Passwords are the primary key to our digital lives: in most cases they are the only barrier preventing sensitive data from being compromised. IT admins should think and act like a hacker to proactively identify weak passwords and stay one step ahead of a data breach.
The recent breach at Gawker, and the subsequent analysis of the exposed passwords, highlight yet again how passwords are a weak link in the security chain. Commonly used passwords like “123456” are the digital equivalent of placing the key to your house under a door mat with a flashing sign that says “key hidden here”. The trivial security provided by weak passwords is hardly worth the effort of implementing and maintaining them.
Unfortunately, the more difficult a password is for an attacker to crack or guess, the harder it is for the legitimate user to remember as well. That leads users to write passwords down on notepads on their desks, or to actively work around password policy to make passwords easier to recall and manage.
Some experts have pointed out that the standard practice of forcing passwords to be changed periodically may be misguided. A cracked password will most likely be used in the immediate future, making a policy to change it once every three months, or even once a month, a bit like shutting the barn door after the horses have escaped.
IT admins can test the effectiveness of password security by thinking like a hacker and using the tools an attacker might use to try to crack passwords and breach sensitive data. Tools like Cain & Abel or John the Ripper can identify the passwords that represent low-hanging fruit and provide easy prey for attackers.
The results can be quite enlightening. Even with password policies that appear to follow conventional wisdom, it is often possible for users to find ways to create weak passwords. Investing the time to crack passwords provides an opportunity to educate users with weak passwords, modify password policies to prevent similar passwords, and collect hard evidence to present to management to justify password policy changes.
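The audit described above, as an added example that is not part of the original article: a small offline check that runs a short list of common passwords, plus the trivial variations users reach for to satisfy complexity rules, against a constructed set of unsalted SHA-1 hashes, and reports which of the weak passwords found would nonetheless have passed a conventional policy. The policy rules, word list and account hashes are all assumptions constructed for the example.

```python
import hashlib

# Constructed word list: a handful of passwords that appear in every breach analysis.
COMMON_WORDS = ["123456", "password", "qwerty", "letmein", "monkey"]


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1, the kind of hash exposed in many breach dumps."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def meets_policy(password: str) -> bool:
    """Assumed 'conventional wisdom' policy: 8+ chars with upper, lower and a digit."""
    return (len(password) >= 8
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password))


def candidates(words):
    """Each word plus the predictable tweaks users make to satisfy a policy."""
    for word in words:
        for base in (word, word.capitalize()):
            yield base
            for suffix in ("1", "123", "!", "2010"):
                yield base + suffix


def audit(accounts: dict, words) -> dict:
    """Map user -> {'password', 'policy_ok'} for every hash matched by a candidate.

    accounts: {username: sha1_hex_digest}. Only matched accounts are reported,
    so anything absent from the result survived this word list.
    """
    lookup = {}
    for cand in candidates(words):
        lookup.setdefault(sha1_hex(cand), cand)
    findings = {}
    for user, digest in accounts.items():
        if digest in lookup:
            pw = lookup[digest]
            findings[user] = {"password": pw, "policy_ok": meets_policy(pw)}
    return findings


# Constructed sample accounts (hashes of made-up test passwords, not real users).
SAMPLE_ACCOUNTS = {
    "alice": sha1_hex("Password1"),         # passes policy, still trivially cracked
    "bob": sha1_hex("123456"),              # fails policy and is cracked
    "carol": sha1_hex("glacier-violin-kettle-42"),  # not in the list; survives
}

if __name__ == "__main__":
    for user, info in audit(SAMPLE_ACCOUNTS, COMMON_WORDS).items():
        print(f"{user}: {info['password']!r} policy_ok={info['policy_ok']}")
```

The `policy_ok=True` finding for a cracked account is the hard evidence the text refers to: the password complied with the rules yet fell to a five-word list.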
No password is invulnerable given enough time. But with sufficiently strong passwords, attempts to crack them will at least take a significant period of time, making it unnecessary to change them as frequently and easier for users to manage them.