Ten Practical Security Steps
2. Use good passwords with procedures and policies applicable
to your site.
The use of good passwords is one of the most important security
practices in today's networked computer world. It's important to
recognize the differences between ordinary, unprivileged user accounts
and their passwords and administrative accounts and their passwords.
It's preferable that all accounts use good passwords, though user
passwords may not need to be "as good" as administrator passwords.
This may not be practical in some organizations. IT should try to get
management support for formal security policies and procedures,
including appropriate user training that starts with new employee
orientation. If that management support is not forthcoming, IT should
move on to what it can do on its own with passwords.
IT management and staff need to agree that all their passwords,
for administrative accounts as well as their own personal accounts,
will be strong, meaning every password will contain at least two
of the following three: 1) mixed case letters, 2) at least one
digit and 3) at least one symbol or punctuation character. The
number of possible passwords from 7 to 10 characters drawn from the
full set of 95 printable ASCII characters is enormous (about
6*10^19). Attempts to log onto a system or su where such passwords
are used would generate logs (allow 25 bytes per entry) that fill
existing hard disks (allow 100GB) before a millionth of a percent
of the possibilities were tried. Note that this argument covers only
online guessing, where every attempt is logged and can be rate
limited; an attacker who obtains the password hashes can test
guesses offline at full speed with no log entries at all, which is
why the way passwords are stored matters as much as their length.
IT staff should select passwords with 9 or 10 characters for maximum
strength.
Nothing in the preceding paragraph is true when applied to
Windows NT or 2000. Due to backwards compatibility with LAN Manager
(LANMAN) password hashes, Windows NT and 2000 password storage is
seriously flawed: the LANMAN hash upper-cases the password and hashes
its first and second 7-character halves separately, so a 14-character
password costs an attacker little more than two independent
7-character ones, and for any password of 7 characters or fewer the
second half is a well-known constant that tells the attacker the
password is short. A separate page on this site describes the problem
and explains in detail how strong passwords can be created on NT and
2000 that partially compensate for the weak hashing used by Windows
NT and 2000 for storing passwords.
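The following is an added example, not code from the GeodSoft page, that puts numbers on the two paragraphs above: the size of the 7 to 10 character keyspace against the log volume an online guesser would produce, and how attacking the two LANMAN halves separately collapses that keyspace. The 25-byte log entry and 100GB disk are the page's own figures; the character-set sizes and function names are this example's assumptions.

```python
# Added example (not from the GeodSoft page). Character-set sizes are the
# standard ones; the 25-byte entry and 100GB disk are the page's figures.
import math

PRINTABLE = 95       # printable ASCII, space through '~'
LM_ALPHABET = 69     # after upper-casing: 26 letters + 10 digits + 32 punctuation + space
LM_HALF = 7          # LANMAN hashes each 7-byte half of a 14-byte buffer on its own


def keyspace(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Number of distinct passwords of length min_len..max_len."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def online_fraction_before_disk_full(space: int, entry_bytes: int = 25,
                                     disk_bytes: int = 100 * 10**9) -> float:
    """Fraction of `space` an online guesser can try before the login log
    fills a disk of disk_bytes, at entry_bytes per failed attempt."""
    attempts = disk_bytes // entry_bytes
    return attempts / space


def lm_effective_keyspace(length: int):
    """Guesses needed to recover an LM hash when each half is attacked
    separately. Returns None above 14 characters: such passwords cannot be
    LM-hashed, so Windows stores no LM hash for them."""
    if length > 2 * LM_HALF:
        return None
    first = min(length, LM_HALF)
    second = max(0, length - LM_HALF)
    # The halves are independent, so the work adds rather than multiplies.
    # An empty second half is the constant hash of seven null bytes, which
    # tells an attacker the password is at most 7 characters.
    return LM_ALPHABET ** first + (LM_ALPHABET ** second if second else 0)


def lm_reduction_factor(length: int) -> float:
    """How many times smaller the LM search is than brute-forcing the full
    printable keyspace for the same length."""
    return PRINTABLE ** length / lm_effective_keyspace(length)


if __name__ == "__main__":
    space = keyspace(PRINTABLE, 7, 10)
    print(f"7-10 char printable keyspace: {space:.3g}")
    print(f"fraction tried before a 100GB log fills: "
          f"{online_fraction_before_disk_full(space):.3g}")
    for n in (7, 10, 14):
        print(f"{n}-char password: LM work {lm_effective_keyspace(n):.3g}, "
              f"{lm_reduction_factor(n):.3g}x weaker than {PRINTABLE}^{n}")
```

Run as-is it confirms the page's disk-fill claim (the fraction is far below a millionth of a percent) and shows a 10-character password on NT or 2000 costing an LM cracker millions of times fewer guesses than the full keyspace suggests.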
Even where the previous recommendation is followed, people choose
passwords that contain obvious pieces, greatly reducing the
possibilities an attacker must try. The letter sequences in these
passwords should not be the most obvious three and four letter
dictionary words, nor should parts of obvious personal information
such as birth dates be part of these passwords. On the other hand,
completely random character sequences from the entire typeable
character set cannot be remembered.
Use of an automated configurable password generator is recommended.
Configurable means the ability to apply some structure or patterns to
the passwords that aid memory but still avoid having people pick from
obvious bits and pieces. The patterns and algorithms used at a site
should be kept confidential, since an attacker who knows the pattern
only has to search the passwords that pattern can produce.
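As an added illustration of the configurable generator described above (this is not the site's Password.pl, and the pattern letters and function names are this example's own assumptions), the block below fills a pattern from a CSPRNG, enforces the "two of three" rule from earlier in this section, and reports how many bits of search space remain for an attacker who has learned the pattern.

```python
# Added example (not the page's Password.pl). Pattern letters are an assumption.
import math
import secrets
import string

CONSONANTS = "bcdfghjklmnpqrstvwxyz"
VOWELS = "aeiou"

# Each class letter in a pattern is replaced by a random member of its set;
# any other character in the pattern is copied literally.
CLASSES = {
    "C": string.ascii_uppercase,
    "c": string.ascii_lowercase,
    "K": CONSONANTS.upper(),
    "k": CONSONANTS,
    "V": VOWELS.upper(),
    "v": VOWELS,
    "d": string.digits,
    "s": "!@#$%^&*()-_=+[]{};:,.?/",
    "a": string.ascii_letters + string.digits + string.punctuation,
}


def meets_policy(password: str) -> bool:
    """The page's rule: at least two of mixed case, a digit, a symbol."""
    mixed_case = (any(ch.islower() for ch in password)
                  and any(ch.isupper() for ch in password))
    has_digit = any(ch.isdigit() for ch in password)
    has_symbol = any(not ch.isalnum() for ch in password)
    return mixed_case + has_digit + has_symbol >= 2


def pattern_bits(pattern: str) -> float:
    """log2 of the number of passwords the pattern can produce. This is the
    whole search space for an attacker who knows the pattern, which is why
    site patterns must stay confidential."""
    combos = 1
    for ch in pattern:
        if ch in CLASSES:
            combos *= len(CLASSES[ch])
    return math.log2(combos)


def generate(pattern: str, blocklist=(), attempts: int = 1000) -> str:
    """Fill `pattern` using secrets.choice (a CSPRNG, never random.choice)
    and reject results that fail the policy or contain a blocklisted word."""
    for _ in range(attempts):
        pw = "".join(secrets.choice(CLASSES[ch]) if ch in CLASSES else ch
                     for ch in pattern)
        low = pw.lower()
        if meets_policy(pw) and not any(w in low for w in blocklist):
            return pw
    raise ValueError(f"pattern {pattern!r} cannot satisfy the policy")


if __name__ == "__main__":
    # A pronounceable chunk plus digits and a symbol is memorable but far
    # from the 65 bits of ten fully random printable characters.
    for pat in ("Kvkvk-dd-s", "Kvk dd Kvks", "a" * 10):
        print(f"{pat:12} {pattern_bits(pat):5.1f} bits  e.g. {generate(pat)}")
```

The bits figure is the honest cost of memorability: "Kvkvk-dd-s" yields about 29 bits, which is safe only while the pattern itself is secret.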
Administrative account passwords should be different on every system
or NT Domain. Staff and management should discuss the trade-offs and decide
whether personal accounts of IT staff should be allowed the same
password on all systems or whether these should also be different on
all systems. Staff should not share their personal passwords. All
administrative passwords should change whenever there is
administrative staff turnover and staff and management should agree on
what is an appropriate interval for routine user and administrative
IT staff and management should discuss the best ways to protect their
passwords. This includes both ensuring that they do not fall into the
wrong hands and that they are available to authorized administrative
staff when needed. I suggest next what I think is appropriate but every
site is somewhat unique. IT staff and management should agree on
password procedures and policies and then document them.
Personal passwords should be allowed to be the same on all systems but
should never be written down. The administrative passwords for these
systems should be written on small pieces of paper that are kept in
each staff person's purse or wallet and never publicly exposed. Each
person should get passwords for only those systems for which they have
administrative responsibility. All administrative passwords should
be changed at the same time. All passwords should be changed if any
purse or wallet is lost, stolen or believed to have been compromised.
Systems should be identified by a simple number or other identifier
(physical description or location) known only to staff and not by host
name or IP address. I regard purses and wallets as one of the most
secure locations available in most businesses. Other methods of
protecting the passwords may be considered but passwords should not be
stored electronically on any computer or in any non secured physical
Having IT staff use good passwords is one place where a significant
security gain can be had at almost no cost. The only costs are the
few hours up-front to decide on the policies and document them.
Afterwards, there are only a few additional seconds each time a new
password is used until it is fixed in memory. There is a larger cost
for sites that previously did not change passwords, but the security
gains are even larger. Unchanging, weak passwords may be the most
frequent cause of compromised systems.
Other pages on this site also deal with passwords. The large,
Good and Bad Password How-to
section deals with nearly every aspect of good and bad
passwords, cracking passwords, password security, management and
Windows specific password weaknesses. It includes the
Management page that is closely related to this one.
Password.pl is an automated
password generator that creates strong passwords and is highly
Password Evaluator examines
passwords and reports on potential vulnerabilities to dictionary
cracking methods and if no vulnerabilities are found, rates a
password's relative strength. See what it tells you about
passwords you've used or obtained from password.pl. You may
be surprised. Keyboard shifted, rotated and reversed words
can be very hard to spot but are trivial for dictionary based
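An added example, not the site's Password Evaluator, of how such a check catches words hidden by reversal, rotation and keyboard shifting: it indexes every transformed form of each dictionary word, the same way a cracker's rule set generates candidates, and looks for those forms inside the password. The seven-word list is a constructed stand-in for a real dictionary, and the function names are this example's own.

```python
# Added example (not the page's Password Evaluator). WORDS is a constructed
# stand-in for a real dictionary.
import math
import string

WORDS = {"password", "secret", "dragon", "monkey", "letmein", "summer", "welcome"}

# US QWERTY rows, used to build "one key to the right/left" substitutions.
QWERTY_ROWS = ("`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./")


def keyboard_map(offset: int) -> dict:
    """Map each key to the key `offset` positions along its row."""
    table = {}
    for row in QWERTY_ROWS:
        for i, ch in enumerate(row):
            if 0 <= i + offset < len(row):
                table[ch] = row[i + offset]
    return table


SHIFTS = {"shifted-right": keyboard_map(1), "shifted-left": keyboard_map(-1)}


def apply_map(text: str, table: dict) -> str:
    return "".join(table.get(ch, ch) for ch in text)


def build_index(words) -> dict:
    """Every recognisable form of every word -> (word, transformation).
    Combined forms (reversed, then rotated, then shifted) are included
    because a cracker applies its rules in the same way."""
    index = {}
    for word in words:
        for base_label, base in (("plain", word), ("reversed", word[::-1])):
            for i in range(len(base)):
                rotated = base[i:] + base[:i]
                label = base_label if i == 0 else base_label + "+rotated"
                index.setdefault(rotated, (word, label))
                for shift_label, table in SHIFTS.items():
                    index.setdefault(apply_map(rotated, table),
                                     (word, label + "+" + shift_label))
    return index


INDEX = build_index(WORDS)


def find_words(password: str, min_len: int = 4) -> list:
    """Substrings of the case-folded password that are transformed
    dictionary words, longest first, as (chunk, word, transformation)."""
    low = password.lower()
    hits = []
    for length in range(len(low), min_len - 1, -1):
        for start in range(len(low) - length + 1):
            chunk = low[start:start + length]
            if chunk in INDEX:
                hits.append((chunk,) + INDEX[chunk])
    return hits


def naive_bits(password: str) -> float:
    """Strength estimate used only when no dictionary pieces were found:
    length * log2(size of the character classes actually used)."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation or c == " " for c in password):
        pool += 33
    return len(password) * math.log2(pool) if pool else 0.0


def evaluate(password: str) -> dict:
    """Report hidden dictionary words; rate the password only if none found."""
    hits = find_words(password)
    return {"findings": hits,
            "bits": None if hits else round(naive_bits(password), 1)}


if __name__ == "__main__":
    for pw in ("Drowssap99", "ftshpm!7", "asswordp", "Xq7#mZ2!"):
        print(pw, evaluate(pw))
```

"Drowssap99" looks respectable to the eye but is "password" reversed with two digits appended, and "ftshpm!7" is "dragon" typed one key to the right; both are flagged, while the random-looking "Xq7#mZ2!" passes and gets a length-and-charset rating instead.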
Copyright © 2000 - 2014 by George Shaffer. This material may be
distributed only subject to the terms and conditions set forth in
These terms are subject to change. Distribution is subject to
the current terms, or at the choice of the distributor, those
in an earlier, digitally signed electronic copy of
http://GeodSoft.com/terms.htm (or cgi-bin/terms.pl) from the
time of the distribution. Distribution of substantively modified
versions of GeodSoft content is prohibited without the explicit written
permission of George Shaffer. Distribution of the work or derivatives
of the work, in whole or in part, for commercial purposes is prohibited
unless prior written permission is obtained from George Shaffer.
Distribution in accordance with these terms, for unrestricted and
uncompensated public access, non profit, or internal company use is