Password security

Started by BobB, May 01, 2012, 06:06:01 PM

BobB

We are in the process of upgrading computer hardware, software and the operational processes involved. Some of the new computers and/or their installed software are rating the various user identifications and the associated passwords.

We are experiencing many varied password ratings, from medium to strong, but the available data does not form any patently available pattern to suggest a logical rating method.

Any geek (or suitably intelligent person) know the logic generally adopted?

EddieA

Ok an amateur but I use the following:-

At least 8 characters, with a mixture of upper/lower case letters plus a number or two and a symbol (£, &, %) etc.
"I owe the discovery of Uqbar to the meeting of a mirror and an encyclopaedia".
(Jorge Luis Borges - 'El jardin de senderos que se bifurcan' 1941)

Pengi

Just one Pendolino, give it to me, a beautiful train, from Italy

Calnefoxile

Quote from: EddieA on May 01, 2012, 06:26:59 PM
Ok an amateur but I use the following:-

At least 8 characters, with a mixture of upper/lower case letters plus a number or two and a symbol (£, &, %) etc.

To be honest, that is pretty much the 'norm' from within the IT industry.

Speaking as a member of the IT Industry  ;D

Cheers

Neal.

P.S. To be really secure, it should be changed every month and not by adding a 1 then 2 then 3 etc. to the end.

scotsoft

I find a simple phrase like "fiftytwo52weeks1year" gets a fairly strong rating where sites have that facility, and the password can be tailored to something memorable/personal so it is easy to remember.
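The "8 characters, mixed case, a digit and a symbol" rule quoted above and the passphrase example in this post are both composition checks, and that is what most of the built-in raters BobB is seeing do. Below is an added illustration (not from any poster here, and not the algorithm of any particular product): a rater that awards points for length and character classes, deducts for repeats and sequences, and also reports a naive brute-force entropy. The point weights and rating thresholds are my own assumptions chosen to make the behaviour visible.

```python
import math
import string

# Added example: composition-based password rating in the spirit of the thread's rule.
# Weights, thresholds and the 33-character symbol pool are assumptions for illustration.

LOWER = set(string.ascii_lowercase)
UPPER = set(string.ascii_uppercase)
DIGITS = set(string.digits)
POOL_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}  # 95 printable ASCII


def char_classes(pw):
    """Set of character classes present: 'lower', 'upper', 'digit', 'symbol'."""
    classes = set()
    for ch in pw:
        if ch in LOWER:
            classes.add("lower")
        elif ch in UPPER:
            classes.add("upper")
        elif ch in DIGITS:
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def meets_norm(pw):
    """The rule from the thread: at least 8 chars with upper, lower, digit and symbol."""
    return len(pw) >= 8 and char_classes(pw) == {"lower", "upper", "digit", "symbol"}


def entropy_bits(pw):
    """Naive brute-force entropy log2(pool ** length), assuming the attacker knows which
    classes appear but nothing about dictionary words or structure."""
    if not pw:
        return 0.0
    pool = sum(POOL_SIZES[c] for c in char_classes(pw))
    return len(pw) * math.log2(pool)


def sequential_runs(pw, run=3):
    """Count runs of `run` characters that ascend by one code point ('abc', '123')."""
    count = 0
    for i in range(len(pw) - run + 1):
        codes = [ord(c) for c in pw[i:i + run]]
        if all(codes[j + 1] - codes[j] == 1 for j in range(run - 1)):
            count += 1
    return count


def repeated_chars(pw):
    """Number of characters that immediately repeat the previous one ('ss', '11')."""
    return sum(1 for i in range(1, len(pw)) if pw[i] == pw[i - 1])


def score(pw):
    """Composition score clamped to 0..100 (weights are assumptions)."""
    classes = char_classes(pw)
    s = min(len(pw), 16) * 4            # length, capped at 16 characters
    s += 8 * len(classes)               # each class present
    if meets_norm(pw):
        s += 12                         # bonus for satisfying the full rule
    s -= 6 * sequential_runs(pw)        # 'abc', '123' style runs
    s -= 5 * repeated_chars(pw)         # doubled characters
    if classes <= {"lower", "upper"}:
        s -= 10                         # letters only
    if classes == {"digit"}:
        s -= 20                         # digits only
    return max(0, min(100, s))


def rating(pw):
    """Map the score onto the medium/strong labels the thread describes."""
    s = score(pw)
    if s >= 75:
        return "strong"
    if s >= 50:
        return "medium"
    return "weak"


if __name__ == "__main__":
    for pw in ["fiftytwo52weeks1year", "Tr4in!Set2012", "Password1", "abc123"]:
        print(f"{pw:24} score={score(pw):3d} {rating(pw):6} "
              f"norm={meets_norm(pw)!s:5} entropy={entropy_bits(pw):.0f} bits")
```

Note what this shows: "fiftytwo52weeks1year" scores "strong" on length alone even though it fails the four-class rule, while "Password1" still gets "medium". A composition rater cannot tell that "Password1" is in every cracking wordlist, so a high rating from one of these meters is a necessary, not a sufficient, condition.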

tim-pelican

Quote from: Calnefoxile on May 01, 2012, 06:53:29 PM
P.S. To be really secure, it should be changed every month and not by adding a 1 then 2 then 3 etc. to the end.

Actually, this is mostly counter-productive.  Most people cannot remember a new password that meets the secure template every month, especially once they have to be doing the same thing for six or ten or twenty different systems.  They will do one of:

-The 'password increment' routine you describe above
-Write the password down

Much better, in majority of cases, to have strong passwords that change less frequently than a rolling set of weak passwords.

In any case, all frequent changes do (beyond keeping auditors happy, and "security compliance" is a whole nother rant!) is reduce the attack surface for the particular case where an attacker is purely time-bound, e.g. they have the encrypted password file and can take it away for six months to brute-force it, then break in once with the correct credentials.  Someone continuously logging in with incorrect details should set alarm bells ringing a long time before they manage to brute-force.
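To put numbers on the argument in the post above, here is an added illustration (my own code, not something any poster supplied): it estimates how long an exhaustive search takes against a stolen hash versus against a live login form, tests whether a monthly rotation would actually expire the password before it is recovered, flags the "add 1, then 2, then 3" rotation routine, and runs a failed-login counter over a constructed auth-log sample. The guess rates, the rotation interval and the log format are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Added example: when password rotation helps, and what the alternative controls look like.
# Guess rates and the log format below are assumptions, not measurements.

OFFLINE_RATE = 1e10   # assumption: guesses/sec against a stolen hash of a fast algorithm
ONLINE_RATE = 5.0     # assumption: guesses/sec a login form tolerates before lockout
MONTH = 30 * 86400    # seconds in a month, for rotation arithmetic


def expected_crack_seconds(pool_size, length, rate):
    """Expected time for exhaustive search: on average half the keyspace is tried."""
    return (pool_size ** length) / 2.0 / rate


def cracked_before_rotation(pool_size, length, rotation_months, rate=OFFLINE_RATE):
    """True if the attacker expects to recover the password before it is rotated, i.e.
    the rotation interval buys nothing in the time-bound (stolen hash) scenario."""
    return expected_crack_seconds(pool_size, length, rate) < rotation_months * MONTH


_COUNTER = re.compile(r"^(.*?)(\d+)(\W*)$")  # stem, counter, trailing symbols


def is_increment_rotation(old, new):
    """Detect the 'Summer2012!' -> 'Summer2013!' routine: same stem and trailing
    symbols, counter bumped by exactly one.  Whoever has the old password needs one guess."""
    m_old, m_new = _COUNTER.match(old), _COUNTER.match(new)
    if not (m_old and m_new):
        return False
    return (m_old.group(1) == m_new.group(1)
            and m_old.group(3) == m_new.group(3)
            and int(m_new.group(2)) == int(m_old.group(2)) + 1)


# Constructed sample in a Linux sshd auth-log style; not real data.
SAMPLE_AUTH_LOG = """\
May 02 10:14:01 host sshd[311]: Failed password for bobb from 203.0.113.9 port 50122 ssh2
May 02 10:14:02 host sshd[311]: Failed password for bobb from 203.0.113.9 port 50123 ssh2
May 02 10:14:02 host sshd[311]: Failed password for bobb from 203.0.113.9 port 50124 ssh2
May 02 10:14:03 host sshd[311]: Failed password for admin from 203.0.113.9 port 50125 ssh2
May 02 10:14:03 host sshd[311]: Failed password for bobb from 203.0.113.9 port 50126 ssh2
May 02 10:14:04 host sshd[311]: Failed password for bobb from 203.0.113.9 port 50127 ssh2
May 02 10:20:11 host sshd[340]: Failed password for eddiea from 198.51.100.4 port 41000 ssh2
May 02 10:20:40 host sshd[341]: Accepted password for eddiea from 198.51.100.4 port 41001 ssh2
"""

_FAILED = re.compile(
    r"^(\w{3} \d{2} \d{2}:\d{2}):\d{2} \S+ sshd\[\d+\]: Failed password for (\S+) from (\S+)"
)


def brute_force_sources(log_text, threshold=5):
    """Return {source_ip: failures} for sources with more than `threshold` failed logins
    inside a single minute: the alarm bells that should ring long before an online
    brute force could succeed."""
    per_minute = defaultdict(int)
    for line in log_text.splitlines():
        m = _FAILED.match(line)
        if m:
            per_minute[(m.group(1), m.group(3))] += 1   # key: (minute, source ip)
    flagged = {}
    for (_minute, ip), n in per_minute.items():
        if n > threshold:
            flagged[ip] = max(flagged.get(ip, 0), n)
    return flagged


if __name__ == "__main__":
    for length in (8, 12):
        secs = expected_crack_seconds(95, length, OFFLINE_RATE)
        print(f"{length}-char printable ASCII, offline: {secs / 86400:.1f} days, "
              f"cracked before monthly rotation: {cracked_before_rotation(95, length, 1)}")
    print("8-char, online:", cracked_before_rotation(95, 8, 1, rate=ONLINE_RATE))
    print("increment rotation:", is_increment_rotation("Summer2012!", "Summer2013!"))
    print("flagged sources:", brute_force_sources(SAMPLE_AUTH_LOG))
```

Under these assumed rates an 8-character password from the full printable set falls to an offline attacker in about four days, so a monthly change does not save it; a 12-character one takes geological time, so the change is unnecessary. Against a rate-limited login form neither is reachable by guessing, which is the point about alarm bells: the failed-login counter, not the rotation schedule, is the control that matters there.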

EtchedPixels

Quote from: tim-pelican
Actually, this is mostly counter-productive. 

And the research backs that up. Good security systems are usually two factor systems, such as physical possession of a smart card and knowing the password.

Serious systems are also oriented around "When the system gets broken into", not "how do I stop it". That means intrusion detection, spotting strange attempts to send data outbound, MLS content labelling and the like. Given so much abuse is intentionally performed by employees that tends to make a lot of sense.
"Knowledge has no value or use for the solitary owner: to be enjoyed it must be communicated" -- Charles Pratt, 1st Earl Camden

Mustermark

Quote from: Pendy on May 01, 2012, 06:29:04 PM
This link might help:

http://www.passwordmeter.com/

Th4t'S a Co01 l!nK p3nDy.

I can see myself messing for hours to find the shortest, easiest character sequence to give me 100%.

http://www.marksmodelrailway.com
I'm a personality prototype... you can tell, can't you.

EtchedPixels

Better hope whoever runs it doesn't log the data, and, given it's http not https, that nobody is listening in on your wireless network 8)

Pengi

Good point EP, must say I have only used it to develop a strong password, and then changed some, or all, of the characters afterwards.

Mustermark

Quote from: EtchedPixels on May 02, 2012, 10:28:26 AM
Better hope whoever runs it doesn't log the data, and, given it's http not https, that nobody is listening in on your wireless network 8)

I thought that too.

