Data has become one of our most valuable assets and needs to be protected accordingly. It can be protected in many ways; however, the most common technique for protecting information is the use of passwords.
A password is a string of characters required to gain access to a resource, such as a network, document or database. With such a password (generally in conjunction with a username) a user proves their identity and is then granted access to the resource. As with every security control, there are a number of ways to circumvent it.
Over the years a number of ways to crack passwords have been developed, such as brute-force attacks and dictionary attacks. A brute-force attack tries every possible combination of characters until the correct password is found, whilst a dictionary attack uses a wordlist of common words and previously leaked passwords. Hybrid attacks combine the two by applying mangling rules (appending digits, changing case, swapping letters for symbols) to every word in the dictionary. Rainbow tables are a separate technique: precomputed tables of password hashes that trade storage space for cracking time, effective against unsalted hashes.
With the evolution of such password cracking techniques, the passwords used to protect your systems and data must reach a certain level of complexity and length, so that cracking them is not feasible in a practical amount of time.
This blog entry describes different types of password that can be used and their efficiency and effectiveness.
Dictionary Passwords
These passwords consist of a single word, such as the name of a pet or any word normally found in a dictionary. It is unwise to use such passwords, since they are recovered almost instantly by a dictionary attack. An example of a dictionary password is 'world'.
Passwords containing Non-Alphanumeric Characters
Increasing password complexity reduces the risk of an attacker guessing your password. Most security experts recommend that a password consist of a mix of numbers, letters (both uppercase and lowercase) and non-alphanumeric characters such as $, % and !. Such passwords resist a plain dictionary attack, since the exact string will not appear in the wordlist. An example is 'Pr0f3$$10n41', in which letters of a dictionary word have been replaced with look-alike digits and symbols ('leet' substitution). However, modern cracking tools apply mangling rules to every dictionary word, and one of the standard rules is exactly this kind of character replacement, so 'Pr0f3$$10n41' falls to a rule-based dictionary attack almost as quickly as 'professional' would.
A more effective use of this technique is to string together unrelated characters, such as 'A8!bfe1(3', which no wordlist or mangling rule will produce; the attacker is left with brute force over the full printable character set. The drawback is that such passwords are hard to remember and too complex for the average user.
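The following is an added example (not code from the original post) showing why 'Pr0f3$$10n41' is weak and 'A8!bfe1(3' is not: a rule-based dictionary attack that generates case and leet variants of each word in a wordlist and compares their hashes with the target. The LEET substitution table and the four-word WORDLIST are constructed for the example, and unsalted SHA-256 is used only so that it runs offline.

```python
import hashlib
import itertools

# Leet substitutions a mangling rule might apply (constructed, simplified subset of
# what tools such as hashcat or John the Ripper express as rules).
LEET = {
    "a": ["4", "@"], "e": ["3"], "i": ["1", "!"], "o": ["0"],
    "s": ["$", "5"], "l": ["1"], "t": ["7"],
}

# Constructed mini wordlist standing in for a real dictionary file.
WORDLIST = ["world", "password", "house", "professional"]


def mangle(word):
    """Yield every case and leet variant of a dictionary word, each exactly once."""
    seen = set()
    for base in (word.lower(), word.capitalize(), word.upper()):
        # For each character, the pool is the character itself plus its leet stand-ins.
        pools = [[ch] + LEET.get(ch.lower(), []) for ch in base]
        for combo in itertools.product(*pools):
            candidate = "".join(combo)
            if candidate not in seen:
                seen.add(candidate)
                yield candidate


def sha256_hex(password):
    """Unsalted SHA-256, used here only so the example runs offline.
    Real systems should store passwords with a slow, salted hash such as bcrypt or Argon2."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack(target_hash, wordlist=WORDLIST, hash_fn=sha256_hex):
    """Rule-based dictionary attack: return (password, guesses) or (None, guesses)."""
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            if hash_fn(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


if __name__ == "__main__":
    for pw in ("world", "Pr0f3$$10n41", "A8!bfe1(3"):
        found, guesses = crack(sha256_hex(pw))
        print(f"{pw!r}: {'cracked' if found else 'not found'} after {guesses} guesses")
```

'world' is found on the very first guess and 'Pr0f3$$10n41' after a few thousand, because the capitalised, fully substituted form of 'professional' is one of the variants mangle() produces; 'A8!bfe1(3' survives because it is not derived from any word in the list. With a real wordlist of millions of entries and a fast hash, the same loop runs at billions of guesses per second on a GPU, which is why leet substitution on its own buys almost nothing.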
Passphrases
Passphrases are longer than the average password and consist of a number of words, which makes them much harder to guess through brute force, since every extra character multiplies the keyspace. An example of a passphrase would be 'iliveinahouse'. Note, however, that modern cracking tools can also join dictionary words together (a combinator attack), so a passphrase built from a few very common words is weaker than its length suggests; choosing uncommon or unrelated words helps. Passphrase complexity can be further increased by adding punctuation between the words, such as underscores '_' or commas ','.
Symbols
Symbols not found on a keyboard can also be used within passwords. On Windows, such a symbol is entered by holding the ALT key and typing its code on the numeric keypad. An example of such a password is 'Registered®Password'; the ® character is inserted by typing ALT-0174. Other symbols that can be used are Alt-0189 (½), Alt-0167 (§) and Alt-0169 (©).
Traditional password cracking tools default to the printable ASCII character set and do not normally take such symbols into consideration, so the attacker has to deliberately widen the search. A further advantage of symbols is that they help protect against shoulder surfing, since an observer sees only a sequence of number-pad keystrokes. Be aware, though, that non-ASCII characters are not always handled consistently: a system may store the password in one encoding (for example Windows-1252) and receive it in another (UTF-8) from a different client, and some applications reject such characters outright, so test that the password works from every place you need to log in.
Symbols are even more effective when used in conjunction with passphrases and non-alphanumeric passwords.
Password Length
The longer your password, the more secure it is: each additional character multiplies the number of guesses a brute-force attack must make. Keep your passwords as long as you can while still being able to remember them. Security experts generally consider 10 characters to be the minimum.
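To put numbers on the passphrase and length sections above, here is an added example (not from the original post) that estimates the keyspace an attacker must search for each password type: brute force over the character pool the password visibly uses, versus a passphrase seen as a handful of words from a known dictionary. The 128-code-point pool for non-ASCII characters, the 10,000-word dictionary and the 10^10 guesses-per-second rate are assumptions made for the example.

```python
import math
import string

LOWER = set(string.ascii_lowercase)
UPPER = set(string.ascii_uppercase)
DIGITS = set(string.digits)
SYMBOLS = set(string.punctuation) | {" "}   # 33 printable ASCII symbols including space
ASCII_POOL = LOWER | UPPER | DIGITS | SYMBOLS

# Assumption for this example: a non-ASCII character forces the attacker to add the
# 128 upper-half code points of an 8-bit code page such as Windows-1252 to the pool.
NON_ASCII_POOL = 128


def charset_size(password):
    """Smallest obvious character pool a brute-forcer must cover to reach this password."""
    size = 0
    if any(c in LOWER for c in password):
        size += len(LOWER)
    if any(c in UPPER for c in password):
        size += len(UPPER)
    if any(c in DIGITS for c in password):
        size += len(DIGITS)
    if any(c in SYMBOLS for c in password):
        size += len(SYMBOLS)
    if any(c not in ASCII_POOL for c in password):
        size += NON_ASCII_POOL
    return size


def brute_force_bits(password):
    """Keyspace in bits if the attacker must try every string of this length over the pool."""
    return len(password) * math.log2(charset_size(password))


def passphrase_bits(word_count, dictionary_size):
    """Keyspace in bits if the attacker knows the password is word_count words from a dictionary."""
    return word_count * math.log2(dictionary_size)


def expected_seconds(bits, guesses_per_second):
    """Expected time to crack: on average half the keyspace has to be searched."""
    return 2 ** bits / 2 / guesses_per_second


if __name__ == "__main__":
    rate = 1e10  # assumed offline guessing rate against a fast unsalted hash
    for pw in ("world", "Pr0f3$$10n41", "A8!bfe1(3", "iliveinahouse", "Registered®Password"):
        bits = brute_force_bits(pw)
        print(f"{pw!r:24} pool={charset_size(pw):3} bits={bits:5.1f} "
              f"expected={expected_seconds(bits, rate):.3g}s")
    # 'iliveinahouse' modelled as 4 words drawn from an assumed 10,000-word list:
    print(f"4 words from a 10,000-word list: bits={passphrase_bits(4, 10_000):.1f}")
```

The comparison worth noticing is 'iliveinahouse': as 13 lowercase characters it is about 61 bits and out of reach, but as four words from a 10,000-word list it is about 53 bits, and the attacker who models it that way (a combinator attack) searches far less than the raw length implies. 'Registered®Password' shows the other side: one character outside ASCII makes the pool, and therefore every position, markedly more expensive to brute force.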
Password Policies
Any system with a weak password within your network can be an entry point for an attacker; therefore it is critical to raise the overall complexity of the passwords used within your organization. Most operating systems can be configured to accept only passwords of a certain complexity. Password complexity policies can be enforced across a domain, and any password that does not adhere to them is rejected by the operating system. Other password-related policies also help deter attackers, such as enforcing a minimum length, expiring passwords after a certain number of days and prohibiting the re-use of old passwords, but these are a discussion for a separate blog entry.
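As an added example of what such a policy check looks like in code (not the original post's code, nor any operating system's actual implementation), the function below applies a minimum length, a minimum number of character classes, a reuse check and a dictionary check that first undoes leet substitutions, so that 'Pr0f3$$10n41' is rejected for the same reason 'professional' would be. The thresholds, the UNLEET table and the COMMON_WORDS list are constructed for the example.

```python
import itertools
import string

LOWER = set(string.ascii_lowercase)
UPPER = set(string.ascii_uppercase)
DIGITS = set(string.digits)

# Reverse leet map: each digit or symbol and the letters it commonly stands in for
# (constructed subset; '1' can be either 'i' or 'l', so both are tried).
UNLEET = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "t", "!": "i", "@": "a", "$": "s"}

# Constructed stand-in for a real wordlist of dictionary words and breached passwords.
COMMON_WORDS = {"world", "password", "house", "professional", "welcome"}


def unleet_variants(password):
    """All plain-letter spellings the password could be a leet encoding of."""
    pools = [list(UNLEET.get(ch, ch)) for ch in password.lower()]
    return {"".join(p) for p in itertools.product(*pools)}


def character_classes(password):
    """Number of classes present out of: lowercase, uppercase, digit, anything else."""
    chars = set(password)
    other = chars - LOWER - UPPER - DIGITS          # symbols and non-ASCII characters
    return sum(bool(s) for s in (chars & LOWER, chars & UPPER, chars & DIGITS, other))


def check_policy(password, min_length=10, min_classes=3, previous=()):
    """Return the list of policy violations; an empty list means the password is accepted.
    Thresholds are illustrative, not the defaults of any particular operating system."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if character_classes(password) < min_classes:
        problems.append(f"uses fewer than {min_classes} character classes")
    if unleet_variants(password) & COMMON_WORDS:
        problems.append("is a dictionary word once leet substitutions are undone")
    if password in previous:   # a real system compares against stored hashes, not plaintext
        problems.append("was used before")
    return problems


if __name__ == "__main__":
    for pw in ("world", "Pr0f3$$10n41", "A8!bfe1(3", "iliveinahouse,2024"):
        verdict = check_policy(pw) or ["accepted"]
        print(f"{pw!r}: {'; '.join(verdict)}")
```

The de-leet step is what distinguishes this from a naive complexity rule: 'Pr0f3$$10n41' satisfies length and all four character classes, yet it is still rejected because one of its plain spellings is 'professional'. Because every ambiguous character doubles the number of variants, a production check should cap the number of substitutions it expands (or only expand the first few), and the reuse check must be done against the stored password hashes rather than a plaintext history.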