The Importance of Using Strong Passwords

The use of strong passwords can slow, and often defeat, the attack methods commonly used to compromise a terminal's security.

Although many alternatives for user authentication are available today, most users log on to their computer, and to remote computers, with a combination of their user name and a password typed at the keyboard. Some retailers configure their Point of Service terminals to log on automatically at boot, and some allow users to select their own passwords. To make passwords easier to remember, users often reuse the same or a similar password on every system; and given a choice, most users select a simple, easy-to-remember password such as their birthday, their mother's maiden name, or the name of a relative. Short and simple passwords are relatively easy for an attacker to determine. Common methods that attackers use to discover a victim's password include:

  • Guessing—The attacker attempts to log on to the user's account by repeatedly guessing likely words and phrases, such as the names of the user's children, their city of birth, or local sports teams.
  • Online Dictionary Attack—The attacker uses an automated program that reads a text file of words and repeatedly attempts to log on to the target system, trying a different word from the file on each attempt.
  • Offline Dictionary Attack—Similar to the online dictionary attack, except that the attacker first obtains a copy of the file in which the hashed or encrypted user accounts and passwords are stored, then uses an automated program to determine the password for each account. Because no logon attempts are made against the live system, this type of attack can be completed very quickly once the attacker has a copy of the password file.
  • Offline Brute Force Attack—A variation of the dictionary attack designed to find passwords that are not in the word list. Although a brute force attack can be attempted online, network bandwidth and latency make that impractical, so it is usually carried out offline against a copy of the target system's password file. The attacker's program generates the hash or encrypted value of every possible password and compares each one to the values in the password file.
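The following added example, which is not part of the original WEPOS documentation, runs the two offline attacks described above against a constructed password file. The hash function (unsalted SHA-256), the account names, the passwords and the word list are all assumptions chosen for illustration; the real hash format on any given system differs, but the attack logic (hash the guess, compare it to every stored value) is the same. The guessable passwords fall to a short word list with common mutations, the short numeric one falls to brute force, and the password that meets the strong-password rules survives both. The keyspace figures show why: each extra character group multiplies the number of candidates a brute force attack must hash.

```python
"""Offline dictionary and brute force attacks against a constructed password file.

Added example, not part of the original page. Hash function, accounts,
passwords and word list are constructed for illustration only.
"""
import hashlib
import itertools
import string


def hash_password(password: str) -> str:
    # Assumption: unsalted SHA-256 stands in for whatever format a real
    # system stores. The attack steps below do not depend on the choice.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed sample "password file" (account -> stored hash). Not real data.
PASSWORD_FILE = {
    "cashier1": hash_password("password"),    # a dictionary word
    "cashier2": hash_password("Chicago1"),    # city of birth plus a digit
    "backoffice": hash_password("2468"),      # short, digits only
    "manager": hash_password("kT7#vq!Zp2"),   # meets the strong-password rules
}

# Constructed word list of the guesses the text lists (names, cities, teams).
WORDLIST = ["password", "chicago", "cubs", "emily", "summer", "admin"]


def mutations(word: str):
    """Cheap rewrites that dictionary-attack tools try for every word."""
    yield word
    yield word.capitalize()
    yield word.upper()
    for digit in "0123456789":
        yield word + digit
        yield word.capitalize() + digit
    yield word + "!"


def dictionary_attack(password_file: dict, wordlist: list) -> dict:
    """Offline dictionary attack: hash each candidate once and look it up
    against every stored hash. Returns {account: recovered password}."""
    by_hash = {h: acct for acct, h in password_file.items()}
    cracked = {}
    for word in wordlist:
        for candidate in mutations(word):
            acct = by_hash.get(hash_password(candidate))
            if acct is not None:
                cracked.setdefault(acct, candidate)
    return cracked


def brute_force(password_file: dict, alphabet: str, max_length: int) -> dict:
    """Offline brute force: enumerate every string over `alphabet` of up to
    `max_length` characters. Finds passwords no word list would contain."""
    by_hash = {h: acct for acct, h in password_file.items()}
    cracked = {}
    for length in range(1, max_length + 1):
        for chars in itertools.product(alphabet, repeat=length):
            candidate = "".join(chars)
            acct = by_hash.get(hash_password(candidate))
            if acct is not None:
                cracked.setdefault(acct, candidate)
    return cracked


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates a brute force attack must hash, in the worst case,
    to cover every password of exactly `length` characters."""
    return alphabet_size ** length


if __name__ == "__main__":
    print("dictionary attack:", dictionary_attack(PASSWORD_FILE, WORDLIST))
    print("brute force, digits <= 4 chars:",
          brute_force(PASSWORD_FILE, string.digits, 4))
    # 26 lowercase, 62 with uppercase and digits, 94 with the 32 symbols
    # listed in the table below.
    print("6 chars, lowercase only     :", keyspace(26, 6))
    print("6 chars, lower+upper+digits :", keyspace(62, 6))
    print("6 chars, all four groups    :", keyspace(94, 6))
```

Note that `brute_force` over the full 94-character alphabet at six characters would need roughly 6.9e11 hashes, which is why the example restricts the enumeration to digits: the comparison of keyspaces, not the run itself, is the point.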

Each of these attack methods can be slowed down significantly or even defeated through the use of strong passwords. Therefore, whenever possible, computer users should use strong passwords for all of their computer accounts. Computers running Windows Embedded for Point of Service (WEPOS) support strong passwords.

Passwords are case-sensitive and may contain as many as 127 characters. A strong password:

  • Does not contain the user name.
  • Is at least six characters long.
  • Contains characters from at least three of the following four groups:

    Description                                                  Examples
    Lowercase letters                                            a, b, c, ...
    Uppercase letters                                            A, B, C, ...
    Numerals                                                     0, 1, 2, 3, 4, 5, 6, 7, 8, 9
    Symbols (all characters not defined as letters or numerals)  ` ~ ! @ # $ % ^ & * ( ) _ + - = { } | [ ] \ : " ; ' < > ? , . /
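The following added example, which is not part of the original WEPOS documentation, implements the strong-password rules above as a policy check and reports which rules a candidate password violates. Two details are assumptions rather than statements of the page: the user-name comparison is case-insensitive, and the letter and numeral groups are taken to be the ASCII characters shown in the table, so any other character (including non-ASCII letters) counts as a symbol, following the table's definition of the symbol group.

```python
"""Strong-password policy check for the rules listed above.

Added example, not part of the original page. Case-insensitive user-name
matching and the ASCII-only letter/numeral groups are assumptions.
"""
MAX_LENGTH = 127   # passwords may contain as many as 127 characters
MIN_LENGTH = 6     # at least six characters long
MIN_GROUPS = 3     # characters from three of the four groups


def character_groups(password: str) -> set:
    """Return the set of character groups present in `password`.

    Letters and numerals are the ASCII ranges from the table; every other
    character is a symbol ("all characters not defined as letters or numerals").
    """
    groups = set()
    for ch in password:
        if "a" <= ch <= "z":
            groups.add("lowercase")
        elif "A" <= ch <= "Z":
            groups.add("uppercase")
        elif "0" <= ch <= "9":
            groups.add("numeral")
        else:
            groups.add("symbol")
    return groups


def check_strong_password(user_name: str, password: str) -> list:
    """Return a list of rule violations; an empty list means the password
    meets the strong-password rules."""
    problems = []
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Assumption: the user-name check ignores case, since a user would
    # otherwise satisfy the rule with "JDoe" for account "jdoe".
    if user_name and user_name.lower() in password.lower():
        problems.append("contains the user name")
    groups = character_groups(password)
    if len(groups) < MIN_GROUPS:
        problems.append(
            f"uses only {len(groups)} of the 4 character groups "
            f"({', '.join(sorted(groups))}); {MIN_GROUPS} are required")
    return problems


def is_strong_password(user_name: str, password: str) -> bool:
    return not check_strong_password(user_name, password)


if __name__ == "__main__":
    # Constructed candidates, from the kinds of weak choice the text warns about
    # to one that satisfies every rule.
    for candidate in ["password", "jdoe1984", "Ab1", "Summer2006", "kT7#vq!Zp2"]:
        problems = check_strong_password("jdoe", candidate)
        verdict = "strong" if not problems else "; ".join(problems)
        print(f"{candidate!r:14} -> {verdict}")
```

The check is deliberately a pure function of the user name and candidate password, so the same code can run in an interactive password-change dialog and in a batch audit of newly chosen passwords.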

© 2006 Microsoft Corporation. All rights reserved.