Password Selection Strategies

A password is a sequence of characters that allows access to a computer system, service or application. The front line of defense against cyber-attacks is the password system, in which a user provides a login identifier (ID) and a password. The user supplies both: the login ID determines the privileges of that user, and the password authenticates that the person logging on really is the owner of that ID. Passwords are usually stored in encrypted (hashed) form rather than in the clear; most systems and applications apply a cryptographic hash function such as MD5 (message digest) or SHA-1, or another cryptographic algorithm. The file containing these password hashes needs access-control protection to make guessing attacks against it harder. A password selection strategy aims to eliminate guessable passwords while still allowing users to select a memorable one. Four basic techniques are in use for password selection:

  • User Education
  • Computer-generated passwords
  • Reactive password checking
  • Proactive password checking

User Education

The user education strategy tells users the importance of hard-to-guess passwords and provides guidelines for selecting strong ones, but it depends on their cooperation. Some guidelines for selecting a good password are:

  • Use a mix of upper- and lower-case letters, numbers, punctuation and special symbols.
  • Don’t use your login name.
  • Don’t use your first or last name.
  • Don’t use your spouse’s or child’s name.
  • Don’t use other information easily obtained about you. This includes license plate numbers, telephone numbers, social security numbers, the brand of your automobile, the name of the street you live on, etc.
  • Don’t use a password of all digits, or of a single repeated letter. This significantly decreases the search time for a cracker.
  • Don’t use a word contained in English or foreign-language dictionaries, spelling lists, or other lists of words.
  • Don’t use a password shorter than six characters.
  • Use a password that is easy to remember, so you don’t have to write it down.
  • Use a password that you can type quickly, without having to look at the keyboard. This makes it harder for someone to steal your password by watching over your shoulder.

The main problem is that many users will simply ignore the guidelines.

Computer-generated passwords

This strategy lets the computer create the passwords. If the passwords are quite random in nature, users will not be able to remember them. Even if a password is pronounceable, the user may have difficulty remembering it and so be tempted to write it down. Computer-generated passwords have a history of poor user acceptance.

Reactive password checking

A reactive password checking strategy is one in which the system periodically runs its own password cracker to find guessable passwords. The system cancels any passwords that are guessed and notifies the user. Drawbacks are that it is resource intensive if the job is done right, and any existing passwords remain vulnerable until the reactive password checker finds them.

Proactive password checking

The most promising approach to improved password security is a proactive password checker, where a user is allowed to select his or her own password, but the system checks to see if it is allowable and rejects it if not. The trick is to strike a balance between user acceptability and strength.

Author: Dilli Pd. Sharma