Saturday, June 23, 2018

The Password Game

With all the focus on phishing and ransomware (which, yes, you need to be protecting your organization from), don't lose sight of the importance of good password management.  You hear security folks talking about strong passwords or complex passwords, but what does that mean?  And better yet, why is it important?

Answer to the question: "What is a Strong password?"
Strong passwords are by nature harder to compromise by a hacker due to having all of the following characteristics:

  • They are complex passwords (made up of alphabetic characters in both lower and upper case, numeric characters, and special characters such as @#$%&?!).
  • They are not dictionary words or proper nouns.
  • They are long in length (8 is usually recommended, but 10 or more is better).
  • They are changed with frequency (45 days is recommended, but 30 days is better).
  • They are not recycled (also known as password history; the usual recommendation is to remember the last 12 passwords, but a good practice is to never reuse a previous password).
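The five characteristics above are easy to state but easy to get wrong in practice, so here is an added example (not code from the original post) of a policy checker that enforces them: character classes, a dictionary and proper-noun check, minimum length, and a password history of the last 12. The banned-word list is a small constructed stand-in for a real dictionary, the history is kept as salted PBKDF2 hashes rather than plaintext, and the iteration count is an assumption chosen to keep the demo fast.

```python
"""Policy checker for the five characteristics listed above.

Added example, not code from the original post.  The word list, the
salted-hash history format and the PBKDF2 iteration count are assumptions
made for this demonstration.
"""
import hashlib
import os

SPECIALS = set("@#$%&?!")      # the special characters the post names
MIN_LENGTH = 8                 # "8 is usually recommended"
BETTER_LENGTH = 10             # "10 or more is better"
HISTORY_DEPTH = 12             # "the last 12 passwords"

# Constructed stand-in for a dictionary / proper-noun list.  A real deployment
# would load a large word list plus a list of previously breached passwords.
BANNED_WORDS = {"password", "welcome", "summer", "sarah", "chevrolet", "london"}


def missing_classes(pw):
    """Return (sorted) the character classes the post requires that pw lacks."""
    classes = {
        "lower": any(c.islower() for c in pw),
        "upper": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "special": any(c in SPECIALS for c in pw),
    }
    return sorted(name for name, present in classes.items() if not present)


def contains_banned_word(pw, words=BANNED_WORDS):
    """True if pw's letters spell a listed word, or it embeds a word of 5+ letters."""
    letters_only = "".join(c for c in pw.lower() if c.isalpha())
    lowered = pw.lower()
    return letters_only in words or any(w in lowered for w in words if len(w) >= 5)


def _digest(pw, salt, iterations=20_000):
    # Slow, salted hash: a leaked history file must not be a simple table lookup.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)


def remember(pw, history):
    """Append pw to the salted-hash history, keeping only the last HISTORY_DEPTH."""
    salt = os.urandom(16)
    return (list(history) + [(salt, _digest(pw, salt))])[-HISTORY_DEPTH:]


def was_used(pw, history):
    """True if pw matches any entry in the salted-hash history."""
    return any(_digest(pw, salt) == digest for salt, digest in history)


def check_password(pw, history=()):
    """Return (ok, problems, advice) for pw against the post's characteristics."""
    problems, advice = [], []
    missing = missing_classes(pw)
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))
    if contains_banned_word(pw):
        problems.append("contains a dictionary word or proper noun")
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    elif len(pw) < BETTER_LENGTH:
        advice.append(f"{BETTER_LENGTH}+ characters is better")
    if was_used(pw, history):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return (not problems, problems, advice)


if __name__ == "__main__":
    hist = remember("$ar@08CrUzing", [])   # pretend this was the previous password
    for candidate in ["password1", "Summer2018!", "$ar@08CrUzing", "Tr4in!ngDay"]:
        print(f"{candidate:15} -> {check_password(candidate, hist)}")
```

Running the block shows `password1` failing on two counts, `Summer2018!` failing only because its letters spell a dictionary word, the post's own `$ar@08CrUzing` failing solely because it is already in the history, and `Tr4in!ngDay` passing cleanly.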
So, to answer the question "Why is it important?", let's go through each of the above points:

  1. Complex Passwords: The reason you don't want to use just alpha and numeric characters is the advances in password cracking tools.  Should your password file on your computer, or a single password going across the web, be captured by a hacker, they will perform what is called a Brute Force attack on the password hash (the encoded / encrypted password).  The tools in use take one character at a time and try to guess what that character is.  If you use only lower case alphabetical characters, the tool has just 26 possibilities to try for each of your password's characters (the password would be cracked in milliseconds).  Adding different cases, numbers, and special characters, as well as making the password long, increases the amount of time it takes a tool to decipher your password.  This matters when we discuss change frequency.
  2. Dictionary Words / Proper Nouns - In the early 2000s someone came up with a tool called RainbowCrack and created a number of data sets (lists) of dictionary words, first names of people, and names of places, together with their corresponding password hashes under various ciphers.  In essence, RainbowCrack predetermined what a dictionary word looks like once encrypted, so if a password file or hash was captured, the Rainbow tables turned cracking the password into a database lookup that gives back the full password instantly.  So don't use dictionary words or names.  In fact it is better not to use pass-"words" at all, but a phrase instead.  A good one is something that means something only to you and is easy to remember.  Let's say your daughter's name is Sara, she was born in 2008, and you drive a Chevy Cruz.  Your passphrase could be $ar@08CrUzing.
  3. Password Length - As mentioned in #1 above, the longer the complex password, the more time it will take to crack if the hash is compromised.  So think of this as a game you are playing: the more complex and longer the password, the more you increase your odds of protecting it and decrease the hacker's odds of cracking it before you change it.  Which leads us to the next point...
  4. Password Change Frequency - In one of my posts from last year, I applied a Benjamin Franklin quote to changing passwords: "Passwords are a lot like diapers. They should be changed frequently, and for the same reasons."  The whole point of coming up with a complex password, one that is long and doesn't contain any dictionary words, is to push the time it takes to crack it beyond the point where you change it.  If you never change your password, eventually a hacker can crack it.  Therefore, you should change your passwords every 30-45 days.  In theory, by the time a hacker gets your password hash and cracks it, you would have already changed it, and the cracked password is now useless.
  5. Password History - For the same reason as in #4 above, don't reuse an old password, at least not for several change cycles.  If you change your password every 30 days, it takes a hacker 60 days to crack your password, and you then reuse the original password, you have defeated the purpose of changing it.
So as demonstrated in the above 5 points, all of these characteristics work together not to prevent a hacker from getting your password, but to prevent a hacker from getting a password that works.  It is a game you are playing, and your goal is to run the clock down on the hacker while you are ahead.
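The "run the clock down" argument in points 1, 3, 4 and 5 is arithmetic, so here is an added example (not code from the original post) that carries it through: the alphabet size implied by the character classes a password uses, the resulting keyspace, the expected time to search half of it at an assumed guess rate, whether that beats the rotation period, and whether a reused password is already exposed when it comes back. The guess rate of one billion per second is an assumption for illustration only; real rates depend on the hash algorithm and the attacker's hardware.

```python
"""Run-the-clock calculator for the brute-force argument in points 1, 3, 4 and 5.

Added example, not code from the original post.  The guess rate used in the
demo is an assumed figure; real rates vary widely with hash algorithm and hardware.
"""
SPECIALS = set("@#$%&?!")        # the post's special-character set
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": len(SPECIALS)}
SECONDS_PER_DAY = 86_400


def charset_size(pw):
    """Size of the alphabet an attacker must assume, given the classes pw uses."""
    present = {
        "lower": any(c.islower() for c in pw),
        "upper": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "special": any(c in SPECIALS for c in pw),
    }
    return sum(CLASS_SIZES[name] for name, used in present.items() if used)


def keyspace(pw):
    """Number of candidates of pw's length over its alphabet (points 1 and 3)."""
    return charset_size(pw) ** len(pw)


def expected_days_to_crack(pw, guesses_per_second):
    """On average half the keyspace is searched before the right guess."""
    return keyspace(pw) / 2 / guesses_per_second / SECONDS_PER_DAY


def outlasts_rotation(pw, rotation_days, guesses_per_second):
    """Point 4: the defender wins if the expected crack time exceeds the rotation period."""
    return expected_days_to_crack(pw, guesses_per_second) > rotation_days


def reuse_is_exposed(rotation_days, crack_days, cycles_until_reuse):
    """Point 5: the hash is captured on day 0 and cracked on day crack_days.
    The old password comes back in cycle k, i.e. days [k*rotation, (k+1)*rotation).
    The attacker holds a working password if the crack finishes before that
    window closes."""
    window_end = (cycles_until_reuse + 1) * rotation_days
    return crack_days < window_end


if __name__ == "__main__":
    RATE = 1e9  # assumed guesses per second, for illustration only
    for pw in ["abcdefgh", "Abcdefg1", "$ar@08CrUzing"]:
        print(f"{pw:15} alphabet={charset_size(pw):3} "
              f"expected_days={expected_days_to_crack(pw, RATE):.3g} "
              f"beats_45_day_rotation={outlasts_rotation(pw, 45, RATE)}")
    print("reuse after 2 cycles (30-day rotation, 60-day crack) exposed:",
          reuse_is_exposed(30, 60, 2))
```

At the assumed rate, an 8-character lower-case password lasts seconds, an 8-character mixed-case-plus-digit password about a day, and the post's 13-character passphrase far longer than any 45-day cycle. The last function makes the point-5 scenario concrete: once the crack finishes at day 60, reuse in any later cycle hands the attacker a working password, which is why the post's "never reuse" advice is the safer reading of the history rule.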

Be Secure!
