Friday, February 20, 2009

The Importance of a Strong Password

I can’t emphasize enough how important creating a strong password is. Lots of people have easy-to-remember passwords that are just not secure. The most notable ones are bank PIN numbers. The difference there is that you also have to physically have the card to use the PIN; in an environment where you only have a username and password, the password is super important. It’s quite likely that your username is right there in your email address, so the password is all that keeps those hackers out.

If you like the idea of having something “physical” that you are required to have with you, you can add these technologies to Windows Small Business Server. Using 3rd party software, you can either take advantage of the SmartCard authentication built right into Windows, or use something designed specifically for SBS, called Auth Anvil, which requires you to have a fob showing a random number when logging into Remote Web Workplace.

If a low-cost solution is required, you can jack up the password policy requirements on your network and require users to have super strong passwords. Below is the password policy out of the box with Windows Small Business Server 2008.


You can change how often the password needs to change, which counters brute force attacks (as those usually take time), and change the minimum number of characters. When you enable password complexity requirements, you’re forcing the following:

  1. Not containing the user’s account name or parts of the user’s full name that exceed 2 consecutive characters
  2. Containing characters from the following categories:
    1. English uppercase letters A-Z
    2. English lowercase letters a-z
    3. Base 10 digits 0-9
    4. Non-alphabetic characters (e.g. !, $, #, %)

The trick, of course, is to educate your end users so they can actually remember these passwords.

Microsoft has a great article, Strong Passwords: How to Create and Use Them. Creating (and remembering) a strong password is far easier than you think. Microsoft calls out these 5 easy steps:

  1. Think of a sentence that you can remember. This will be the basis of your strong password or pass phrase. Use a memorable sentence, such as "My son Aiden is three years old."
  2. Check if the computer or online system supports the pass phrase directly. If you can use a pass phrase (with spaces between characters) on your computer or online system, do so.
  3. If the computer or online system does not support pass phrases, convert it to a password. Take the first letter of each word of the sentence that you've created to create a new, nonsensical word. Using the example above, you'd get: "msaityo".
  4. Add complexity by mixing uppercase and lowercase letters and numbers. It is valuable to use some letter swapping or misspellings as well. For instance, in the pass phrase above, consider misspelling Aiden's name, or substituting the word "three" for the number 3. There are many possible substitutions, and the longer the sentence, the more complex your password can be. Your pass phrase might become "My SoN Ayd3N is 3 yeeRs old." If the computer or online system will not support a pass phrase, use the same technique on the shorter password. This might yield a password like "MsAy3yo".
  5. Finally, substitute some special characters. You can use symbols that look like letters, combine words (remove spaces) and other ways to make the password more complex. Using these tricks, we create a pass phrase of "MySoN 8N i$ 3 yeeR$ old" or a password (using the first letter of each word) "M$8ni3y0".
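To tie the complexity rules listed earlier to Microsoft's five steps, here is an added example (not code from the original post, Microsoft, or SBS) that applies those rules to the sample passwords from the procedure. The account name and full name are constructed placeholders; the 8-character minimum is an assumed policy value, since the post does not quote the SBS 2008 default, and the "three of four categories" threshold is the Windows complexity rule rather than something the post states.

```python
"""Added example: apply Windows-style password complexity rules to the
sample passwords produced by Microsoft's five-step procedure."""
import re
import string

# Constructed sample identity; any real account name and full name would do.
ACCOUNT_NAME = "aiden.smith"
FULL_NAME = "Aiden Smith"
# Assumed policy values (not quoted in the post): minimum length, and the
# Windows rule that a password must draw from three of the four categories.
MIN_LENGTH = 8
REQUIRED_CATEGORIES = 3


def name_fragments(account_name, full_name):
    """Tokens a password must not contain: the account name, plus each part of
    the full name (split on common delimiters) that exceeds two characters."""
    fragments = set()
    if len(account_name) > 2:
        fragments.add(account_name.lower())
    for part in re.split(r"[\s,.\-_#]+", full_name):
        if len(part) > 2:
            fragments.add(part.lower())
    return fragments


def character_categories(password):
    """Which of the four complexity categories the password draws from."""
    return {
        "uppercase": any(c in string.ascii_uppercase for c in password),
        "lowercase": any(c in string.ascii_lowercase for c in password),
        "digit": any(c in string.digits for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }


def check_complexity(password, account_name=ACCOUNT_NAME, full_name=FULL_NAME,
                     min_length=MIN_LENGTH, required=REQUIRED_CATEGORIES):
    """Return the list of rules the password fails; an empty list means it passes."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    lowered = password.lower()  # the name check is case-insensitive
    for fragment in sorted(name_fragments(account_name, full_name)):
        if fragment in lowered:
            failures.append(f"contains name fragment '{fragment}'")
    present = [name for name, hit in character_categories(password).items() if hit]
    if len(present) < required:
        failures.append(f"uses {len(present)} of 4 character categories, need {required}")
    return failures


def initials_password(sentence):
    """Step 3 of the procedure: the first letter of each word, as a nonsense word."""
    return "".join(word[0].lower() for word in re.findall(r"[A-Za-z0-9]+", sentence))


if __name__ == "__main__":
    sentence = "My son Aiden is three years old."
    print(initials_password(sentence))
    candidates = ["msaityo", "MsAy3yo", "M$8ni3y0", "Aiden2009!",
                  "My SoN Ayd3N is 3 yeeRs old."]
    for candidate in candidates:
        failures = check_complexity(candidate)
        print(f"{candidate!r}: {'passes' if not failures else '; '.join(failures)}")
```

Running it shows why the later steps matter: the plain initials "msaityo" fail both the length and the category rules, "MsAy3yo" now has three categories but is still one character short of an 8-character minimum, and only the final "M$8ni3y0" (or the full pass phrase) clears every rule. The constructed "Aiden2009!" is there to show the name-fragment rule rejecting a password that would otherwise look complex.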

If you want Microsoft to check how secure your password is, you can use its handy password checker. I would recommend going for at least a password that gets a Strong or Best green rating. Weak passwords are usually compromised easily, either by brute force attacks or simply by someone knowing a bit about you.