How to...find password perfection

One day they'll teach password creation skills at school. Until then, here are some tips to pass on to your users.

By Peter H. Gregory, Computerworld (US)
The use of good, hard-to-guess passwords can make it difficult for a malicious hacker to break into your computer account. Avoiding predictable keywords and using different methods to introduce variety into your passwords makes it easy for you to remember them but virtually impossible for others to guess them.

Tips for creating winning passwords

Build passwords from words associated with a memorable event. Example phrases associated with a birth might be blueeyes, hurry, onemorepush, crankyRN, coldbracelet, roomsix and icechips. Ideas associated with a new car could be deepblue, 6CDs, 5speed and TiresThatGrip. The idea here is that you use a variety of words associated with an event that other people would not readily guess. Remember that you may also need to mix in uppercase letters and numbers when you create a new password. For instance, "hurry" could become hUrry66 or Hur5ry.

Substitute numbers for letters based upon their appearance. With a little imagination, you can visualize numbers that bear a resemblance to letters. So: 1=L, 2=Z, 3=E, 4=A, 5=S, 6=b, 7=Z, 8=B, 9=g, 0=O. When you create a password, substitute a number where a letter would appear, according to the chart above. Some examples:

* scuba becomes 5cu8a
* water becomes w4t3r
* icecream becomes 1c3cr34m

Substitute numbers for letters based upon their location on the keyboard. The uppermost row of letters on the keyboard, QWERTYUIOP, has a row of numbers right above it: 1234567890. So: 1=Q, 2=W, 3=E, 4=R, 5=T, 6=Y, 7=U, 8=I, 9=O, 0=P. Some examples:

* scuba becomes sc7ba
* purple becomes 07r0l3
* rocket becomes 49ck35

Consistently capitalize the nth letter(s) of your password. Some systems require that at least one character be uppercase. Many people capitalize the first character, but this is too predictable. Instead, always capitalize the second, third or fourth letter, or perhaps always the last or next-to-last. Some examples: huRry, roCky, puRple, roCket. For further interest, you can capitalize more than one letter, for instance the first and third, or the second and fourth.

Avoid predictable week-to-week or month-to-month changes. One example of a predictable pattern to avoid: eyesJan01, eyesFeb02, eyesMar03, etc. If someone were lucky enough to discover your password long ago, you don't want him to be able to predict what it will be in the future.

Store passwords in Counterpane Labs' Password Safe tool. All passwords are encrypted with the robust Blowfish algorithm. A nifty feature of Password Safe is that when you double-click on a previously stored password entry, it silently copies it to the clipboard so you can paste in the password even if others are watching you type.

Check the quality of your password at SecurityStats.com. This Web site performs calculations based on the complexity and "guessability" of your password and tells you how good your password is. Remember that your password is transmitted over the Internet in the clear, so you should try similar passwords instead of your actual passwords to get an idea of the characteristics of a good one.

Adopt ISO17799 password quality guidelines. Ask the IT department to implement best practices for password management in accordance with ISO17799, a widely recognized information security standard. According to the standard, here are some guidelines for passwords:

* They should be at least six characters long.
* They should be free of consecutive identical characters.
* Don't use all numbers or all letters.
* Avoid reusing or recycling old passwords.
* Require that passwords be changed at regular intervals.
* Force users to change temporary passwords at the next log-on.
* Maintain a record of previous user passwords and prevent their reuse.
* Change all vendor default passwords.
* Eliminate or lock shared-user accounts.

Warning: Don't use any of the password examples that appear in this article!

A note about password length: Some information security (infosec) professionals will bristle at ISO17799's recommendation for a mere six characters in a password. Some have told me that six characters are insufficient, based on the time it takes to crack a password. My response is this: typically, hackers don't care about the length of passwords when choosing to crack open a computer account. Organizations are rife with guest accounts, group accounts, accounts with no passwords, a lack of password expirations, passwords that can be easily guessed and opportunities to exploit technical weaknesses or perform social engineering. With all of these easy opportunities, computer accounts with good six-character passwords are only a trifle weaker than those with eight-character passwords. My point is that infosec professionals need to focus more on compliance with good user-account hygiene than on the length of passwords.
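As an added example (not from the article, Computerworld or the ISO standard), here is a small policy checker that applies the ISO17799 guidelines listed above to a candidate password and the user's password history, and also flags the predictable month-to-month rotation (eyesJan01, eyesFeb02, ...) the tips warn against. The month-stripping heuristic in stem() and the vendor-default list are my own assumptions.

```python
import re

MONTHS = ("jan", "feb", "mar", "apr", "may", "jun",
          "jul", "aug", "sep", "oct", "nov", "dec")

# Constructed sample of vendor defaults an organization might refuse;
# a real deployment would load its own list.
VENDOR_DEFAULTS = {"password", "admin", "changeme", "default"}


def stem(password):
    """Reduce a password to the part that survives a predictable rotation:
    lower-case it and strip month abbreviations and digits, so eyesJan01,
    eyesFeb02 and eyesMar03 all collapse to the stem 'eyes'. This is a
    heuristic: an unrelated word such as 'marble' also loses its 'mar'."""
    s = password.lower()
    s = re.sub("|".join(MONTHS), "", s)
    return re.sub(r"\d", "", s)


def check_password(candidate, history):
    """Return the list of guideline violations for candidate, given the
    user's previous passwords in history. An empty list means it passes."""
    problems = []
    if len(candidate) < 6:
        problems.append("shorter than six characters")
    # zip(s, s[1:]) pairs each character with the one that follows it
    if any(a == b for a, b in zip(candidate, candidate[1:])):
        problems.append("contains consecutive identical characters")
    if candidate.isdigit():
        problems.append("all numbers")
    if candidate.isalpha():
        problems.append("all letters")
    if candidate.lower() in VENDOR_DEFAULTS:
        problems.append("is a vendor default password")
    if candidate in history:
        problems.append("reuses a previous password")
    elif stem(candidate) in {stem(old) for old in history}:
        problems.append("predictable variation of a previous password")
    return problems


if __name__ == "__main__":
    for pw, old in [("eyesMar03", ["eyesJan01", "eyesFeb02"]),
                    ("1c3cr34m", []), ("deepblue", [])]:
        print(pw, check_password(pw, old) or "ok")
```

Run against the article's own examples, hUrry66 and roCky fail the consecutive-identical-characters guideline (rr, 66), so a mnemonic scheme and the policy it must satisfy need to be chosen together.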
Retrieved from Techworld Infrastructure and network Knowledge Centre http://www.techworld.com/features/index.cfm?fuseaction=displayfeature&featureid=110&CFID=6344064&CFTOKEN=78332711 on