A password is stronger if, for the same number of characters, it includes a mix of upper- and lower-case letters, numbers and other symbols, where these are allowed. The difficulty of remembering such a password increases the chance that the user will write it down, which exposes it to a different attack (in this case, the paper being lost or stolen and the password discovered).
Whether this represents a net reduction in security depends on whether the primary threat to security is internal (e.g., social engineering) or external.
A password can look random at first sight, but on closer examination turn out to be just a pattern. One example of this type of password is 26845.
Although short, it is not easily guessed. However, the person who created the password can remember it because it is just the four direction keys on the numeric keypad (found at the right of most keyboards) plus the five in the middle. With a little practice it becomes one swift motion of two fingers around the keypad (which is very easy to use).
Forcing users to use system-created random passwords ensures that the password will have no connection with that user and should not be found in any dictionary.
Several OSs have included such a feature. Almost all OSs also include password aging: users are required to choose new passwords regularly, usually after 30 or 45 days. Many users dislike these measures, particularly when they have not been through security awareness training. The imposition of strong random passwords may encourage users to write down passwords, store them in personal digital assistants (PDAs) or cell phones, and share them with others as insurance against memory failure, increasing the risk of disclosure.
The general guidelines applicable to password policies, which can be implemented organization-wide, are as follows:
- Passwords and user logon identities (IDs) should be unique to each authorized user.
- Passwords should consist of a minimum of eight alphanumeric characters (no common names or phrases).
- There should be computer-controlled lists of prescribed password rules and periodic testing (e.g., for letter and number sequences, character repetition, initials, common words and standard names) to identify any password weaknesses.
- Passwords should be kept private, that is, not shared with friends, colleagues, etc. They shall not be coded into programs or noted down anywhere.
- Passwords shall be changed every 30/45 days or less. Most operating systems (OSs) can enforce a password with an automatic expiration and prevent repeated or reused passwords.
- User accounts should be frozen after five failed logon attempts. All erroneous password entries should be recorded in an audit log for later inspection and action, as necessary.
- Sessions should be suspended after 15 minutes (or other specified period) of inactivity and require the passwords to be re-entered.
- Successful logons should display the date and time of the last logon and logoff.
- Logon IDs and passwords should be suspended after a specified period of non-use.
- For high-risk systems, after excessive violations, the system should generate an alarm and be able to simulate a continuing session (with dummy data) for the failed user (to keep this user connected while personnel attempt to investigate the incoming connection).
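As an added illustration (not part of the original text) of how the computer-controlled rule tests listed above and the keypad-pattern example earlier in the section could be automated, the following Python checker flags a candidate password that is too short, is not alphanumeric, contains a common word, a letter/number sequence, a repeated character, or a numeric-keypad walk such as 26845. The wordlist and the run-length thresholds are constructed assumptions.

```python
import re
# Constructed sample wordlist; a real deployment would load a full dictionary.
COMMON_WORDS = {"password", "welcome", "admin", "letmein", "qwerty"}
# Numeric keypad layout, used to detect finger "walks" such as 26845.
KEYPAD_POS = {ch: (r, c) for r, row in enumerate(["789", "456", "123"])
              for c, ch in enumerate(row)}

def is_keypad_walk(digits: str) -> bool:
    """True if each step between consecutive digits lands on a touching keypad key."""
    if len(digits) < 4 or any(ch not in KEYPAD_POS for ch in digits):
        return False
    for a, b in zip(digits, digits[1:]):
        (r1, c1), (r2, c2) = KEYPAD_POS[a], KEYPAD_POS[b]
        if max(abs(r1 - r2), abs(c1 - c2)) > 1:   # keys not adjacent (diagonals count)
            return False
    return True

def has_sequence(pw: str, run: int = 3) -> bool:
    """True if pw contains `run` consecutive letters/digits in order (abc, 321)."""
    codes = [ord(ch) for ch in pw.lower()]
    for i in range(len(codes) - run + 1):
        diffs = {b - a for a, b in zip(codes[i:i + run], codes[i + 1:i + run])}
        if diffs in ({1}, {-1}) and pw[i:i + run].isalnum():
            return True
    return False

def has_repetition(pw: str, run: int = 3) -> bool:
    """True if any character is repeated `run` or more times in a row."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None

def check_password(pw: str) -> list:
    """Return the policy rules the password breaks; an empty list means it passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than eight characters")
    if not (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)):
        problems.append("not alphanumeric (needs both letters and digits)")
    if any(word in pw.lower() for word in COMMON_WORDS):
        problems.append("contains a common word")
    if has_sequence(pw):
        problems.append("contains a letter/number sequence")
    if has_repetition(pw):
        problems.append("repeats a character three or more times")
    if any(is_keypad_walk(m.group()) for m in re.finditer(r"\d{4,}", pw)):
        problems.append("contains a keypad walk (e.g. 26845)")
    return problems

if __name__ == "__main__":
    for candidate in ("26845", "Password123", "Tr7q#Zm9pL"):
        print(candidate, "->", check_password(candidate) or ["ok"])
```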
Similarly, netizens should follow password guidelines to avoid having their personal E-Mail accounts hacked/attacked by attackers.
- Passwords used for business E-Mail accounts, personal E-Mail accounts (Yahoo/Hotmail/Gmail) and banking/financial user accounts (e.g., online banking/securities trading accounts) should be kept separate.
- Passwords should be of a minimum of eight alphanumeric characters (common names or phrases should be avoided).
- Passwords should be changed every 30/45 days.
- Passwords should not be shared with relatives and/or friends.
- Password used previously should not be used while renewing the password.
- Passwords of personal E-Mail accounts (Yahoo/Hotmail/Gmail) and banking/financial user accounts (e.g., online banking/securities trading accounts) should be changed from a secured system, within a couple of days, if these accounts have been accessed from public Internet facilities such as cybercafes/hotels/libraries.
- Passwords should not be stored on mobile phones/PDAs, as these devices are also prone to cyber-attacks.
- In the case of receipt of an E-Mail from banking/financial institutions instructing you to change your password, the legitimacy of the E-Mail should be verified before clicking the web links it displays, to avoid being a victim of phishing attacks.
- Similarly, in the case of receipt of an SMS from banking/financial institutions instructing you to change your password, the legitimacy of the SMS should be verified to avoid being a victim of smishing attacks.
- In case E-Mail accounts/user accounts have been hacked, the respective agencies/institutions/experts should be contacted immediately.