Most places use two sets of passwords: on-line authentication and off-line passwords. On-line authentication is typically done with an authentication/authorization (AA) system like Kerberos. Each administrator user is assigned the proper tokens and access rights on the servers.
For off-line administration of critical systems the root passwords are stored separately (in our case in a physically disconnected system). All access to the password list is logged, and the user needs to enter a motivation for retrieving the root password of a server. Previously the off-line password list was a printed list stored in a safe.
When provisioning a VM you can typically settle for not having any root password, and just assign on-line authentication/authorization. It's very unlikely that you need to administrate VM machines when your AA servers are off-line.
Let's do a quick calculation (and forget best practices for a moment):
Assume a timeframe of six months for an attacker to hack your system. Let's also assume that passwords are randomly chosen from a character set of size 62.
Scenario 1: You use a 9 character password for the entire six months.
Scenario 2: You use a 9 character password for the first three months, and a different 9 character password for the remaining three months.
Scenario 3: You use a 10 character password for the entire six months.
In Scenario 1, a brute force attacker hacks your account with 100% certainty, if he can do 62^9 attempts in that time.
In Scenario 2, if he can do only (62^9)/2 attempts in half the time (three months), he'll hack the account with 50% certainty. In the second half, he'll get another chance with 50% certainty. So statistically, he'll hack the account with 75% certainty.
In Scenario 3, he'll have 62^9 attempts for the entire six months. But there are 62^10 possibilities. So he'll hack the account only with 1/62 certainty, that's about 1.6%.
So if we leave all other factors out (like stolen passwords and other kinds of attacks), the recommendation would be to rather choose longer passwords than using shorter (or simpler) passwords, even if they're changed more often. Especially because in Scenario 3, there are only 10 characters to remember, while in Scenario 2, it's 18 characters.
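The three scenarios above, generalised to any number of rotations, as an added example that is not part of the original answer. It models a guesser who spreads a fixed budget of distinct, uniformly random guesses evenly over a window in which the password is replaced `rotations` times; the 62-character alphabet is the post's, the no-repeated-guesses assumption is mine.

```python
from fractions import Fraction

CHARSET_SIZE = 62  # [A-Za-z0-9], as assumed in the answer above


def compromise_probability(length, total_attempts, rotations=1, charset=CHARSET_SIZE):
    """Probability that at least one password is recovered during the window.

    Assumptions (constructed for this example):
      * every password is uniform over charset**length;
      * the attacker makes `total_attempts` distinct guesses in total,
        split evenly over `rotations` equal periods;
      * rotations=1 means the password is never changed.
    Exact rational arithmetic keeps 62**10-sized keyspaces precise.
    """
    keyspace = charset ** length
    attempts_per_period = Fraction(total_attempts, rotations)
    # Distinct guesses: chance of missing within one period is 1 - tried/keyspace,
    # capped at zero once the whole keyspace has been tried.
    p_miss_one_period = 1 - min(Fraction(1), attempts_per_period / keyspace)
    # Periods are independent because each new password is drawn afresh.
    return 1 - p_miss_one_period ** rotations


def post_scenarios(budget=CHARSET_SIZE ** 9):
    """The answer's three scenarios with a six-month budget of 62**9 guesses."""
    return {
        "scenario_1_9chars_no_rotation": compromise_probability(9, budget, rotations=1),
        "scenario_2_9chars_rotate_once": compromise_probability(9, budget, rotations=2),
        "scenario_3_10chars_no_rotation": compromise_probability(10, budget, rotations=1),
    }


def rotation_floor(length, max_rotations, budget=None):
    """Best (lowest) compromise probability reachable by rotating a `length`-char
    password up to `max_rotations` times when the budget equals its keyspace.
    Shows that rotation alone cannot get below 1 - 1/e, while one extra
    character drops the probability to 1/62 in one step."""
    budget = CHARSET_SIZE ** length if budget is None else budget
    return min(compromise_probability(length, budget, k) for k in range(1, max_rotations + 1))


if __name__ == "__main__":
    for name, p in post_scenarios().items():
        print(f"{name}: {p} ≈ {float(p):.3%}")
    print("best with monthly rotation of 9 chars:", float(rotation_floor(9, 6)))
    print("one extra character instead:", float(compromise_probability(10, 62 ** 9)))
```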
Best Answer
KeePass is great.