Passwords are a critical line of defense between your sensitive data and prying eyes, so separating fact from fiction about password security is a must Over the past few years, companies have increasingly adopted considerably stronger password policies. Unfortunately, there’s still ample confusion in how to strengthen password policies and to mitigate password-focused attacks. I found dozens of mistakes in various security portals’ password-hacking whitepapers, seen respected security vendors recommending incorrect mitigations to conflated attacks, and took note of highly knowledgeable security teams operating on mistaken assumptions.I understand the confusion: There are many different types of password attacks (and defenses) and so much incorrect information on the Internet. The following are a few myths about password security that often surprise even the most seasoned security admins.[ Master your security with InfoWorld’s interactive Security iGuide. | Stay up to date on the latest security developments with InfoWorld’s Security Central newsletter. ]For starters, many admins think that password information retrieved from locally stored Windows profiles can be used in pass-the-hash attacks. In reality, the password verifiers stored in local profiles are extremely resilient against cracking — up to tens of thousands of times harder to crack than a normal password hashes. What’s more, they can’t be used in pass-the-hash attacks at all. Another common misconception: Any Windows password up to 14 characters in length can be quickly cracked using rainbow tables and clouds of GPU-equipped, superfast computers. In fact, if the LAN Manager hash is disabled, even 10- to 12-character passwords are extremely tough to crack.Most password enforcers think that complexity beats length when strengthening password policies. It only works that way in the classroom. In the real world, length will give you far more protection than complexity; though you may give users 64,000 different symbols to choose among for their password, most people use the same 40 or so characters. Yet another common misconception is that password hashes or passwords can be retrieved from server memory for users accessing files on password-protected drive shares. This is not true, at least for Windows file sharing, although relevant password information can be retrieved for interactively logged-on users.Contrary to popular belief among many admins, smart cards and Kerberos can’t prevent all forms of password hacking. Organizations should certainly strive to embrace both types of improved authentication, as they defeat many attack classes. But you should know exactly what you are and aren’t defeating as you expend resources and efforts in your new authentication projects.The aforementioned myths are but a sampling of the misinformation out there. Fortunately, there are plenty of defenses you can add to your list of security policies to keep your systems and data safe. For example: Increase the minimum length for end-user passwords to 12 characters — and 15 characters for admins. Don’t enter your password on untrusted computers, and never use the same password for different systems. Disable weak password hashes and authentication protocols, such as LAN Manager and NTLM Version 1.0. Consider two-factor authentication. Sniff out and remove plaintext passwords on your network. Improve end-user education — including a lesson on phishing — to prevent password attacks. Keep your software current and patched to ensure the programs contain the latest security fixes and defenses.The myths I’ve dispelled here and tips I’ve offered are just the tip of the iceberg when it come to understanding and preventing password-oriented attacks. Still, they should help in the ongoing fight to keep the bad guys out of your systems.This story, “Five password-security myths dispelled,” was originally published at InfoWorld.com. Follow the latest developments in network security and read more of Roger Grimes’ Security Adviser blog at InfoWorld.com. Related content analysis The 5 types of cyber attack you're most likely to face Don't be distracted by the exploit of the week. Invest your time and money defending against the threats you're apt to confront By Roger Grimes Aug 21, 2017 7 mins Phishing Malware Social Engineering analysis 'Jump boxes' and SAWs improve security, if you set them up right Organizations consistently and reliably using one or both of these approaches have far less risk than those that do not. By Roger Grimes Jul 26, 2017 13 mins Authentication Access Control Data and Information Security analysis Attention, 'red team' hackers: Stay on target You hire elite hackers to break your defenses and expose vulnerabilities -- not to be distracted by the pursuit of obscure flaws By Roger Grimes Dec 08, 2015 4 mins Hacking Data and Information Security Network Security analysis 4 do's and don'ts for safer holiday computing It's the season for scams, hacks, and malware attacks. But contrary to what you've heard, you can avoid being a victim pretty easily By Roger Grimes Dec 01, 2015 4 mins Phishing Malware Patch Management Software Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe