Page 967 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
Using a passphrase has several benefits. It is easy to remember, and it
encourages users to create longer passwords. Longer passwords are
more difficult to crack using a brute-force tool. Encouraging users to
create passphrases also helps ensure that they don’t use common,
predictable passwords such as “password” and “123456.”
Online authentication systems often impose complex rules on users
requiring them to use a minimum number of uppercase letters,
lowercase letters, numbers, and special characters. One way to meet
the requirements of these rules is to replace letters with characters or
numbers. As an example, the letter a can be replaced with the @
character, and the letter i can be replaced with the number 1. This
effectively changes “IPassedTheCISSPExam” to
“1P@ssedTheC1SSPEx@m.”
It’s worth noting that some security experts recommend
that security policies do not require users to create excessively
complex or lengthy passwords. NIST SP 800-63B mentions how
these often frustrate users and force them to write their passwords
down or store them in nonsecure files. Instead of complex rules,
NIST SP 800-63B suggests comparing a user’s password against a
list of commonly known simple passwords and rejecting the
commonly known passwords. It also recommends salting
passwords with a random value, hashing the result, and storing the
hash.
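The checks described above, as an added Python example that is not from the study guide or from NIST: a length check, a comparison against a list of commonly known passwords, and salted PBKDF2 hashing with constant-time verification. It goes one step beyond the text by normalizing the character substitutions described earlier (@ for a, 1 for i, and so on) before the blocklist comparison, so that a substituted form of a common password is caught as well. The blocklist, the substitution map, the minimum length and the PBKDF2 parameters are illustrative assumptions; a deployment would load a large breached-password corpus instead of the six constructed entries.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Common substitutions used to satisfy complexity rules, mapped back to the
# letter each one stands in for (assumed map for illustration).
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})

MIN_LENGTH = 8  # minimum length for a user-chosen memorized secret in SP 800-63B


def normalize(password: str) -> str:
    """Lower-case and undo typical substitutions, so 'P@ssw0rd' compares as 'password'."""
    return password.lower().translate(LEET_MAP)


# Constructed sample of a commonly-known-passwords list; entries are stored in
# normalized form so the comparison below is consistent.
COMMON_PASSWORDS = {normalize(p) for p in (
    "password", "123456", "qwerty", "letmein", "welcome", "iloveyou",
)}


def is_acceptable(password: str) -> Tuple[bool, str]:
    """Apply the SP 800-63B style checks: a length floor and a blocklist, no composition rules."""
    if len(password) < MIN_LENGTH:
        return False, "too short"
    if normalize(password) in COMMON_PASSWORDS:
        return False, "matches a commonly used password"
    return True, "ok"


# Iteration count for PBKDF2-HMAC-SHA256; 600,000 is the figure OWASP currently recommends.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salt with a random 16-byte value, hash with PBKDF2-HMAC-SHA256, return a storable record."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    # Record format (assumed): algorithm$iterations$salt_hex$digest_hex
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    for candidate in ("password", "P@ssw0rd", "1P@ssedTheC1SSPEx@m"):
        print(candidate, "->", is_acceptable(candidate))
    record = hash_password("1P@ssedTheC1SSPEx@m")
    print(record)
    print("verify correct:", verify_password("1P@ssedTheC1SSPEx@m", record))
    print("verify wrong:  ", verify_password("IPassedTheCISSPExam", record))
```

Note that the password itself is never stored: only the salt, the iteration count and the resulting hash are kept, and the random salt makes two users with the same password produce different records.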
Cognitive Passwords
Another password mechanism is the cognitive password. A cognitive
password is a series of challenge questions about facts or predefined
responses that only the subject should know. Authentication systems
often collect the answers to these questions during the initial
registration of the account, but they can be collected or modified later.
As an example, the subject might be asked three to five questions such
as these when creating an account:
What is your birth date?

