Password Security

David Groth's "Network+ Study Guide" says this about choosing passwords:

"Do not use just a regular word preceded or ended by a special character.
Good crack programs strip off the leading and trailing characters in their
decryption attempts."

This confuses me. How could a crack program strip off leading and trailing
characters? I thought that crack programs only try to guess. Do the programs simply try to guess what leading and trailing characters might be and add them to their dictionary words?
The guide also says that passwords should be changed every 30 days or so, as many sources recommend. But the more I think about this, the less sense it makes. If a password is strong, what's the point of changing it? If a password has been cracked or leaked, wouldn't it be exploited immediately? Wouldn't it be too late to change a password once the security has been compromised? This policy could allow crackers a month of unauthorized access.
It seems to me the real issue would be how the password was known in the first place. Either it was not a strong password or someone was careless with it. Changing the password every 30 days would be side-stepping the real problem of insecure passwords. It's like changing the locks on your doors every month rather than getting better locks. Can anyone set me straight? Thanks.

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

Webmaster

I noticed your post has been answered in the alt network+ newsgroup already, but here goes:

orthicon wrote:

Do the programs simply try to guess what leading and trailing characters might be and add them to their dictionary words?

Yes, and people tend to think that 123 to a word helps, the program might know that and try the most common leading and trailing characters first.

If a password has been cracked or leaked, wouldn't it be exploited immediately?

Probably, but the exploit can go on for years without anyone knowing except the attacker.

Wouldn't it be too late to change a password once the security has been compromised?

A big fat YES. Plus how do you know security has been compromised, the attacker might just be looking for senstive information. Every company has such information, not only banks etc.

This policy could allow crackers a month of unauthorized access.

only when the attempt is made on the first day of these 30 days and if the atatcker succeeds within the first day... not likely, but possible, thats why you have to make sure the password is strong.

On a side note: I worked at several large enterprises and 60 days is more common than 30.

It seems to me the real issue would be how the password was known in the first place. Either it was not a strong password or someone was careless with it. Changing the password every 30 days would be side-stepping the real problem of insecure passwords. It's like changing the locks on your doors every month rather than getting better locks.

There are (too) many ways to find out the password, also strong passwords from careful users (on weak software filled with holes for example, no I'm not referring to MS, I'm referring to virtually every available piece of software.)

Obviously the authentication method (the "lock") used in this situation is username/password, if you have to deal with that (because the company can't afford to, or simply won't buy smartcards or a full-blown biometric system using finger prints and facial recognition) the practice of changing the password regularly is widely accepted as good practice.

Remember though that there are no 100% secure locks available, all available locks offer "some security".

Not sure if it is the same in the US, but our pay TV system uses a "decoder" that changes the code frequently... they don't know many people are watching their channel without paying using a home-build decoder, they just assume...

Can anyone set me straight? Thanks

You're welcome

RussS

Excellent explaination Webmaster