FREE Download!! Create your own SSO requirements profile. - This paper surveys the landscape of existing Single Sign-On architectures and technologies and examines their impact on enterprise security and the TCO.

Below is a list of information requiring protection; some of the items are personal and some involve highly sensitive business or government information:

One of the great obstacles to effective password creation is laziness. We all want to have something easy to remember so we tend not to be very careful or creative in devising passwords. Then you have to take into account a company's policy on password security. Most companies have a policy in place that forces all users to create a new and unique password each month. What winds up happening is that end users simply add a numerical digit to the end of their last password. If the password is "dog", then the new password becomes "dog1", eventually growing to "dog11". This sort of password creation technique is insecure and it doesn't help matters when an end user writes their password on a sticky note and places it under their keyboard or right on their monitor.

Many users believe that their desk drawers are sufficiently secure for hiding passwords. Another common place for storing passwords is on a PDA, which would be fine if PDAs were never lost or stolen. There are in fact security solutions for PDAs, such as PDA Secure, a program that adds protection to your PDA via encryption (see Resources for a link). But the best advice is to avoid storing passwords on your PDA or obvious places such as desk drawers altogether.

As a security analyst, I am regularly asked for my advice on creating an effective password scheme while maintaining the integrity for multiple platforms. In the next few sections, I hope to provide some useful ideas.

Ineffective passwords

The most important thing to remember is that any password you create is vulnerable to attack, which is called password stealing or cracking. This is the exploitation of your credentials via unauthorized access. The article Introduction to password cracking (see Resources) provides details on password cracking techniques.

The first step in good password design is to look at what not to do when creating passwords. First off, avoid dictionary words. Any word that comes from the dictionary is susceptible to an attack and eventually will be cracked unless you change it often. The major problem with creating passwords from dictionary words is that any password-cracking tool can eventually guess it using a dictionary attack. Also, you never want to write a dictionary word backwards or add a simple numerical value after the dictionary word. These same password-cracking tools try these combinations as well. Here are some examples of bad passwords:

• Cracker
• Cracker1
• Rekcarc

These are all very susceptible to exploitation. Here are a few other things to avoid when creating a password:

• Never use personal information as the basis of a password. If you are a Star Trek fan, for example, don't set all your passwords to "Spock", "Vulcan", or even "Spock1". These are easily guessed by anyone who knows you.
• Sports fans just can't help themselves. I have known several administrators who have used their favorite team or player as the basis for a password.
• Don't use passwords based on what you keep on your desk. I hacked into a client's server using his daughter's name after seeing a picture of her on his desk.
• Don't keep password files on your local machine or a network share. This is only secured via file level access, while the machine itself can be compromised. And if someone resets permissions on a folder and does it incorrectly, the folders underneath are also reset, compromising all passwords on the network.

How to create good passwords

Here are some general rules for creating effective passwords:

• The only safe place to keep a password is in your head or a locked safe, which only you know the combination to.
• Effective passwords need to be fairly long, but not so long that you can't remember them. Three-character passwords are too short.
• Use special characters, uppercase letters, and numerals in a logical manner. Here are some examples:
• Uppercase letters: Using uppercase letters in conjunction with lowercase letters will offer some protection if you have the functionality of "case sensitivity." You could then use the password "HeyYou", which is different from "heyyou". Adding uppercase letters adds a layer of complexity making passwords harder to crack.
• Special characters: Using special characters such as "#", or "%" also adds to complexity. Take the word "money", add the pound sign after it (money#) and you have a fairly effective password.
• Numerals: Using numerals also adds complexity to the mix. If your social security number is 123-45-6789, you can use the last four digits with an easily remembered word such as "money", making your password "money6789".
• Mnemonic phrases: If you're a phrase collector from movies or songs, you can take a great line and make it into a password. Let's say you're a Star Wars fan. You can take the phrase: "May the Force Be With You" and use the first character from each word to create the password "MTFBWY".
• Substitution: You can use a number or sign in substitution for a word. If you know that the "$" sign equals the word "money," then you can tie it into a password scheme such as "Ilove$". This is simple-to-remember password that is difficult to crack.

Next, we'll tackle the problem of creating effective password schemes for multiple systems.

Creating a password scheme that works

In this section we look at password schemes for personal, home-based machines, work-related systems and networks, and a password scheme specifically for Cisco routers and switches not employing the CiscoSecure-based Tacacs+. CiscoSecure is a product that uses the Tacacs+ protocol to allow routers and switches to have login authentication performed by an external source like a UNIX server instead of the typical login passwords kept on the devices themselves.

Zero in on your most relevant web site metrics FREE TRIAL Click Here - Track conversion step-by-step across any part of your web site with WebTrends Reporting Center 5.0.

Personal home-based PCs

An effective password scheme on home-based personal PCs uses a combination of the above theories. You'll want to make it fairly easy to remember because once you forget it, you'll have a problem getting into your machine without the skill set to break back in. You also need to consider the following:

• If you are running the Windows 9X platform, you don't need to worry about a password because passwords mean nothing to the security of the local machine. Your password is based on a profile, and if you press Cancel, you will bypass the machine's login. Also, a password-protected screensaver can be eliminated by rebooting the machine.
• If you are running the Windows NT, 2000, or XP platform, you want to make sure that you do not forget your passwords. You need to make sure you have the Administrator account locked down with a good password and that it is well hidden so that your machine won't be compromised. However, if you forget it, you want a way to get back in. This is accomplished by making a new account and password protecting it so you have a back door.

Home-based security is quite different from corporate security, so the guidelines are based on a person's level of comfort and paranoia. Here is an example of a password scheme for home use that is easy to remember: Use a mix of a pet names, upper and lowercase letters, with the last four digits of your social security number and a special character. The password you create might look like: Butch#8976

This example can also be used for Web sites, bank accounts, and other personal use systems. This type of password is virtually impossible to crack and is easy to remember.

Network administrator systems

What if you're in the unenviable position of a network administrator? Well, that's a little more difficult because you will be responsible for the passwords of many systems.

Password protection follows the same rules as before just on a wider scale. You will most likely have numerous systems to secure with passwords and what's more, you may even have levels of passwords depending on what type of access you want to grant users. In other words, you can have a Cisco router with multiple levels of login access, with each level giving more privileges.

You can use the same theories as listed in the first section of this article (uppercase, special characters, etc.) but with a new twist. Instead of picking a great name to remember, or a single word, you need to come up with a theme. Note: DO NOT use my example. It has been done before.

One of my favorite movies of all time is "Reservoir Dogs." In this movie, all the bad guys are given names based on colors: Mr. Black, Mr. White, and Mr. Pink. This theme can be tied into a password scheme for your network servers. Here is what it might look like:

Notice that each server has a password that includes the color and a special character (the same among them all) along with part of the server name. Also, notice the upper and lower case letter usage. The likelihood of these passwords being cracked is extremely slim. This is an example of a solid password scheme; it works and it is something you can remember with little effort. Again, you can (and should) customize this to your needs.

Intel® Solution Provider Locator Search for solution providers based on criteria such as location, area of business, industry focus, customer focus, solutions focus, technical area, and keyword.

Cisco administrator password schemes

The table below shows an effective password scheme for Cisco routers. Cisco routers require two levels of passwords: an initial password and an enable secret password.

Because Cisco routers accept case-sensitive passwords, you have a nice upper and lower case pattern here, special characters, and an easy-to-remember phrase.

For Cisco, you need an initial password to log into the router and a second level for more secure access, which you can configure as the enable secret password. This chart gives you an idea on how to configure this option. By making the password scheme relate to something you enjoy, such as a movie, you are more likely to remember it (not all security-related work needs to be a drag!); but more importantly -- make sure it's secure.

Summary

Passwords are a necessary, though inconvenient, part of our lives. All systems need them to have a simple-to-implement first level of access security. The question for IT professionals and users of all levels is how do we work with them and not go out of our minds? In this article we demonstrated how to effectively create individual passwords and password schemes. Passwords and password schemes need to be difficult to crack and easy to remember. Because passwords are a pain to remember and keep track of, people tend to put little effort into creating them, thus compromising their own security and the security of others. It's important to keep in mind, however, that no matter how effective the password or password scheme, there is always a level of risk associated with passwords.

• See the article Introduction to password cracking here on developerWorks for an overview of password cracking techniques.



• The SANS Institute Reading Room is an excellent resource for security-related issues. It can be found at: http://rr.sans.org/authentic/improve.php. Registration is required but is free and easy.



• An excellent overview of password security under UNIX can be found at: http://www.ja.net/CERT/Belgers/UNIX-password-security.html.



• An excellent overview of password security is provided by the University of Michigan, Information Technology Division at http://www.umich.edu/~policies/pw-security.html.



• PDA Secure application information can be found at http://www.trustdigital.com/prod1.htm.



• An intriguing paper from the Cambridge University Computer Laboratory entitled "The Memorability and Security of Passwords: Some Empirical Results" is available at: http://www.ftp.cl.cam.ac.uk/ftp/users/rja14/tr500.pdf (PDF format).

Robert J. Shimonski has numerous certifications and is a Lead Network and Security Engineer for a major manufacturing company. Robert's specialties include network infrastructure design, security design, and network management and troubleshooting using many products including firewalls and multiple Cisco products. Robert is the author of many security-related articles and published books, including the Sniffer Network Optimization and Troubleshooting Handbook and the upcoming Security+ Study Guide and DVD Training System both from Syngress Media, Inc. Read more about Robert at his site, http://rsnetworks.net, and be sure to check out his book on using Network Associates’ Sniffer Solutions suite of tools: Sniffer Pro Network Optimization & Troubleshooting Handbook.