Which of the following would is considered the strongest password?

Password Security

In the networking world, passwords (in combination with user account names) are normally the “keys to the kingdom” that provide access to network resources and data. It might seem simplistic to say that your comprehensive security plan should include an effective password policy, but it is a basic component that is more difficult to implement than it might appear at first glance.

In order to be effective, your password policy must require users to select passwords that are difficult to “crack” yet easy for them to remember so that they don't commit the common security breach of writing the password on a sticky note that will end up stuck to the monitor or sitting prominently in the top desk drawer.

A good password policy is the first line of defense in protecting your network from intruders. Careless password practices (choosing common passwords such as “god” or “love” or the user's spouse's name; choosing short, all-alpha, one-case passwords, writing passwords down or sending them across the network in plain text) are like leaving your car doors unlocked with the keys in the ignition.

Although some intruders might target a specific system, many others simply “browse” for a network that's easy to break into. Lack of a good password policy is an open invitation to them.

Strong passwords are more difficult to crack than simple ones. These types of passwords use a combination of keyboard characters from each of the following categories:

Lowercase letters (a–z)

Uppercase letters (A–Z)

Numbers (0–9)

Special characters (` ~ ! @ # $ % ^ & * ( ) _ + — = { } | [ ] \ :” ; ' < > ? , . /)

The length of a password also affects how easy it is to crack. You can use security templates and group policies to control how long a password is valid, the length of a password, and other aspects of password management. Another requirement that is important to having secure passwords is making sure that each time users change their passwords, they use passwords that are different from previous passwords.

To ensure domain controllers are secure, there are a number of password requirements that are enforced by default on Windows 2003 domain controllers:

The password cannot contain any part of the user's account name.

It must be a minimum of six characters in length.

It must contain characters from three of the four categories: lowercase letters, uppercase letters, numbers, and special characters.

The best security policies in the world will be ineffective if the network users are unaware of them or if the policies are so restrictive and place so many inconveniences on users that they go out of their way to attempt to circumvent them. The security plan itself should contain a program for educating network users—not only regarding what the policies are but also why they are important and how users benefit from them. Users should also be instructed in the best ways to comply with the policies and what to do if they are unable to comply or if they observe a deliberate violation of the policies on the part of other users.

Strong Passwords

Passwords are a key component of the default method of authentication for Windows and other software (such as database management systems). They are used to prevent unauthorized access to computers, networks, and other technologies by forcing anyone who wants access to provide a specific piece information, which should be known only to the authorized user.

Strong passwords are more difficult to crack than simple ones. These types of passwords use a combination of keyboard characters from each of the following categories:

Lowercase letters (a–z)

Uppercase letters (A–Z)

Numbers (0–9)

Special characters (` ~ ! @ # $ % ^ & * ( ) _ + - = { } | [ ] \ : “ ; ‘ <  > ? , . /)

The length of a password also affects how easy it is to crack. The more characters used, the more variations of letters, numbers, and special characters the password can contain. You can use security templates and group policies to control how long a password is valid, the length of a password, and other aspects of password management. If you specify a minimum password length of at least seven characters, it will be harder to exploit the account accessed with this password.

In addition, you should avoid using passwords that contain your username, real names, or company name, because these make passwords easier to guess. You should also avoid using passwords that contain actual words that appear in the dictionary, because hacking programs can be used to crack such passwords.

Another requirement that is important to having secure passwords is making sure that each time users change their passwords, they use passwords that are different from previous passwords. All too often, users will use the same password over and over, modifying it slightly. For example, they might have the password “pass1” one month, and then change it to “pass2” the next. In other cases, they might simply change the password each month to the name of the current month (January, February, and so on). Again, ensuring each new password is different from previous passwords will make it more difficult for unauthorized persons to determine current passwords.

To ensure domain controllers are secure, there are a number of password requirements that are enforced by default on Windows 2003 domain controllers:

The password cannot contain any part of the user’s account name.

It must be a minimum of six characters in length.

It must contain characters from three of the four categories: lowercase letters, uppercase letters, numbers, and special characters.

Strong Passwords

Today there is no excuse for having an insecure password for your SQL Server. Most websites to which you connect, such as your bank and credit card websites, all require that you use a strong password of some sort. It is shocking the number of companies that don’t take these same techniques to heart for their internal security.

A strong password is typically defined as a password that contains at least three of the following four categories and is at least eight characters in length, although some companies may require longer passwords.

Lower-case letters

Upper-case letters

Numbers

Special characters

Now when it comes to passwords for accounts like the SA account, which are rarely if ever actually used by people, there’s no reason to stop there. The longer the password and the more special characters that you use in your password, the less chance that someone will be able to break into your SQL Server using this account. This same use of strong passwords should be used for any SQL Login that you create so as to better secure these SQL Logins against brute force attacks.

One thing that you can do to really secure your SA account is to use some high ASCII (American Standard Code for Information Interchange) characters within the password. This will basically make the account unbreakable to most of the people who use automated scripts to attack the SA password as all of them pretty much use the standard characters from the Latin alphabet. Inserting a character like a smiley face, which can be created by pressing <ALT>257 on your keyboard, will be outside the range of characters that are used by the password cracking program. By using this character, suddenly the word “Password” becomes a much more secure password as shown in Figure 3.2.

With a little creativity you could in fact turn the word “Password” into a truly strong and secure password. As shown in Figure 3.3, we’ve taken it to the extreme, replacing the letter S with the Hebrew Lamad, the letter O with a smiley face, and the letter D with a Dong Sign.

You can get more ideas on ways to replace characters with high ASCII characters from the character map that can be found within Windows. You can find the character map by clicking Start > Programs > Accessories > System Tools > Character Map. After the application loads, simply scroll down on the list of available characters until you find ones that you wish to use.

Now there is a catch with using these high ASCII characters for your SA password: If you ever need to log into the SQL Server using the SA account, you’ll either need to use the character map to get the characters, or you’ll need to know the <ALT> codes to access these characters.

The SA account needs to be the most secured account on your SQL Server for a few reasons, the most important of which is that the SA account has rights to everything and you can’t revoke its rights to do anything that it wants. The second reason is that the SA account has a known username since you aren’t able to change the username from SA to something else. Because of this, someone who is trying to break into your SQL Server doesn’t need to guess the username; he or she only needs to guess the password that reduces the amount of work needed to break into the SQL Server by half.

The most secure way to secure your sa account is to not enable SQL Authentication, which requires that all connections to the SQL Server come from a trusted computer that is authenticated against your Windows domain. Disabling SQL Authentication is a very easy change for you to make on your SQL Server. However, before you disable the SQL Authentication on an SQL Instance that is already in production, you’ll need to ensure that there are no applications logging into the SQL Server using SQL Authentication. Once this is done you can disable the SQL Authentication. Whenever possible, new SQL Server installations should be configured to use Windows Authentication only. SQL Authentication can be disabled by connecting the object explorer in SQL Server Management Studio to the instance in question, then right clicking on the Server and selecting properties. Select the Security tab on the right. In the Server Authentication section, select the Windows Authentication radio button as shown in Figure 3.4 and click OK. If you are using Enterprise Manager to configure SQL Server 7 or SQL Server 2000, the properties screen will look similar.

Now there is T/SQL code available to change this setting. However, the change is not a simple change via the sp_configure settings like most server wide settings. You have to update the registry using the xp_instance_regwrite system stored procedure from within the master database. The T/SQL code needed to change this setting is shown in Figure 3.5. As with all changes made to the registry (either directly or via this T/SQL script), incorrect values or changes will cause the SQL Server to behave incorrectly or to not start at all.

If you find that you need to allow both SQL Server Authentication and Windows Authentication, then using T/SQL use the same code as shown in Figure 3.5, replacing the last parameters value of 1 with a value of 2.

When making changes to the Server Authentication mode, either with the UI (User Interface) or via T/SQL, you will need to restart the SQL Instance. This is because the setting is a registry setting that is only read on the start of the instance and is not refreshed by the instance while the instance is running.

When doing the initial install of the SQL Server 2005 or newer instance, if you select Windows Authentication only the SQL Server will automatically disable the sa account for you. It does this because you aren’t prompted for a password for the SA account during the installation wizard when installing using Windows only authentication. Thus, if you were to later change from Windows Authentication to SQL Server Authentication, you would have the SA account enabled with no password allowing the SQL Server to be easily broken into.

Summary

Having strong and unique passwords is key to protecting yourself in today’s world on the Internet. While we like to think of the Internet as a nice peaceful place where everyone can get along, the reality is that the Internet is more like the Wild West than a peaceful place. There are lots of people out there who want to take your money and your identity and use it for their own purposes, which usually aren’t going to turn out well for you. Protecting yourself proactively is the only way to ensure that you aren’t taken advantage of online.

Strong Passwords

In discussing security awareness with your user community, one of the most critical issues to consider is that of password strength. A weak password will provide potential attackers with easy access to your users’ computers, and consequently the rest of your company’s network. Well-formed passwords will be significantly more difficult to decipher. Even though password-cracking utilities continue to evolve and improve, educating your users regarding the importance of strong passwords will provide additional security for your network’s computing resources.

According to Microsoft, a weak password is one that contains any portion of your name, your company’s name, or your network logon ID. For example, if a username was assigned as JSmith, and the user’s password was [email protected]!, that would be considered a weak password. A password that contains any complete dictionary word—password, thunder, protocol—is also considered weak. It should be understood that blank passwords are weak as well.

By comparison, a strong password will not contain any reference to your username, personal information, company name, or any word found in the dictionary. Strong passwords should also be at least seven characters long and contain characters from each of the following groups:

Uppercase letters A, B, C …

Lowercase letters z, y, x …

Numeric digits 0, 1, 2, 3, 4, 5, 6, 7, 8, or 9

Non-alphanumeric characters !,*,$,}, etc.

Each strong password should be appreciably different from any previous passwords that the user has created. P!234abc, Q!234abc, and R!234abc, although each meeting the described password criteria, would not be considered strong passwords when viewed as a whole. To further complicate matters, an individual password can still be weak even though it meets the criteria. For example, IloveU123! would be a fairly simple password to crack, even though it possesses the length and character complexity requirements of a strong password.

Password Rule Hardening: Practices

It is important to have a strong password policy rule set to prevent brute force attacks into your login pages. These kinds of policies prevent continuous hacking script-bots from attempting multiple key or password combinations into the login portal before a successful one is used and finally found by trial and error (see checklist: “An Agenda for Action for Password Rule Hardening Best Practices”) [1].

An Agenda for Action for Password Rule Hardening Best Practices

Complex password requirements include the following key activities (check all tasks completed):

8–25 characters that require at least one capital letter, one unique character, (!, $, etc.), and one numeric character (0–9);

30-, 60-, or 90-day password change requirement;

unique password history requirement (the last 10 passwords);

common word restriction policy (such as that your name, user ID, the word “password,” etc., cannot be used or be any part of your password);

Limited password attempts (on many stronger systems, three failed attempts will lock out your account, requiring you to reset your password through controlled validations or requiring you to call or contact technical support to unlock your account once your identity has been thoroughly validated).

Password Best Practice

Here are a few tips for creating strong passwords:

Must be at least 20 characters in length

Contains lowercase letters

Contains uppercase letters

Contains numbers

Contains symbols like {+ _ - ∗ & ^ % $ # @ ! ∼ ’ “ ; : / | , < > ? }

Does not include your date of birth

Does not include your name, either the first name, last name, or middle name

Does not include any of your family member names

Is not your girlfriend’s or boyfriend’s name

Does not include a sequence of letters like abcdefgh or a sequence of numbers like 123456

Does not include places, names, cites, countries, street names, and so on

Is not found in a dictionary (like school, tree, hotel, swim, etc.)

Is not a common name (like famous movie names, famous actors, political leaders, and famous people worldwide, etc.)

Is not like your old passwords

Do not use a free online service or any automated tool to generate your most important passwords like a bank account password or your medical health record online

Change your password regularly

Don’t store your password or passphrase within web applications (like web browsers).

Password Management Tools

The best choice for managing a large number of strong passwords is to use a secure password management tool. Earlier we mentioned Password Safe from sourceforge.net (http://sourceforge.net/projects/passwordsafe). Other similar free password managers are Password Corral from Cygnus Productions (www.cygnuspro-ductions.com/freeware/pc.asp) and KeePass from sourceforce.net (http://keepass.sourceforge.net/).

All three will generate strong passwords, and then store them for you in an encrypted file protected by a master pass phrase. With a tool like this, you can have different passwords for each system you use, but only need to remember the password to unlock the password manager. This is ideal, because the passwords for your databases can be randomly generated and impossible to remember. You only need to generate one strong password for yourself. If pass phrases are allowed (long strings with spaces), it is preferable to use a sentence. Pick your favorite line from a movie or part of the chorus of your favorite song, add some punctuation or mix in some uppercase letters and you’ve got yourself a passphrase. For example, this would make a nice pass phrase “It’S a SiciliaN message. IT means LucA brasi Sleeps with ThE fishes.”

Securing the Listener Configuration

☑

Make sure Listener Security is enabled by setting a strong password for each TNS Listener in your environment. By setting a password (and thus enabling Listener Security), you restrict the ability to run any Listener commands to those people who know the password.

Enable ADMIN_RESTRICTIONS on each and every Listener on your network. ADMIN RESTRICTIONS blocks all SET commands from running, forcing you to administer the Listener locally by modifying the listener.ora file. This blocks anyone from remotely administering the Listener, a capability which when put into the wrong hands can quickly compromise your database.

Enable Listener Logging and regularly review the log files. The Listener logs all sorts of important security information, such as which hosts are connecting to the database, who is administering the Listener (or trying to and failing because of your security controls), and what external procedures are being run.

Remove any ExtProc entries from your primary Listener (the one that handles connections to the database). Instead, set up a dedicated Listener that runs with a minimally privileged account to run ExtProc. If you are not actively using ExtProc, make sure the feature is disabled by removing ExtProc entries from all Listeners.

Configuring Password Strength

To create an effective security policy, you must make sure users create strong and unique passwords. You can configure a policy that requires strong passwords by making certain the passwords:

Are a certain length (the default minimum is six characters)

Use more than one character type (the default is three character types)

Are not palindromes (palindromes are words that can be read the same forward or backwards, such as refer or racecar)

Table 5.1 describes the available password strength options.

Table 5.1. Password Strength Options

In the system tree, click Configuration | Security And Access | Password And Account Management Controls to access the Password And Account Management screen. To set the minimum password length, complete the following steps:

Under Strong Passwords, in the Minimum Password Length field, specify the length.

Click Apply and then click Save.

To set the number of character types required in a password, complete the following steps:

Under Strong Passwords, select the number of character types you want to enforce in passwords.

Click Apply and then click Save.

To configure the palindrome check, complete the following steps:

Under Strong Passwords, next to Check For Passwords That Are Palindromes, click On.

Click Apply and then click Save.