Strong Passwords – Cisco Security Tools
Security systems can rely on three things to prove a user is who they say they are: something they know, something they have, and something they are. Passwords and passphrases are something you know.
A password is a set of characters. A passphrase is a (longer) set of characters pronounceable as a phrase or sentence.
Password strength measures how easily a password can be guessed or discovered using a brute-force attack. A brute-force attack uses software to quickly guess thousands—or even millions—of possible passwords. Password strength is measured by calculating the number of entropy bits, or how many attempts a brute-force attack would need to try before discovering the password. Table 20-2 gives the entropy bits for several common password patterns.
Table 20-2—Password Strength
Once you get past easy-to-guess passwords, Table 20-2 shows that piling more symbols, uppercase, lowercase, and other randomness into a password does not make any further difference in its strength. What matters is that symbols are possible at all: the attacker must then try every possible symbol in every position of the password, which makes the entire password harder to discover.
Suppose you have a 10-character password with the following:
• One-third of the characters are set to uppercase letters.
• One-third of the characters are set to lowercase letters.
• One-third of the characters are set to numbers or symbols.
Compare this password to a 15-character password with the following:
• One character is an uppercase letter.
• One character is either a number or a symbol.
• The remaining 13 characters are lowercase letters.
Which password is more secure? The 15-character password.
Adding some symbols or variation will make the password harder to guess. Still, beyond a small amount of added randomness, further variation will not make a password more difficult to discover through a brute-force attack.
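The 10-character versus 15-character comparison above can be worked through numerically. The following is an added example, not part of the original text or any Cisco tool, and it makes two assumptions: the printable ASCII alphabet has 94 characters (26 upper, 26 lower, 10 digits, 32 symbols), and since 10 is not divisible by three, the "one-third each" split is taken as 4 uppercase, 3 lowercase and 3 digit-or-symbol characters. It computes entropy bits under two attacker models: the one the text uses (symbols are possible, so every position must be searched over the full alphabet) and a stricter one where the attacker also knows how many characters of each class the password holds but not where they sit. The guess rates in the timing section are constructed illustrations, not measurements.

```python
"""Entropy-bit estimates for the password comparison in the text (added example)."""
import math
from math import factorial
from typing import Dict

# Printable ASCII character classes; "symbol" is the 32 punctuation characters.
CLASS_SIZES = {"upper": 26, "lower": 26, "digit": 10, "symbol": 32}
CLASS_SIZES["digit_or_symbol"] = CLASS_SIZES["digit"] + CLASS_SIZES["symbol"]
FULL_ALPHABET = 26 + 26 + 10 + 32  # 94 characters


def entropy_uniform(length: int, alphabet_size: int = FULL_ALPHABET) -> float:
    """Bits an attacker must search when every position may hold any of
    `alphabet_size` characters (the 'symbols are possible' model in the text)."""
    return length * math.log2(alphabet_size)


def entropy_known_composition(counts: Dict[str, int]) -> float:
    """Bits when the attacker knows how many characters of each class the
    password contains but not their positions: arrangements x per-class choices."""
    length = sum(counts.values())
    arrangements = factorial(length)
    for n in counts.values():
        arrangements //= factorial(n)  # multinomial coefficient
    bits = math.log2(arrangements)
    for cls, n in counts.items():
        bits += n * math.log2(CLASS_SIZES[cls])
    return bits


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return 2.0 ** bits / guesses_per_second


# The two passwords from the text. Assumption: the 10-character "one-third
# each" split is taken as 4 upper, 3 lower, 3 digit-or-symbol.
TEN_CHAR = {"upper": 4, "lower": 3, "digit_or_symbol": 3}
FIFTEEN_CHAR = {"upper": 1, "lower": 13, "digit_or_symbol": 1}


def compare() -> Dict[str, float]:
    """Entropy bits of both passwords under both attacker models."""
    return {
        "10-char full alphabet": entropy_uniform(10),
        "15-char full alphabet": entropy_uniform(15),
        "10-char known composition": entropy_known_composition(TEN_CHAR),
        "15-char known composition": entropy_known_composition(FIFTEEN_CHAR),
    }


if __name__ == "__main__":
    for name, bits in compare().items():
        print(f"{name:28s} {bits:6.1f} bits")
    # Constructed guess rates: a rate-limited login form versus a stolen hash file.
    for bits in (40, 60, 100):
        online = seconds_to_exhaust(bits, 10)
        offline = seconds_to_exhaust(bits, 1e10)
        print(f"{bits:3d} bits: online {online:.3g} s, offline {offline:.3g} s")
```

Under both models the 15-character password comes out well ahead (roughly 98 versus 66 bits when the full alphabet must be searched, and roughly 79 versus 61 bits when the attacker knows the class counts), which is the text's point: length buys more than extra character classes once symbols are possible. The timing loop is the other half of the argument: the same 40 bits that hold up for years against a throttled login fall in seconds to an offline attack on a stolen password file.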
How secure should passwords be? This is not a good question to ask! Users should use the strongest password they can work with (there are human limits) and the system allows.
But, seriously, how secure should a password be? This depends on
• How many times within a period can an attacker try a password?
• How many times can an attacker try a password before the account is locked?
The faster an attacker can attempt a different guess, and the more times an attacker can try, the stronger the password needs to be. For systems that lock out users after three or four tries and can be accessed only via some application interface, a strength of around 40–60 entropy bits is probably currently sufficient.
If an attacker might take an entire password file to try guesses as quickly as possible, and there is no limit on the number of tries, the strength must be much higher—at least above 100.
Operators should consider any passwords stored in a file an attacker can take during a breach in this latter category.
Again, however, users should always use their strongest password, within human limitations. Some general guidelines include the following:
• Passwords should be at least eight characters long; longer is better.
• Avoid using the same password for two different systems.
• Avoid character repetition.
• Avoid using easy-to-guess information, even if you replace characters with numbers, symbols, etc.
Should users be forced to change their password periodically?
The primary reason for these requirements is to limit the damage an attacker can do with a compromised password.
Attackers using current attack methods can build back doors into most systems in just a few days, so the utility of short-lived passwords is widely questioned.
However, it is important to force users to change their passwords if a file of passwords—even encrypted ones—is taken in a data breach. Once an attacker has a copy of a user’s password in digital format, it is only a matter of time before they discover the password.
Human capacity has been mentioned several times. What does this mean? Humans are
• Poor at creating passwords with a complexity greater than about 40 entropy bits.
• Poor at remembering passwords with a complexity greater than about 40 entropy bits.
One way to counter these limitations is using an SSO system.
Using an SSO system is not possible in all situations.
Using a password manager is the primary way to counter human password limitations. Each system a user accesses can be assigned a different password, randomly generated to have the highest strength possible. A user can have hundreds of passwords, one for each system they access, all high strength, and none repeated.
What about creating a password to unlock the password manager? One common technique is to use a long passphrase.
Nonsense phrases are often perfect. The process might look something like this:
• Choose three or four words, creating a phrase that makes no sense but is still easy to remember.
• Separate the words with a symbol character or number.
• Add in a couple of capital letters at easy-to-remember places in the phrase.
This process often results in a very hard-to-guess and strong passphrase. The longer the phrase, the stronger the passphrase will be.
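The three-step passphrase process above can be automated so that every choice is made by a cryptographic random source rather than by habit, and so that the resulting strength can be accounted for honestly. The following is an added example, not part of the original text; the 64-word list, the separator set, and the function names are all constructed for this illustration. The entropy function assumes an attacker who knows the word list, the separator set, and how many words and capitals were used, so it credits only the choices the attacker cannot predict.

```python
"""Passphrase generator following the three steps in the text, with entropy accounting (added example)."""
import math
import secrets
from math import comb

# Constructed 64-word list so the example runs offline. A real list (for
# example a diceware-style list of 7776 words) is far larger; the entropy
# estimate below grows with the list size, not with which words are picked.
WORDS = ("apple banana candle dragon ember falcon garden harbor island jacket "
         "kettle lantern meadow needle orange pepper quartz river saddle timber "
         "umbrella velvet walnut yellow zipper anchor basket cactus dolphin engine "
         "feather glacier hammer iron jungle kernel ladder marble nickel oyster "
         "pillow quiver rocket silver tunnel unicorn violin window yogurt zebra "
         "acorn bridge copper desert eagle forest granite helmet ivory jasmine "
         "kayak lemon magnet nutmeg").split()
SEPARATORS = "!@#$%^&*-_=+0123456789"  # constructed set of symbol/digit separators


def make_passphrase(n_words: int = 4, n_caps: int = 2, words=WORDS, seps=SEPARATORS) -> str:
    """Step 1: pick n_words random words; step 2: join them with one random
    separator; step 3: capitalise n_caps randomly chosen letters.
    Every choice comes from the OS random source via `secrets`."""
    chosen = [secrets.choice(words) for _ in range(n_words)]
    phrase = secrets.choice(seps).join(chosen)
    letter_positions = [i for i, c in enumerate(phrase) if c.isalpha()]
    caps = set(secrets.SystemRandom().sample(letter_positions, n_caps))
    return "".join(c.upper() if i in caps else c for i, c in enumerate(phrase))


def passphrase_entropy(n_words: int, n_caps: int, n_letters: int,
                       wordlist_size: int = len(WORDS), n_seps: int = len(SEPARATORS)) -> float:
    """Entropy bits of the process, assuming the attacker knows the word list,
    the separator set and the counts: word choices + separator + capital positions."""
    return (n_words * math.log2(wordlist_size)
            + math.log2(n_seps)
            + math.log2(comb(n_letters, n_caps)))


if __name__ == "__main__":
    p = make_passphrase()
    letters = sum(c.isalpha() for c in p)
    print(p)
    print(f"with this {len(WORDS)}-word list: {passphrase_entropy(4, 2, letters):.1f} bits")
    print(f"with a 7776-word list:          {passphrase_entropy(4, 2, letters, 7776):.1f} bits")
```

Running it shows where the strength actually comes from: four words from the toy list give only about 24 bits, and the separator and two capitals add roughly 12 more, whereas four words from a 7776-word list contribute about 52 bits on their own. Adding a fifth or sixth word raises the figure far more than any amount of extra capitalisation, which is the "longer is stronger" rule stated above.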
A second method people often use is
• Write down a sentence of 10 to 15 words. Make certain this sentence is easy to remember.
• Take a pattern of letters from each word, such as the first letter, the first two letters (for shorter sentences), the second letter of each word, etc.
• Capitalize one or two of these letters.
• Add some numbers someplace within the letters or replace one or two of the letters with numbers or symbols.
This process creates an easier-to-remember password of around 15 characters.