TECH TOOLS - MARCH 2005


CREATING CRACK RESISTANT PASSWORDS
Your password is the key to your computer - a key much sought-after by hackers as a means of getting into your system. A weak password may give a hacker access not only to your computer, but to the entire network to which your computer is connected.
Your computer password is the gateway to your computer's security, and it needs to stand up to the tools that hackers have for cracking it.

Did you know that a six-letter password using all lower case (or all upper case) letters has just 308 million possible combinations, and that automated password-cracking programs, which hackers can download from the Internet, can easily break it within two minutes?

Most passwords can be easily guessed, especially if a hacker knows something about their target's background. It's surprisingly common for office workers to use the word "password" to enter their office networks. Other commonly used passwords are the computer user's first name, last name, child's name, or pet's name. Other common choices are repeated characters such as 1111222 or ababab, or favorite sports teams.

If you increase your password from six to eight letters, and use both upper and lower case letters, there are now 53 trillion possible combinations. And, if you substitute a number for one of the letters, then there are 218 trillion possible combinations.

Finally, substitute a special character or punctuation mark - such as #, %, ?, ~, @ - for another one of the letters, and the password has 6,095 trillion possible configurations. Since most programs require a password of 6 to 8 characters, this would be your strongest type of password: at least eight characters, including at least one upper case letter, one lower case letter, a number, and a special character or punctuation mark. It's still crackable (anything is), but it would require a much more sophisticated program, a more powerful computer, and a lot more time to do so.
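The arithmetic behind the figures above, as an added illustration that is not part of the original article. The 32-symbol special-character class is an assumption: 26 + 26 + 10 + 32 = 94 printable ASCII symbols (space excluded), which is the alphabet that reproduces the article's 6,095 trillion figure, and the guess rate is the one implied by "six lower-case letters in two minutes".

```python
SECONDS_PER_YEAR = 365 * 24 * 3600

# Character-class sizes. 32 specials is an assumption: 26+26+10+32 = 94
# printable ASCII symbols (space excluded), which reproduces the article's
# 6,095 trillion figure for eight characters drawn from all four classes.
LOWER, UPPER, DIGITS, SPECIALS = 26, 26, 10, 32


def keyspace(length: int, *class_sizes: int) -> int:
    """Number of distinct passwords of `length` drawn from the union of the
    given character classes (each position has sum(class_sizes) choices)."""
    return sum(class_sizes) ** length


def implied_guess_rate(space: int, seconds: float) -> float:
    """Guesses per second a cracker needs to try every candidate in `seconds`."""
    return space / seconds


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case brute-force time in years at a fixed guess rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Guess rate the article's "two minutes for six lower-case letters" implies.
    rate = implied_guess_rate(keyspace(6, LOWER), 120)
    for label, space in [
        ("6 lower", keyspace(6, LOWER)),
        ("8 upper+lower", keyspace(8, LOWER, UPPER)),
        ("8 upper+lower+digit", keyspace(8, LOWER, UPPER, DIGITS)),
        ("8 all four classes", keyspace(8, LOWER, UPPER, DIGITS, SPECIALS)),
    ]:
        print(f"{label:22} {space:>22,}  {years_to_exhaust(space, rate):12.1f} years")
```

At the implied rate, the full 94-symbol eight-character space takes on the order of 75 years to exhaust, which is the gap the article is describing between its weakest and strongest cases.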

What's an easy way to create a strong password? You can create a password from a passphrase. A passphrase is something you can easily remember, like a song title, slogan, or other phrase. Take the first letter of each word of the phrase to make up your password. Use both upper and lower case letters, then substitute characters for words - such as 2 for the word "to" or 4 for the word "for". Put some creative thought into it. You could also use the character $ for the letter S.

Here's an example: your passphrase might be "Do You Know The Way To San Jose" and the password could be dYktW2$j. Check this password out by running it through the Password Security Check listed at the bottom of this page. While you're at it, try running some of the passwords you're currently using as well.

Here are some simple guidelines for creating a strong password...
  • It should contain at least eight characters.
  • It should contain a mix of four different types of characters - upper case letters, lower case letters, numbers, and special characters such as !@#$%^&*,;"
  • If there is only one letter or special character, it should not be either the first or last character in the password.
  • It should not be a name, a slang word, or any word in the dictionary. It should not include any part of your name or your email address.
  • You should be able to type it quickly, so that someone looking over your shoulder cannot readily see what you have typed.
  • Try to create passwords that can be easily remembered. Create a password from an easily remembered passphrase.
  • It should be changed at least every 90 days to keep undetected intruders from continuing to use it.
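The passphrase method and the guideline checks above, worked through in code. This is an added example, not code from the original article: the word and letter substitutions are the ones the article names (2 for "to", 4 for "for", $ for S), the article gives no fixed rule for which initials to capitalise so the caller names them, and the tiny word list is constructed for the demonstration.

```python
import string

# Substitutions the article suggests: whole words become a digit, S becomes $.
WORD_SUBS = {"to": "2", "for": "4"}
LETTER_SUBS = {"s": "$"}


def derive_password(phrase: str, upper_words: set[int]) -> str:
    """Build a password from the first letter of each word in `phrase`.
    `upper_words` holds the 0-based indices of words whose initial is kept
    upper case (the article leaves that choice to the user)."""
    out = []
    for i, word in enumerate(phrase.split()):
        key = word.lower()
        if key in WORD_SUBS:
            out.append(WORD_SUBS[key])
        elif key[0] in LETTER_SUBS:
            out.append(LETTER_SUBS[key[0]])
        else:
            out.append(key[0].upper() if i in upper_words else key[0])
    return "".join(out)


# Constructed stand-in for a real dictionary / common-password list.
DICTIONARY = {"password", "welcome", "letmein", "summer", "dragon"}


def check_guidelines(pw: str, personal: tuple[str, ...] = ()) -> list[str]:
    """Return the article's guidelines that `pw` violates (empty list = passes).
    `personal` lists strings such as names or e-mail parts that must not appear."""
    problems = []
    classes = {
        "upper": [c for c in pw if c in string.ascii_uppercase],
        "lower": [c for c in pw if c in string.ascii_lowercase],
        "digit": [c for c in pw if c in string.digits],
        "special": [c for c in pw if c in string.punctuation],
    }
    if len(pw) < 8:
        problems.append("fewer than eight characters")
    for name, found in classes.items():
        if not found:
            problems.append(f"no {name} character")
        # A lone member of a class should not sit at either end of the password.
        elif len(found) == 1 and found[0] in (pw[0], pw[-1]):
            problems.append(f"only {name} character is first or last")
    if pw.lower() in DICTIONARY:
        problems.append("dictionary word")
    for token in personal:
        if len(token) >= 3 and token.lower() in pw.lower():
            problems.append(f"contains personal information '{token}'")
    return problems
```

Running the article's own example through both functions shows that dYktW2$j passes every listed guideline, while "password" fails on three character classes and the dictionary check.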

Almost all programs that store passwords in encrypted format store the last character in the clear (it can be seen).  All password cracking programs know this, so that means one less character for them to crack. This is why numbers and special characters should not be the first or last characters of your password.

The password used for logging on to your office computer should be different from the password you use to log in to a web site on the Internet. Passwords used to log in to a web site are far more exposed to hackers.  Any time you log in over an external network, your password is vulnerable to being stolen unless it is encrypted. Using a separate and unique password for your office computer helps protect the security of the office network.

Once you have selected an effective password, protect it. Resist the temptation to write your password down. If you must, keep it with you until you remember it, then burn it!  NEVER leave a password taped to your monitor. You should have different passwords for different accounts, but not so many passwords that you can't remember them all.

Do not disclose your password to anyone, not even to your systems administrator or maintenance technician. They don't need to know it. They have their own password with system privileges that will allow them to work on your account without the need for you to reveal your password. Do not allow anyone to observe your password as you enter it during the logon process.

Use a password-locked screensaver to make certain no one can perform any activity under your User ID while you are away from your desk. Screensavers can be set up so that they activate after the computer has been idle for a while.  Someone coming around to erase or sabotage someone else's work is not uncommon.   Just think of the trouble you could have if an offensive email was sent to your boss or co-workers from your computer, or if your computer was used to transfer illegal files, or download pornography.  Who wants to try to explain something like that? 

Most screensavers already have a password protection option that's easy to access.  If you're a Windows user, go to your Control Panel, select Display (or Display Properties), click the Screen Saver tab, select which screen saver you prefer, select how much idle time must elapse before the screensaver activates, then click into the box that reads, "On resume, password protect".

Finally, here is a list of password "don'ts"...

  • Don’t use your first, middle or last name or anyone else’s in any form. Do not use your initials or any nicknames you may have or anyone else’s.
  • Don’t use a word contained in English or foreign dictionaries, spelling lists, or other word lists and abbreviations.
  • Don’t use other information easily obtained about you. This includes pet names, license plate numbers, telephone numbers, identification numbers, the brand of your automobile, the name of the street you live on, and so on. Such passwords are very easily guessed by someone who knows the user.
  • Don’t reveal a password over the phone to ANYONE.
  • Don’t reveal a password in an email message.
  • Don’t talk about a password in front of others.
  • Don’t hint at the format of a password (e.g., “my family name”).
  • Don’t reveal a password on questionnaires or security forms.
  • Don’t share a password with family members.
  • Don’t reveal a password to co-workers while on vacation.
  • Don’t write a password in an obvious place that is accessible to others.
  • Don’t use the "Remember Password" feature of applications (e.g., Eudora, Outlook, Netscape Messenger).
  • Don’t store passwords in a file on ANY computer system (including Palm Pilots or similar devices) without encryption.

ONLINE RESOURCE
Password Security Check - Think you've come up with a strong password that's hard to hack? Go to this site, enter your password, and find out how secure it really is! http://www.securitystats.com/tools/password.php
©2000 - 2006 Skylinewebs - All rights reserved - Comments to Webmistress
The material on this site is protected by US Copyright Laws and cannot be used, nor links created to, any page on this site without the express written consent of Skylinewebs.