The use of passwords is one of the most common forms of authentication. We use passwords for our email, our bank accounts (called Personal Identification Numbers or PINs), and when we log in to a network. Unfortunately, passwords can also be one of the more useless forms of authentication if they are not constructed properly. If your password is easy to guess, if you write it on a post-it and stick it on your computer, if you use the same password (your middle name) for every account you have, or—perhaps worst of all—if you leave your password blank, then you are simply making it that much easier for hackers to access your accounts.
The shorter the password, the easier the hacker's task becomes. Furthermore, the longer someone has a password, the more likely it is that he or she will tell someone else what it is, or that someone else will be able to guess it. Passwords that are not easily guessed are called "strong" passwords. A strong password is one that uses a random mixture of letters, numbers, and characters. It is never a dictionary word (even one from a foreign language), because password crackers can simply use one of countless password cracking programs that have numerous dictionaries built into them. A password that appears in a dictionary can be compromised in only a few seconds.
Passwords are not completely secure; no form of authentication except biometrics is. The goal of a strong password is to slow attackers down. In this way, you give your security team the chance to notice attempts to crack a password and then take action. The need for strong passwords must also be balanced against user needs. If your password policy is too severe, especially if there is no perceived need for it, you will not have great success in user compliance.
With this said, administrators can make password protection sufficiently secure by following these guidelines:
- Ensure that strong passwords are used (see the Password Creation section below).
- If using Windows, don't use Windows NT. Use Windows 2000 or XP. Windows NT does not encrypt its master password file (SAM). Anyone who obtains access to that file, or anyone with administrative privileges, can extract the stored "password hashes" and from them recover every password on the system.
- Ensure password transmission is encrypted. With today's focus on security, almost all systems use some form of password encryption. Even if someone gains physical access to your network and captures the data you send back and forth, it is unlikely they will be able to recover your password; it would take a very knowledgeable and savvy hacker to compromise an encrypted password. Websites and email systems, however, are often set up by default to use clear-text passwords. Email websites such as Yahoo and HotMail provide the option to encrypt your password when logging on.
- Ensure that a user is locked out of the system after entering an incorrect password 4 or 5 times. This prevents hackers from running programs that try to guess passwords. Users can be locked out for a period of time or until an administrator re-enables the locked-out account.
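The lockout rule above is simple to state but easy to get subtly wrong (for example, a correct password must still be refused while the account is locked). The following Python tracker is an added illustration, not code from this guide or any particular login system; the `attempt_login` helper, the `verify` callback and the injectable `clock` are assumptions made so the logic can be exercised offline. It supports both lockout styles the guide mentions: a timed lockout that expires on its own, and an indefinite one that only an administrator can clear.

```python
import time


class LockoutPolicy:
    """Counts consecutive failed logins per account and locks the account at a threshold."""

    def __init__(self, max_failures=5, lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        # lockout_seconds=None means "locked until an administrator re-enables it".
        self.lockout_seconds = lockout_seconds
        self.clock = clock                 # injectable so tests can fast-forward time
        self.failures = {}                 # user -> consecutive failed attempts
        self.locked_until = {}             # user -> expiry timestamp, or None for indefinite

    def is_locked(self, user):
        """True while the account is locked; an expired timed lockout is cleared on the way."""
        if user not in self.locked_until:
            return False
        until = self.locked_until[user]
        if until is None or self.clock() < until:
            return True
        self.unlock(user)                  # lockout window has passed
        return False

    def record_failure(self, user):
        """Call after a wrong password. Returns True if the account is (now) locked."""
        if self.is_locked(user):
            return True
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        if count >= self.max_failures:
            self.locked_until[user] = (None if self.lockout_seconds is None
                                       else self.clock() + self.lockout_seconds)
            return True
        return False

    def record_success(self, user):
        """A successful login resets the consecutive-failure counter."""
        self.failures.pop(user, None)

    def unlock(self, user):
        """Administrative re-enable: clears both the lock and the counter."""
        self.failures.pop(user, None)
        self.locked_until.pop(user, None)


def attempt_login(policy, user, password, verify):
    """Returns 'locked', 'ok' or 'denied'. verify(user, password) is the real credential check."""
    if policy.is_locked(user):
        return "locked"                    # refuse without consulting the password store
    if verify(user, password):
        policy.record_success(user)
        return "ok"
    return "locked" if policy.record_failure(user) else "denied"
```

Checking `is_locked` before calling `verify` matters: it means a guessing program gets no information about whether its fifth and later guesses were right, which is the whole point of the lockout.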
Your library or organization should consider adopting the following rules for network passwords:
- Passwords may not be blank
- Passwords must be seven or more characters long
- Passwords must use a mixture of letters (upper and lower case), numbers and characters
- Passwords must be changed on a regular basis
- Passwords must be successively unique (in other words, users shouldn't use the same password repeatedly)
- Passwords must never be written down or posted in an insecure location (such as on a monitor)
In addition, consider adding these prohibitions:
- Passwords cannot be the user's name, the name of someone in their family, or their birth date
- Passwords must not be constructed by adding a numeral or character to the beginning or end of a regular word; this is too easily guessed (e.g. "chair1")
Give your users tips on how to construct strong passwords. For instance, have them think of a phrase and use the first letters of it. Using this technique, the phrase "the rain in Spain stays mainly on the plain" would become the password "trisSmotp." To make it even stronger, substitutions could be made to create the password "Tr1$Sm0tp." For more on creating strong passwords, see Password Usage, a Federal Information Processing Standard issued by NIST (National Institute of Standards and Technology), and Configure Computers for User Authentication by CERT.
If your library's policies allow it, IT or system managers can generate passwords for staff. There are many excellent password generation programs, such as KeyMaker. You can also try Password Apps for a list of Windows-based tools. Also consider checking your users' passwords periodically by using a password cracking tool such as Crack, which is available from CERT. Remember, if you use password cracking programs on your users you should inform them of this in your Security Policy.