what is a good password?

Passwords are a secret used to prove your identity to a computer. We have come to rely on passwords to protect access to important things such as email accounts and bank accounts. The most commonly used type of password is a “static” password, one that stays the same each time it is used. An example of a static password is the PIN that you use at an ATM or the password that you use to log in to Facebook. Static passwords are often used because they are cheap to implement and are well understood by the general public.

An improvement to static passwords is the one-time password, a password that is valid for a single use. Most one-time password systems require the use of hardware tokens or specialized software, so they are much more costly to implement than a static password. They are usually harder to support as well. (These factors are part of the reason why online banking is not protected with one-time passwords.)

When it comes right down to it, static passwords are really not a great way to prove identity. Programs such as Brutus, Cain & Abel, and THC-Hydra are examples of tools that make password guessing very easy.

While the above programs make password guessing simple, they are not the only threat to static passwords. Phishing attacks are designed to steal passwords by imitating a real web site that normally asks for your password. These attacks have been stealing passwords from eBay accounts, banking accounts and even Facebook accounts. A phishing attack usually starts as an email message that appears to come from eBay or your bank, asking you to confirm your account by logging into a website. More sophisticated ones will say that a fraudulent charge has been posted to your account and that you need to log in if you wish to dispute it, or describe some other trouble with your account.

So, with these issues, what is a good password? Since we are currently stuck with passwords, they need to be complex enough that they cannot be easily guessed. That might sound easy, but lists of commonly used passwords are published and widely available. For examples of easily guessed passwords, check out this blog posting. Another good example is the Openwall project’s list.

While passwords need to be complex, they also need to be simple enough to be easily remembered. An article by Mark Pothier in the Boston Globe discusses Microsoft researcher Cormac Herley’s estimates of the costs associated with password resets and makes the case that complex, hard-to-remember passwords are often not worth the expense.

So, what is a good password? I still vote for a complex password that is regularly changed. Why? Well, in most of the network penetration tests that I perform, I have found that a weak password exists and allows unauthenticated access to critical resources. Until a better method of user authentication exists, we are stuck with having to better manage our weak passwords. And remember, it needs to be changed regularly to limit the potential for misuse if it is captured, but not so often that you forget it.