If you’re planning to take the Security+ exam, you should have a good understanding of important password security concepts such as using strong passwords.
Here’s a sample practice test question:
Q. An outside security auditor recently completed an in-depth security audit on your network. One of the issues he reported was related to passwords. Specifically, he found the following passwords used on the network: Pa$$, 1@W2, and G7bT3. What should be changed to avoid the problem shown with these passwords?
A. Password complexity
B. Password length
C. Password history
D. Password reuse
Can you answer this question? More importantly, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Using Strong Passwords
One method used to make passwords more secure is to require them to be strong. A strong password is at least eight characters in length, doesn’t include words found in a dictionary or any part of a user’s name, and combines three of the four following character types:
- Uppercase characters (26 letters A–Z)
- Lowercase characters (26 letters a–z)
- Numbers (10 numbers 0–9)
- Special characters (32 printable characters, such as !, $, and *)
A complex password uses multiple character types, such as Ab0@. However, a complex password isn’t necessarily strong. It also needs to be sufficiently long. It’s worth noting that recommendations for the best length of a strong password vary depending on the type of account. In the past, experts have recommended lengths of 8 characters, 10 characters, and more. As of January 2016, Microsoft recommends a password length of at least 14 characters. Organizations often require administrators to create passwords at least 15 characters long. A key point is that longer passwords are more secure and short passwords of 4 or 5 characters are extremely weak.
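The distinction the post draws (complex = mixes character types; strong = complex, at least eight characters, and free of dictionary words or parts of the user's name) is easy to get wrong in a policy check, so here is an added example checker, written for this post rather than taken from it. The word list and the user names are constructed sample data; a real check would use a full dictionary or a banned-password list.

```python
import string

# Character-class definitions from the post: 26 uppercase, 26 lowercase,
# 10 digits, and the 32 printable special characters.
CHAR_CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}

MIN_LENGTH = 8      # strong-password minimum length from the post
MIN_CLASSES = 3     # complex = three of the four character types

# Constructed stand-in for a dictionary / banned-word list (assumption, not from the post).
DICTIONARY_WORDS = {"password", "welcome", "qwerty", "admin", "letmein"}


def character_classes(password):
    """Return the set of character classes actually present in the password."""
    return {name for name, chars in CHAR_CLASSES.items() if any(c in chars for c in password)}


def is_complex(password):
    """Complex: mixes at least three character types. Length is NOT considered here."""
    return len(character_classes(password)) >= MIN_CLASSES


def contains_guessable_word(password, username="", full_name=""):
    """True if a dictionary word or any part of the user's name (3+ chars) appears in the password."""
    lowered = password.lower()
    name_parts = [p.lower() for p in (username, *full_name.split()) if len(p) >= 3]
    return any(w in lowered for w in DICTIONARY_WORDS) or any(p in lowered for p in name_parts)


def strength_problems(password, username="", full_name=""):
    """Return the list of strong-password rules the password violates (empty list = strong)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"too short ({len(password)} chars, need at least {MIN_LENGTH})")
    if not is_complex(password):
        problems.append(f"not complex: fewer than {MIN_CLASSES} of 4 character types")
    if contains_guessable_word(password, username, full_name):
        problems.append("contains a dictionary word or part of the user's name")
    return problems


def is_strong(password, username="", full_name=""):
    """Strong = complex AND long enough AND no easily guessed words."""
    return not strength_problems(password, username, full_name)


if __name__ == "__main__":
    # Passwords from the practice question and the post, plus two constructed ones.
    samples = ["Pa$$", "1@W2", "G7bT3", "Ab0@", "IL0veSecurity+", "4%kiElNsB*", "Welcome2024!"]
    for pw in samples:
        print(f"{pw:16} complex={str(is_complex(pw)):5} problems={strength_problems(pw)}")
    # The same password passes for one user and fails for another (name-part rule).
    print(strength_problems("Jsmith2024!", username="jsmith"))
```

Running it shows the point of the practice question: Pa$$, 1@W2 and G7bT3 all count as complex, yet every one of them fails on length alone.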
The combination of different characters in a password makes up the key space, and you can calculate the key space with the following formula: C^N. C is the number of possible characters used, and N is the length of the password. The ^ character in C^N indicates that C is raised to the N power.
For example, a 6-character password using only lowercase letters (26 letters) is calculated as 26^6, or about 308 million possibilities. Change this to a 10-character password and the value is 26^10, or about 141 trillion possibilities. Although this looks like a high number of possibilities, there are password-cracking tools that can test more than 20 billion passwords per second on desktop computers with a high-end graphics processor. An attacker can crack a 10-character password using only lowercase characters (141 trillion possibilities) in less than two hours.
However, if you use all 94 printable characters (uppercase, lowercase, numbers, and special characters) with the same 6- and 10-character password lengths, the values change significantly: 94^6 is about 689 billion possibilities, and 94^10 is about 53 quintillion. That’s 53 followed by 18 zeroes.
You probably don’t come across quintillion very often. The order is million, billion, trillion, quadrillion, and then quintillion. The password-cracking tool that cracks a lowercase password in 2 hours will take years to crack a 10-character password using all four character types.
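The four key-space figures above and the "two hours versus years" comparison can be reproduced with a few lines. This is an added example written for this post, not code from it; the 20 billion guesses per second rate is the figure the post quotes, and the worst-case time assumes the attacker must try the whole key space.

```python
import string

# Class sizes from the post: 26 + 26 + 10 + 32 = 94 printable characters.
CLASS_SIZES = {"upper": 26, "lower": 26, "digit": 10, "special": 32}
ALL_PRINTABLE = sum(CLASS_SIZES.values())

# Cracking rate the post quotes for a desktop with a high-end GPU (guesses per second).
GUESSES_PER_SECOND = 20_000_000_000

SECONDS_PER_MINUTE = 60
SECONDS_PER_HOUR = 3600
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def key_space(charset_size, length):
    """Number of possible passwords: C raised to the N power."""
    return charset_size ** length


def charset_size_of(password):
    """C for a real password: the summed sizes of the character classes it actually uses."""
    present = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            present.add("upper")
        elif ch in string.ascii_lowercase:
            present.add("lower")
        elif ch in string.digits:
            present.add("digit")
        else:
            present.add("special")
    return sum(CLASS_SIZES[name] for name in present)


def worst_case_seconds(space, rate=GUESSES_PER_SECOND):
    """Seconds needed to try every password in the key space at the given rate."""
    return space / rate


def format_duration(seconds):
    """Render a duration in the largest unit that fits (years, days, hours, minutes, seconds)."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", SECONDS_PER_DAY),
                       ("hours", SECONDS_PER_HOUR), ("minutes", SECONDS_PER_MINUTE)):
        if seconds >= size:
            return f"{seconds / size:.2f} {unit}"
    return f"{seconds:.2f} seconds"


def describe(charset_size, length):
    """One line per scenario: key space and worst-case exhaustive search time."""
    space = key_space(charset_size, length)
    return f"C={charset_size:3} N={length:2}: {space:,} possibilities, {format_duration(worst_case_seconds(space))}"


if __name__ == "__main__":
    # The four scenarios from the post.
    for charset, length in ((26, 6), (26, 10), (ALL_PRINTABLE, 6), (ALL_PRINTABLE, 10)):
        print(describe(charset, length))
    # Applying the formula to the practice-question passwords.
    for pw in ("Pa$$", "1@W2", "G7bT3"):
        print(pw, describe(charset_size_of(pw), len(pw)))
```

The last loop makes the exam point concrete: G7bT3 draws on three character classes (C = 62) but with N = 5 its key space is searched in well under a second at the quoted rate.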
Security experts often mention that if you make a password too complex, you make it less secure.
Read that again. It is not a typo.
More complexity equates to less security. This is because users have problems remembering overly complex passwords such as 4%kiElNsB* and they are more likely to write them down. A password written on paper or stored in a file on a user’s computer significantly reduces security.
Instead, users are encouraged to use passphrases. Instead of nonsensical strings of characters, a passphrase is a long string of characters that has meaning to the user. A few examples of strong passphrases are IL0veSecurity+, IL0veThi$B00k, and IWi11P@$$. Note that these examples include all four character types—uppercase letters, lowercase letters, one or more numbers, and one or more special characters. These passwords are also known as passphrases because they are a combination of words that are easier to remember than a nonsensical string of characters such as 4*eiRS@<].
Strong passwords never include words that can be easily guessed, such as a user’s name, words in a dictionary (for any language), or common key combinations.
Remember this
Complex passwords use a mix of character types. Strong passwords use a mix of character types and have a minimum password length of eight characters.
Q. An outside security auditor recently completed an in-depth security audit on your network. One of the issues he reported was related to passwords. Specifically, he found the following passwords used on the network: Pa$$, 1@W2, and G7bT3. What should be changed to avoid the problem shown with these passwords?
A. Password complexity
B. Password length
C. Password history
D. Password reuse
Answer is B. The password policy should be changed to increase the minimum password length. These passwords are only four and five characters long, which is too short to provide adequate security.
They are complex because they include a mixture of at least three of the following character types: uppercase letters, lowercase letters, numbers, and special characters.
Password history and password reuse should be addressed if users are reusing the same passwords, but the scenario doesn’t indicate this is a problem.