22.214.171.124 Lab – Create and Store Strong Passwords (Answers)
Understand the concepts behind a strong password.
Part 1: Explore the concepts behind creating a strong password.
Part 2: Explore the concepts behind securely storing your passwords?
Background / Scenario
Passwords are widely used to enforce access to resources. Attackers will use many techniques to learn users’ passwords and gain unauthorized access to a resource or data.
To better protect yourself, it is important to understand what makes a strong password and how to store it securely.
- PC or mobile device with Internet access
Part 1: Creating a Strong Password
Strong passwords have four main requirements listed in order of importance:
1) The user can easily remember the password.
2) It is not trivial for any other person to guess a password.
3) It is not trivial for a program to guess or discover a password.
4) Must be complex, containing numbers, symbols and a mix of upper case and lower case letters.
Based on the list above, the first requirement is probably the most important because you need to be able to remember your password. For example, the password #4ssFrX^-aartPOknx25_70!xAdk<d! is considered a strong password because it satisfies the last three requirements, but it is very difficult to remember.
Many organizations require passwords to contain a combination of numbers, symbols, and lower and upper case letters. Passwords that conform to that policy are fine as long as they are easy for the user to remember. Below is a sample password policy set for a typical organization:
• The password must be at least 8 characters long
• The password must contain upper- and lower-case letters
• The password must contain a number
• The password must contain a non-alphanumeric character
Take a moment to analyze the characteristics of a strong password and the common password policy set shown above. Why does the policy set neglect the first two items? Explain.
Adding symbols, numbers and mixed upper/lower case to a password makes it harder for the user to remember it. Traditionally, when a user finds a password that conforms to a specific set of password policies, the user will re-use the same structure or even the entire password through other services. Some systems will also force the user to change the password periodically, keeping users from using past passwords again. Those users are also very likely to introduce minor changes to the password instead of creating an entirely different password that still conforms to the given password policies.
A good way to create strong passwords is to choose four or more random words and string them together. The password televisionfrogbootschurch is stronger than [email protected]#81. Notice that while the second password is in compliance with the policies described above, password cracker programs are very efficient at guessing that type of password. While many password policy sets will not accept the first password, televisionfrogbootschurch, it is much stronger than the second. It is easier for the user to remember (especially is associated with an image), it is very long and its random factor makes it hard for password crackers to guess it.
Using an online password creation tool, create passwords based on the common company password policy set described above.
a. Open a web browser and go to http://passwordsgenerator.net
b. Select the options to conform to password policy set
c. Generate the password.
Is the password generated easy to remember?
Answers will vary. But it is very likely the password will not be easy to remember.
Using an online password creation tool, create passwords based on random words. Notice that because the words are appended together, they are not seen as dictionary words.
d. Open a web browser and go to http://preshing.com/20110811/xkcd-password-generator/
e. Generate a random word password by clicking Generate Another! at the top portion of the webpage.
f. Is the password generated easy to remember?
Answer will vary. But it is very likely the password will be easy to remember.
Part 2: Securely Storing Passwords
If the user chooses to use a password manager, the first strong password characteristic can be dropped because the user has access to the password manager at all times. Notice that some users only trust their passwords to their own memory. Password managers, either local or remote, must have a password store, and it can be compromised.
The password manager password store must be strongly encrypted and access to it must be tightly controlled. With mobile phone apps and web interfaces, cloud-based password managers provide anytime, uninterrupted access to its users.
A popular password manager is Last Pass.
Create a trial Lastpass account:
a. Open a web browser and go to https://lastpass.com/
b. Click Start Trial to create a trial account.
c. Fill out the fields, as instructed.
d. Set a master password. This password gives you access to your LastPass account.
e. Download and install the LastPass’ client for your operating system.
f. Open the client and log in with your LastPass master password.
g. Explore LastPass password manager.
As you add passwords to Lastpass, where are the passwords stored?
The passwords are stored on the cloud, on Lastpass’ servers.
Besides you, at least one other entity has access to your passwords. Who is that entity?
While having all your passwords stored on the same place can be convenient, there are drawbacks. Can you think of any?
Answers will vary. Lastpass’ servers become a big target for attackers as it contains many users’ passwords. The responsibility of maintaining your passwords were now delegated to a third party company which you have no control on their security policies. You choose to trust they are doing a good job at protecting your passwords but there’s no guarantees.
Part 3: What Is a Strong Password Then?
Using on the strong password characteristics given at the beginning of this lab, choose a password that is easy to remember but hard to be guessed. Complex passwords are OK as long as it does not impact more important requirements such as the ability to easily remember it.
If a password manager is used, the need to be easily remembered can be relaxed.
Below is a quick summary:
Choose a password you can remember.
Choose a password that someone else cannot associate with you.
Choose different passwords and never use the same password for different services.
Complex passwords are OK as long as it does not become harder to remember.