Hardening Your Systems with Strong Passwords

Problem

Short, guessable passwords represent a serious security risk to your servers and the services that run on them. You want a reliable system for creating sufficiently strong passwords or passphrases, and a way to manage them.

Solution

Generating strong passwords or passphrases is one of the most important things you can do to protect your servers and data. Here are some basic properties of a good passphrase:

  • Only you should know your passphrase.
  • It should be long enough to be secure.
  • It should be hard to guess, even by those who know you well.
  • It's critical that your passphrase be easy for you to remember.
  • It should be easy for you to type accurately.

To generate sufficiently strong passphrases you can use the Diceware method, which selects components of a passphrase randomly using dice. Here's how it works:

  1. Obtain a copy of the Diceware word list (). This list has two columns: the first contains five-digit numbers; the second contains short, memorable words or syllables. A small portion of this word list looks like:

    63461 whale
    63462 wham
    63463 wharf
    63464 what
    63465 wheat
    63466 whee
    63511 wheel

  2. Roll a die five times, producing a five-digit number, with each digit being a number between 1 and 6. Using this number as an index into the word list, add the corresponding word or syllable to the passphrase. For example, say you roll a die five consecutive times and get the numbers (in order) 6, 3, 4, 6, and 5. These digits together form the number 63465, which you use to look up the word "wheat" in the word list. This becomes the first part of your passphrase. Repeat this process five or six times, and you'll have a passphrase like:

    wheat $$ leer drab 88th

Notice that this process produces a passphrase that is 23 characters long, yet easy to remember. You can repeat this process for all the various systems that need strong passwords.
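The Diceware procedure above, implemented as a software substitute for physical dice; this is an added Python example and not part of the original recipe. Each roll is drawn from the OS CSPRNG via `secrets` (never the `random` module), the five rolls form the index, and the index is looked up in the list. Only the seven entries shown above are embedded, as a constructed excerpt, so random lookups against it will usually miss; the `roll` parameter is an assumed hook for feeding scripted rolls such as the recipe's 6, 3, 4, 6, 5. The entropy helper goes beyond the recipe and assumes the standard 7776-entry (6^5) list.

```python
import math
import secrets

# Constructed excerpt of the Diceware list: only the seven entries shown in the
# recipe. The full list has 6**5 = 7776 entries, one per possible 5-roll index.
SAMPLE_WORDLIST = {
    "63461": "whale", "63462": "wham", "63463": "wharf", "63464": "what",
    "63465": "wheat", "63466": "whee", "63511": "wheel",
}
FULL_LIST_SIZE = 6 ** 5


def roll_die():
    """One fair die roll (1..6) from the OS CSPRNG, not from `random`."""
    return secrets.randbelow(6) + 1


def rolls_to_index(rolls):
    """Concatenate five rolls into the five-digit index used by the word list."""
    if len(rolls) != 5 or any(r not in range(1, 7) for r in rolls):
        raise ValueError("need exactly five rolls, each between 1 and 6")
    return "".join(str(r) for r in rolls)


def diceware_word(wordlist, roll=roll_die):
    """Roll five times and look the index up; `roll` is injectable for testing."""
    index = rolls_to_index([roll() for _ in range(5)])
    try:
        return wordlist[index]
    except KeyError:
        # Happens with an incomplete list such as the excerpt above.
        raise KeyError(f"index {index} is not in the word list") from None


def diceware_passphrase(wordlist, n_words=5, roll=roll_die):
    """Build an n-word passphrase from n independent lookups."""
    return " ".join(diceware_word(wordlist, roll) for _ in range(n_words))


def passphrase_entropy_bits(n_words, list_size=FULL_LIST_SIZE):
    """Entropy of n uniformly chosen words: n * log2(list size)."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    # Replay the recipe's rolls 6,3,4,6,5, which index "wheat".
    scripted = iter([6, 3, 4, 6, 5])
    print(diceware_word(SAMPLE_WORDLIST, roll=lambda: next(scripted)))
    print(f"{passphrase_entropy_bits(5):.1f} bits for five words")
```

Against the full list, `diceware_passphrase(wordlist)` with the default `roll` yields a fresh five-word passphrase of roughly 64.6 bits.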

The point of them being easily memorized is to keep you from ever writing them down. However, most developers have dozens of passwords to keep track of. This reality forces people to use the same password for many systems or write down the passwords for each system.

One solution is to use a password-managing program that stores and organizes all your passwords in an encrypted format. These programs require a single master password for access, and often allow you to organize usernames and passwords into groups. Excellent examples of such programs are KeePass (Windows) and KeePassX (a cross-platform port of KeePass). Figure 11-1 shows how KeePassX can help you manage a large amount of authentication information in one secure place.

Figure 11-1. The KeePassX password manager

If you choose to use a password manager, the strength of the master password is critical to the security of all the systems whose credentials you store in it. Extra care should be taken to keep this password safe. Also, you should always make backups of the database used by your password manager in case of disk failure or data loss.

Discussion

A passphrase is similar to a password in usage, but is generally longer for added security. A natural tendency is to choose passwords that are short and therefore easy to remember and use. Many people just don't realize how advanced password cracking software has become, and how easily modern computers can crack short passwords by brute force. The solution describes a system for choosing long yet memorable passphrases that will go a long way toward making your servers, services, and applications more secure.

Password strength can have different meanings depending on the context of the situation in which the password is being used. One factor in gauging a password's strength is the length of time a hacker has in which to crack the password before the information being hidden no longer needs securing. It doesn't matter if a password is cracked after the data it protects has ceased to be valuable.

Another factor is the importance of the information being protected by the password. A database containing hundreds of thousands of credit card numbers is worth a lot of money, and someone who wants to steal those numbers will be willing to go to great lengths. Systems that access valuable data like this need very strong passwords, as well as other protections. On the other hand, a WEP password protecting your home wireless network may not be worth a serious password-cracking effort.

See Also