In honor of Cybersecurity Awareness Month, and following a recent blog by Jon Oltsik, I’m taking a detour from network-specific topics to discuss an issue almost everyone has to deal with: “how strong is my password?” Here’s a pop quiz based on an XKCD comic on that topic.
Question: Which one of these two passwords is stronger (i.e., harder for a computer to guess)?
- “Tr0ub4dor&3” (that’s troubadour in leetspeak)
- “correct horse battery staple” (I inserted the spaces between the four words to make it easier to read)
Some people are surprised to learn that the second one is better and more difficult to guess. The benefits of the second choice are that it is:
- Longer – more characters make it harder to guess by brute force. Compare 3 days vs. 550 years.
- Easier to remember – this makes it less likely you will write it down and post it on your monitor.
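To show where the “3 days vs. 550 years” comparison comes from, here is an added worked example (not part of the original post). It compares two ways of estimating guessing work: a naive count that treats every character as random, and a structured count that models how a password was actually built. The per-component bit estimates for “Tr0ub4dor&3”, the 2048-word dictionary, and the rate of 1000 guesses per second are assumptions restated from the XKCD comic the post refers to, not figures from the post itself.

```python
import math

# Assumed attacker guess rate (constructed assumption from the XKCD comic): 1000/s.
GUESSES_PER_SECOND = 1000


def naive_charset_bits(password: str) -> float:
    """Upper bound: every character drawn uniformly from the union of the
    ASCII classes present. Overstates strength for patterned passwords."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation plus space
    return len(password) * math.log2(size)


def structured_bits(components: dict) -> int:
    """Sum of per-decision bits for a password built from a recipe
    (dictionary word + substitutions + suffix). Models a smart guesser."""
    return sum(components.values())


def passphrase_bits(word_count: int, dictionary_size: int) -> float:
    """Bits for word_count words chosen uniformly from a dictionary."""
    return word_count * math.log2(dictionary_size)


def seconds_to_crack(bits: float, guesses_per_second: int = GUESSES_PER_SECOND) -> float:
    """Time to enumerate the full space of 2**bits guesses."""
    return 2 ** bits / guesses_per_second


def describe_duration(seconds: float) -> str:
    """Human-readable duration, largest unit first."""
    units = [("years", 365.25 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


# Constructed recipe for "Tr0ub4dor&3", following the comic's breakdown:
# uncommon base word, capitalisation, common leet substitutions,
# a punctuation character, a numeral, and the unknown order of the suffix.
TROUBADOR_RECIPE = {
    "base_word": 16,
    "capitalisation": 1,
    "substitutions": 3,
    "punctuation": 4,
    "numeral": 3,
    "suffix_order": 1,
}


def compare(password: str, recipe: dict, words: int, dictionary_size: int) -> dict:
    """Return both estimates for the leet password and the passphrase."""
    leet_bits = structured_bits(recipe)
    phrase_bits = passphrase_bits(words, dictionary_size)
    return {
        "leet_naive_bits": round(naive_charset_bits(password), 1),
        "leet_structured_bits": leet_bits,
        "leet_time": describe_duration(seconds_to_crack(leet_bits)),
        "phrase_bits": phrase_bits,
        "phrase_time": describe_duration(seconds_to_crack(phrase_bits)),
    }


if __name__ == "__main__":
    for key, value in compare("Tr0ub4dor&3", TROUBADOR_RECIPE, 4, 2048).items():
        print(f"{key:22s} {value}")
```

The naive count credits “Tr0ub4dor&3” with over 70 bits because it mixes four character classes, but a guesser that knows the recipe (dictionary word, predictable substitutions, short suffix) faces only about 28 bits. Four random common words carry 44 bits under the same structured model, and that 16-bit gap is the difference between days and centuries at the assumed rate.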
It doesn’t help that some websites force you to use non-alphanumeric characters, and on top of that, they require passwords to be only between 4 and 8 characters long, which makes them easier to guess. This is described in an article by Ken Guzik, who states that there is a great deal of inconsistency in the passwords accepted by websites. Some don’t even tell you what’s acceptable until you try to enter one and the site rejects it.
Going back to the networking world, let’s look at what Cisco IOS 12 allows in the enable secret command to establish password protection to restrict access to the network or devices.
- Maximum 80 characters. This is great, since it can be long.
- First character cannot be a number.
Remember to use the enable secret command rather than the older enable password command, which is less secure: enable secret stores the password using a non-reversible cryptographic function, so the configuration file never contains a recoverable copy of it.
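As an added example (not from the original post or from Cisco), the following script audits a saved IOS configuration for the weaker enable password form and checks a candidate secret against the two constraints listed above. The configuration fragment is constructed for the example, and the hash strings in it are placeholders, not real IOS output.

```python
import re

# Constructed sample IOS configuration; hash values are placeholders only.
SAMPLE_CONFIG = """\
hostname edge-router
enable password 7 PLACEHOLDER_TYPE7_STRING
enable secret 5 $1$PLACEHOLDER_TYPE5_HASH
username admin password 0 PlaintextHere
username ops secret 5 $1$PLACEHOLDER_TYPE5_HASH
service password-encryption
"""

MAX_SECRET_LEN = 80  # limit given in the post for enable secret


def check_secret_rules(candidate: str) -> list:
    """Return the enable-secret rules from the post that the candidate breaks."""
    problems = []
    if not candidate:
        problems.append("empty secret")
    if len(candidate) > MAX_SECRET_LEN:
        problems.append(f"longer than {MAX_SECRET_LEN} characters")
    if candidate and candidate[0].isdigit():
        problems.append("first character cannot be a number")
    return problems


# Patterns for lines that keep a password in plaintext or reversible (type 7) form.
WEAK_LINE_PATTERNS = [
    (re.compile(r"^enable password\b"), "enable password",
     "reversible or plaintext; replace with 'enable secret'"),
    (re.compile(r"^username (\S+) password\b"), "username password",
     "reversible or plaintext; replace with 'username <name> secret'"),
]


def audit_config(config_text: str) -> list:
    """Scan a config and return (line_number, kind, advice) for each weak line."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        for pattern, kind, advice in WEAK_LINE_PATTERNS:
            if pattern.match(line):
                findings.append((lineno, kind, advice))
                break
    return findings


def has_enable_secret(config_text: str) -> bool:
    """True if the config sets enable secret at all."""
    return any(l.strip().startswith("enable secret") for l in config_text.splitlines())


if __name__ == "__main__":
    for lineno, kind, advice in audit_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {kind}: {advice}")
    print("enable secret present:", has_enable_secret(SAMPLE_CONFIG))
    print("rules broken by '1bad':", check_secret_rules("1bad"))
```

The sample flags lines 2 and 4. Note that service password-encryption only applies the reversible type 7 obfuscation to plaintext lines; it does not turn an enable password into an enable secret, which is why the audit treats both forms the same way.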
Specific systems like the Cisco ASA VPN also accept multi-factor authentication, which is good for enterprise security, especially in a distributed environment, since it requires a password (something you know) plus something you have.
Multi-factor authentication has recently found its way into many consumer services. You may be pleased to discover that many banks, web services, and cloud apps now accept it. It may be based on hardware tokens, such as RSA SecurID or Yubico’s YubiKey, on phone-based SMS, or on software tokens in PC or smartphone apps. Some companies, such as Symantec VIP or Duo Security, offer both hard and soft tokens. Regardless of which route you take, it’s better than using passwords alone.
I wrote an earlier blog, All I Need to Know about Cyber Security, I Learned in an NSA Pamphlet for Securing Home Networks, which points to resources on many consumer security guidelines. In addition, a good article on choosing and protecting passwords is available here.