CISSP® Official Study Guide, Eighth Edition
(CISSP) Mike Chapple, James Michael Stewart, Darril Gibson - CISSP Official Study Guide-Sybex (2018)

Creating Strong Passwords

Passwords are most effective when users create strong passwords. A strong password is sufficiently long and uses multiple character types such as uppercase letters, lowercase letters, numbers, and special characters. Organizations often include a written password policy in the overall security policy. IT security professionals then enforce the policy with technical controls such as a technical password policy that enforces the password restriction requirements. The following list includes some common password policy settings:

Maximum Age   This setting requires users to change their password periodically, such as every 45 days.
590   Chapter 13   Managing Identity and Authentication
Password Complexity   The complexity of a password refers to how many character types it includes. An eight-character password using uppercase characters, lowercase characters, symbols, and numbers is much stronger than an eight-character password using only numbers. National Institute of Standards and Technology (NIST) Special Publication (SP) 800-63B, “Digital Identity Guidelines,” states that authentication systems should support the use of any printable American Standard Code for Information Interchange (ASCII) characters and the space character.

Password Length   The length is the number of characters in the password. Shorter passwords are easier to crack. As an example, a password cracker application running on a single computer can discover a complex five-character password in less than a second, but it takes thousands of years to crack a complex 12-character password. Of course, different computers have different computing power, and it’s possible to create multiple computers in a parallel processing system that can crack passwords much quicker. However, the point is that longer passwords are harder to crack than shorter passwords. NIST SP 800-63B states that passwords should be at least eight characters long, and systems should support passwords as long as 64 characters. Many organizations require privileged account passwords to be longer, such as at least 15 characters long.
Password Length and Complexity Recommendations

Passwords should be long, and the longer they are, the harder they are to discover. However, how long should a password be? It depends on who you ask. NIST SP 800-63B says that passwords should be at least eight characters long and support the use of any printable ASCII characters, and systems should support passwords of at least 64 characters long. It also recommends hashing the password using random salts of at least 32 bits in length and storing the salted hash of the password.

How long should passwords for privileged accounts be? That also depends on who you ask. NIST SP 800-63B indicates that if an account needs stronger protection, an additional authentication factor, such as a smart card (described later in this chapter), should be added. That’s not always possible, so many organizations choose to require privileged accounts to use longer passwords of 14 or 15 characters.
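The following Python script is an added example, not code from the study guide, showing how the policy settings above (the NIST SP 800-63B length bounds, the printable-ASCII-plus-space character set, the 15-character privileged minimum, and salted hash storage) can be turned into a technical control. The requirement of three of four character types, the 16-byte salt, and the PBKDF2 iteration count are assumed organizational choices, not values from the text.

```python
import hashlib
import hmac
import os
import string
from typing import List, Optional, Tuple

# Policy values from the text: NIST SP 800-63B minimum of 8 characters, systems
# must accept at least 64, any printable ASCII plus space is allowed, and many
# organizations require at least 15 characters for privileged accounts.
MIN_LENGTH = 8
MIN_LENGTH_PRIVILEGED = 15
MAX_LENGTH = 64
# string.printable includes tabs/newlines; strip those so only the space remains.
ALLOWED = set(string.printable) - set("\t\n\r\x0b\x0c")
CLASSES = (string.ascii_uppercase, string.ascii_lowercase,
           string.digits, string.punctuation)
MIN_CLASSES = 3  # assumed organizational setting (3 of the 4 character types)


def character_classes(password: str) -> int:
    """Count how many character types (upper, lower, digit, symbol) are present."""
    return sum(any(c in cls for c in password) for cls in CLASSES)


def check_password(password: str, privileged: bool = False) -> List[str]:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    minimum = MIN_LENGTH_PRIVILEGED if privileged else MIN_LENGTH
    if len(password) < minimum:
        problems.append(f"shorter than {minimum} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if any(c not in ALLOWED for c in password):
        problems.append("contains characters outside printable ASCII and space")
    if character_classes(password) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character types")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None,
                  rounds: int = 600_000) -> Tuple[bytes, bytes]:
    """Produce (salt, digest) for storage; a 16-byte random salt exceeds the 32-bit minimum."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute the salted hash with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], stored)
```

Store only the salt and digest, never the password; the stored salt is reused at login so the same input reproduces the same digest.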