Appendix B -- Strong Passwords

Strong passwords make for more secure environments. Even the most secure system will break if the weakest link is an easy-to-guess administrator password. Following the rules in this appendix will help make your system more secure.

Brute-Force Attacks and Dictionary-Based Attacks

Passwords are susceptible to brute-force and dictionary attacks. The former is when an attacker attempts every single valid password. This can be extremely time-consuming, but given enough time the attacker will determine the password. Dictionary attacks are more clever. Rather than trying every possible password, an attacker tries words in a dictionary, hoping that the user has chosen a poor password based on a common word.

The recommendations in this appendix will substantially increase the time required for a brute-force attack to succeed and will render dictionary attacks harmless. If you follow these recommendations, the chances are good that you will have changed your password many times over by the time the attacker determines what the password is (was)!

We recommend that you follow these rules regarding passwords:

  • Enforce password policy through Group Policy and/or Local Policy.
  • Enforce a reasonable account lockout policy to defeat brute-force or dictionary attacks. For example, you might decide that an account is locked out for 15 minutes after five invalid password attempts.
  • Passwords should be at least seven characters long.
  • Passwords should contain characters from all four of the classes described in Table B-1.
  • At least one character between the second and sixth positions should be a symbol. This helps defeat some password-guessing programs.
  • The password should be appreciably different from previous passwords.
  • The password should not contain your name, a derivative of your name, or any common word.
  • Never share the password with anyone.
  • Do not write the password down.
  • Change the password if you suspect the password has been compromised.
  • Do not enable any functionality to save a password.

Table B-1. Classes of characters for use in passwords.

  Class              Description                               Example
  Uppercase letters  Uppercase roman letters                   A-Z
  Lowercase letters  Lowercase roman letters                   a-z
  Numbers            All valid Arabic numerals                 0-9
  Symbols            All other characters not already defined  !@#$%^&*()_+=-<.,.?/'~'";:[]{}\|
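The rules listed above and the classes in Table B-1 can be turned into a password-acceptance check, for example as part of a registration form or a helpdesk reset tool. The following is an added illustration, not code from the book; the similarity threshold for "appreciably different" (0.6) and the use of string.punctuation as the symbol class are assumptions, and the user name, previous password and common-word inputs are constructed sample values.

```python
import string
from difflib import SequenceMatcher

# Character classes from Table B-1; anything printable that is not a letter
# or digit is treated as a symbol (string.punctuation, 32 characters - assumed).
CLASS_SIZES = {"upper": 26, "lower": 26, "digit": 10, "symbol": len(string.punctuation)}

def char_class(c):
    """Map one character onto the four Table B-1 classes."""
    if c in string.ascii_uppercase:
        return "upper"
    if c in string.ascii_lowercase:
        return "lower"
    if c in string.digits:
        return "digit"
    return "symbol"

def brute_force_candidates(password):
    """Size of the space a brute-force attacker who already knows the length
    and the classes in use must search: (sum of class sizes) ** length."""
    alphabet = sum(CLASS_SIZES[k] for k in {char_class(c) for c in password})
    return alphabet ** len(password)

def check_password(password, user_name="", previous=(), common_words=(), max_similarity=0.6):
    """Return the list of appendix rules the password breaks (empty list = passes).
    max_similarity is an assumed threshold for 'appreciably different'."""
    problems = []
    if len(password) < 7:
        problems.append("shorter than seven characters")
    missing = set(CLASS_SIZES) - {char_class(c) for c in password}
    if missing:
        problems.append("missing character class: " + ", ".join(sorted(missing)))
    # "between the second and sixth positions" is 1-based, i.e. indices 1..5
    if not any(char_class(c) == "symbol" for c in password[1:6]):
        problems.append("no symbol in positions two to six")
    lowered = password.lower()
    if user_name and (user_name.lower() in lowered or user_name.lower()[::-1] in lowered):
        problems.append("contains the user name or its reverse")
    for word in common_words:
        if word.lower() in lowered:
            problems.append(f"contains the common word {word!r}")
    for old in previous:
        if SequenceMatcher(None, password, old).ratio() >= max_similarity:
            problems.append("not appreciably different from a previous password")
            break
    return problems

if __name__ == "__main__":
    for pw in ("Secret1!", "Tr&ub4d0r!", "p@55W0rd-x"):
        print(pw, check_password(pw, user_name="bob", previous=["Tr&ub4d0r1"]) or "OK")
```

A substring check for the user name catches only the plainest derivatives; real policy engines also test spelling variants and digit substitutions.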


Designing Secure Web-Based Applications for Microsoft Windows 2000 with CDROM
Year: 1999
Pages: 138