In the beginning, there was the password and little else. Now, the presence of two-factor authentication, biometrics and other multi-faceted security measures -- often used in conjunction with passwords -- means the days of simple passwords are numbered.
Even if you're using computer passwords in conjunction with other authentication measures, that's all the more reason to make sure the passwords you allow in your organization are strong. To that end, here are some password guidelines derived from experts who set policies like this in their own organizations.
Ground rules put you on the right path
Let's start with a few basic password pointers that cut down on the most obvious password weaknesses:
- Never allow users to create a password of fewer than eight letters. The longer the password the better, but eight letters is about the limit of what people can remember without having to write things down. For that reason, anything more than eight letters is not recommended.
- Never allow passwords that are dictionary words. If you set password rules, try to force the inclusion of at least one number somewhere to deter people from using such words. (There are some ways this rule can be bent, however; see the "Pre-Generated Passwords" section below.)
- Rotate passwords regularly whenever possible. Set a time period for passwords to expire, and do not allow a password to be re-used if you can help it. Windows has policy settings that enforce this rule. Use them.
- Use a sensible password-lockout policy. If you choose to lock an account after multiple failed logons, set the threshold at a sane level that will not inconvenience users but will still foil scripted break-ins. You can lock out someone for ten minutes after, say, ten failed password attempts (more than enough for even the most butterfingered user) and report any additional login failures beyond that as a way to determine if someone may be trying to systematically hack his way through.
The native Windows password-enforcement system has some limitations in terms of what it can look for, so it never hurts to get additional help if you aren't too confident with the passwords people are choosing. Anixis' Password Policy Enforcer might be able to help with that. It allows the administrator to supply custom feedback for badly chosen passwords and can even screen chosen passwords through a dictionary system to make it less likely that people will choose weak passwords.
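The four ground rules above, plus the ten-failures/ten-minutes lockout example, can be written down as a small checker. The following is an added illustration, not the native Windows policy engine and not Anixis' product; the word list, the threshold constants and the sample passwords are constructed here, and a real deployment would load a full dictionary and compare password hashes rather than the plaintext history shown.

```python
"""Password-rule checker and lockout counter for the ground rules above.

Added illustration, not Windows' native policy engine or Anixis' product.
The dictionary stand-in, thresholds and sample data are constructed here;
a real deployment would load a full word list and compare password hashes,
not plaintext history."""
import time

MIN_LENGTH = 8                 # rule 1: at least eight characters
LOCKOUT_THRESHOLD = 10         # rule 4: lock after ten failed attempts (page's example)
LOCKOUT_SECONDS = 10 * 60      # rule 4: ten-minute lock (page's example)

# Constructed stand-in for a real dictionary file.
DICTIONARY = {"password", "welcome", "sunshine", "football", "baseball"}


def check_password(candidate, history=()):
    """Return the list of rules the candidate breaks; an empty list means it passes.

    `history` holds the account's previous passwords so re-use can be refused
    (rule 3). Shown in plaintext for clarity only."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if candidate.lower() in DICTIONARY:
        problems.append("is a dictionary word")
    if not any(ch.isdigit() for ch in candidate):
        problems.append("contains no digit")
    if candidate in history:
        problems.append("was used before")
    return problems


class LockoutTracker:
    """Per-account failed-logon counter.

    After LOCKOUT_THRESHOLD consecutive failures the account is locked for
    LOCKOUT_SECONDS; failures arriving while locked are appended to `reports`
    so an administrator can look for a scripted attack. `clock` is injectable
    so the behaviour can be tested without waiting ten minutes."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.failures = {}       # account -> consecutive failure count
        self.locked_until = {}   # account -> time at which the lock expires
        self.reports = []        # (account, time) for failures during a lock

    def is_locked(self, account):
        return self.clock() < self.locked_until.get(account, 0)

    def record_failure(self, account):
        """Register a failed logon; return True if the account is (now) locked."""
        if self.is_locked(account):
            self.reports.append((account, self.clock()))
            return True
        count = self.failures.get(account, 0) + 1
        if count >= LOCKOUT_THRESHOLD:
            self.locked_until[account] = self.clock() + LOCKOUT_SECONDS
            self.failures[account] = 0
            return True
        self.failures[account] = count
        return False

    def record_success(self, account):
        """A successful logon resets the consecutive-failure count."""
        self.failures.pop(account, None)


if __name__ == "__main__":
    for pw in ("Sunshine", "16vvlftc", "abc1"):
        print(pw, "->", check_password(pw) or "OK")
    tracker = LockoutTracker()
    for _ in range(LOCKOUT_THRESHOLD):
        tracker.record_failure("alice")
    print("alice locked:", tracker.is_locked("alice"))
```

The lockout check runs before the password is even compared, so an attacker who keeps hammering a locked account gets nothing back but a growing entry in `reports`, which is the signal the text suggests reviewing for systematic guessing.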
Long mnemonics make handy cheat sheets
One of the simplest and most effective tricks I've seen for creating reasonably secure computer passwords is to use a long mnemonic. Here's how this works: Take a line from a favorite song or poem and convert it into a password by using the first letter of each word. "Ticking away the moments that make up the dull day" becomes tatmtmutdd -- maybe not easy to type at first, but relatively easy to remember, and that's what matters. For additional security, try a song lyric that has numbers in it as well -- "Sixteen vestal virgins leaving for the coast" becomes 16vvlftc.
To add even more security to this scheme, use character substitutions -- @ signs for a's, # for d's and so on. This would take tatmtmutdd above and render it as something like t@tmtmut##, a password that would not break easily under a brute-force attack.
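The mnemonic trick above is mechanical enough to script, which is handy for showing users how it works or for checking that the result clears the length rule. This is an added example, not code from the article; the number-word map and the search-space estimate are assumptions added here, and the substitution table contains only the two replacements the text names (@ for a, # for d).

```python
"""Mnemonic password builder: first letter of each word, number words kept
as digits, optional character substitutions. Added example; the number-word
map, symbol-class size and search-space estimate are assumptions."""
import math
import re

# Number words the builder keeps as digits rather than initials (assumed list).
NUMBER_WORDS = {
    "zero": "0", "one": "1", "two": "2", "three": "3", "four": "4",
    "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9",
    "ten": "10", "eleven": "11", "twelve": "12", "thirteen": "13",
    "fourteen": "14", "fifteen": "15", "sixteen": "16", "seventeen": "17",
    "eighteen": "18", "nineteen": "19", "twenty": "20",
}

# Character substitutions from the text (a -> @, d -> #); extend as needed.
SUBSTITUTIONS = {"a": "@", "d": "#"}


def mnemonic(phrase, substitute=False):
    """Turn a memorable line into a password string.

    Each word contributes its first letter, except number words, which
    contribute their digits ("Sixteen" -> "16")."""
    parts = []
    for word in re.findall(r"[A-Za-z0-9][A-Za-z0-9']*", phrase):
        w = word.lower()
        parts.append(NUMBER_WORDS.get(w, w[0]))
    password = "".join(parts)
    if substitute:
        password = "".join(SUBSTITUTIONS.get(c, c) for c in password)
    return password


# Character classes for the brute-force estimate; the symbol count of 32 is
# an assumption (printable ASCII punctuation).
CLASS_SIZES = (
    (str.islower, 26),
    (str.isupper, 26),
    (str.isdigit, 10),
    (lambda c: not c.isalnum(), 32),
)


def search_space_bits(password):
    """Naive brute-force estimate: length times log2 of the alphabet an
    attacker would have to cover, given the character classes present."""
    alphabet = sum(size for test, size in CLASS_SIZES
                   if any(test(c) for c in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


if __name__ == "__main__":
    for line in ("Ticking away the moments that make up the dull day",
                 "Sixteen vestal virgins leaving for the coast"):
        for sub in (False, True):
            pw = mnemonic(line, substitute=sub)
            print("%-12s %5.1f bits" % (pw, search_space_bits(pw)))
```

The estimate is the one a pure brute-force attacker faces; password-cracking tools also apply common letter-for-symbol substitution rules, so treat the figure for the substituted form as an upper bound and rely on the length and the obscurity of the source line rather than on the substitutions alone.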
Another way to prevent people from picking weak passwords is to generate passwords for them. Users can put up a lot of resistance to pre-generated passwords simply because they don't want to be assigned one that they may have trouble remembering. You can get around this problem in a couple of ways. One of them is to generate passwords from two or more existing dictionary words, and modify them in such a way that they cannot be easily guessed through a dictionary attack. This is the method adopted by a program called the Random Password Generator, which you can use to easily mass-generate passwords for users.
Another interesting solution I've seen for difficult-to-remember passwords is a system that creates passwords that resemble words in the English language but aren't actually words. They can be pronounced, since they're constructed according to statistical approximations of the way phonemes appear in English, but they don't correspond to any real English words. Tom Van Vleck has created an online Java-based generator for such passwords, and there's a standalone password generator application for both Windows and Macintosh called XYZZY, which uses the same algorithm.
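Both generation approaches described above, joining dictionary words and modifying them, and building pronounceable non-words from letter-trigram statistics, are illustrated together in the following added example. It is written to the descriptions in the text; it is neither the Random Password Generator's code nor Tom Van Vleck's generator or XYZZY, and its word list is a constructed stand-in for a real dictionary file.

```python
"""Two password-generation approaches: dictionary-word combination with
modification, and pronounceable non-words from trigram statistics.

Added example written to the text's description; not the Random Password
Generator's, Tom Van Vleck's or XYZZY's code. WORDS is a constructed
stand-in for a real dictionary."""
import secrets
from collections import defaultdict

# Constructed mini-corpus; a real tool would read a full word list.
WORDS = [
    "station", "garden", "window", "morning", "silver", "planet", "river",
    "candle", "mountain", "forest", "letter", "number", "winter", "summer",
    "hollow", "basket", "marble", "carpet", "thunder", "harbor", "meadow",
    "pillow", "timber", "velvet", "lantern", "copper", "cotton", "dragon",
    "ribbon", "saddle", "tunnel", "valley", "walnut", "yellow", "pepper",
]


def build_trigram_table(words):
    """Count how often each letter follows each two-letter pair in the corpus.
    '^^' marks the start of a word so initial letters get their own statistics."""
    table = defaultdict(lambda: defaultdict(int))
    for w in words:
        padded = "^^" + w.lower()
        for i in range(len(padded) - 2):
            table[padded[i:i + 2]][padded[i + 2]] += 1
    return table


def pronounceable(length, table, words=WORDS, rng=None, attempts=500):
    """Random walk over the trigram table: each next letter is drawn in
    proportion to how often it followed the previous two letters in the
    corpus, so the result sounds like English without being a corpus word."""
    rng = rng or secrets.SystemRandom()
    for _ in range(attempts):
        out = "^^"
        while len(out) - 2 < length:
            followers = table.get(out[-2:])
            if not followers:          # this pair only ever ends a word: retry
                break
            letters = list(followers)
            weights = [followers[c] for c in letters]
            out += rng.choices(letters, weights=weights)[0]
        else:
            candidate = out[2:]
            if candidate not in words:  # reject an accidental real word
                return candidate
    raise ValueError("could not build a %d-letter string from this table" % length)


def word_combination(words=WORDS, rng=None):
    """Two random dictionary words joined by a random digit, with one letter
    uppercased, so the whole is not a single dictionary entry."""
    rng = rng or secrets.SystemRandom()
    first, second = rng.sample(words, 2)
    combined = first + rng.choice("0123456789") + second
    i = rng.randrange(len(combined))
    while not combined[i].isalpha():
        i = rng.randrange(len(combined))
    return combined[:i] + combined[i].upper() + combined[i + 1:]


if __name__ == "__main__":
    table = build_trigram_table(WORDS)
    for _ in range(5):
        print(pronounceable(8, table), word_combination())
```

`secrets.SystemRandom` draws from the operating system's random source, which is what a generator handing out real passwords should use; the rejection loop in `pronounceable` is what keeps the statistical approximation from occasionally reproducing a word that appears in the corpus.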
Simplifying browser-based logins
ABOUT THE AUTHOR:
Serdar Yegulalp has been writing about computers and IT for more than 15 years for a variety of publications, including SearchWinIT.com, SearchExchange.com, InformationWeek and Windows magazine.
This was first published in November 2008