Passwords are one of the most ubiquitous security controls that enterprises put in place. The use of a user ID and password combination is supposed to securely identify and authenticate users for system and data access. Without the use of strong passwords that are constructed according to a proper policy, the security that passwords supposedly supply quickly fails. There are three factors that must be considered when establishing passwords and password policies.
Why Passwords Fail
Passwords are not stored in clear text within a system. Instead they are saved as a one-way hash: a function that is easy to compute from the password but cannot be reversed to recover it. When a password is entered, the entry is hashed and the resulting hash is compared with the stored one. If they match, the password is accepted; if not, it is rejected.
As such, password cracking tools do not work character by character through a password. Instead, they hash candidate strings, built from permutations and combinations of characters, and compare each result against the stored hash until one matches. Invariably the first candidates tried are standard dictionary words, so using such words always creates weak passwords.
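The store-hash-compare cycle described above, together with a policy check that rejects dictionary-based passwords before they are ever hashed, as an added example that is not part of the original article. It uses only the Python standard library (PBKDF2-HMAC-SHA256 with a per-user salt); the wordlist is a constructed stand-in for a real cracking dictionary, and the leet-speak substitutions are a deliberately small approximation of the rule sets such tools apply.

```python
import hashlib
import hmac
import os

# Constructed mini wordlist standing in for a real cracking dictionary.
DICTIONARY = {"password", "welcome", "letmein", "summer", "qwerty"}

ITERATIONS = 600_000  # PBKDF2 work factor; raise it as hardware gets faster


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (hex)."""
    salt = salt or os.urandom(16)  # per-user random salt defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(candidate: str, stored: str) -> bool:
    """Re-hash the entered password with the stored parameters and compare."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    # Constant-time comparison: a plain == could leak timing information.
    return hmac.compare_digest(recomputed, bytes.fromhex(digest_hex))


def is_dictionary_based(password: str) -> bool:
    """Policy check: reject what a dictionary-first cracker would try early."""
    base = password.lower()
    stripped = base.rstrip("0123456789!")  # "Summer2024!" -> "summer"
    leet = str.maketrans("0134$@", "oleasa")  # "p@ssw0rd" -> "password"
    return base.translate(leet) in DICTIONARY or stripped.translate(leet) in DICTIONARY


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(is_dictionary_based("P@ssw0rd"))  # True: a dictionary word in disguise
```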