Passwords

Passwords demonstrate the authentication attribute "something the subject knows": a password correlates an authorized user with the network resources that user is permitted to access, and so can be used to authenticate that user to those resources.

Passwords can be a problem in secure environments because users try to do what is easiest for them. Password policies and procedures must be created and enforced if password authentication is used as a credible security measure. These password policies and procedures should specify the use of strong, nondictionary passwords that are changed often. They should clearly state that passwords should never be shared and never posted where they can be easily found (such as on a monitor or wall or hidden under a keyboard).

Implementing Strong Password Policies

In a dictionary attack, an attacker tries to guess a user's password (to gain network access) by trying every "word" in a dictionary of common passwords, or combinations of such words. The attack relies on the fact that a password is often a common word, name, or concatenation of words or names with only a minor modification, such as a trailing digit or two.

Instructing users to select strong passwords is one of the most effective means to mitigate the possibility of a successful dictionary attack. On a Windows host, it is possible to implement password complexity rules to force users to choose strong passwords, which are more difficult for hackers to determine. Some characteristics of a strong password include the following:

■ It is a minimum of ten characters

■ It is a mixture of uppercase and lowercase letters

■ It contains at least one numeric character (0-9) or nonalphanumeric character (for example, !#@&)

■ It has at least one special character within the password—not at the beginning or end

■ It is a word that is not found in a dictionary (domestic or foreign)

The following are two examples of strong passwords and how they were derived (and therefore how they can be remembered):

■ 4yosc10cP!, from "For your own safety, choose ten-character password!"

■ cnw84Fri*YAD, from "Cannot wait for Friday."
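The checker below is an added example (not from the original sidebar or from Cisco) that applies the strength characteristics listed above to a candidate password and also catches the "dictionary word plus a trailing digit or two" pattern that dictionary attacks rely on. It assumes a small constructed word list in place of a real common-password dictionary, and it interprets "special character within the password" as any non-letter (digit or symbol) that is not the first or last character.

```python
import string

# Constructed stand-in for a real common-password wordlist (assumption:
# a deployment would load a full list from a file instead).
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "monkey", "dragon"}

MIN_LENGTH = 10


def _dictionary_hit(password: str) -> bool:
    """True if the password is a dictionary word, possibly with the 'minor
    modification' a dictionary attack expects: digits or symbols tacked onto
    either end (for example, 'Welcome2024!' reduces to 'welcome')."""
    lowered = password.lower()
    base = lowered.strip(string.digits + string.punctuation)
    return lowered in COMMON_WORDS or base in COMMON_WORDS


def check_password(password: str) -> list[str]:
    """Return the list of policy rules the password violates (empty list = strong)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        failures.append("needs both uppercase and lowercase letters")
    if not any(c.isdigit() or not c.isalnum() for c in password):
        failures.append("needs a digit or non-alphanumeric character")
    # Assumption: "special character within the password" means a non-letter
    # that sits strictly between the first and last character.
    interior = password[1:-1]
    if not any(not c.isalpha() for c in interior):
        failures.append("needs a digit or symbol that is not at the beginning or end")
    if _dictionary_hit(password):
        failures.append("based on a dictionary word")
    return failures


def is_strong(password: str) -> bool:
    """Convenience wrapper: True only when no rule is violated."""
    return not check_password(password)


if __name__ == "__main__":
    for candidate in ("4yosc10cP!", "cnw84Fri*YAD", "Welcome2024!", "Password1"):
        print(candidate, "->", check_password(candidate) or "strong")
```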

The information in this sidebar was derived from http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_bulletin09186a00801cc901.html.
