How to create a good password (strong but user-friendly)

Customers often ask me how to create a good password: how should they choose their password, and what is a good password policy? Well, the term « good password » must first be defined. A good password must be strong, as in difficult to guess or brute-force, but it must also be easy to understand.


What is so important about a password?


The strength of a password is directly proportional to its entropy, that is, the number of possible choices an attacker has to go through when trying to guess it. And this is where a password policy can be misleading. Let’s take the following policy, which many would consider good practice.

At least 8 characters; lower-case letters are allowed, but at least one upper-case character
and one digit must be included.

Organizations that adopt it hard-code it into their directory services and their applications, so that any new password that is not compliant is rejected. The entropy of these passwords is in theory 62^8. But in most cases the entropy will be much lower than that, because most users only use one or two upper-case characters. For users with only one digit and one upper-case character, the entropy will be 56 × 10 × 26^7, much, much less than 62^8!

So the mandatory digit and upper-case character did not significantly increase the entropy or the security, and they make the password much more difficult to remember.
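The counts above can be checked with a short calculation. This is an added example, not part of the original post: the function names are my own, and it also reports each count in bits (log2), the usual unit for entropy.

```python
from itertools import product
from math import log2, perm

LOWER, UPPER, DIGIT = 26, 26, 10  # class sizes behind the 62-character alphabet

def compliant(n, lower=LOWER, upper=UPPER, digit=DIGIT):
    """Length-n strings with at least one upper-case letter and at least one
    digit, counted by inclusion-exclusion."""
    total = lower + upper + digit
    return total**n - (total - upper)**n - (total - digit)**n + lower**n

def minimal(n, lower=LOWER, upper=UPPER, digit=DIGIT):
    """Length-n strings with exactly one upper-case letter and one digit,
    all other positions lower case (the typical user behaviour)."""
    # perm(n, 2) = ordered choice of the two special positions (8 * 7 = 56)
    return perm(n, 2) * upper * digit * lower**(n - 2)

def brute_force(n, lower, upper, digit):
    """Enumerate a toy alphabet to cross-check both closed forms."""
    alphabet = "l" * lower + "U" * upper + "d" * digit  # one label per symbol
    ok = exact = 0
    for word in product(alphabet, repeat=n):
        u, d = word.count("U"), word.count("d")
        ok += u >= 1 and d >= 1
        exact += u == 1 and d == 1
    return ok, exact

def report(n=8):
    """Candidate count and size in bits for each population of passwords."""
    rows = {
        "any 62-char string": 62**n,
        "policy-compliant": compliant(n),
        "one upper + one digit": minimal(n),
    }
    return {name: (count, round(log2(count), 1)) for name, count in rows.items()}

if __name__ == "__main__":
    # Toy check: 3 lower, 2 upper, 2 digits, length 4 (constructed sizes)
    assert brute_force(4, 3, 2, 2) == (compliant(4, 3, 2, 2), minimal(4, 3, 2, 2))
    for name, (count, bits) in report().items():
        print(f"{name:24} {count:>20,}  ~{bits} bits")
```

The policy itself already removes every string without an upper-case letter or a digit from the 62^8 space, and the typical "one upper, one digit" habit shrinks it by a further factor of about 36.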

Another problem with this policy is that the password will tend to be 8 characters and very difficult to guess. Try to remember: S9F2hslj.

Which is the best password policy?

A good password policy is to use a passphrase. Something like « afastcarformeanicedressforyoulifeissimple » would be a very strong password with an entropy of 2^41. Good luck with that. And the provocative joke will make it easy to remember.

Ease of use is probably the largest advantage. Hard-to-remember passwords always end up written down somewhere: in a computer file, on a paper note in a drawer or, even worse, on a paper note on the desk.

So when will you start using a passphrase as your password? Tomorrow is too late.


