Problem

Short, guessable passwords represent a serious security risk to your servers and the services that run on them. You want a reliable system for creating sufficiently strong passwords or passphrases, and a way to manage them.

Solution

Generating strong passwords or passphrases is one of the most important things you can do to protect your servers and data. Here are some basic properties of a good passphrase:
To generate sufficiently strong passphrases you can use the Diceware method, which selects components of a passphrase randomly using dice. Here's how it works:
Notice that this command produces a passphrase that is 23 characters long, yet easy to remember. You can repeat this process for all the various systems that need strong passwords. The point of making them easy to memorize is to keep you from ever writing them down. However, most developers have dozens of passwords to keep track of. This reality pushes people to reuse the same password on many systems or to write down the password for each one. One solution is a password manager, a program that stores and organizes all your passwords in an encrypted database. These programs require a single master password for access, and usually let you organize usernames and passwords into groups. Good examples are KeePass (Windows) and KeePassX (a cross-platform port of KeePass). Figure 11-1 shows how KeePassX can help you manage a large amount of authentication information in one secure place.

Figure 11-1. The KeePassX password manager

If you use a password manager, the strength of the master password is critical to the security of every system whose credentials you store in it: anyone who obtains a copy of the database file can attack the master password offline, at their leisure, so it deserves more care than any single account password. Also, always make backups of the database used by your password manager in case of disk failure or data loss.

Discussion

A passphrase is used like a password, but is generally longer for added security. The natural tendency is to choose passwords that are short and therefore easy to remember and type. Many people simply don't realize how advanced password-cracking software has become, and how quickly modern hardware can recover short passwords by brute force. The solution describes a system for choosing long yet memorable passphrases that will go a long way toward making your servers, services, and applications more secure. Password strength can mean different things depending on the context in which the password is used.
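To make the Diceware selection from the Solution concrete, here is a small Python implementation. It is an added example, not the book's own command: it rolls the five dice with the operating system's CSPRNG (the software equivalent of physical dice), looks each roll up in a Reinhold-format word list (lines of the form `11111<tab>word`, which is what the file at https://theworld.com/~reinhold/diceware.wordlist.asc contains), and then works out the entropy of the resulting phrase and how long an exhaustive search would take. The word list used below is a constructed stand-in with placeholder words so the script runs offline; the 10^12 guesses-per-second attacker is likewise an assumed model, not a figure from the page.

```python
import itertools
import math
import re
import secrets

# One Diceware word per 5-dice roll: 6**5 = 7776 keys, "11111" .. "66666".
LIST_SIZE = 6 ** 5
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def parse_wordlist(text):
    """Parse Reinhold-format lines ('NNNNN<whitespace>word') into {key: word}.

    Lines that do not start with five digits 1-6 (headers, PGP armour,
    blank lines) are skipped.
    """
    words = {}
    for line in text.splitlines():
        m = re.match(r"^([1-6]{5})\s+(\S+)\s*$", line)
        if m:
            words[m.group(1)] = m.group(2)
    return words


def roll_key(rng):
    """Roll five dice and return the lookup key, e.g. '35261'.

    rng must provide randrange(); secrets.SystemRandom() is the CSPRNG
    stand-in for physical dice. Never use a seeded random.Random here.
    """
    return "".join(str(rng.randrange(1, 7)) for _ in range(5))


def generate_passphrase(words, n_words=6, rng=None):
    """Pick n_words words by independent dice rolls and join them with spaces.

    Refuses an incomplete list: choosing from a partial list would change
    the word distribution and invalidate the entropy calculation.
    """
    if len(words) != LIST_SIZE:
        raise ValueError(f"word list has {len(words)} entries, expected {LIST_SIZE}")
    rng = rng or secrets.SystemRandom()
    return " ".join(words[roll_key(rng)] for _ in range(n_words))


def entropy_bits(n_words, list_size=LIST_SIZE):
    """Entropy of a passphrase of n_words words drawn uniformly from list_size."""
    return n_words * math.log2(list_size)


def expected_crack_years(bits, guesses_per_second):
    """Expected time to find the phrase by exhaustive search, in years.

    Assumes the attacker knows the word list and the word count (so only
    the dice rolls are secret) and on average needs half the keyspace.
    """
    return 2 ** (bits - 1) / guesses_per_second / SECONDS_PER_YEAR


# Constructed stand-in for the real list so the example runs offline:
# every key maps to a placeholder word. For real use, build this dict with
# parse_wordlist() over the downloaded diceware.wordlist.asc instead.
SAMPLE_WORDS = {
    "".join(rolls): "w" + "".join(rolls)
    for rolls in itertools.product("123456", repeat=5)
}


if __name__ == "__main__":
    print("passphrase:", generate_passphrase(SAMPLE_WORDS))
    for n in (4, 5, 6):
        bits = entropy_bits(n)
        # 1e12 guesses/s is an assumed attacker model (a GPU cluster against a
        # fast, unsalted hash); a slow KDF such as bcrypt lowers it by orders
        # of magnitude, while a leaked plaintext list makes it irrelevant.
        years = expected_crack_years(bits, 1e12)
        print(f"{n} words: {bits:5.1f} bits, about {years:.2g} years at 1e12 guesses/s")
```

Each word contributes log2(7776), roughly 12.9 bits, so at the assumed rate a 4-word phrase (51.7 bits) falls in about half an hour, a 5-word phrase in a few months, and a 6-word phrase (77.5 bits) in a few thousand years. That is why the method's security rests entirely on the dice: the word list is public, and only the rolls are secret.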
One factor in gauging a password's strength is how long an attacker has to crack it before the information it protects no longer needs securing. It doesn't matter if a password is cracked after the data it protects has ceased to be valuable. Another factor is the value of the information being protected. A database containing hundreds of thousands of credit card numbers is worth a lot of money, and someone who wants to steal those numbers will be willing to go to great lengths. Systems that access valuable data like this need very strong passwords, as well as other protections. On the other hand, a WEP key protecting your home wireless network may not be worth a serious password-cracking effort (and WEP itself is cryptographically broken, so its key can be recovered regardless of how strong it is).

See Also