Article by Jill Liles
The problem of weak, guessable security passwords isn’t a new one, but it’s not going away.
In fact it’s getting worse, despite pleading from IT professionals to choose tough-to-guess passwords. Workers are still disconcertingly likely to come up with something like “password1!” or simply attach a few numbers like “123,” to the end of a word.
As users have to create several passwords for different systems and change them every 60 or 90 days, it’s little wonder they default to the least complicated password their systems allow and make only minor variations when forced to change them.
Unfortunately, such passwords are easy to guess. At the other end of the scale are passwords software programs randomly generated, which are difficult for users to remember (leading them to write these passwords down which defeats the effort).
In a recent paper coauthored by Cisco, Florida State University, and Redjack LLC, researchers examined how different password requirements affect password strength — such as requiring a minimal password length or the addition of a special character.
The researchers discovered that such policies usually don’t provide greater security since hackers are well-versed in these tactics and can use them to guess passwords and access accounts.
For instance, hackers know that when users are required to use a special character in a password, they can simply append that character to the end of the password.
A better practice say the researchers, is an external password creation tool that changes a password after it’s created to add a guaranteed amount of randomness — for example, adding two random digits to the end of a password.
This allows users to choose a password that they are likely to remember while making it difficult for hackers to guess.
Another option is to implement a “judgmental” password policy which will reject a password instantly based on its estimated strength and suggest a stronger one.
Or administrators could implement password protection software, which lets users remember only one strong master password, leaving the application to store encrypted passwords.
Excerpted and adapted from the Cisco 2010 Annual Security Report
Cross-posted from Global Knowledge