What makes a good password?
The challenge today is, of course, that most of us have too many accounts on too many systems. Remembering a very large number of passwords is nearly impossible. We systems administrators have an especially challenging time because we often have to remember dozens if not hundreds of passwords for the systems we manage in addition to those associated with our personal accounts on facebook, twitter, gmail, linkedin and a pile of other systems we use.
So how should we define what constitutes a good password and how do we go about enforcing good choices?
For one thing, the length of a password makes a difference. This cannot be stressed enough. For every character that is added to a password, the number of possible passwords increases as many as 90 times if the full set of 26 lowercase letters, 26 uppercase letters, 10 digits, and 30 or so special characters can be used. It's simply a matter of math.
In the last couple of years, the password length recommended by security professionals has gone from eight to twelve characters. And that's twelve characters at a minimum! That's a huge increase! This recommendation derives from some research that was performed at the Georgia Institute of Technology in which researchers used clusters of
graphic cards to crack eight-character passwords and found that they could do it in less than two hours. Yes, graphics processors -- system components designed for highly parallel
processing in order to meet the needs of today's gamers -- were deployed in password cracking. Here's a link to help you understand the implications of what they discovered and made public in August of 2010:
Where seven character passwords have now been classified as "hopelessly inadequate", the researchers involved in the study concluded that twelves character passwords would require more than 17,000 years to crack with today's technology.
The Duh Factor
Of course, length alone doesn't make a password good if the password is predictable or easy to guess. LadyGaga isn't a good password for anyone, but is less so for a devoted fan. 1234567890 is never good, even though it has ten characters and password1234 isn't much better, even though it has twelve.
Passwords should not be guessable, predictable, or reusable. They should never be based on words you'd find in the dictionary -- of any language whatsoever. Common letter substitutions like 0 for "o" and 4 for "a" really don't make much difference.
Most security experts agree that passwords should be easy to remember, but hard to guess. The "easy to remember" part means you shouldn't get yourself locked out of systems you need to use. nor should you be tempted to write your passwords on anything in your work area. Writing down password clues can be acceptable, especially if the clue that jogs your mind wouldn't allow someone -- even someone who knows you well -- to reconstruct your password.
One option for ensuring password complexity is to use the really tough passwords that password safes generate. You won't remember passwords like GdzIQaZyVaFgbh7dlu46 (that's 20 characters!). In fact, they can be painful to use at all unless you can copy and paste them as you log in. But they'll be remarkably difficult to crack. This can be a good approach for those passwords you only need to use now and then, but likely not for those you use many times every day.
If using a password safe, you need to be very careful when selecting the password you will use to open the safe. If it's one you won't remember, you can lose access to all of your stored passwords. If it's not a good password, all of your accounts could be at risk. Both your login password and the one you use to unlock your safe should be well constructed (adequately long and complex) and memorable.
For those passwords you have to remember, picking a phrase like "I want to be at the beach" and encoding it as "iw2b@theBeach" might work just fine. "I want to see you at Chuck E Cheese's" could be "iw2cu@ChECh!". Even your friends who know you hang out at Chuck E. Cheese's aren't likely to guess this password. Plus you could adopt the "iw2b@" or "iw2cu@" phrase as a theme for some period of time, adding various endings for different systems. In fact, the various endings could have some vague association with the target systems such that each password is unique but still relatively easy for you to remember.
Some systems will even allow you to use full sentences as passwords. For these, you might try a password like "I can't wait to log out" for a system you really don't enjoy using. That password might be both memorable and cathartic as the same time.
Getting your users to choose good passwords requires that you define for them what a good password is and that you set a good example. You shouldn't use predictable passwords even temporarily. If every time you set up a new account, the password is "ChangeMe" or the account name with "123" tacked on the end, you'll have a growing population of people who know the initial password for every account you set up. You'll also be suggesting, whether you mean to or not, that passwords like these are acceptable.
Once you determine what your users' passwords ought to look like, most systems will allow you to enforce password complexity in keeping with your chosen password policy. Setting good password complexity rules ensures that your users will not be able to assign themselves passwords which are easy to guess. In my next few posts, we'll look at how password complexity can be enforced on Linux, Solaris, and Active Directory.