
3.1.1.5 Lab - Create and Store Strong Passwords

This document discusses creating and storing strong passwords. It explains that strong passwords are difficult for others and programs to guess while still being easy for the user to remember. The document recommends using password managers to securely store passwords. Password managers encrypt passwords and store them remotely, allowing access from any device but also relying on the password manager service for security. LastPass is provided as an example of a popular password manager.

Uploaded by

Richard Parulian

Lab – Create and Store Strong Passwords

Objectives
Understand the concepts behind a strong password.
Part 1: Explore the concepts behind creating a strong password.
Part 2: Explore the concepts behind securely storing your passwords.

Background / Scenario
Passwords are widely used to enforce access to resources. Attackers will use many techniques to learn
users’ passwords and gain unauthorized access to a resource or data.
To better protect yourself, it is important to understand what makes a strong password and how to store it
securely.

Required Resources
• PC or mobile device with Internet access

Part 1: Creating a Strong Password


Strong passwords have four main requirements listed in order of importance:
1) The user can easily remember the password.
2) It is not trivial for any other person to guess a password.
3) It is not trivial for a program to guess or discover a password.
4) Must be complex, containing numbers, symbols and a mix of upper case and lower case letters.
Based on the list above, the first requirement is probably the most important because you need to be able to
remember your password. For example, the password #4ssFrX^-aartPOknx25_70!xAdk<d! is considered a
strong password because it satisfies the last three requirements, but it is very difficult to remember.
Many organizations require passwords to contain a combination of numbers, symbols, and lower and upper
case letters. Passwords that conform to that policy are fine as long as they are easy for the user to remember.
Below is a sample password policy set for a typical organization:
• The password must be at least 8 characters long
• The password must contain upper- and lower-case letters
• The password must contain a number
• The password must contain a non-alphanumeric character

© Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 1 of 3 www.netacad.com

Take a moment to analyze the characteristics of a strong password and the common password policy set
shown above. Why does the policy set neglect the first two items? Explain.
Adding symbols, numbers, and a mix of upper/lower case letters to a password makes it harder for users
to remember. Traditionally, when users find a password that conforms to a given password policy set,
they reuse the same structure or even the entire password across other services. Some systems also
force users to change passwords periodically, preventing users from reusing previous passwords.
Such users are also very likely to make minor changes to the password instead of creating an entirely
different password that still conforms to the given password policy.
A good way to create strong passwords is to choose four or more random words and string them together.
The password televisionfrogbootschurch is stronger than J0n@than#81. Notice that while the second
password is in compliance with the policies described above, password cracker programs are very efficient at
guessing that type of password. While many password policy sets will not accept the first password,
televisionfrogbootschurch, it is much stronger than the second. It is easier for the user to remember
(especially if it is associated with an image), it is very long, and its random factor makes it hard for password
crackers to guess.
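The comparison above, as an added example that is not part of the original lab: it checks both passwords from the text against the sample policy set and generates a random-word passphrase with a cryptographically secure random source. The function names are hypothetical and the word list is a small constructed sample; the entropy figure applies only to words picked at random by a generator, not to words a person chooses.

```python
import math
import re
import secrets

# The sample policy set from the lab, as (rule description, test) pairs.
POLICY = [
    ("at least 8 characters", lambda p: len(p) >= 8),
    ("upper- and lower-case letters",
     lambda p: bool(re.search(r"[a-z]", p) and re.search(r"[A-Z]", p))),
    ("a number", lambda p: bool(re.search(r"\d", p))),
    ("a non-alphanumeric character",
     lambda p: bool(re.search(r"[^A-Za-z0-9]", p))),
]


def policy_failures(password):
    """Return the descriptions of the policy rules the password violates."""
    return [name for name, test in POLICY if not test(password)]


# Constructed demo list (assumption); a usable generator draws from
# a list of thousands of words so each word adds more entropy.
WORDS = ["television", "frog", "boots", "church", "lamp", "river",
         "candle", "tiger", "pillow", "orbit", "maple", "anchor",
         "violin", "gravel", "pepper", "helmet"]


def random_passphrase(n_words=4, words=WORDS):
    """Join n_words chosen uniformly at random using the OS CSPRNG."""
    return "".join(secrets.choice(words) for _ in range(n_words))


def passphrase_bits(n_words, list_size):
    """Entropy in bits of n_words drawn uniformly from list_size words."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    for pw in ("J0n@than#81", "televisionfrogbootschurch"):
        failed = policy_failures(pw)
        print(f"{pw!r}: {'passes policy' if not failed else 'fails: ' + ', '.join(failed)}")
    print("generated:", random_passphrase())
    # Entropy depends on the list size, not on the characters used.
    for size in (len(WORDS), 2048):
        print(f"4 words from {size}: {passphrase_bits(4, size):.1f} bits")
```

The policy accepts J0n@than#81 and rejects televisionfrogbootschurch on three rules, which is the mismatch between policy compliance and strength that the lab describes.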
Using an online password creation tool, create passwords based on the common company password policy
set described above.
a. Open a web browser and go to http://passwordsgenerator.net
b. Select the options to conform to password policy set
c. Generate the password.
Is the password generated easy to remember?
Most likely the password will not be easy to remember.
Using an online password creation tool, create passwords based on random words. Notice that because
the words are appended together, they are not seen as dictionary words.
d. Open a web browser and go to http://preshing.com/20110811/xkcd-password-generator/
e. Generate a random word password by clicking Generate Another! at the top portion of the webpage.
f. Is the password generated easy to remember?
Most likely the password will not be easy to remember.

Part 2: Securely Storing Passwords


If the user chooses to use a password manager, the first strong password characteristic can be dropped
because the user has access to the password manager at all times. Notice that some users only trust their
passwords to their own memory. Password managers, either local or remote, must have a password store,
and it can be compromised.
The password manager password store must be strongly encrypted and access to it must be tightly
controlled. With mobile phone apps and web interfaces, cloud-based password managers provide anytime,
uninterrupted access to their users.
A popular password manager is LastPass.
Create a trial LastPass account:
a. Open a web browser and go to https://lastpass.com/
b. Click Start Trial to create a trial account.
c. Fill out the fields, as instructed.
d. Set a master password. This password gives you access to your LastPass account.


e. Download and install the LastPass client for your operating system.
f. Open the client and log in with your LastPass master password.
g. Explore LastPass password manager.
As you add passwords to LastPass, where are the passwords stored?
The passwords are stored in the cloud, on LastPass servers.
Besides you, at least one other entity has access to your passwords. Who is that entity?
LastPass
While having all your passwords stored in the same place can be convenient, there are drawbacks. Can
you think of any?
LastPass servers become a big target for attackers because they contain many users' passwords.
The responsibility for keeping your passwords safe is now delegated to a third-party company
whose security policies you do not control. You choose to trust that
they do a good job of protecting your passwords, but there is no guarantee.

Part 3: What Is a Strong Password Then?


Using the strong password characteristics given at the beginning of this lab, choose a password that is
easy to remember but hard to guess. Complex passwords are OK as long as they do not impact more
important requirements such as the ability to easily remember them.
If a password manager is used, the need to be easily remembered can be relaxed.
Below is a quick summary:
Choose a password you can remember.
Choose a password that someone else cannot associate with you.
Choose different passwords and never use the same password for different services.
Complex passwords are OK as long as they do not become harder to remember.
