692 Chapter 12 • Operational and Organizational Security: Policies and Disaster Recovery
Passwords act as a shared secret between the system and the person, allowing entry
only to those who present the correct password and denying entry to those who do
not. Unfortunately, while the system can keep a secret, people often cannot. For
example, a secretary may give a temporary employee her password so the temp does
not have to go through the trouble of applying for additional access. Another user
may write a password on a piece of paper and tape it to the monitor. In both cases
someone other than the account owner can use the account, and the system has no
way to tell the two apart. Because of the importance of password protection, a
policy should state that users are responsible for their accounts and for anything
done with them.
Strong Passwords
Even if a user protects their password, it can still be cracked with tools or
simply guessed. Passwords that are ordinary words can be cracked by a dictionary
attack, a program that tries every word in a word list (and the common variations
cracking tools add automatically, such as appended digits or symbols substituted
for letters). In addition, attackers can easily guess the names of family members,
pets, or other interests. Strong passwords are harder to guess and do not fall to
a dictionary attack. Using a combination of two or more of the following keyboard
character types can create strong passwords:
■ Lower case letters (a through z)
■ Upper case letters (A through Z)
■ Numbers (0 through 9)
■ Special characters ({}[],.<>;:'"?/|\`~!@#$%^&*()_-+=)
Strong passwords can still be cracked by a program that performs a brute-force
attack (covered in Chapters 2 and 9), which tries every possible combination of
characters, but cracking a password this way can take a considerable amount of
time: the number of combinations is the size of the character set raised to the
power of the password length, so each additional character multiplies the
attacker's work.
Longer passwords make brute-force attacks harder, so the policy should specify a
minimum password length. For example, a policy may state that passwords must be at
least eight characters long. Length counts for more than mixing character classes:
twelve lower case letters (26^12, about 9.5 x 10^16 combinations) give a larger
search space than eight characters drawn from all four classes above (94^8, about
6.1 x 10^15). Eight characters is also a historical floor; a GPU cracking rig can
exhaust 94^8 against a fast, unsalted hash in hours to days, so many current
policies set a minimum of twelve or more.
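The policy checks and the brute-force arithmetic above, as an added example that is not code from the book: a small Python checker that enforces a minimum length and a minimum number of character classes, rejects dictionary words after undoing the substitutions cracking tools try first, and computes the worst-case search space and crack time for a password. The word list, the leet-speak substitution table and the guess rate of 10^10 per second are constructed assumptions for illustration, not figures from the page.

```python
import string

# Character classes as listed on this page. The special-character set is the one
# printed above (32 characters, the same set as string.punctuation).
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set("{}[],.<>;:'\"?/|\\`~!@#$%^&*()_-+="),
}

# Constructed stand-in for a cracking word list; real lists hold millions of entries.
DICTIONARY = {"password", "letmein", "welcome", "qwerty", "summer", "dragon"}

# Assumed substitution table: the letter-for-symbol swaps a cracking tool's rule
# set undoes first (4->a, 3->e, 0->o, 1->l, $->s, 5->s, @->a, !->i).
LEET = str.maketrans("4301$5@!", "aeolssai")


def classes_used(password):
    """Return the names of the character classes that appear in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def normalize(password):
    """Reduce a password to the dictionary word a cracker would derive it from:
    lower-case it, strip trailing digits/punctuation ('Summer2024!' -> 'summer'),
    then undo leet substitutions ('P@ssw0rd' -> 'password')."""
    p = password.lower().rstrip(string.digits + string.punctuation)
    return p.translate(LEET)


def check_policy(password, min_length=8, min_classes=2, dictionary=DICTIONARY):
    """Apply the page's policy. Returns (ok, reasons); reasons is empty when ok."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    used = classes_used(password)
    if len(used) < min_classes:
        reasons.append(f"uses only {len(used)} character class(es); need {min_classes}")
    if normalize(password) in dictionary:
        reasons.append("is a dictionary word once common substitutions are undone")
    return (not reasons, reasons)


def keyspace(password):
    """Combinations a brute-force attacker must try if they know which classes
    were used: (sum of the sizes of those classes) ** length."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    return alphabet ** len(password)


def crack_time_seconds(password, guesses_per_second=1e10):
    """Worst-case seconds to exhaust the keyspace. 1e10 guesses/s is an assumed
    round figure for a GPU rig against a fast unsalted hash; a slow hash such as
    bcrypt lowers the rate by several orders of magnitude."""
    return keyspace(password) / guesses_per_second


if __name__ == "__main__":
    for pw in ["password", "P@ssw0rd", "Summer2024!", "Tr0ub4dor&3", "abcdefghijkl"]:
        ok, reasons = check_policy(pw)
        print(f"{pw:14} {'pass' if ok else 'FAIL':4} "
              f"keyspace~2^{keyspace(pw).bit_length() - 1:<3} "
              f"worst case {crack_time_seconds(pw):.3g}s  {'; '.join(reasons)}")
```

Running the demo shows why the two rules in the policy pull in different directions: "P@ssw0rd" satisfies both the length and the class rule yet fails, because it normalizes to a word on the list, while twelve plain lower case letters pass the length rule, fail the class rule, and still have a larger keyspace than any eight-character password.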
Password Changes and Restrictions
Passwords should be changed after a set period of time, so that anyone who has
obtained a particular password cannot use it indefinitely and others have less
time to guess it. A common recommendation is to force users to change passwords
every 45 to 90 days at most (more recent guidance, such as NIST SP 800-63B, advises
changing passwords when compromise is suspected rather than on a fixed schedule,
because forced rotation tends to produce predictable variants of the old
password). While changing it often is more secure, it
www.syngress.com