Network Computingwww.networkcomputing.com

	Issue TOC Print full article Print this page Download as PDF E-Mail this URL Flame the author     In this article Introduction It's All About Risk A Risk-Based Policy Executive Summary Cost Factor Gotchas Make Your Case Online Only: Password Woes? Look to the User Epoll Results

Passwords don't have to be weak. In fact, they can be strong for many applications, provided users make hard-to-guess password choices.

Let's say all users must select passwords that are eight characters long and must include numbers, uppercase and lowercase letters and also common keyboard symbols, of which there are about 30. That yields 90 billion possible passwords, give or take. Add one character to the password, and the number jumps to 2.4 trillion (that's 24 and 12 zeros). It takes a 20-character password to get up to a 128-bit key space.

Of course, all this assumes that users create random passwords, likeJU&8d^%eDRm.*;#weW4Ny5Rg~b&, which is just not the case. Although a password length of 20 characters may yield 131 bits of entropy (the amount of disorder) in the key space, the real number is much, much less. That's because people tend to use passwords that are easy to remember. Popular choices include names, places, dates and common words. If an attacker is attempting to break into an account, the number of combinations to try drops significantly.

So, you require a symbol. But those pesky users won't be outfoxed. Common tactics are to replace letters with similar looking symbols. Often users will run the top key row of a keyboard to satisfy password requirements. Remember, programs like Crack, John the Ripper and L0phtCrack build dictionaries based on rules for mutating words with symbols and numbers, and the rules are developed based on experience.

Your best bet is to run your passwords through a cracker periodically and make every attempt to force users to adopt more complex passwords. Good luck.