By James Hanback
I know. I know. You've heard it a jillion times. Every time an activist, prankster, or malicious attacker breaks into a high-profile system, the public is treated to a litany of (sometimes conflicting) advice about steps the victim could have taken that would have prevented it from happening. Most recently, a Montana television station hit the news after someone apparently guessed the password to the station's Emergency Alert System (EAS) device and managed to broadcast an alert that might remind horror movies buffs of a scene from the old George Romero film Night of the Living Dead. "Civil authorities in your area have reported that the bodies of the dead are rising from their graves and attacking the living," the prankster stated over the air.
Turns out, the Montana station had never changed the default password on its EAS system. Therefore, the prankster was able to simply guess the correct password to gain entry to the system and broadcast the zombie attack alert. Although in this case no harm appears to have been done, fictional emergency alerts have caused panic among the population in the past. The Halloween 1938 Orson Welles radio broadcast of H. G. Wells' The War of the Worlds is perhaps the most famous example of panic caused by a fictional emergency. Moreover, Mashable.com reported that the Montana station's manager is concerned that similar attacks on an EAS system could result in widespread panic over reports of more realistic sounding threats, such as a terrorist attack.
Passwords and personal identification numbers (PINs) are used everywhere for access to just about everything these days. So prevalent have concerns about password security become that both CompTIA and Cisco devote entire domains of otherwise non-security-related certification exams to the subject of security. Even so, outside of IT circles there seems to be a general disinterest in creating strong passwords because they can be both difficult to remember and inconvenient to the user. Therefore, it is typically up to IT professionals to educate and, if necessary, enforce the use of strong passwords.
Changing a default password is always a good first step in securing any device that you intend to connect to a network because default passwords are both easily guessed and easily obtainable from lists published on the Internet. However, it is of equal importance to ensure that the new password is a strong password, which is to say that it is not easily guessed and is as resistant as it can be to brute-force cracking and other methods used by password cracking tools.
So what constitutes a strong password?
Alas, expert opinions vary. However, there are some general rules that seem to have become common advice. For example, the online documentation for some Cisco products defines a strong password as having all of the following characteristics:
- At least eight characters
- Few consecutive characters, such as "abcd" or "1234"
- Few repeating characters
- No dictionary words
- No proper names
- Both uppercase and lowercase letters
- Numbers
Microsoft recommends similar characteristics but adds that you should include punctuation and symbols along with letters and numbers.
The relative strength of a password can also depend on what the particular device, system, or account you are securing accepts as input for the password field. For example, you won't be able to create a strong password that contains the dollar sign ($) or at (@) symbols if the password input field accepts only letters and numbers. Similarly, if the password field limits you to seven or fewer characters, you won't be able to create a password of eight characters or more.
Further ensuring that you'll want to tear out your hair is the sheer volume of online accounts, device accounts, and corporate network accounts that the average user maintains these days. No matter how strong your password is, you potentially weaken it every time you use it to secure more than one of your many, many accounts. For example, if you have one password that you use for both an online banking account and an online marketplace or social networking account, an attacker who compromises the passwords that are stored at the online marketplace or social network might then be able to also gain access your online banking account. Now you not only need a strong password. You need multiple strong passwords.
Oh, and then there's that old chestnut about not writing down your passwords (especially if your habit is to memorize your life details by creating Post-It notes that you end up sticking to your monitor). Not documenting your passwords is still good advice if you can manage to remember all those strings of nonsensical characters and to which account they belong. If you must write down your passwords, it is of utmost importance that you keep them in a safe place that is not publicly viewable and, preferably, not publicly accessible.
Both Microsoft and the Official (ISC)2 Guide to the CISSP CBK Second Edition, which is a study aid that Certified Information Systems Security Professional (CISSP) candidates use to prepare for that particular Internet Security Consortium (ISC)2 exam, contains some advice for creating and remembering strong passwords. It recommends using a sentence, known as a passphrase, as a tool for creating strong passwords. Passphrases are typically longer than regular passwords, easier to remember, and more resistant to attack. For example, you could use the passphrase "They're coming to get you, Barbara!" to create a strong password by typing the first letters of each word of the sentence combined with its punctuation to form the password "T'ctgy,B!". The resulting password just happens to technically meet all the Microsoft recommendations for creating a strong password except the use of numbers. Therefore, "T'ctgy,B!" is a relatively strong password. Actually using "T'ctgy,B!" as your password is probably not a good idea now because I just documented it as an example, but you get the concept.
So, now that you finally have a series of strong passwords that you can remember, what must you do next? At the risk of injuring your forehead as the palm of your hand flies upward to smack it, I'll tell you. Change them. Change them regularly. Even the strongest passwords can be compromised, by attack or by accident. A strong password that is regularly replaced by a different strong password diminishes the risk of compromise by essentially creating a moving target. The more often you change your password, the less likely it is that a previously compromised password will allow an unauthorized individual to access your devices, systems, or accounts.
Now that we've established enough anxiety to keep you awake nights for years to come, let me point out one other issue you should think about when creating strong passwords. Strong passwords alone will not keep your devices or accounts safe from compromise. In fact, Mashable.com reported in that same story about the compromised EAS system that the particular system used by the Montana television station has other vulnerabilities that could have been exploited to gain access, even if the station had changed the default password.
In the end, a strong password does offer a good first line of defense against password guessing and brute-force attacks. They're sort of like all that furniture and those two-by-fours that Ben and company nailed across the doors and windows of the little farmhouse in Night of the Living Dead. They keep the zombies out for a while, but they will never entirely stop the forward momentum of the undead being driven by their cravings for the meaty flesh of your brain.
And they won't hold up forever.
Interested in IT certification? Try our free practice exam demos.
War of the Worlds Photo: Marcin Wichary
Zombie Photo: Eric Ingrum