eight-character non-null password will now require over 6 quadrillion (6 million, billion) tests in order to check all possible combinations. Complexity capability is limited in some cases by the available character sets, in that legacy systems may only use 7-bit character sets instead of the more common 8-bit systems. Using extended 2-byte character sets for complex passwords, however, can allow complexity to expand brute-force testing requirements by several orders of magnitude.
Age. By imposing rules on how long a password may be used, brute-force attacks on complex, lengthy passwords will not conclude all possible tests before a new password is selected. Limits on the minimum age of passwords, such as one user-originated change per day, can help to curb the tendency to change passwords back to well-known settings even when a history of the last few passwords is kept to prevent password reuse.
Obscurity. Strong passwords are not derived from easily guessed information, such as the names of family members or pets, important dates, or common nicknames and interests. Because automated hacking tools can rapidly test passwords against word dictionaries, strong passwords should not be based on standard words in the local language. The use of an easily remembered pass phrase can help in recall of longer, more-difficult-to-guess password combinations.
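As an added worked example (not code from the book), the following Python puts the complexity, age and obscurity criteria above into practice: it computes the size of an exhaustive search for a given character set and length (95 printable characters at eight characters gives the "over 6 quadrillion" figure), tests whether a maximum password age expires a password before that search can finish at an assumed guessing rate, and checks a candidate password against a small constructed word dictionary. The character-set sizes, the guess rate, the three-class rule and the sample dictionary are this example's assumptions.

```python
import math
import re
import string

# Assumed character-set sizes: 7-bit printable ASCII (no null), every
# non-null 8-bit byte, and a 2-byte extended set (example values, not the book's).
CHARSET_SIZES = {"7bit_printable": 95, "8bit": 255, "2byte": 65535}

# Constructed stand-in for the word dictionaries automated guessing tools use.
SAMPLE_DICTIONARY = {"password", "welcome", "summer", "fido", "rover", "admin"}


def brute_force_tests(charset_size: int, length: int) -> int:
    """Candidates an exhaustive search must try to cover every password of
    exactly `length` characters drawn from `charset_size` symbols."""
    return charset_size ** length


def orders_of_magnitude_gain(length: int, small: str, large: str) -> float:
    """Powers of ten by which the search grows when moving to a larger character set."""
    return (math.log10(brute_force_tests(CHARSET_SIZES[large], length))
            - math.log10(brute_force_tests(CHARSET_SIZES[small], length)))


def survives_rotation(charset_size: int, length: int,
                      guesses_per_second: float, max_age_days: int) -> bool:
    """Age rule: True if the password is replaced before an exhaustive search of
    the whole space could finish at the assumed guessing rate."""
    seconds_available = max_age_days * 86400
    return brute_force_tests(charset_size, length) > guesses_per_second * seconds_available


def check_password(password: str, dictionary=SAMPLE_DICTIONARY) -> list:
    """Return the names of the rules the password fails (empty list = acceptable).
    The three-class complexity rule and the dictionary-core check are this
    example's interpretation of the guidance, not the book's exact policy."""
    if not password:
        return ["non_null"]                      # null passwords are never acceptable
    failures = []
    if len(password) < 8:
        failures.append("length")                # fewer than eight characters
    classes = sum(1 for test in (str.islower, str.isupper, str.isdigit)
                  if any(test(c) for c in password))
    if any(c in string.punctuation for c in password):
        classes += 1
    if classes < 3:
        failures.append("complexity")            # too few character classes
    core = re.sub(r"[^a-z]", "", password.lower())
    if core in dictionary:                       # digits/punctuation wrapped around a word
        failures.append("obscurity")
    return failures
```

At one billion guesses per second the 95-character, eight-character space takes about 77 days to exhaust, so a 90-day maximum age no longer outruns the search while a 60-day age still does.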
Note: The specific standards for minimum acceptable password strength vary from one organization to another, and additional requirements may be imposed on service and administrative accounts with elevated privileges. I recommend as an absolute minimum the following settings:
1. Passwords must be at least eight characters in length.
2. Passwords must not be null.
3. User passwords should expire regularly and automatically. The interval between password expiration processes should be considered during authentication planning. Whereas brute-force password guessing was once a weakness best overcome by regular exchange of passwords, modern enterprises must rely on automatic account lockouts and attack detection systems to remain effective in the face of supercomputing power on the attacker's desktop. Short password change cycles cause users to write down new passwords or to use