
The current trend for secure passwords is to pick a word, change some of its characters around, and arrive at what we believe is a good password. Taking the word ‘password’, for example, we might be tempted to turn it into a complex password by mixing upper case, lower case, special characters and numbers, resulting in: Pa$$w0rd. This will comply with an 8-character complex password policy.

To make matters worse, the IT department may insist on us changing our password every 30 or 40 days. This encourages us to pick a simple, short-term memorable password that contains an acquaintance’s name and a date. If, for example, we have a friend named Mary who we know was born on 10 December 1995, we could use the password Mary10Dec1995. This will comply with the Microsoft complex password policy, which requires three of the four character classes (upper case, lower case, special characters and numbers), but a simple search of a user’s social media pages exposes such a password.

So, what should we do? At work, the password policy is managed by your Domain Administrator. While your admin may require a complex ten-character password, you are not restricted from making it more complex. A password of more than 14 characters makes it more difficult for hackers to extract your password from a computer without keyloggers, as the time-honoured LAN Manager / New Technology LAN Manager hashing system then stores an invalid hash of the password, which cannot be used to authenticate the user. In this case we force Kerberos authentication, which may stop us connecting to NT4/Windows 98 machines, but these days that would be pretty rare.

For users, then: create a pass phrase. A pass phrase such as ‘I have 2 pets, a cat named Fluffy and a dog named Woofy’ would take a lot longer to crack, as it has 55 characters and complies with the complexity requirements. We would, of course, not use the names of our own pets; this is just an example of how we can formulate our passwords.
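As an added example (not code from the article or its author), the PowerShell function below applies the article’s reasoning to a candidate password: it counts Microsoft’s three-of-four character classes, flags anything of 14 characters or fewer, undoes the usual character substitutions so that a disguised dictionary word such as Pa$$w0rd is still recognised, and looks for a known name combined with a date, as in Mary10Dec1995. The name list and wordlist are tiny constructed samples standing in for the social-media research and cracking wordlists the article describes.

```powershell
# Added example, not from the article. Names and wordlist are constructed samples.
function Test-PasswordGuidance {
    param(
        [Parameter(Mandatory)][string]$Password,
        # Constructed: names an attacker could read off a user's social media pages.
        [string[]]$KnownNames = @('mary', 'fluffy', 'woofy'),
        # Constructed: a tiny stand-in for a real cracking wordlist.
        [string[]]$Wordlist   = @('password', 'welcome', 'summer')
    )

    # Microsoft complexity: at least three of the four character classes.
    # -cmatch is case-sensitive so [A-Z] and [a-z] are counted separately.
    $classes = 0
    foreach ($pattern in '[A-Z]', '[a-z]', '[0-9]', '[^A-Za-z0-9]') {
        if ($Password -cmatch $pattern) { $classes++ }
    }

    # Undo common substitutions ($/5 -> s, @ -> a, 0 -> o, 1/! -> l, 3 -> e)
    # so "Pa$$w0rd" normalises back to "password" before the wordlist check.
    $normalized = $Password.ToLower() -replace '[$5]', 's' -replace '@', 'a' `
                  -replace '0', 'o' -replace '[1!]', 'l' -replace '3', 'e'

    $findings = [System.Collections.Generic.List[string]]::new()
    if ($classes -lt 3) { $findings.Add('fails 3-of-4 complexity') }
    if ($Password.Length -le 14) {
        $findings.Add('14 characters or fewer: a LAN Manager hash can still be stored')
    }
    foreach ($w in $Wordlist) {
        if ($normalized -match [regex]::Escape($w)) {
            $findings.Add("dictionary word '$w' found after undoing substitutions")
        }
    }
    # A year (19xx/20xx) or a day+month such as "10Dec" next to a known name.
    $datePattern = '(19|20)\d{2}|\d{1,2}(jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)'
    foreach ($n in $KnownNames) {
        if (($normalized -match [regex]::Escape($n)) -and ($Password -match $datePattern)) {
            $findings.Add("known name '$n' combined with a date")
        }
    }

    $verdict = if ($findings.Count -eq 0) { 'acceptable' } else { 'weak' }
    [pscustomobject]@{
        Password         = $Password
        Length           = $Password.Length
        CharacterClasses = $classes
        MeetsComplexity  = ($classes -ge 3)
        Verdict          = $verdict
        Findings         = ($findings -join '; ')
    }
}

# The article's three examples: the first two pass complexity yet are weak,
# the 55-character pass phrase passes every check.
'Pa$$w0rd', 'Mary10Dec1995', 'I have 2 pets, a cat named Fluffy and a dog named Woofy' |
    ForEach-Object { Test-PasswordGuidance -Password $_ } |
    Format-Table Length, MeetsComplexity, Verdict, Findings -AutoSize
```

The point the table makes is the article’s: complexity alone is satisfied by Pa$$w0rd and Mary10Dec1995, and only the length and pattern checks separate them from the pass phrase.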

For administrators: increase the password expiry to 90 or 120 days, and run L0phtCrack – with the permission of management, of course – after which a password change for users would be necessary. This will expose weak passwords generated by users. Service passwords should use Managed Service Accounts, which on a Microsoft system generate passwords of more than 100 characters every 30 days for the services using them.
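The administrator steps above, carried out with the ActiveDirectory PowerShell module, as an added example that is not from the article or its author. The domain name, host name, group and user names are placeholders, and the list of weak accounts is a constructed stand-in for whatever the password audit reports; the commands need the RSAT ActiveDirectory module and domain-admin rights.

```powershell
# Added example, not from the article. All names below are placeholders.
Import-Module ActiveDirectory

# 1. Relax expiry to 90 days and raise the minimum length past the 14-character
#    LAN Manager limit, keeping Microsoft's 3-of-4 complexity rule switched on.
Set-ADDefaultDomainPasswordPolicy -Identity 'corp.example' `
    -MaxPasswordAge (New-TimeSpan -Days 90) `
    -MinPasswordLength 15 `
    -ComplexityEnabled $true `
    -PasswordHistoryCount 24

# Confirm what is now in force.
Get-ADDefaultDomainPasswordPolicy -Identity 'corp.example' |
    Select-Object MaxPasswordAge, MinPasswordLength, ComplexityEnabled, PasswordHistoryCount

# 2. After an authorised audit has exposed weak passwords, force those users to
#    change at next logon. $WeakUsers is a constructed list standing in for the
#    accounts the audit tool reported.
$WeakUsers = @('jdoe', 'msmith')
foreach ($sam in $WeakUsers) {
    Set-ADUser -Identity $sam -ChangePasswordAtLogon $true
}

# 3. Move a service onto a group Managed Service Account. The KDS root key is
#    created once per forest; after that AD generates and rotates the account's
#    password itself, here on the 30-day interval the article mentions.
if (-not (Get-KdsRootKey)) {
    # In production, allow replication time (about 10 hours) before creating accounts.
    Add-KdsRootKey -EffectiveImmediately
}
New-ADServiceAccount -Name 'svc-backup' `
    -DNSHostName 'svc-backup.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword 'BackupServers' `
    -ManagedPasswordIntervalInDays 30

# On the member server that runs the service (a member of BackupServers):
Install-ADServiceAccount -Identity 'svc-backup'
Test-ADServiceAccount -Identity 'svc-backup'   # True when this host can retrieve the password
```

The password interval can only be set when the account is created, and the service is then configured to log on as corp\svc-backup$ with a blank password, so no human ever knows or rotates it.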

Stay safe,
Terry Griffin

Feature Articles

Our AIICT brand expands portfolio with ten new courses to help address ICT skills shortage
The Australian Institute of ICT (AIICT) has introduced a new series of industry-certified bootcamp programs and nationally recognised qualifications to meet the surging demand for skilled ICT professionals in Australia. The bootcamps support the Morrison Government’s recently announced Digital Skills Organisation (DSO) pilot, which recognises the importance of non-accredited training in developing the skills of the future workforce. The bootcamp programs run for six months and comprise several vendor-specific certifications. The courses include ‘Cloud Computing Certified Professional’, ‘Certified Microsoft Full Stack Developer’, ‘Certified Artificial Intelligence Professional’, ‘Growth Marketing Professional’ and ‘Certified Project Management Professional’. The decision to introduce the bootcamps follows the VET sector’s increasing move away from nationally recognised qualifications towards vendor-specific, industry-certified training. According to the National Centre for Vocational Education Research, preference for accredited training courses has declined steadily in recent years, with employers increasingly less satisfied that these courses provide their employees with the most relevant and important skills for their business. This has led many organisations to prefer non-accredited training provided by private technology vendors such as Microsoft and AWS.