The last article introduced the concept of a security guide – but what is it?
In many cases a security guide is a binder full of often vague, occasionally overly specific and sometimes conflicting requirements. It has usually grown and evolved over a number of years and is written by and for people. Thus, many of the requirements must be interpreted.
Consider a requirement that might appear in a security guide: “passwords must be secure.”
Helpful, isn’t it? What does this really mean? Passwords must be resistant to brute force attacks? Passwords must be difficult to guess? Passwords can’t be shared? Passwords can’t be written down? You can’t have the same password for different accounts and systems?
All of these are good. Under certain circumstances. But what does this actually mean?
In some cases it simply means that people will be charged with violating company security policy if their password is ever misused! A recent Dilbert cartoon captured this nicely: “we trained them to lie by punishing honesty” (paraphrased).
Helpful. Really helpful…
Much better is telling people what to do. The SANS Password Construction Guidelines are a good start, as is the complementary Password Protection Policy. They tell you how to construct a strong password:
Strong passwords have the following characteristics:
- Contain at least 12 alphanumeric characters.
- Contain both upper and lower case letters.
- Contain at least one number (for example, 0-9).
- Contain at least one special character (for example, !$%^&*()_+|~-=\`{}[]:";'<>?,/).
Poor, or weak, passwords have the following characteristics:
- Contain less than eight characters.
- Can be found in a dictionary, including a foreign-language dictionary, or exist as slang, dialect, or jargon.
- Contain personal information such as birthdates, addresses, phone numbers, or names of family members, pets, friends, and fantasy characters.
- Contain work-related information such as building names, system commands, sites, companies, hardware, or software.
- Contain number patterns such as aaabbb, qwerty, zyxwvuts, or 123321.
- Contain common words spelled backward, or preceded or followed by a number (for example, terces, secret1 or 1secret).
- Are some version of “Welcome123”, “Password123”, or “Changeme123”.
This is much better! The key point is that we have gone from a completely abstract “passwords must be secure” to a set of discrete, measurable rules. If it can’t be measured, it is nothing but opinion…
Note that these specific requirements may not meet your needs – for example, you may determine that 12-character passwords are not required, and that 8 characters are sufficient. You may discover that some of your software doesn’t allow special characters. Or you may have realized that passwords simply do not provide adequate security and have implemented a more robust authentication method like multi-factor authentication.
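To show what “measurable rules” looks like in practice, here is an added Python checker (my own illustration, not code from this post or from SANS) that turns the strong/weak characteristics above into individual tests. The dictionary, pattern list and personal-information set are small constructed stand-ins, and the minimum length is a parameter so it can be lowered to 8 as the previous paragraph suggests.

```python
import re
from collections.abc import Iterable

# The special characters exactly as the guideline list on this page gives them
# (note that '#' and '@' are absent, matching the text rather than a fuller set).
SPECIALS = set("!$%^&*()_+|~-=\\`{}[]:\";'<>?,/")

# Constructed stand-ins: a real deployment would load a full wordlist and a
# breached-password denylist instead of these few entries.
DICTIONARY = {"secret", "welcome", "password", "changeme", "dragon"}
PATTERNS = {"qwerty", "zyxwvuts", "123321", "aaabbb"}


def _contains_dictionary_word(lower: str) -> bool:
    """Catch 'secret1', '1secret', 'Welcome123' and reversed words like 'terces':
    every alphabetic run is compared, forwards and backwards, against DICTIONARY."""
    for run in re.findall(r"[a-z]+", lower):
        if run in DICTIONARY or run[::-1] in DICTIONARY:
            return True
    return False


def check_password(pw: str, min_len: int = 12, personal: Iterable[str] = ()) -> list[str]:
    """Return the list of rules the candidate password violates.

    An empty list means it meets every rule on the page. `personal` is the
    caller-supplied set of names, dates, building names, etc. for this user."""
    problems = []
    lower = pw.lower()
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        problems.append("needs both upper and lower case letters")
    if not any(c.isdigit() for c in pw):
        problems.append("needs at least one number")
    if not any(c in SPECIALS for c in pw):
        problems.append("needs at least one special character")
    if _contains_dictionary_word(lower):
        problems.append("dictionary word, reversed word, or word plus a number")
    if any(p in lower for p in PATTERNS):
        problems.append("contains a keyboard or number pattern")
    if any(p.lower() in lower for p in personal):
        problems.append("contains personal or work-related information")
    return problems
```

Each entry in the returned list maps to one bullet above, so a rejected password can be explained to the user instead of failing with an opaque “not secure” message.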
But we’re getting ahead of ourselves. We will lay out some basic requirements for a security guide in the next post.
Is there a reason you left # and @ out of the special character list?
One thing I hate is sites that have special requirements for passwords that make my easy to remember but hard to guess password (that meets your criteria) unacceptable. The site never gives a list of their requirements until you have to reset the password, then I remember how I altered my password scheme to meet their unique requirements.
Well, technically, it wasn’t me leaving those characters out – these guidelines are from the SANS Institute. But you have a good point. They probably excluded them because these characters are commonly used delimiters.
And I completely agree with you on all the strange requirements different sites and applications have! Especially ones that limit you to a 10 or 12 character maximum. If it is a site that I care about, I tend to use generated passwords and keep them in a password manager.