GeodSoft logo   GeodSoft

Ten Practical Security Steps

2. Use good passwords with procedures and policies applicable to your site.

The use of good passwords is one of the most important security practices in today's networked computer world. It's important to recognize the differences between ordinary, unprivileged user accounts and their passwords and administrative accounts and their passwords. It's preferable that all accounts use good passwords, though user passwords may not need to be "as good" as administrator passwords. This may not be practical in some organizations. IT should try to get management support for formal security policies and procedures including the appropriate user training starting with new employee orientation. Without this necessary management support, IT should move on to what it can do with passwords.

IT management and staff need to agree that all their passwords for adminstrative accounts as well as their own personal accounts will be strong, meaning every password will contain at least two of the following three: 1) mixed case letters, 2) at least one digit and 3) at least one symbol or punctuation character. The number of possible passwords from 7 to 10 characters with mixed case, digits and special characters is enormous (> 5*10^20 if all keyboard possibilities are included). Attempts to log onto a system or su where such passwords are used, would generate logs (allow 25 bytes per entry) that fill existing hard disks (allow 100GB) before a millionth of a percent of the possibilities were tried. It staff should select passwords with 9 or 10 characters for maximum strength.

Nothing in the preceeding paragraph is true when applied to Windows NT or 2000. Due to backwards compatibility issues with LANMAN password hashes, Windows NT and 2000 password strorage is seriously flawed. This page describes the problem and explains in detail how strong passwords can be created on NT and 2000 that partially compensenate for the poor encryption used by Windows NT and 2000 for storing passwords.

Even where the previous recommendation is followed, people choose passwords that contain obvious pieces greatly reducing the possibilities. The letter sequences in these passwords should not be the most obvious three and four letter dictionary words nor should parts of obvious personal information such as birth dates be part of these passwords. On the other hand, completely random character sequences from the entire typeable character set, cannot be remembered. Use of an automated configurable password generator is recommended. Configurable means the ability to apply some structure or patterns to the passwords that aid memory but still avoid having people pick from obvious bits and pieces. The patterns and algorithms used at a site should be kept confidential.

Administrative accounts should be different on every system or NT Domain. Staff and management should discuss the trade offs and decide whether personal accounts of IT staff should be allowed the same password on all systems or whether these should also be different on all systems. Staff should not share their personal passwords. All administrative passwords should change whenever there is administrative staff turnover and staff and management should agree on what is an appropriate interval for routine user and administrative password changes.

IT staff and management should discuss the best ways to protect their passwords. This includes both ensuring that they do not fall into the wrong hands and that they are available to authorized administrative staff when needed. I suggest next what I think is appropriate but every site is somewhat unique. IT staff and management should agree on password procedures and policies and then document them.

Personal passwords should be allowed to be the same on all systems but should never be written down. The administrative passwords for these systems should be written on small pieces of paper that are kept in each staff person's purse or wallet and never publicly exposed. Each person should get passwords for only those systems for which they have administrative responsibility. All administrative passwords should be changed at the same time. All passwords should be changed if any purse or wallet is lost, stolen or believed to have been compromised. Systems should be identified by a simple number or other identifier (physical description or location) known only to staff and not by host name or IP address. I regard purses and wallets as one of the most secure locations available in most businesses. Other methods of protecting the passwords may be considered but passwords should not be stored electronically on any computer or in any non secured physical location.

Having IT staff use good passwords is one place where a significant security gain can be had at almost no cost. The only costs are the few hours up-front to decide on the policies and document them. Afterwards, there is only a few additional seconds each time a new password is used until it's fixed in memory. There is a larger cost for sites that previously did not change passwords but the security gains are even larger. Time will be a bit more but the security gain will be great. Unchanging, weak passwords may be most frequent cause of compromised systems.

Other pages on this site also deal with passwords. The large, Good and Bad Password How-to section deals with nearly every aspect of good and bad passwords, cracking passwords, password security, management and Windows specific password weaknesses. It includes the Password Management page that is closely related to this one. is an automated password generator that creates strong passwords and is highly configurable.

Password Evaluator examines passwords and reports on potential vulnerabilities to dictionary cracking methods and if no vulnerabilities are found, rates a password's relative strength. See what is tells you about passwords you've used or obtained from You may be surprised. Keyboard shifted, rotated and reversed words can be very hard to spot but are trivial for dictionary based cracking tools.

transparent spacer

Top of Page - Site Map

Copyright © 2000 - 2014 by George Shaffer. This material may be distributed only subject to the terms and conditions set forth in (or These terms are subject to change. Distribution is subject to the current terms, or at the choice of the distributor, those in an earlier, digitally signed electronic copy of (or cgi-bin/ from the time of the distribution. Distribution of substantively modified versions of GeodSoft content is prohibited without the explicit written permission of George Shaffer. Distribution of the work or derivatives of the work, in whole or in part, for commercial purposes is prohibited unless prior written permission is obtained from George Shaffer. Distribution in accordance with these terms, for unrestricted and uncompensated public access, non profit, or internal company use is allowed.

Home >
How-To >
10 Security Steps >

What's New
Email address

Copyright © 2000-2014, George Shaffer. Terms and Conditions of Use.