Strong passwords

The role that passwords play in securing an organization’s network is often underestimated and overlooked. Passwords provide the first line of defense against unauthorized access to your account. If your password is blank or weak in nature, you will not be able to access your account over the network.

STIUNet uses Microsoft Active Directory as its backend infrastructure. Consequently, all account passwords must meet the complexity requirements set forth by Microsoft (outlined below).

Weak passwords provide attackers with easy access to your computers and network, while strong passwords are considerably harder to crack, even with the password-cracking software that is available today. Password-cracking tools continue to improve, and the computers that are used to crack passwords are more powerful than ever. Password-cracking software uses one of three approaches: intelligent guessing, dictionary attacks, and brute-force automated attacks that try every possible combination of characters. Given enough time, the automated method can crack any password. However, strong passwords are much harder to crack than weak passwords. A secure computer has strong passwords for all user accounts.

A weak password:

  • Is no password at all.
  • Contains your user name, real name, or company name.
  • Contains a complete dictionary word. For example, Password is a weak password.

A strong password:

  • Is at least seven characters long.
  • Does not contain your user name, real name, or company name.
  • Does not contain a complete dictionary word.
  • Is significantly different from previous passwords. Passwords that increment (Password1, Password2, Password3 …) are not strong.
  • Contains characters from each of the following four groups:
    Group                             Examples
    Uppercase letters                 A, B, C …
    Lowercase letters                 a, b, c …
    Numerals                          0, 1, 2, 3, 4, 5, 6, 7, 8, 9
    Symbols found on the keyboard     ` ~ ! @ # $ % ^ & * ( ) _ + - = { } | \ : " ; ' < > ? , . /
    (all keyboard characters not
    defined as letters or numerals)

An example of a strong password is J*p2leO4>F.

A password can meet most of the criteria of a strong password but still be rather weak. For example, Hello2U! is a relatively weak password even though it meets most of the criteria for a strong password and also meets the complexity requirements of password policy. H!elZl2o is a strong password because the dictionary word is interspersed with symbols, numbers, and other letters. It is important to educate users about the benefits of using strong passwords and to teach them how to create passwords that are actually strong.
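The criteria listed above can be checked mechanically. The following is an added example, not code from Microsoft or STIUNet; the function names and the three-word sample dictionary are assumptions made for illustration, and only ASCII keyboard characters are counted toward the four groups.

```python
import string

# Constructed sample word list; a real check would load a full dictionary.
SAMPLE_WORDS = ("password", "hello", "welcome")

# The page's four character groups (ASCII keyboard characters only).
GROUPS = {
    "uppercase": string.ascii_uppercase,
    "lowercase": string.ascii_lowercase,
    "numeral": string.digits,
    "symbol": string.punctuation,
}

def strip_digits(text):
    """Drop numerals so Password1 and Password2 compare as equal."""
    return text.translate(str.maketrans("", "", string.digits))

def weaknesses(password, identity=(), previous=(), words=SAMPLE_WORDS):
    """Return the strong-password criteria that `password` fails (empty list = strong)."""
    found = []
    lowered = password.lower()
    if len(password) < 7:
        found.append("shorter than seven characters")
    # identity: user name, real name, company name (case-insensitive substring match)
    if any(name and name.lower() in lowered for name in identity):
        found.append("contains user, real, or company name")
    if any(word in lowered for word in words):
        found.append("contains a complete dictionary word")
    for label, chars in GROUPS.items():
        if not any(ch in chars for ch in password):
            found.append(f"no {label} character")
    # Incrementing passwords differ from an earlier one only in their numerals.
    stem = strip_digits(lowered)
    if any(strip_digits(old.lower()) == stem for old in previous):
        found.append("differs from a previous password only by its numerals")
    return found

if __name__ == "__main__":
    for candidate in ("Password", "Hello2U!", "H!elZl2o", "J*p2leO4>F"):
        print(f"{candidate!r}: {weaknesses(candidate) or 'strong'}")
    print(weaknesses("Password3", previous=["Password2"]))
```

Hello2U! is flagged only for the dictionary word, which is the gap between meeting the complexity requirements and being strong; H!elZl2o passes because the word is no longer contiguous.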

You can create passwords that contain characters from the extended ASCII character set. Using extended ASCII characters increases the number of characters that you can choose when you create a password. As a result, it might take more time for password-cracking software to crack passwords that contain these extended ASCII characters than it does to crack other passwords. Before using extended ASCII characters in your password, test them thoroughly to make sure that passwords containing extended ASCII characters are compatible with the applications that your organization uses. Be especially cautious about using extended ASCII characters in passwords if your organization uses several different operating systems.

You can find extended ASCII characters in Character Map. Some extended ASCII characters should not be used in passwords. Do not use a character if a keystroke is not defined for it in the lower-right corner of the Character Map dialog box. For more information about how to use Character Map, see Using Character Map.

Examples of passwords that contain characters from the extended ASCII character set are kUµ!¶0o and Wf©$0k#»g¤5ªrd.

Source: Microsoft Documentation on Strong Passwords