Wednesday, October 28, 2015

Protecting passwords from brute force and dictionary attacks


Protecting passwords from brute force and dictionary attacks requires numerous security precautions and rigid adherence to a strong security policy. 

First, physical access to systems must be controlled. An attacker who can reach the console can boot from alternative media and copy the password database outright, bypassing every logon control that follows.

Second, tightly control and monitor electronic access to password files. End users and administrators who are not account administrators have no need to read the password database file for normal daily work, so any such access is worth an alert.

Third, craft a password policy that programmatically enforces strong passwords and prescribe means by which end users can create stronger ones. The stronger and longer the password, the longer it will take to be discovered in a brute force attack: the search space grows exponentially with length and with the number of character classes used, while a dictionary word with a digit or symbol appended is found almost immediately. Because any static password is eventually guessable, changing passwords regularly is required to maintain security. Static passwords older than 30 days should be treated as compromised even when no other sign of a breach has been found.
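The following is an added example, not code from the study guide or the original post: a small policy checker that enforces the three rules above (length, character classes, dictionary check) and then works the "longer and stronger takes longer" claim through to a number by tying it to the 30-day rotation threshold. The thresholds, the tiny COMMON_WORDS list and the guess rate passed in are assumptions chosen for illustration; a real deployment would load a large wordlist plus breached-password lists.

```python
import re

# Constructed stand-in for a real wordlist (assumption: a production check
# would load thousands of entries plus previously breached passwords).
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "admin", "october"}

MIN_LENGTH = 12     # assumed policy minimum
MAX_AGE_DAYS = 30   # the guide's rotation threshold

# Alphabet size an attacker must assume once a character class is observed;
# 26 + 26 + 10 + 33 = 95 printable ASCII characters.
CLASSES = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33)]

def check_password(pw):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    present = sum(1 for pattern, _ in CLASSES if re.search(pattern, pw))
    if present < 3:
        problems.append("fewer than three character classes")
    # Dictionary check on the alphabetic core, so "Password1!" is still caught.
    core = re.sub(r"[^A-Za-z]", "", pw).lower()
    if core in COMMON_WORDS:
        problems.append("based on a dictionary word")
    return problems

def keyspace(pw):
    """Candidates an exhaustive attacker who knows the length and the character
    classes in use must try: alphabet size raised to the password length."""
    alphabet = sum(size for pattern, size in CLASSES if re.search(pattern, pw))
    return alphabet ** len(pw)

def expected_crack_days(pw, guesses_per_second):
    """Expected brute-force time in days (on average half the keyspace is searched)."""
    return keyspace(pw) / 2 / guesses_per_second / 86400

def survives_rotation_period(pw, guesses_per_second):
    """The guide's two rules combined: a password is only adequate if the expected
    brute-force time exceeds the interval after which it is rotated anyway."""
    return expected_crack_days(pw, guesses_per_second) > MAX_AGE_DAYS

if __name__ == "__main__":
    rate = 1e10  # assumed offline guess rate against a fast hash
    for candidate in ["Password1!", "abcdefgh", "Xk9#mQ2vL7pZ"]:
        print(candidate, check_password(candidate),
              "%.3g days" % expected_crack_days(candidate, rate),
              "survives 30 days:", survives_rotation_period(candidate, rate))
```

Note that keyspace() is an upper bound that only holds for randomly chosen passwords; a password that fails the dictionary check is found by a wordlist attack long before the exhaustive estimate applies, which is why the policy check runs first.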

Fourth, deploy two-factor authentication, such as biometrics or hardware tokens, so that a password recovered by brute force or dictionary attack does not by itself grant access.

Fifth, use account lockout controls to prevent brute force and dictionary attacks against logon prompts. Note that lockout can itself be turned against you: an attacker who deliberately fails logons can lock legitimate users out, so pair it with a lockout duration and alerting rather than an indefinite lock. For those systems and services that don't support account lockout controls, such as most FTP servers, employ extensive logging and an IDS to look for both fast password attacks (bursts of failures from one source) and slow ones that stay under any per-account threshold by spreading attempts over hours or rotating across many accounts.
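As an added illustration, not code from the study guide or the original post, the script below applies the three controls just described to constructed authentication log lines: a sliding-window account lockout, a detector for fast (burst) guessing by source address, and a detector for the low-and-slow pattern that never trips the lockout because it rotates through accounts. The log format ("timestamp result user source"), the sample lines and all thresholds are assumptions made for the example; the same logic transfers to whatever format your FTP or other service actually writes.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5                   # failures per account before lockout
LOCKOUT_WINDOW = timedelta(minutes=15)
FAST_THRESHOLD = 5                      # failures per source within FAST_WINDOW
FAST_WINDOW = timedelta(seconds=60)
SLOW_MIN_FAILURES = 5                   # failures per source spread over SLOW_MIN_SPAN
SLOW_MIN_SPAN = timedelta(hours=1)

def make_sample_log():
    """Constructed log lines (not from any real server) in the assumed format
    'ISO-timestamp RESULT user source'."""
    t0 = datetime(2015, 10, 28, 9, 0, 0)
    lines = []
    # Fast attack: eight failures against one account within 14 seconds.
    for i in range(8):
        lines.append("%s FAIL alice 203.0.113.7" % (t0 + timedelta(seconds=2 * i)).isoformat())
    # Slow attack: one failure every 20 minutes, rotating through accounts so
    # that no single account ever reaches the lockout threshold.
    users = ["bob", "carol", "dave", "erin", "frank"]
    for i in range(7):
        lines.append("%s FAIL %s 198.51.100.9" % ((t0 + timedelta(minutes=20 * i)).isoformat(), users[i % 5]))
    # A legitimate user mistypes once, then logs in.
    lines.append("%s FAIL grace 192.0.2.5" % (t0 + timedelta(minutes=5)).isoformat())
    lines.append("%s OK grace 192.0.2.5" % (t0 + timedelta(minutes=5, seconds=30)).isoformat())
    return "\n".join(lines)

def parse(log_text):
    """Return events as (timestamp, failed, user, source), sorted by time."""
    events = []
    for line in log_text.splitlines():
        ts, result, user, src = line.split()
        events.append((datetime.fromisoformat(ts), result == "FAIL", user, src))
    return sorted(events)

def _bursting(events, key, threshold, window):
    """Sliding-window counter over FAIL events grouped by key(event): returns the
    keys that accumulated `threshold` failures inside `window`."""
    recent = defaultdict(list)
    flagged = set()
    for ev in events:
        ts, failed = ev[0], ev[1]
        if not failed:
            continue
        k = key(ev)
        recent[k] = [t for t in recent[k] if ts - t <= window] + [ts]
        if len(recent[k]) >= threshold:
            flagged.add(k)
    return flagged

def locked_accounts(events):
    """Accounts an account-lockout control would have locked."""
    return _bursting(events, lambda e: e[2], LOCKOUT_THRESHOLD, LOCKOUT_WINDOW)

def fast_attack_sources(events):
    """Sources producing a burst of failures, regardless of which accounts they hit."""
    return _bursting(events, lambda e: e[3], FAST_THRESHOLD, FAST_WINDOW)

def slow_attack_sources(events):
    """Sources with many failures spread over a long span that never locked any
    account: the pattern a per-account lockout cannot see."""
    by_src = defaultdict(list)
    for ts, failed, user, src in events:
        if failed:
            by_src[src].append((ts, user))
    locked = locked_accounts(events)
    flagged = set()
    for src, fails in by_src.items():
        span = fails[-1][0] - fails[0][0]
        users = {u for _, u in fails}
        if len(fails) >= SLOW_MIN_FAILURES and span >= SLOW_MIN_SPAN and not (users & locked):
            flagged.add(src)
    return flagged

if __name__ == "__main__":
    ev = parse(make_sample_log())
    print("locked accounts:", locked_accounts(ev))
    print("fast attackers:", fast_attack_sources(ev))
    print("slow attackers:", slow_attack_sources(ev))
```

The slow-attack source is invisible to the lockout control because every account it touches sees at most two failures; only correlating failures by source over a long window reveals it, which is the point of the logging-plus-IDS recommendation.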


Sixth, encrypt password files with the strongest encryption available for your OS. Encryption of the file is a second layer: the passwords inside it should never be stored reversibly but as salted, deliberately slow hashes, since it is the per-guess cost of the hash that keeps a leaked copy from being cracked offline. Maintain rigid control over all media that have a copy of the password database file, such as backup tapes and some types of boot or repair disks.
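An added example, not code from the study guide or the original post, showing the storage format that makes a password database resist offline brute force: each password is hashed with a per-user random salt and a configurable work factor (PBKDF2-HMAC-SHA256 from the Python standard library), the record is self-describing so the work factor can be raised later, and verification uses a constant-time comparison. The record layout, the iteration count and the function names are this example's own choices.

```python
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # assumed current work factor; raise it as hardware gets faster
SALT_BYTES = 16

def hash_password(password, iterations=ITERATIONS, salt=None):
    """Return a self-describing record 'algorithm$iterations$salt$hash' (base64 fields).
    A fresh random salt per password defeats precomputed (rainbow-table) attacks
    and forces an attacker to crack every record separately."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])

def verify_password(password, record):
    """Return (matches, needs_rehash). The stored record determines the salt and
    iteration count, so old records keep verifying after ITERATIONS is raised,
    and needs_rehash tells the caller to re-store them at the new cost."""
    try:
        algorithm, iters, salt_b64, dk_b64 = record.split("$")
    except ValueError:
        return False, False
    if algorithm != ALGORITHM:
        return False, False
    iters = int(iters)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iters)
    ok = hmac.compare_digest(dk, expected)   # constant-time, no early exit on mismatch
    return ok, ok and iters < ITERATIONS

if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))   # (True, False)
    print(verify_password("Password1!", record))                     # (False, False)
```

Each doubling of the iteration count halves an attacker's guess rate against a leaked file at the cost of a few extra milliseconds per legitimate logon. Where a memory-hard function such as Argon2id or scrypt is available it is preferable to PBKDF2, because it also blunts GPU-based cracking.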


Reference:

Sybex Study Guide for CISSP