subject: Creating A Security Awareness Plan - Creating Secure Passwords

Intrinsec End-User Tutorial Series: Creating a Secure Password

Note: This series of papers discusses topics relevant to end-users and to those who implement Security Awareness Training programs. In this paper, we discuss a method users can apply to create strong, unique passwords for every site they use.

The Problem

Passwords remain the weak link in security. A password is only a temporary barrier against someone else claiming to be you. There are two major issues with passwords, both on the Internet and at your workplace.

Issue 1: Passwords can be cracked. If an attacker obtains the password database of a website where you have registered, and the site stored passwords in plain text or as weak, unsalted hashes, it is highly likely your password will be recovered and published online.

Issue 2: Quite often, people use the same password for many, if not all, of the websites they visit.

End result? The compromise of a website used by your employees can end up weakening the security program within your enterprise, because the same password also opens their work accounts.

The Solution

The solution to password security is that you and your employees MUST use a different password on every site. This creates a problem of its own: people forget even frequently used passwords, let alone many rarely used ones.

To this end, a user can apply what this paper calls the "salting" principle when creating passwords. (The term is borrowed loosely: a cryptographic salt is a random value a system stores next to a password hash, whereas here the user varies a memorised base password using the name of the site.) How is this done? You use one standard password across the board and alter it slightly, by a fixed rule, based on the website you are logging in to. Take the following example:

Site to visit: www.intrinsec.ca

Standard Password: L3tM3In?!? (LetMeIn with each "e" replaced by a "3", followed by special characters)

Number of characters in the domain name (without the www. or .ca): "intrinsec" has 9. Subtract 1 to get 8.

First vowel in domain name: i

Unique Password for intrinsec.ca: L3t8M3iIn?!? (the 8 is inserted after "L3t", the i after "M3")

See what happened there? I took my standard password and "salted" (injected) characters derived from the site's name into it, producing a per-site password that is not reused anywhere else. It cannot be guessed from the base password alone, and an attacker holding only one of your derived passwords cannot be sure what the rule is. Be aware of the limit, though: anyone who obtains two of your derived passwords can line them up, see that they differ in only a character or two, and recover both the base and the rule. The technique therefore contains the damage of a single breach; it does not make the breach harmless. A 12-character password mixing upper and lower case letters, numbers and special characters will also take a password cracking program a long time to break, provided the site hashes it properly.
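The derivation rule walked through above, written out as an added Python example; this is not code from the original paper or from Intrinsec. The insertion points (the count after the third character of the base, the vowel after the fifth) are inferred from the single worked example and are an assumption, as are the handling of hostnames with more than one label and the fallback for a name with no vowel. The second half shows the check a practitioner would want to run before recommending the scheme: how little two derived passwords differ, and how quickly the base falls out of one leaked sample once the rule is known.

```python
import string

VOWELS = "aeiou"


def site_label(hostname: str) -> str:
    """Reduce a hostname to the name the article keys on:
    'www.intrinsec.ca' -> 'intrinsec'. Stripping only a leading 'www.'
    and keeping the first remaining label is an assumption; the article
    shows a single example."""
    host = hostname.strip().lower()
    if host.startswith("www."):
        host = host[4:]
    return host.split(".")[0]


def derive_site_password(base: str, hostname: str,
                         count_pos: int = 3, vowel_pos: int = 5) -> str:
    """Build the per-site password from the base password and the site name.

    Rule from the article: insert (length of label - 1) after the third
    character of the base, then the label's first vowel after what was the
    fifth character. The positions are inferred from the one worked example
    (L3tM3In?!? -> L3t8M3iIn?!?) and are left configurable."""
    label = site_label(hostname)
    if not label:
        raise ValueError("hostname has no usable label")
    if len(base) < vowel_pos:
        raise ValueError("base password too short for the insertion points")
    count = str(len(label) - 1)
    # Fall back to the first letter if the name has no vowel (assumption;
    # the article does not say what to do for a name like 'xyz').
    vowel = next((c for c in label if c in VOWELS), label[0])
    return (base[:count_pos] + count
            + base[count_pos:vowel_pos] + vowel
            + base[vowel_pos:])


def character_classes(password: str) -> set:
    """Which of the four character classes the article relies on are present."""
    classes = set()
    for c in password:
        if c in string.ascii_uppercase:
            classes.add("upper")
        elif c in string.ascii_lowercase:
            classes.add("lower")
        elif c in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def differing_positions(pw_a: str, pw_b: str) -> list:
    """Indices at which two passwords differ. Two passwords built from the
    same base by this rule differ in at most two positions, which is exactly
    what an attacker holding two leaked samples would notice."""
    shorter = min(len(pw_a), len(pw_b))
    longer = max(len(pw_a), len(pw_b))
    return [i for i in range(longer) if i >= shorter or pw_a[i] != pw_b[i]]


def recover_base(derived: str, count_pos: int = 3, vowel_pos: int = 5) -> str:
    """What an attacker who knows (or has guessed) the rule does with a single
    leaked derived password: drop the two injected characters to get the base,
    after which derive_site_password() yields the password for any other site.
    Assumes a one-digit count, i.e. a label of at most ten characters."""
    return (derived[:count_pos]
            + derived[count_pos + 1:vowel_pos + 1]
            + derived[vowel_pos + 2:])


if __name__ == "__main__":
    base = "L3tM3In?!?"  # the article's standard password
    # Hostnames below are constructed sample input for the demonstration.
    for site in ("www.intrinsec.ca", "github.com", "www.example.org"):
        print(site, "->", derive_site_password(base, site))
    a = derive_site_password(base, "www.intrinsec.ca")
    b = derive_site_password(base, "github.com")
    print("classes present:", sorted(character_classes(a)))
    print("positions where the two site passwords differ:", differing_positions(a, b))
    print("base recovered from one leaked password:", recover_base(a))
```

Running the script reproduces the article's L3t8M3iIn?!? for www.intrinsec.ca and shows that the password for a second site shares 11 of its 12 characters with it; that overlap, not the character mix, is what decides how much a single breach costs you.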

By teaching your end-users this technique, you should have a much more secure workforce using strong, unique passwords (unique rather than random, since each one is derived from a rule) both in your environment and on the Internet as a whole.

Thanks for reading!

Graham Thompson, CISA CISSP
