TechRepublic : A ZDNet Tech Community

Help users create complex passwords that are easy to remember

Tags: Michael Mullins CCNA, MCP, password, password policy, Security Solutions Newsletter


Takeaway: Passwords are only as good as the policy that enforces their use. That's why it's imperative that organizations employ a written password policy—and that they take steps to enforce it. In this edition of Security Solutions, Mike Mullins discusses how to create an effective password policy, and he offers a trick to share with users for creating strong, complex passwords.

While most end users understand the importance of using passwords to secure corporate systems and data, they don't always know how to create a strong password. That's why it's just as important to create a strong password policy in your organization. Remember: Passwords are only as good as the policy that enforces their use.

By default, Windows disables the password filter in the Default Domain Group Policy Object (GPO) and in the local security policy of workstations and servers. That's one more reason why it's imperative that organizations employ a written password policy—and that they take steps to enforce it.

For example, if your company's password policy only requires a minimum of six characters and doesn't require complexity (i.e., a combination of uppercase and lowercase characters, digits, and/or nonalphanumeric characters), then you've got a pretty weak policy. That means most users will use passwords that are easy to crack through either brute force or social engineering.

How do you make sure your users create strong passwords that hackers can't easily guess? Your first step is to enable the password filter in the GPO or on local stand-alone workstations and servers. To find the password filter, go to Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy in the Group Policy MMC in the Default Domain policy. After enabling the password filter, you can start creating an effective password policy for your users.

Craft a strong password policy

Let's look at some best practices for effective password policies. Most organizations require users' passwords to have a minimum of eight characters. They also specify that passwords must meet at least three of the four complexity requirements—uppercase letters, lowercase letters, numbers, and nonalphanumeric characters.

Organizations should also configure the password history to remember the last 24 passwords, which is the maximum setting. This virtually ensures that users won't reuse passwords.

In addition, you should set the minimum and maximum age of the password to an appropriate level. I recommend setting a maximum age of 180 days and a minimum age of 90 days. The minimum age prevents users from changing their password repeatedly in one sitting to cycle through the history until they can return to the one they want.
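The settings just listed map directly onto the Password Policy node the column points to. As an added example (not code from the column or from TechRepublic), the following PowerShell applies those same values two ways: on a stand-alone machine through a secedit security template, and in a domain through the ActiveDirectory module. The domain name `contoso.com` and the file paths under `$env:TEMP` are placeholders.

```powershell
# Added example, not code from the column: apply the policy values the column
# recommends (8 characters, complexity on, 24-password history, 90/180-day
# minimum/maximum age). Run from an elevated PowerShell prompt.
# 'contoso.com' and the file paths below are placeholders.

# --- Stand-alone workstation or server: local security policy via a secedit template ---
$template = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 90
MaximumPasswordAge = 180
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
[Version]
signature="$CHICAGO$"
Revision=1
'@

$inf    = Join-Path $env:TEMP 'password-policy.inf'
$backup = Join-Path $env:TEMP 'secpol-before.inf'
$db     = Join-Path $env:TEMP 'password-policy.sdb'

# Keep a copy of the current settings so the change can be reversed.
secedit /export /cfg $backup /areas SECURITYPOLICY

# secedit expects a Unicode (UTF-16) template; apply only the SECURITYPOLICY area.
Set-Content -Path $inf -Value $template -Encoding Unicode
secedit /configure /db $db /cfg $inf /areas SECURITYPOLICY

# Confirm what is now in force on this machine (min/max age, min length, history).
net accounts

# --- Domain: the same values for the domain password policy via the ActiveDirectory module ---
Import-Module ActiveDirectory
Set-ADDefaultDomainPasswordPolicy -Identity 'contoso.com' `
    -ComplexityEnabled    $true `
    -MinPasswordLength    8 `
    -PasswordHistoryCount 24 `
    -MinPasswordAge       (New-TimeSpan -Days 90) `
    -MaxPasswordAge       (New-TimeSpan -Days 180)

# Read the effective domain policy back.
Get-ADDefaultDomainPasswordPolicy -Identity 'contoso.com'
```

In a domain, the Default Domain Policy GPO (the path the column gives) remains the place to set these values: the cmdlet writes the domain object's password attributes directly, and Group Policy processing on the PDC emulator re-applies whatever the GPO specifies, so keep the two consistent or simply edit the GPO. The `net accounts` output is the quickest check that a stand-alone machine actually picked up the template.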

Put your policy in action—and enforce it

It's smart to establish a good password policy in your organization, but it's even more important to actually enforce it. A strong policy that no one has to follow doesn't add any more security than no policy at all.

In addition, it's important to remember that a good password policy doesn't work if users have to write down their password because it's so complex. That only transfers the security risk instead of mitigating it.

So how can you make sure users' passwords are complicated enough to deter hackers and easy enough to remember? One of my colleagues offers the following trick for creating passwords that meet complexity requirements while still being possible to remember.

Step 1: Come up with a base word
Pick the name of a pet or any common thing that's easy to remember. For example, say you once lived in Louisville. You can use that to establish the base of your password and satisfy the required criteria for a strong password.

Remember: You need at least one capital letter and either a number or special character. So, using Louisville as your base word, you can substitute an ! or 1 for i and replace the s with $—e.g., Lou1$ville or L0u!$ville.

Step 2: Add more characters to the base word
Pick any four characters to add to the base word.

Step 3: Store your password without worry
Now, write down the added four characters, along with a clue for the base word. Using our previous example, you would write down city1xyza, where city1 signifies Louisville with a 1 and $ and xyza represents the four additional characters.

So, even written down, this password reference would serve as a reminder of your complete password while revealing nothing to any roaming eyes. (Keep in mind that this example is a 14-character password. While that may be longer than the actual requirement, it may be easier to remember.)
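The three steps above produce a candidate such as the column's Lou1$ville with four characters appended. Before rolling a trick like this out, it helps to verify that what users produce actually satisfies the filter the column enables. The function below is an added example (not code from the column) that checks a candidate against the policy described here, minimum length and three of the four character classes, plus the additional rule the Windows complexity filter enforces: the password may not contain the account name or any piece of the user's full name of three or more characters. The sample account names and passwords are constructed for the demonstration.

```powershell
# Added example, not code from the column: check a candidate password against
# the policy the column describes (minimum 8 characters, 3 of 4 character
# classes) and the Windows filter's account-name / display-name rule.
function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string]$SamAccountName = '',
        [string]$DisplayName    = '',
        [int]$MinimumLength     = 8
    )
    $reasons = New-Object System.Collections.Generic.List[string]

    if ($Password.Length -lt $MinimumLength) {
        $reasons.Add("shorter than $MinimumLength characters")
    }

    # Count the character classes present; -cmatch keeps the letter checks case-sensitive.
    $classes = 0
    if ($Password -cmatch '[A-Z]')        { $classes++ }
    if ($Password -cmatch '[a-z]')        { $classes++ }
    if ($Password -cmatch '[0-9]')        { $classes++ }
    if ($Password -cmatch '[^A-Za-z0-9]') { $classes++ }
    if ($classes -lt 3) {
        $reasons.Add("only $classes of 4 character classes")
    }

    # The Windows filter also rejects the account name (3+ characters) and any
    # token of the display name of 3+ characters, case-insensitively. Display-name
    # tokens are split on space, comma, period, dash, underscore, pound sign and tab.
    if ($SamAccountName.Length -ge 3 -and $Password -imatch [regex]::Escape($SamAccountName)) {
        $reasons.Add('contains the account name')
    }
    $tokens = $DisplayName -split '[ ,.\-_#\t]+' | Where-Object { $_.Length -ge 3 }
    foreach ($token in $tokens) {
        if ($Password -imatch [regex]::Escape($token)) {
            $reasons.Add("contains display-name token '$token'")
        }
    }

    [pscustomobject]@{
        Password  = $Password
        Compliant = ($reasons.Count -eq 0)
        Reasons   = ($reasons -join '; ')
    }
}

# Constructed samples: the column's substituted base word with four characters
# appended, the plain base word, and a password built around the account name.
$samples = @(
    @{ Password = 'Lou1$villeXyza'; SamAccountName = 'jsmith'; DisplayName = 'John Smith' },
    @{ Password = 'louisville';     SamAccountName = 'jsmith'; DisplayName = 'John Smith' },
    @{ Password = 'Jsmith#2006';    SamAccountName = 'jsmith'; DisplayName = 'John Smith' }
)
foreach ($s in $samples) { Test-PasswordComplexity @s } | Format-Table -AutoSize
```

Only the first sample passes: the plain base word has a single character class, and the third is rejected on the account-name rule even though it has enough classes and length. That last case is the one worth showing users, since a name-plus-year password feels "complex" but is exactly what the filter and any attacker's word list both anticipate.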

Final thoughts

Password policies only work if you turn them on. Make sure you've trained your users on how to create complex passwords that they can remember without leaving a paper trail that prying eyes can easily follow.


Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.
