In the first article of this series, we will take a look at the basics of password security as well as a few basic methods of attack. In the second article, we will focus on how Windows handles passwords and methods of attacking that process.
What makes a password secure?
- The longer the password is, the more secure it is
The number of possible passwords (the keyspace an attacker has to search) is:
(Number of possible characters) ^ (Length of the password)
Let's say our hypothetical password is made up of only uppercase letters and is exactly one letter long. That gives us 26^1, or 26, possible passwords, which wouldn't take an attacker long to guess. Now what if we required passwords of exactly three characters? That leaves us with 26^3, or 17,576, possible passwords. Simply by asking our users to remember two additional letters we increased the number of passwords an attacker would have to guess by a factor of 676 (26^2). Each additional character multiplies the keyspace by the size of the character set, so longer passwords are exponentially stronger passwords.
- The more types of characters in a password, the more secure it is (a larger character set increases the base of the formula above)
- The more random a password is, the more secure it is
Even the least sophisticated attacker is likely to try a dictionary attack first. The web is full of word lists specifically geared towards breaking passwords, and many of the freely available password cracking programs can take a list of dictionary words and try variations of each word until a password is cracked. Simply changing the letter case (PaSSwOrD instead of password) or substituting numbers and symbols for letters (p@ssw0rd instead of password) is no longer sufficient to stop such an attack, because the cracking tools apply exactly those substitutions by rule.
One possible defense is to urge your users to use passphrases instead of passwords. A passphrase such as "My cat hates car rides!" is very difficult to crack using these methods: it is long, it mixes character types, and it does not appear in any word list. I would, however, caution your users not to use a passphrase that could easily be guessed by people who know them well. Also, avoid commonly used phrases, since those end up in word lists too.
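The following Python script is an added example, not code from the original article. It puts the two points above together: keyspace() evaluates the formula from the section on length, and crack() runs a small rule-based dictionary attack of the kind just described against two constructed hashes, one of the leet-style password P@ssw0rd! and one of the passphrase from the text. The word list (WORDLIST), the substitution rules (LEET) and the suffix list (SUFFIXES) are assumptions constructed for the demonstration, and unsalted SHA-256 stands in for whatever hash a real system stores.

```python
"""Added example: why case and leet tricks do not defeat a dictionary attack."""
import hashlib
import itertools
from typing import Iterator, Optional, Tuple

# Constructed, deliberately tiny word list. A real attack uses lists of
# millions of leaked passwords; this is just enough to show the mechanics.
WORDLIST = ["letmein", "welcome", "dragon", "monkey", "password", "summer"]

# Substitutions and suffixes that cracking tools try by rule (assumed set).
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
SUFFIXES = ["", "1", "123", "!", "2024"]


def keyspace(alphabet_size: int, length: int) -> int:
    """Brute-force search space: (possible characters) ^ (password length)."""
    return alphabet_size ** length


def case_variants(word: str) -> Iterator[str]:
    """Every upper/lower combination of the word (2^len variants)."""
    for flags in itertools.product((False, True), repeat=len(word)):
        yield "".join(c.upper() if up else c.lower() for c, up in zip(word, flags))


def leet_variants(word: str) -> Iterator[str]:
    """Independently substitute or keep each letter that has a leet form."""
    choices = [(c, LEET[c.lower()]) if c.lower() in LEET else (c,) for c in word]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def mangle(word: str) -> Iterator[str]:
    """Candidate passwords derived from one dictionary word, in a fixed order."""
    seen = set()
    for cased in case_variants(word):
        for leeted in leet_variants(cased):
            for suffix in SUFFIXES:
                candidate = leeted + suffix
                if candidate not in seen:
                    seen.add(candidate)
                    yield candidate


def sha256_hex(text: str) -> str:
    """Unsalted SHA-256 stands in for a stolen password hash (constructed)."""
    return hashlib.sha256(text.encode()).hexdigest()


def crack(target_hex: str, wordlist=WORDLIST) -> Tuple[Optional[str], int]:
    """Return (recovered password or None, number of guesses hashed)."""
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            if sha256_hex(candidate) == target_hex:
                return candidate, guesses
    return None, guesses


if __name__ == "__main__":
    # Constructed "leaked" hashes of two user passwords.
    leet_hash = sha256_hex("P@ssw0rd!")                  # the classic substitution trick
    phrase_hash = sha256_hex("My cat hates car rides!")  # the passphrase from the text

    found, tries = crack(leet_hash)
    print(f"leet password: {found!r} after {tries:,} guesses")
    print(f"blind brute force of 9 printable ASCII chars: {keyspace(95, 9):,} candidates")

    found, tries = crack(phrase_hash)
    print(f"passphrase: {found!r} after exhausting {tries:,} rule-based guesses")
```

Run it and the leet-style password falls after a few thousand guesses, a negligible fraction of the 95^9 candidates a blind brute force of nine printable characters would face, while the passphrase survives the whole rule set because no dictionary word mangles into it. Real tools ship far larger word lists and rule sets, so the gap is wider in practice.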
- The more secret a password is, the more secure it is
Enforcing password policies
Wherever possible, you should enforce your company's password policies with technical controls. Where that is not possible, you should set up a training program to make users aware of the policies, periodically audit compliance with those policies, and enforce consequences for breaking them. Active Directory provides domain password policy settings that control minimum password length and enforce a minimum complexity requirement. Unfortunately, Active Directory does not provide a means of ensuring passwords are not vulnerable to a dictionary attack: a password such as P@ssw0rd1 satisfies the complexity rules and still falls to the rule-based attack described above. There are several products that add this functionality (typically as a password filter that rejects candidates found in a word list) if your organization's security needs warrant the expense. Ensuring that your users do not write down or share passwords requires constant user training, reminders, and, most importantly, support from management.