![]("http://techupdate.zdnet.co.uk/i/z/tu/b/builderlogo.gif")
Sure, passwords alone can't secure your Web-based system. But you can still take measures to make them more effective. For one thing, you can build in some functionality that forces your users to adopt strong passwords. You can also carefully consider where you store those passwords and take advantage of encryption classes to protect them.
Strong passwordsDon't dismiss the importance of using strong passwords. Sometimes, passwords are the only barrier between hackers and a series of potentially harmful operations. Strong passwords meet at least the following requirements:
- They're at least eight characters long; 12 or more is better.
- They contain elements from any of the following groups: lowercase letters, uppercase letters, nonalphanumeric symbols (punctuation, *, #, $, and so forth), and digits.
- They expire frequently -- every 90 days or sooner.
You can require as policy that a password history be maintained to prevent the same password from being renewed over and over. Other, stricter rules are also possible, such as requiring certain elements to appear in specific positions within the password. Of course, longer or more complex passwords do not eliminate the risk of brute-force attacks, in which hackers try all possible combinations of characters to guess the right password. Still, the longer thepassword is, the more time it will take to crack. This fact, combined with an effective auditing policy, should significantly increase the likelihood of detecting the attack. Look at the numbersIf you're not convinced of the importance of strong passwords, have a look at Table A, which shows the possible combinations of strings that a brute force attack must walk through to guess a password. Let's say that you think a five-character password consisting only of lowercase or uppercase letters will suffice. Given a 26-letter alphabet, the number of five-character substrings is obtained through the following formula, in which the ! symbol denotes the factorial of the number: 26! / (26-5)! * 5! The table shows how the number of combination changes according to the alphabet and the password length. Table A
|
A hacker would probably employ an optimised combinatorial algorithm, making the effective number of attempts even smaller. However, my goal here is to show the order of magnitude by which your password security grows if you only make the password longer or add an extra group of characters.
