Password security best practices: Change passwords to passphrases

Making passwords more complex hasn’t stopped hackers. Learn why passphrases are better, and surprisingly easy for users to remember.

Weak password, strong password, temporary password, password reminder, forgotten password, password reset, password fatigue, password overload: Whether you’re a user or system administrator, passwords are part of our everyday lives.


Although passwords have suffered through a lot of bad press, there’s still no universally accepted alternative. So despite their weaknesses, both in terms of security and practical use, we still use them.

Or should that be misuse them? Based on data from real-world investigations and compliance management vendor Trustwave’s 2012 Global Security Report, the most common password used by global businesses is “Password1”! This is an unbelievable statistic, and it shows that many administrators don’t understand how to make password-based access policies more robust.

This tip will offer analysis on the state of password security best practices in the enterprise. I’ll look at the best types of passwords, and discuss the most important ingredient for creating a strong password.

Password security best practices
The first passwords any administrator must review are those tied to a service account. Service accounts are used by a variety of applications to access other services such as databases and backup programs. Many are created automatically with a well-known default password when a software program is installed. Administrators responsible for these service accounts should change the default password to a strong one right away (and I will come onto what constitutes “strong” shortly). This is clearly still an area that is being overlooked by IT staff, as Trustwave found weak and/or default credentials were one of the primary weaknesses exploited by attackers to propagate an attack once one machine had been compromised.

Next on the list of best practices for administrators is eradicating shared passwords among services and machines. Yes, having a shared local administrator password makes managing a large number of machines easier, but by cracking or guessing just one password, an attacker can immediately gain extensive control over the network. This also applies to accounts that are used by common services across multiple machines that typically require domain administrative privileges (an obvious one being accounts used to run backup software). Hacking tools such as Medusa will check whether a compromised account is used elsewhere on other machines, so all of these accounts should be assigned their own unique password.

Finally, new employee accounts need to be assigned strong passwords. Passwords such as “Welcome” or “ChangeMe” may appear friendly or helpful to new users, but are not secure. Users must be required to change their assigned password once they have successfully logged on for the first time.

Types of passwords
Users aren’t particularly creative when it comes to choosing a password, and originality tends to diminish quickly with each successive change. A typical password references favourite people, pets, teams, heroes and places. If a password policy requires numerals, many users simply add a number to the end of a base password and increment it whenever they are required to change it, or append the date instead. The most common sequence for passwords appears to be six letters and two numbers, followed closely by seven letters and one number. This is probably because eight characters tends to be the required length for many Active Directory installations.

This kind of predictability makes life easy for an attacker, even though most of these passwords would be classified as strong. They meet complexity requirements because they contain the minimum number of characters and include a couple of character variations. For example, the Active Directory password-complexity policy states that a password is required to have a minimum of eight characters and three of the five character types (lowercase, uppercase, numbers, special, Unicode). This may sound onerous, but “Password1”, “Password2”, and “Password3” fully meet these requirements. They meet the same complexity requirements as “Zq!5$7é”, but are far more memorable, a key requirement for any password. (This is why users who do use complex passwords often write them down on a Post-it note, which is then stuck to the monitor or the underside of their keyboard.)

But which is more secure, “Password1” or “Zq!5$7é”? I would certainly never guess the second password, but I would probably try “Password1” if I had to guess an individual’s password or was trying to log on to his or her machine. Most hackers aren’t constrained by three failed attempts locking them out; they first steal the file containing account passwords and then use a password-cracking tool to discover the passwords at their leisure.

Adding complexity, such as character substitution where “ManUnited” becomes “ManUn1t3d”, may help defend against a dictionary attack (in which many common passwords are tried in rapid succession), because the substituted version isn’t in the dictionary. But any serious attacker is going to use a brute-force password-cracking tool that tries all possible character combinations, so because “ManUnited” and “ManUn1t3d” are both nine characters long, the time required to crack them would actually be the same. And a password of “Zq!5$7é”, when run through a brute-force password-cracking tool, would be cracked before “Password1”, as it is two characters shorter.

Thus, simply adding complexity to a password does not make it inherently more secure.

Passphrases: The importance of password length
Increasing the number of characters in a password dramatically improves security. Every additional character multiplies the number of possible combinations by the size of the character set, so the total grows exponentially with length, making brute-force attacks on longer passwords far harder, and ultimately impractical, for hackers to crack.

The term passphrase has never really caught on, but if users begin to think of their passwords as passphrases, then the problem of weak passwords can easily be overcome. “ManUnitedAreTheBestTeamInTheUk” is a far stronger password than “Zq!5$7é”, even though it only contains letters. It is a lot harder to guess than “Password1”, yet remains easy to remember for the user. It may take a little longer to type than a standard eight-character password, but is probably easier for most people to type accurately than “Zq!5$7é”.
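The comparison the article draws between dictionary guessing and exhaustive brute force, and between complexity and length, can be put into numbers. The following is an added example and is not code from the article or from any product it mentions. It assumes a brute-force tool that enumerates the 95 printable ASCII characters (so the tool's alphabet, not the password, fixes the keyspace), a constructed denylist of a few common passwords standing in for an attacker's dictionary, and the Active Directory "three of five categories" rule as the article describes it; `assess`, `ad_categories` and the other function names are ours.

```python
import math

# Constructed denylist standing in for the "dictionary" an attacker tries first.
# A real deployment would use a published breached-password list instead.
COMMON_PASSWORDS = {"password", "password1", "welcome", "changeme", "letmein", "qwerty"}

# Alphabet a generic brute-force tool enumerates: the 95 printable ASCII characters.
# This is an assumption of the example; the tool's alphabet, not the password, fixes it.
BRUTE_FORCE_ALPHABET = 95


def ad_categories(password: str) -> set:
    """Return the Active Directory character categories present in the password."""
    cats = set()
    for ch in password:
        if ch.isascii() and ch.islower():
            cats.add("lower")
        elif ch.isascii() and ch.isupper():
            cats.add("upper")
        elif ch.isascii() and ch.isdigit():
            cats.add("digit")
        elif ch.isascii():
            cats.add("special")      # punctuation, symbols, space
        else:
            cats.add("unicode")      # anything outside ASCII, such as "é"
    return cats


def meets_complexity(password: str, min_categories: int = 3) -> bool:
    """AD's 'three of five categories' rule; minimum length is a separate setting."""
    return len(ad_categories(password)) >= min_categories


def in_common_list(password: str) -> bool:
    """Dictionary check: would this fall to a list of common passwords immediately?"""
    return password.lower() in COMMON_PASSWORDS


def brute_force_keyspace(password: str, alphabet: int = BRUTE_FORCE_ALPHABET) -> int:
    """Number of candidates of this length a tool trying every combination must cover."""
    return alphabet ** len(password)


def keyspace_bits(password: str, alphabet: int = BRUTE_FORCE_ALPHABET) -> float:
    """The same quantity in bits: each extra character adds log2(alphabet) bits."""
    return len(password) * math.log2(alphabet)


def assess(password: str) -> dict:
    """Summarise policy compliance against the two attack models the article contrasts."""
    return {
        "length": len(password),
        "meets_complexity": meets_complexity(password),
        "in_common_list": in_common_list(password),
        "keyspace_bits": round(keyspace_bits(password), 1),
    }


if __name__ == "__main__":
    for pw in ["Password1", "Zq!5$7é", "ManUnited", "ManUn1t3d",
               "ManUnitedAreTheBestTeamInTheUk"]:
        print(f"{pw!r:36} {assess(pw)}")
```

Running it shows the article's point from both sides: “Password1” passes the complexity rule and has a larger brute-force keyspace than “Zq!5$7é”, yet it falls to the dictionary check at once; “ManUnited” and “ManUn1t3d” have identical keyspaces because they are the same length; and the thirty-character passphrase, which actually fails the three-category rule, is neither in the dictionary nor within reach of exhaustive search.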

Long passphrases should be a best practice for both administrators and users. Length is one of the few effective controls left when it comes to making passwords more robust, and thinking of a password as a passphrase opens up the possibilities of length and memorability without undue complexity.

About the author:
Michael Cobb, CISSP-ISSAP is a renowned security author with more than 15 years of experience in the IT industry. He is the founder and managing director of Cobweb Applications, a consultancy that provides data security services delivering ISO 27001 solutions. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Cobb serves as contributing expert for application and platform security topics, and has been a featured guest instructor for several Security School lessons.
