What is a good password? Well, that depends on who the password is for and what the password is protecting. For a normal system user who only has access to limited amounts of information, services and software, the most important things about a password are that it's hard to guess and that the user protects it properly. What can an outsider really get at, anyway, if they have a user-level password? If the network is set up properly, an attacker can't get to the internal network from the Internet. All they can get at are things in the DMZ like e-mail and web servers, right? And if the users are doing things right, any private, sensitive information in their e-mail messages is strongly encrypted, so even if an attacker gets into the DMZ servers, all they get is information that is ancillary at best. So, for a normal system user, the old eight-character password that uses all the different types of characters, isn't a dictionary word, isn't your wife's middle name, etc. is just fine.
But how about the folks who have system-admin-level access or who are granted remote access privileges? What is a good password for them? In my opinion, there is no such thing! No user name and password on their own, with no other authentication mechanism, is good enough for these levels of access. All the passwords in the world are still just something you know. You must use something you are or something you have to further authenticate yourself.
If a user has remote access privileges and their only authentication mechanism is a user name and password, what happens if it is intercepted or stolen? The attacker suddenly has a way into the internal network! Then they can use that password to get at juicier tidbits of information than they could find on an e-mail server. We all know that internal networks are never as well set up and secured as external networks. But even then, the attacker will be limited to the information and services available at the user's privilege level. Maybe the attacker can run some exploits or elevate their privileges a bit; that depends on just how poorly the internal network is secured.
But what if an attacker gets their hands on a system-admin-level user name and password, gets into the internal network, and there is no other authentication mechanism needed? Well, then, it's pretty much game over! They can grab the password hashes, get at private information, set privileges, install malware, erase records of their presence: pretty much anything they want!
So, if you are a normal user, make difficult-to-guess passwords and don't let anybody else at them. If you are a remote user, use a strong password, but also use a token or something similar. If you are a system admin, you can't use too many authentication mechanisms, and they can't be too strong! Use strong, long passphrases instead of simple passwords, change them every 30 days, use tokens, use positive IP checking, use software clients, use whatever you can get. But don't just rely on your user name and password!