Eight is too many characters for strong passwords

By Eric Schultze, Contributor
15 Sep 2009 | SearchEnterpriseDesktop.com


Eight may be a good number at the craps table in Las Vegas, but it is the worst number for a minimum password length. Seven is the best password length, but passphrases may be your best option. (See SecurityFocus.com for details on the weakness of the LanMan password hash.)

Because of human nature, a policy that requires "password complexity" and a minimum password length of eight will result in the majority of users picking passwords that are exactly eight characters long. The complexity part -- usually a number or special character -- often ends up as the eighth character of the password. This complex eight-character password becomes two passwords: a seven-character, all-uppercase alphabetical password, and a one-character number or special-character password.

Let's look at the password "Snowman!" This password meets typical complexity requirements -- it's eight characters long, uses uppercase and lowercase letters and includes a special character.

When a computer stores the LanMan hash for this password, it first converts the characters to uppercase, then chops the password into two seven-byte halves: "SNOWMAN" and "!". (Note: the LanMan hash is not stored by default on Vista and Windows 7 systems.)

The first half of the password can be cracked in an hour or less with a password cracker. The second half can be cracked in less than a minute via the full-character-set options in the password cracker. Put it all together, and a typical eight-character complex password can be cracked in less than an hour.

However, if the minimum password length is seven characters, most users will make their passwords exactly that long. This means the complexity (the number or special character) falls within the first seven characters covered by the LanMan hash. The cracking program would then need to run the entire character set over the entire seven-character range, which takes a long time. By this reasoning, a seven-character complex password usually takes longer to crack than a complex password that's eight to 12 characters long.
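As an added illustration (not part of the original article), the following Python models the LanMan pre-hash steps described above and compares the brute-force search space of the two halves with that of the whole case-sensitive password, which is what remains once the LanMan hash is no longer stored. The DES step is omitted because it does not change the size comparison, the character classes are an assumed cracking alphabet, and the rule that passwords over 14 characters have no LanMan hash is a known property of the scheme that the article does not state.

```python
import string

# Character classes a brute-force run typically adds one at a time. Constructed model
# of the argument in the article; not the author's own tooling.
LOWER = set(string.ascii_lowercase)
UPPER = set(string.ascii_uppercase)
DIGITS = set(string.digits)
SPECIALS = set(string.punctuation + " ")  # 33 printable non-alphanumerics

def alphabet_size(text: str) -> int:
    """Smallest combination of the classes above that covers every character in text.
    Empty text returns 0, so 0 ** 0 == 1 below: an empty half costs a single guess."""
    size = 0
    for cls, n in ((LOWER, 26), (UPPER, 26), (DIGITS, 10), (SPECIALS, len(SPECIALS))):
        if any(c in cls for c in text):
            size += n
    return size

def lm_halves(password: str):
    """Pre-hash steps of the LanMan scheme as the article describes them: uppercase,
    pad with NUL bytes to 14, split into two 7-byte halves. Returns None for passwords
    over 14 characters, which have no LanMan hash at all (assumes latin-1 text)."""
    if len(password) > 14:
        return None
    padded = password.upper().encode("latin-1").ljust(14, b"\x00")
    return padded[:7], padded[7:]

def half_keyspace(half: bytes) -> int:
    """Guesses needed for one half; trailing NUL padding shortens the effective length."""
    chars = half.rstrip(b"\x00").decode("latin-1")
    return alphabet_size(chars) ** len(chars)

def lm_keyspace(password: str):
    """Total guesses to recover the password via its LanMan halves. The halves are
    attacked independently, so their costs add rather than multiply."""
    halves = lm_halves(password)
    if halves is None:
        return None
    return sum(half_keyspace(h) for h in halves)

def whole_keyspace(password: str) -> int:
    """Guesses when the password is attacked as one case-sensitive unit, i.e. what is
    left to attack once NoLMHash removes the LanMan hash and only the NT hash remains."""
    return alphabet_size(password) ** len(password)

if __name__ == "__main__":
    for pw in ("Snowman!", "Snowma!n", "Snowm@n", "I love my little blue car."):
        print(f"{pw!r:30} LM halves: {lm_keyspace(pw)!s:>16}  whole: {whole_keyspace(pw)}")
```

Moving the special character inside the first seven positions ("Snowma!n") raises the LanMan cost from roughly 26^7 to 59^7, while the passphrase never gets a LanMan hash at all.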

You could set a 14-character minimum password length, but this may upset your users and create a run on Post-it notes (under the keyboard, in the desk drawer, etc.).

If you insist upon using a minimum password length of eight characters, make sure to set the NoLMHash registry key on all desktops, servers and domain controllers so as not to create the LanMan hash. Then, run some freeware tools to delete all existing LanMan hashes from the password history, because the prior passwords may be used to help guess current passwords.

Better yet, tell users to use a passphrase instead of a password. A passphrase is a combination of words or an entire sentence -- including punctuation -- like "I love my little blue car." This meets the minimum password-length requirement and has all the elements of a complex password including case sensitivity and special characters.

In a recent security training class, I conducted the following experiment:

Everybody on one side of the classroom was asked to think of a password they would typically use at work. Then I asked the people on the other side of the classroom to think of a passphrase.

I asked the first side of the room (password) to count the length of the passwords they thought of, and I asked the others (passphrase) to count the length of their passphrases. The results from the first side are normally between seven and 13 characters long. The second side of the classroom produces passphrases anywhere from 20 to 60 characters long (but rarely shorter than 15).

Asking users to think of passwords as "passphrases" is a good way to encourage strong passwords.

In addition, aside from being strong passwords, passphrases are often easier to remember and are simpler to change every 60 days. Your users will have more fun remembering their passwords, and your network will be more secure.

ABOUT THE AUTHOR: Eric Schultze
Eric Schultze is an independent security consultant who most recently designed Microsoft patch management solutions at Shavlik Technologies. Prior to Shavlik, Schultze worked at Microsoft, where he helped manage the security bulletin and patch release process. Schultze likes to forget that he used to work as an internal auditor on Wall Street.

