PASSWORD SECURITY
Create strong passwords
Strong passwords are important protections to help you have safer online transactions.
Keys to password strength: length and complexity
An ideal password is long and has letters, punctuation, symbols, and numbers.
· Whenever possible, use at least 14 characters or more.
· The greater the variety of characters in your password, the better.
· Use the entire keyboard, not just the letters and characters you use or see most often.
Create a strong password you can remember
There are many ways to create a long, complex password. Here is one way that may make remembering it easier:
|
What to do |
Suggestion |
Example |
|
Start with a sentence or two (about 10 words total). |
Think of something meaningful to you. |
Long and complex passwords are safest. I keep mine secret. (10 words) |
|
Turn your sentences into a row of letters. |
Use the first letter of each word. |
lacpasikms (10 characters) |
|
Add complexity. |
Make only the letters in the first half of the alphabet uppercase. |
lACpAsIKMs (10 characters) |
|
Add length with numbers. |
Put two numbers that are meaningful to you between the two sentences. |
lACpAs56IKMs (12 characters) |
|
Add length with punctuation. |
Put a punctuation mark at the beginning. |
?lACpAs56IKMs (13 characters) |
|
Add length with symbols. |
Put a symbol at the end. |
?lACpAs56IKMs" (14 characters) |
Test your password with a password checker
A password checker evaluates your password's strength automatically.
Protect your passwords from prying eyes
· The easiest way to "remember" passwords is to write them down.
It is okay to write passwords down, but keep them secure.
Common password pitfalls to avoid
Cyber criminals use sophisticated tools that can rapidly decipher passwords.
Avoid creating passwords using:
· Dictionary words in any language.
Words in all languages are vulnerable.
· Words spelled backwards, common misspellings, and abbreviations.
Words in all languages are vulnerable.
· Sequences or repeated characters.
Examples: 12345678, 222222, abcdefg, or adjacent letters on your keyboard (qwerty).
· Personal information.
Your name, birthday, driver's license, passport number, or similar information.
5 tips to help keep your passwords secret
Treat your passwords with as much care as you treat the information that they protect.
Use strong passwords to log on to your computer and to any site where you enter your credit card number, or any financial or personal information—including social networking sites.
1. Never provide your password over e-mail or in response to an e-mail request.
· Internet "phishing" scams use fraudulent e-mail messages to entice you to reveal your user names and passwords, steal your identity, and more. Learn more about phishing scams and how to deal with online fraud.
2. Do not type passwords on computers that you do not control
· Computers such as those in Internet cafes, computer labs, kiosk systems, conferences, and airport lounges should be considered unsafe for any personal use other than anonymous Internet browsing.
· Cyber criminals can purchase keystroke logging devices which gather information typed on a computer, including passwords.
3. Don't reveal passwords to others
· Keep your passwords hidden from friends or family members (especially children) who could pass them on to other, less trustworthy individuals.
4. Protect any recorded passwords
· Don't store passwords on a file in your computer, because criminals will look there first.
· Keep your record of the passwords you use in a safe, secure place.
5. Use more than one password
· Use different passwords for different Web sites and services.
Best practices
Create an extensive defense model.
- Educate your users about how to best protect their accounts from unauthorized attacks. For
more information, see Encourage your users to follow best practices for password protection.
- Use the system key utility (Syskey) on computers throughout your network. The system key
utility uses strong encryption techniques to secure account password information that is stored
in the Security Accounts Manager (SAM) database.
Define password policy that ensures that every user is following the password guidelines that you
decide are appropriate. For more information, see Define password policy so that all user accounts
are protected with strong passwords.
- Consider whether implementing account lockout policy is appropriate for your organization. Be
cautious when defining account lockout policy.
Encourage your users to follow best practices for password protection.
- Always use strong passwords.
- If passwords must be written down on a piece of paper, store the paper in a secure place and
destroy it when it is no longer needed.
- Never share passwords with anyone.
- Use different passwords for all user accounts.
- Change passwords immediately if they may have been compromised.
- Be careful about where passwords are saved on computers. Some dialog boxes, such as those
for remote access and other telephone connections, present an option to save or remember a
password. Selecting this option poses a potential security threat.
Define password policy so that all user accounts are protected with strong passwords.
Define the Enforce password history policy setting so that several previous passwords are remembered. With this policy setting, users cannot use the same password when their password expires.
Define the Maximum password age policy setting so that passwords expire as often as necessary for your environment, typically, every 30 to 90 days. With this policy setting, if an attacker cracks a password, the attacker only has access to the network until the password expires.
Define the Minimum password age policy setting so that passwords cannot be changed until they are more than a certain number of days old. This policy setting works in combination with the Enforce password history policy setting. If a minimum password age is defined, users cannot repeatedly change their passwords to get around the Enforce password history policy setting and then use their original password. Users must wait the specified number of days to change their passwords.
Define a Minimum password length policy setting so that passwords must consist of at least a specified number of characters. Long passwords--seven or more characters--are usually stronger than short ones. With this policy setting, users cannot use blank passwords, and they have to create passwords that are a certain number of characters long.
Enable the Password must meet complexity requirements policy setting. This policy setting checks all new passwords to ensure that they meet basic strong password requirements.
Be cautious when defining account lockout policy.
Account lockout policy should not be applied haphazardly. While you increase the probability of thwarting an unauthorized attack on your organization with account lockout policy, you can also unintentionally lock out authorized users, which can be quite costly for your organization.
If you decide to apply account lockout policy, set the Account lockout threshold policy setting to a high enough number that authorized users are not locked out of their user accounts simply because they mistype a password.
Authorized users can be locked out if they change their passwords on one computer, but not on another computer. The computer that is still using the old password will continuously attempt to authenticate the user with the wrong password, and it will eventually lock out the user account. This might be a costly consequence of defining account lockout policy, because the authorized users cannot access network resources until their accounts are restored. This issue does not exist for organizations that only use domain controllers that are running Windows Server 2003 family operating systems.
Example Password Policy
- Never write passwords down.
- Never send a password through email.
- Never include a password in a non-encrypted stored document.
- Never tell anyone your password.
- Never reveal your password over the telephone.
- Never hint at the format of your password.
- Never reveal or hint at your password on a form on the internet.
- Never use the "Remember Password" feature of application programs such as Internet Explorer, your email program, or any other program.
- Never use your corporate or network password on an account over the internet which does not have a secure login where the web browser address starts with https:// rather than http://
- Report any suspicion of your password being broken to your IT computer security office.
- If anyone asks for your password, refer them to your IT computer security office.
- Don't use common acronyms as part of your password.
- Don't use common words or reverse spelling of words in part of your password.
- Don't use names of people or places as part of your password.
- Don't use part of your login name in your password.
- Don't use parts of numbers easily remembered such as phone numbers, social security numbers, or street addresses.
- Be careful about letting someone see you type your password.
Password Requirements (subject to change)
Those setting password requirements must remember that making the password rules too difficult may actually decrease security if users decide the rules are impossible or too difficult to meet. If passwords are changed too often, users may tend to write them down or make their password a variant of an old password which an attacker with the old password could guess. The following password requirements will be set by the IT security department:
- Minimum Length - 8 characters recommended
- Maximum Length - 14 characters
- Minimum complexity - No dictionary words included. Passwords should use three of four of the following four types of characters:
- Lowercase
- Uppercase
- Numbers
- Special characters such as!@#$%^&*(){}[]
- Passwords are case sensitive and the user name or login ID is not case sensitive.
- Password history - Require a number of unique passwords before an old password may be reused. This number should be no less than 24.
- Maximum password age - 60 days
- Minimum password age - 2 days
- Store passwords using reversible encryption - This should not be done without special authorization by the IT department since it would reduce the security of the user's password.
- Account lockout threshold - 4 failed login attempts
- Reset account lockout after - The time it takes between bad login attempts before the count of bad login attempts is cleared. The recommended value as of the date of writing this article is 20 minutes. This means if there are three bad attempts in 20 minutes, the account would be locked.
- Account lockout duration - Some experts recommend that the administrator reset the account lockout so they are aware of possible break in attempts on the network. However this will cause a great deal of additional help desk calls. Therefore depending on the situation, the account lockout should be between 30 minutes and 2 hours.
- Password protected screen savers should be enabled and should protect the computer within 5 minutes of user inactivity. Computers should not be unattended with the user logged on and no password protected screen saver active. Users should be in the habit of not leaving their computers unlocked. They can press the CTRL-ALT-DEL keys and select "Lock Computer".
- Rules that apply to passwords apply to pass phrases which are used for public/private key authentication
Choosing Passwords
Use password choosing tips as shown at http://www.comptechdoc.org/docs/ctdp/howtopass/ and be sure your passwords meet the minimum guidelines.
Enforcement
Since password security is critical to the security of the organization and everyone, employees that do not adhere to this policy may be subject to disciplinary action up to and including dismissal.
Other Considerations
Administrator passwords should be protected very carefully. Administrator accounts should have the minimum access to perform their function. Administrator accounts should not be shared.
