Page 966 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
preventing users from changing a password repeatedly until they can set the password back to the original one. Minimum password age is often set to one day.
Users often don't understand the need for strong passwords. Even when they do, they often don't know how to create strong passwords that they can easily remember. The following suggestions can help them create strong passwords:

Do not use any part of your name, logon name, email address, employee number, national identification number or social security number, phone number, extension, or any other identifying name or code.
Do not use information available from social network profiles such as a family member's name, a pet's name, or your birth date.
Do not use dictionary words (including words in foreign dictionaries), slang, or industry acronyms.
Do use nonstandard capitalization and spelling, such as stRongsecuRitee instead of strongsecurity.
Do replace letters with special characters and numbers, such as stR0ng$ecuR1tee instead of strongsecurity.
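The minimum-password-age rule and the suggestions above can be turned into a server-side policy check. The following is an added example (not from the study guide) of such a check in Python: it refuses a change made before the minimum age has elapsed, rejects passwords containing any identifying string taken from the user's record or social-profile facts, and rejects dictionary words even when letters have been swapped for look-alike digits and symbols, because password-cracking tools apply the same substitutions when they mangle word lists. The user record, the tiny word list, the substitution table, and the clock values are constructed sample data.

```python
"""Added example: password-policy check encoding the guidance above.
The word list, user record, substitution table and clock are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed mini word list; a real deployment would load a large one
# (including foreign-language dictionaries, slang and industry acronyms).
DICTIONARY = {"password", "security", "strong", "welcome", "summer", "dragon"}

# Common letter-for-symbol substitutions mapped back to letters, so that a
# "stR0ng$ecuR1tee"-style password is still compared against the word list.
UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                        "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_PASSWORD_AGE = timedelta(days=1)   # the page's typical setting
MIN_LENGTH = 12                        # assumed local policy value


@dataclass
class User:
    logon_name: str
    full_name: str
    email: str
    employee_number: str
    phone: str
    # Facts readable from a social-network profile (constructed), e.g. a pet's name.
    social_facts: list = field(default_factory=list)
    last_password_change: datetime = datetime(2024, 1, 1)


def identity_fragments(user: User) -> set:
    """Every identifying string the policy says must not appear in a password."""
    frags = {user.logon_name, user.employee_number, user.phone} | set(user.social_facts)
    frags.update(user.full_name.split())
    local_part = user.email.split("@")[0]
    frags.add(local_part)
    frags.update(local_part.replace(".", " ").split())
    # Ignore very short fragments that would match almost anything.
    return {f.lower() for f in frags if len(f) >= 3}


def normalize(password: str) -> str:
    """Lower-case and undo look-alike substitutions before comparing."""
    return password.lower().translate(UNLEET)


def contains_dictionary_word(password: str, words=DICTIONARY, min_len=4) -> bool:
    norm = normalize(password)
    return any(w in norm for w in words if len(w) >= min_len)


def evaluate(password: str, user: User, now: datetime) -> list:
    """Return the list of policy violations; an empty list means the change is accepted."""
    problems = []
    if now - user.last_password_change < MIN_PASSWORD_AGE:
        problems.append("minimum password age not reached")
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    norm = normalize(password)
    for frag in sorted(identity_fragments(user)):
        if frag in norm:
            problems.append(f"contains identifying string {frag!r}")
    if contains_dictionary_word(password):
        problems.append("contains a dictionary word (after undoing substitutions)")
    return problems


# Constructed sample user; none of these values belong to a real person.
SAMPLE_USER = User(
    logon_name="jsmith",
    full_name="Jane Smith",
    email="jane.smith@example.com",
    employee_number="48213",
    phone="5550142",
    social_facts=["Rover", "Austin"],      # pet's name and hometown
    last_password_change=datetime(2024, 3, 1, 9, 0),
)

if __name__ == "__main__":
    for candidate in ("Rover2024!xyzq", "stR0ng$ecuR1tee", "Tulip-Ferry-Quartz-91"):
        print(candidate, "->", evaluate(candidate, SAMPLE_USER, datetime(2024, 3, 3)) or "accepted")
```

Note that the page's own substitution example, stR0ng$ecuR1tee, is rejected by this check: after the substitutions are undone it still contains the word "strong", so it satisfies the capitalization and substitution suggestions but not the "no dictionary words" suggestion. A password built from unrelated words that are not in the word list, such as the third sample, passes once the minimum age has elapsed.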
In some environments, systems create initial passwords for user accounts automatically. Often the generated password is a form of a composition password, which includes two or more unrelated words joined together with a number or symbol in between. Composition passwords are easy for computers to generate, but they should not be used for extended periods of time because they are vulnerable to password-guessing attacks.
Password Phrases
A password mechanism that is more effective than a basic password is a passphrase. A passphrase is a string of characters similar to a password but that has unique meaning to the user. As an example, a passphrase can be "I passed the CISSP exam." Many authentication systems do not support spaces, so this passphrase can be modified to "IPassedTheCISSPExam."