<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Lithik Systems &#187; passphrase</title>
	<atom:link href="http://www.lithik.com/tag/passphrase/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.lithik.com</link>
	<description>Transforming businesses by bending technology to the will of our clients</description>
	<lastBuildDate>Thu, 26 Jan 2012 15:28:04 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Creating Good Passwords</title>
		<link>http://www.lithik.com/2009/08/04/creating-good-passwords/</link>
		<comments>http://www.lithik.com/2009/08/04/creating-good-passwords/#comments</comments>
		<pubDate>Tue, 04 Aug 2009 16:35:37 +0000</pubDate>
		<dc:creator>Karl Fox</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[good password]]></category>
		<category><![CDATA[good passwords]]></category>
		<category><![CDATA[guess]]></category>
		<category><![CDATA[length]]></category>
		<category><![CDATA[memorable]]></category>
		<category><![CDATA[pass phrase]]></category>
		<category><![CDATA[passphrase]]></category>
		<category><![CDATA[password]]></category>
		<category><![CDATA[passwords]]></category>
		<category><![CDATA[rainbow tables]]></category>
		<category><![CDATA[scope]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[sentence]]></category>

		<guid isPermaLink="false">http://www.lithik.com/?p=299</guid>
		<description><![CDATA[The keys to good password hygiene are: Making them hard to guess, Never writing them down, Limiting the scope of passwords, and Limiting the ability of an attacker to make repeated guesses. Password Complexity A recent study on password memorability and security uncovered two surprising results: The most important factor in the security of passwords [...]]]></description>
			<content:encoded><![CDATA[<p>The keys to good password hygiene are:</p>
<ul>
<li>Making them hard to guess,</li>
<li>Never writing them down,</li>
<li>Limiting the scope of passwords, and</li>
<li>Limiting the ability of an attacker to make repeated guesses.</li>
</ul>
<h2>Password Complexity</h2>
<p>A recent study on password memorability and security uncovered two surprising results:<br />
<span id="more-299"></span></p>
<ul>
<li>The most important factor in the security of passwords is consistency—implementing technical controls to enforce password quality.</li>
<li>So-called “passphrase” passwords are equal in quality to completely random passwords, yet are no more difficult to remember than any other user-chosen password.</li>
</ul>
<p>Good passwords (those that are least vulnerable to password cracking attacks) utilize the full spectrum of allowable characters (capital and lower-case letters, numbers and symbols) and are long enough to force password crackers to use their slowest “brute force” technique.</p>
<h2>Memorable Passwords</h2>
<p>“Passphrase” passwords meet both of these requirements. To create one, just choose a memorable sentence and make it your password. Windows considers the space character to be a special character, so setting your password to “I love the Buckeyes!” meets the Windows password complexity requirement, gives you a password 20 characters long, and declares your allegiance just as well as “goBUCKS!” without falling to a password cracker in the first two seconds.</p>
<p>If your computer system limits you to relatively short passwords (say, 8 or 10 characters), or if you are a two-finger typist, take a simple sentence, assemble the first letters from each word in the sentence (as with an acronym), including appropriate capitalization and punctuation, then modify the new password slightly using numbers or special characters. For example, the phrase, “Obama declares nuclear war; details at 11” might be entered as “Odnw;d@11” which looks like a random password, yet is easy to remember. Similarly, the phrase, “It’s noon and I am hungry” could be typed in as “It’s12&amp;Iah.” Unlike random passwords, passwords of this style are not any harder to memorize than shorter ones.</p>
<h2>Length is Key</h2>
<p>The power tools used by the bad guys can make quick work of password hash files these days, but choosing a password at least 15 or 16 characters long can move the advantage back to your side.</p>
<p><a href="http://en.wikipedia.org/wiki/Rainbow_table">Rainbow tables</a> can crack any password hash up to the length limit of the table in a very short time. Since these tables grow exponentially large with the password length, there are probably few or no existing rainbow tables (yet!) for passwords longer than 15 or 16 characters.</p>
<p>Additionally, traditional Windows password crackers such as <a href="http://en.wikipedia.org/wiki/John_the_Ripper">John the Ripper</a> typically only crack the <a href="http://en.wikipedia.org/wiki/LM_hash">LAN Manager hash</a>, a relatively insecure password storage method that can only handle passwords 14 characters long or shorter. Choosing a 15-character password forces the hacker to resort to the more esoteric and less computationally efficient NTLM (MD4) password hash algorithm. Knowing this, you can make the bad guy’s job a whole lot harder by <a href="http://support.microsoft.com/?kbid=299656">not storing the LAN Manager hash of your password</a> in the first place.</p>
<h2>Password Scope and Availability</h2>
<p>Even with an excellent password, however, an attacker can still break in if he has the opportunity (and patience) to make a hundred billion guesses at your password. It is also critically important to:</p>
<ol>
<li>Limit the number of failed password attempts, or at least limit the rate, and</li>
<li>Log repeated failures so that action can be taken.</li>
</ol>
<p>Similarly, choosing excellent passwords has little value if you use the same password for your business VPN and your Facebook or Amazon account. A hacker who manages to gain access to all of Amazon’s account holders is very quickly going to see if the user foxk@lithik.com with the password H@rd2gess has VPN access to lithik.com with username foxk and the same password. This type of attack is easily automated across thousands of stolen passwords.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.lithik.com/2009/08/04/creating-good-passwords/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

