Page 965 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

Password Length The length is the number of characters in the password. Shorter passwords are easier to crack. As an example, a password cracker application running on a single computer can discover a complex five-character password in less than a second, but it takes thousands of years to crack a complex 12-character password. The reason is that the search space grows exponentially with length: every added character multiplies the number of candidate passwords by the size of the character set, so a 12-character password has vastly more possibilities than a five-character one. Those figures also depend on how the password is stored; a slow, salted hash forces the cracker to spend far more work per guess than a fast, unsalted hash does. Of course, different computers have different computing power, and it's possible to combine multiple computers in a parallel processing system that can crack passwords much more quickly. However, the point is that longer passwords are harder to crack than shorter passwords. NIST SP 800-63B states that passwords should be at least eight characters long, and systems should support passwords as long as 64 characters. Many organizations require privileged account passwords to be longer, such as at least 15 characters long.



Password Length and Complexity Recommendations

Passwords should be long, and the longer they are, the harder they are to discover. However, how long should a password be? It depends on who you ask. NIST SP 800-63B says that passwords should be at least eight characters long and support the use of any printable ASCII characters, and systems should support passwords of at least 64 characters. It also calls for hashing the password with a suitable one-way key derivation function (PBKDF2 is one of the functions it names) using a random salt of at least 32 bits in length, and storing only the salted hash of the password, never the password itself.

How long should passwords for privileged accounts be? That also depends on who you ask. NIST SP 800-63B indicates that if an account needs stronger protection, an additional authentication factor, such as a smart card (described later in this chapter), should be added. That's not always possible, so many organizations choose to require privileged accounts to use longer passwords of 14 or 15 characters.



Password History Many users get into the habit of rotating between two passwords. A password history remembers a certain number of previous passwords and prevents users from reusing a password in the history. This is often combined with a minimum password age setting,