14 character alphanumeric Windows password by sheer brute force, and it can accomplish this task within minutes? Now, before you run off and change all of your passwords to 15 characters, we should first discuss a more practical solution.
How do I create a strong password?
For programs such as Ophcrack, the simple addition of special characters to your password will render the software ineffective; however, for higher-end programs, simply adding special characters will not be enough. Therefore, to make your password even stronger, it is suggested that you avoid using words that can be found in the dictionary. Why is that? Well, through the use of what are called rainbow tables, most password cracking software only searches for words contained within the dictionary. Now, I realize that with an abundance of passwords, it may seem like a daunting challenge to begin incorporating special characters and non-dictionary words; however, there are a couple of tricks that can help make the process more manageable.
First, instead of thinking of your password as a specific word, start thinking of it as a specific phrase. For example, take the phrase “The Bills will win the Super Bowl in 2014.” Aside from the obvious factuality of this statement, it can also be used to create a strong password. To demonstrate how this can be so, let us begin by taking the first letter of each word and creating a password out of the result. Therefore, instead of “The Bills will win the Super Bowl in 2014”, we now have “TBwwtSBi2014”. So, we now have a twelve character, non-dictionary password, which includes both, numbers and upper/lowercase letters.
Continuing to make the password even stronger, we must now incorporate special characters. An easy way to accomplish such a task is by replacing certain letters with a corresponding special character. So, instead of using the letter “a”, we can use the “@” symbol. Or, in relation to our example, we would replace the letter “S” with the “$” character. Therefore, instead of “TBwwtSBi2014”, our password will now be “TBwwt$Bi2014”. And, with that final change, we now have a non-dictionary password that contains: uppercase letters, lowercase letters, numbers, and a special character.
Five tips for creating a strong password
- Four digits may be okay for your banking PIN, but your passwords should be at least 8 characters.
- This isn’t Scrabble, so leave the dictionary alone and use non-dictionary words for your password.
- Make Pythagoras, Euclid and the Count from Sesame Street proud by using numbers in your password.
- Use UPPERCASE and lowercase letters in your password.
- Don’t forget to add something a little special to your password – a special character, that is.
In our next installment
Okay, so we have created a strong password, but now how are we going to manage it? Join us again in two weeks when we will discuss how you can effectively manage your newly created password.
If you are unsure that your business is adequately protected, our Information Security Baseline Review is an ideal starting point for answering all of your questions, and providing you and your key managers with a basic education of both the threats your company’s information faces and what practical approaches you can take to protect it.
Remember, a false sense of security is worse than being unsure. We have a variety of tools and resources to help you. I encourage you to call to take proactive action.
About the Author
William Prohn CISSP, CISA, CGEIT, CRISC
Bill oversees all aspects of information technology for the firm, and provides consulting services to a wide spectrum of Dopkins’ clients. He has over 30 years of experience in accounting and business information systems. His specific interests include creating meaningful, practical management information using computer technologies, and the security of business information and systems.