Password Security

[goldenmessiah]

And let's not forget....

The password is only HALF of the security in use! Usernames form the other half. If usernames are easily guessed, or given away, then that is half the battle won for a potential intruder.

I agree with other posters that passwords should comprise ANY character available! Extended, Capital and numeric. Setting weak passwords only encourages intruders, and when they break ONE, they will probably attempt more, based on the ease of breaking the first.

There are several good tools that you can use to evaluate password strength, and most have already been mentioned here. Make your passwords hard, change them regularly, and most importantly, harden your network. If your security posture is open to attack, don't stop to ask "Why Me?" when you get hit. OK, you have a firewall! But is it configured correctly? What about your perimeter router? Access Lists?

sorry for the rant! ;-)

[SirDice]

Originally posted here by zepherin
equation on password possibilities. The equation is x^n power with x being the possible number of characters and n being the amount of characters long the password is so if you have a 4 character pure numeric password you have a 10^4 amount of passwords possible or 1000. which makes sense because you have a choice between 0 - 9999. With a word you have a 26^n amount of possibles with n being the length of the word. and if you ad a number to it it changes the equation to 36^n and if you ad a symbol like a * or & then it becomes 46^n.

Almost correct. If you have a maximum of 4 characters 0..9 you can have:

1 empty password
10 1 character passwords
100 2 character passwords
1000 3 character passwords
10000 4 character passwords.

Giving a total of 11111 passwords.

To put it in a formula (to prove the strength) i use this one:

S= (B^(L+1) -1) / B-1 where B is the number of different characters (A..Z => B=26), L is the maximum password length, S will give you the total amount of possible passwords.

If you have a minimal amount of characters (say characters 0..9 min. 3 max. 6)

Calculate Smax with B=10 and L=6.
Calculate Smin with B=10 and L=3. Subtract Smin from Smax.

Divide S by the tries/second (L0pht will do 1000000 tries/second on a 500MHz machine) and you'll know how long it takes for all the passwords to be bruteforced. The mean time for a cracked password will be half this time.

[Nizead]

In a similar vein to roswell, I make up words. For example - plypchimion blurhrymony might become p17PcH1m10N6LurHr7M0ny or something like that. Basically any assemblage of 'sounds' converted to caps and numbers.

[spetard]

I do security testing, in an average enviroment a strong password ( 14+ chrs upper & lower case alpha numeric with special chrs) can be cracked by simple progs like l0pht & john in 39 days. you want to set you password max age to a max of 30, and the min age to a min of 2 with the last 12 -15 passwords remembered. this will help to increse security, oh and make the at lease 8 chrs not 6

[PM8228]

Originally posted here by roswell1329
I don't know if this is exactly on track with the original question, but here's a pretty good password creating scheme that I suggest to most people:

1) Think of a non-sensical phrase of 8 or more words such as "My Dog Skip Just Became An AntiOnline Member"
2) Take the first letter of each word (mdsjbaam)
3) convert letters to numbers or symbols that look like them wherever possible (md$j844m)
4) Use a capitalization scheme like first and last letter (Md$j844M)

"Md$j844M", is an excellent password by most standards (contains a mix of upper/lower case letters, contains symbols, numbers, and alpha characters, and is the standard maximum of 8 characters long), and the phrase makes it somewhat easy to remember. You could make the password longer (most systems with an 8-character max ignore any characters after 8, so your password could be much longer).

Good password choice is a vitally important part of system security that most people ignore. How many times have we all seen 'password' as someone's password? Ugh.

I agree however, I believe the length should be something at least 9 characters, and go with everything you said above. Another security risk is shoulder serfing. I am still in high school, but if you walk past the office there is a clear glass window, and anybody could shoulder serf all day.
I believe that on some crackers/auditors such as L0pht, you can check for letter/symbol substitution, but I am not 100% sure about it.