As the CEO of a company that specializes in securing the privileged account passwords that control access to an organization’s confidential data, I field a lot of questions about passwords. What makes a suitably strong password? Why have so many passwords been so easy to crack? And, is real password security even possible?
So here’s a primer on passwords, how to effectively secure them, and what alternatives to passwords – if any – exist.
Think of a password as a secret shared between you and the computer. When a user account is created, someone (either you or an IT administrator where you work) enters the password into the operating system, and the typed-in password is run through a one-way function and stored as a value known as a hash.
The purpose of a hash is to destroy the information needed to reconstruct the password. A computer can use the hash to efficiently verify the password, but it should be difficult for anyone to figure out the password based on the hash alone.
Cracking passwords is difficult, but not impossible. While the hash does destroy the information needed to reconstruct a password, password cracker tools exist which can take large numbers of words, generate the corresponding hashes, and compare these to the hash value stored on your system.
These password crackers use techniques known as dictionary attacks, which take lists of common terms in major languages (or files of their precomputed hashes) and compare each hash against the stored one, or brute force attacks, where every possible combination of characters is tried. Many programs combine dictionary and brute force attacks by appending a number to each word or by replacing characters (e.g. changing E to 3, T to 7, etc.).
Crackers also make use of common password lists. Since many users tend to rely on a lot of the same passwords (“123456”, “qwerty” and, of course, “password”) cracker programs are typically successful in cracking passwords that use these weak words or phrases.
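The storage-and-verification step described above, as an added example that is not from the original article: a per-user random salt and a deliberately slow key derivation (PBKDF2 here) mean two users with the same password get different stored hashes, so a precomputed file of hashes for common words matches neither. The iteration count and the function names are my own choices.

```python
"""Added example (not from the original article): storing a password as a
salted, slow hash and verifying a login attempt against it."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Iteration count is an assumption for this example; use your platform's
# current recommendation in production.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, hash). A fresh random 16-byte salt is drawn if none is supplied."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(candidate: str, salt: bytes, stored: bytes) -> bool:
    """Recompute the hash from the candidate with the stored salt and compare
    in constant time, so timing does not leak how many bytes matched."""
    _, digest = hash_password(candidate, salt)
    return hmac.compare_digest(digest, stored)


def salts_give_distinct_hashes(password: str) -> bool:
    """Two accounts with the same password end up with different salts and
    different hashes; a lookup file built for one tells nothing about the other."""
    salt_a, hash_a = hash_password(password)
    salt_b, hash_b = hash_password(password)
    return salt_a != salt_b and hash_a != hash_b


def fast_unsalted_hash(password: str) -> str:
    """The weak scheme the article's cracker tools target: one fast hash and no
    salt, so the same word always yields the same value and a precomputed
    file of hashes for common terms can be matched directly."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    salt, stored = hash_password("correct horse battery staple")  # constructed sample
    print(verify_password("correct horse battery staple", salt, stored))  # True
    print(verify_password("password", salt, stored))                      # False
    print(salts_give_distinct_hashes("password"))                         # True
```

Only the salt and the hash are stored; the password itself never is, which is the "destroy the information" property the article describes.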
The Unbreakable Password
So, if you want to defend against today’s cracker tools, is there such a thing as unbreakable passwords? As a matter of fact, yes there is, and it’s actually easy to create them.
Passwords that are not in a dictionary, are longer than 14 characters, and include uppercase and lowercase letters, numbers, and punctuation are normally secure. Unfortunately, such complex passwords can be difficult to remember. Some users resort to writing them down on sticky notes and pasting them to the front of their monitors. So much for security.
Password Management Software
Rather than creating their own passwords, some people opt for software that automates the process. There are some good tools that do this, but in some ways creating your own passwords using long phrases is superior to randomly generated passwords, as long as you can create a unique phrase that only you understand (e.g. no common lines from movies such as “I’ll be back”). If you don’t want to be creative and absolutely must have the shortest secure password, then a password generator could be a good idea.
Local devices, like vaults, offer another convenient way to store passwords and, in some cases, automatically type passwords for the many different systems you may use. Another option is to use a cloud service to store your passwords.
Of course, the first bit of advice I’d offer is to back up your passwords in case you lose your hardware storage device or your cloud-based supplier goes out of business. You should also consider how much you trust a cloud provider with your passwords, and you should weigh the possibility that someone could compromise your cloud account and access your passwords.
Commercial, locally hosted solutions can automatically generate, store and retrieve those passwords that fall outside the control of an organization’s identity and access management (IAM) systems. These solutions, known as privileged identity management, provide unique credentials for each privileged account in the organization for one-time, temporary use. The generated passwords can be up to 127 characters long – containing letters, numbers, and punctuation – so they are practically uncrackable by any technology.
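As an added example (not code from the original article or from any product it mentions), here is a registration-time check that enforces the criteria given under “The Unbreakable Password” (longer than 14 characters; uppercase, lowercase, digits and punctuation; not a dictionary word, even after the E-to-3 style substitutions and appended digits the crackers try), together with a generator of the kind discussed in this section that draws from the operating system’s random source and only returns a password that passes the same check. The common-word list and the substitution table are constructed for the example; a real deployment would load a full dictionary and common-password list.

```python
"""Added example (not from the original article): password policy check that
undoes common substitutions, plus a generator that satisfies the policy."""
import secrets
import string
from typing import List

# Constructed stand-in for a real dictionary / common-password list.
COMMON_WORDS = {"password", "qwerty", "123456", "letmein", "welcome", "dragon"}

# Reverse the substitutions the article describes (E -> 3, T -> 7, ...) so
# that "P@ssw0rd1" is still recognised as "password".
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def normalize(password: str) -> str:
    """Strip appended digits/punctuation, lower-case, and undo leet substitutions."""
    stripped = password.rstrip(string.digits + string.punctuation) or password
    return stripped.lower().translate(LEET_MAP)


def is_common(password: str) -> bool:
    """True if the password, or its disguised base word, is on the common list."""
    return password.lower() in COMMON_WORDS or normalize(password) in COMMON_WORDS


def check_policy(password: str) -> List[str]:
    """Return the list of rules the password fails; an empty list means it passes."""
    problems = []
    if len(password) <= 14:
        problems.append("must be longer than 14 characters")
    if not any(c.isupper() for c in password):
        problems.append("needs an uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("needs a lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("needs a digit")
    if not any(c in string.punctuation for c in password):
        problems.append("needs punctuation")
    if is_common(password):
        problems.append("is a common password or a disguised form of one")
    return problems


def generate_password(length: int = 24) -> str:
    """Draw characters from the OS CSPRNG until the result passes the policy
    (a random string of this length nearly always does on the first try)."""
    if length <= 14:
        raise ValueError("policy requires more than 14 characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_policy(candidate):
            return candidate


if __name__ == "__main__":
    # Constructed samples: a disguised common word and a passing passphrase.
    print(check_policy("P@ssw0rd12345!!"))           # ['is a common password or a disguised form of one']
    print(check_policy("Tr0ub4dor&3 Horse-Staple"))  # []
    print(generate_password(32))
```

The normalization runs before the lookup so that substitutions and a trailing number do not turn a dictionary word into a “complex” password; the remaining rules are the ones the article lists, unchanged.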
Today there is no realistic alternative to passwords because almost every application and operating system uses them. Options do exist – such as smartcards, biometrics, tokens, fobs, and a host of devices that plug in, scan you, or are accessed wirelessly. None of these are widely used as a de facto standard, though some of these technologies are a lot of fun to play with.
So for now, at least, it appears that passwords are our best method for secure system access. But it would be wise to remember the old adage, “you’re only as secure as your weakest link”. Or perhaps your weakest password.