Monday, April 5, 2010

Good Password Practices

The recommendations outlined here are based solely on my current understanding and knowledge; they are not claimed to be comprehensive or necessarily correct.


A password is a secret word or phrase known only to the permitted users or groups; it is used for authentication, to prove identity and to grant access.

Password policy (or password security) varies from organization to organization. Many policies require a minimum length, typically 8 characters, and some also impose a mix of upper and lower case letters, digits and special characters, e.g. @#$^. Some also prohibit words found in a dictionary or the user’s personal information, e.g. date of birth or Identity Card number (NRIC). Stricter administrators may also prohibit users from using their login username or real name as the password.

In addition, some policies require users to change their password periodically, e.g. every 60 days. Based on my own experience, such a policy often leaves users unable to remember their password, pushes them to create weaker passwords because they cannot come up with many new ones, or even encourages them to write their password down! My own recommendation is that rather than a frequent password-change policy, the administrator should insist that users create a strong password in the first place.

According to some unofficial statistics, about 20% of users use very simple or “easy-to-guess” passwords, e.g. “password”, date of birth, “123456”, “secret”, their city name, the last 4 digits of their NRIC, etc.

Here’s the password hacking time on an ordinary user’s workstation:

(Image: Password Hacking table)

If the hacker were to use a powerful workstation, it may be up to 1000 times faster!

Here are some good practices:

  1. Always use a strong password.
  2. Do not share or reveal the password to anyone.
  3. Never share a computer account if possible.
  4. Never use the same password for more than one account, or at least group them by category.
  5. Never write down the password.
  6. Never communicate your password over SMS, telephone, email or even instant messaging.
  7. Always log off the account and clear the cache.
  8. Immediately change the password once there is any suspicion that it may have been compromised.
  9. Never use the same password for your OS, applications and accounts.
  10. Make sure it is not easy to guess.

What’s a strong password?

  • At least 8 characters.
  • Combination of upper and lower case letters and digits.
  • Use special characters, e.g. @#%$^, if possible.
  • Never use a dictionary word.
  • Never use your special numbers, e.g. date of birth, identity card number, etc.
  • Never use an easily guessed word based on your personal information, e.g. your dog’s name, car number plate, etc.
  • Use a random password generator.
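As an added example (not from the original post), here is a small Python checker that encodes the rules above, together with a generator built on the standard secrets module. The word list and the sample usernames, names and personal details are constructed stand-ins; a real deployment would load a proper dictionary or breached-password list.

```python
import re
import secrets
import string

# Constructed stand-in for a real dictionary / blocklist (a deployment loads a large word list).
DICTIONARY = {"password", "secret", "welcome", "letmein", "dragon"}
SPECIALS = "@#$%^&*!?"


def check_password(pw, username="", real_name="", personal_info=()):
    """Return a list of policy violations; an empty list means the password passes.

    Rules follow the post: at least 8 characters, both upper and lower case letters,
    at least one digit, no dictionary word, nothing containing the username or real name,
    and no personal number (date of birth, ID number, plate) embedded in it.
    Special characters are recommended but not mandatory, so their absence is not a violation.
    """
    problems = []
    low = pw.lower()
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[a-z]", pw) or not re.search(r"[A-Z]", pw):
        problems.append("needs both upper and lower case letters")
    if not re.search(r"\d", pw):
        problems.append("needs at least one digit")
    if any(word in low for word in DICTIONARY):
        problems.append("contains a dictionary word")
    for label, value in (("username", username), ("real name", real_name)):
        # Each word of the name (3+ chars) must not appear anywhere in the password.
        if any(len(part) >= 3 and part in low for part in value.lower().split()):
            problems.append(f"contains the {label}")
    for info in personal_info:
        if not info:
            continue
        info_digits = re.sub(r"\D", "", info)          # e.g. "1990-05-17" -> "19900517"
        digit_runs = re.findall(r"\d{4,}", pw)         # 4+ digit runs inside the password
        if any(run in info_digits for run in digit_runs) or info.lower() in low:
            problems.append("contains personal information")
            break
    return problems


def generate_password(length=12):
    """Random password from letters, digits and specials, retried until it passes the policy."""
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):
            return candidate
```

Pass the user's login name, real name and any personal details you hold (date of birth, ID number) so the checker can reject passwords built from them, as the post recommends.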
