Passwords are the most common method (along with user accounts) for authenticating a person in order to identify them as someone allowed access to the system and company network. This is especially true within networks where multiple platforms exist (such as Windows, Linux and Apple iOS) because not all systems support more advanced authentication devices. Password complexity offers a very simple method of identification by requiring the user to provide only something that they know, in this case a “secret” known only to the user and the system to which they are authenticating. However, several factors now make passwords a very weak method of protecting systems from unauthorized access.
First, attackers can break passwords with enough time and the right tools. Today’s faster processors enable malicious attackers to crack passwords (even those with strong encryption) in hours or even minutes, depending upon the nature of the password. While this is more of a technology vulnerability, it is important to mention because of the next point. In order to prevent successful password cracking, administrators can enforce password complexity rules. These rules, when configured on systems, force users to create passwords that meet specific constraints designed to ensure that passwords cannot be cracked within a short period of time.
Rules typically include length of password (over 12 characters), and require passwords to include one or more numbers, special characters, lowercase letters and upper case letters. The problem with passwords and personnel is that complex passwords are difficult to remember. For this reason employees will write down the passwords (which may eventually be found by others) or create passwords that, in spite of the complexity rules, certain password cracking software such as “John the Ripper” can break by using familiar names, repeat characters, phone numbers, the address of the company, or other human predictable password choices.
John the Ripper and other similar password cracking software packages able to break passwords faster because they support the use of (human predictable) password lists that the software can try first before proceeding into brute force cracking mode (essentially guessing at high-speed). Through the use of such lists, password cracking time is greatly reduced unless additional password complexity rules (such as disallowing use of dictionary words) are strictly enforced.
Of course password complexity rules do not prevent users from writing down their passwords, eventually retrievable through “dumpster diving” if and when the paper containing their passwords ends up in the trash bin.
Contact us today for help establishing, implementing and maintaining a company-wide password complexity policy that secures your applications and systems.