The current trend for "secure" passwords is to pick a word, change some of its characters around, and call the result a good password. Picking on the word ‘password’, for example, we might be tempted to make it complex by mixing upper case, lower case, special characters and numbers, resulting in: Pa$$w0rd. This will comply with an 8-character complex password policy.

To make matters worse, the IT department may insist on us changing our password every 30 or 40 days. This encourages us to pick a simple, short-term memorable password containing an acquaintance’s name and a date. If, for example, we have a friend named Mary who we know was born on 10 December 1995, we could use the password Mary10Dec1995. This complies with the Microsoft complex password policy, which requires three of the four character classes (upper case, lower case, special characters and numbers), but a simple search of a user’s social media pages exposes such a password.

So, what should we do? At work, the password policy is managed by your Domain Administrator. While your admin may require a complex ten-character password, nothing stops you from making it more complex. A password of more than 14 characters makes it more difficult for hackers to extract your password from a computer without a keylogger, as the time-honoured LAN Manager (LM) / NT LAN Manager (NTLM) hashing system then stores an invalid hash of the password which cannot be used to authenticate the user. In this case we force Kerberos authentication, which may stop us connecting to NT4/Windows 98 machines, but these days that would be pretty rare.

For users, then: create a pass phrase. A pass phrase such as ‘I have 2 pets, a cat named Fluffy and a dog named Woofy’ would take a lot longer to crack, as it has 55 characters and still complies with the complexity requirements. We would, of course, not use the names of our real pets; this is just an example of how we can formulate our passwords.

For administrators: increase the password expiry to 90 or 120 days, and run L0phtCrack – with the permission of management, of course – to expose the weak passwords chosen by users, after which those users will need to change their passwords. Service passwords should use Managed Service Accounts, which on a Microsoft system generate passwords of more than 100 characters every 30 days for the services using them.
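The points above (a leet-speak variant of a dictionary word, a name-plus-date password, and the 14-character LM boundary) can be turned into a small password-audit routine that an administrator might run alongside a cracking sweep. This is an added example, not code from the original article; the leet map, the tiny base-word list and the name-and-date pattern are constructed here for illustration, and a real filter would load a breached-password list instead.

```python
import re

# Fold common substitutions back to letters so 'Pa$$w0rd' reads as 'password'.
# (Constructed map for this example; extend as needed.)
LEET = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t", "!": "i"})

# Constructed stand-in for a real dictionary / breached-password list.
WEAK_BASES = {"password", "welcome", "letmein", "summer"}

# Acquaintance-style pattern from the article: Name + day + month + year,
# e.g. Mary10Dec1995 or mary10december95.
MONTHS = "jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec"
NAME_DATE = re.compile(rf"^[A-Z][a-z]+\d{{1,2}}(?:{MONTHS})[a-z]*\d{{2,4}}$", re.I)

# Passwords of 14 characters or fewer can be stored as an LM hash; longer
# ones force the invalid LM hash the article describes.
LM_MAX_LEN = 14


def meets_complexity(pw: str, min_len: int = 8) -> bool:
    """Microsoft-style rule: minimum length plus three of four character classes."""
    classes = [
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),   # spaces and punctuation count as special
    ]
    return len(pw) >= min_len and sum(classes) >= 3


def assess(pw: str) -> dict:
    """Return the policy verdict plus the weaknesses the article warns about."""
    findings = []
    if not meets_complexity(pw):
        findings.append("fails 3-of-4 complexity")
    folded = pw.lower().translate(LEET)
    if folded in WEAK_BASES:
        findings.append(f"leet variant of '{folded}'")
    if NAME_DATE.match(pw):
        findings.append("name+date pattern")
    if len(pw) <= LM_MAX_LEN:
        findings.append(f"<={LM_MAX_LEN} chars: LM-hashable")
    return {"password": pw, "compliant": meets_complexity(pw), "findings": findings}


if __name__ == "__main__":
    for candidate in ("Pa$$w0rd", "Mary10Dec1995",
                      "I have 2 pets, a cat named Fluffy and a dog named Woofy"):
        print(assess(candidate))
```

Both Pa$$w0rd and Mary10Dec1995 come back as policy-compliant yet flagged, while the 55-character pass phrase is compliant with no findings.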

Stay safe, Terry Griffin
