|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| For those of you that would like
to understand some of the reason behind our push to increase the
complexity of the passwords, I?l try and explain briefly.
Passwords or access codes are a way of life in this day and age, but so to are the threats that come with the technology that requires us to use these access codes.? Code breakers have grown in sophistication over the years and much of their development coincides with technologies increase in computing power.? There are programs that have whole dictionaries behind them, which have changed as to include variations on word spelling (i.e. $ could replace dollar or S) and in many cases there are new more advanced methods being developed in how to crack encryption by brute force or by strategy.? Take for example some work done by the National Labor Relation Board on Password Cracking [1] .? Using a program (likely) found on the internet they cracked the word ?xchange in under a one second, yet by adding special characters and simples (some of which are memorable) they were able to increase the crack time to over 2100 hours. In addition to special characters misspelling is still very useful because it increase the number of possibilities exponentially, although with time, computing power, and new strategies, it is likely that spelling will not be an issue.? Most of this proves unnecessary for all but high-grade password cracking.? Passwords are most often based on what is personal (and therefore memorable) so research is often the key to understanding what possibilities are likely to be used in a password.? (Pets, phone numbers, family member names, etc.)? Effectively this means that anyone who wants to get into a network, account, computer, etc. can if they have the will, software, and the talent.? What does this mean for us?? We could play the game of completely randomizing all passwords in hopes to thwart all malevolent hackers.? Or even we could use some of the new technology that would use fingerprints to log into a computer.? Undoubtedly this would be somewhat effective if we had reason to be so suspicious.? The reality is that our largest threat is from the inside and not out.? Employees who have authorized logical and physical access of the systems can due huge damage intentionally or unintentionally.? This means that we need to keep employees happy and well trained to prevent both possibilities.? One might ask why we wouldn? want to use a fully randomized password creator anyway given even the possibility of such threats.? Based on experience, it? not worth trying to have people remember passwords that mean nothing to them.? IT staffs have devoted partial help desks staffs to this procedure and it? frankly not worth the money right now.? Hiring someone reset the passwords on accounts may be simple, but the time is what is not cost effective.? At this point, until passwords are rendered unneeded by whatever method (social or technological), passwords and codes should be a balance between memory and confusion. Guidelines: ??????????? Aim for: -Try making it based on a phrase you?l remember. -Be six (6) or more characters long. -Try to include at least one non-alphanumeric character. Listed in Non-Alphanumerics. -Try use a password that you can type quickly, without having to look at the keyboard. ??????????? Things to refrain from: -Avoid including a proper name or any variation thereof, a full word from a dictionary of any language, a song title, etc. -Avoid relating to personal data in any way, e.g., your name, your street name, current or previous significant other's name, previous or current dogs name, SSN, etc. -Avoid uses any sequences or short repetitive phrases(for example, 'asdfgh', or '8dx8dx). -Avoid using dates only or all numbers. -Avoid replacing letters with similar-looking numbers or characters. For instance, capta1n k1rk mr$p0ck are not secure passwords. Some programs used to crack passwords know this trick and include it in their cracking algorithms. While this may seem safe, it is best to only use numbers where they do not logically fit. -Avoid words or names spelled backwards -Avoid passwords that could be found in any English or foreign language dictionaries, or easily guessed (such as "lombard"). -Avoid containing your user id within a password. -Avoid sharing.? We all do this, so if you do, change the password as soon as possible. Strategies: Mneumonics can be a powerful tool for the creation of strong, yet memorable passwords. Mneumonics is a big word for a fairly simple concept. You chose a password based on a clue you are not likely to forget, such as a phrase from a book or song, but is not directly associated with you(such as a license plate number): -Create an acronym from the letters of the words in a phrase, song lyric, or quotation that is memorable to you. For example, "To be or not to be?" could be: "2BRnot2B?" -Make up an acronym based on a nursery rhyme, a favorite song or movie, or a catchy sentence. For example: "Just Not My Day" could be "~!MyDay" -Interleave two words or a word and a number sequence that is meaningful to you. For example, your favorite fruit and a memorable year.? For Example "kiwi" and "1987" could be "k1i9w8i7" ...or... "ki19wi87" ...or... "ki1987wi"? -Deliberately misspell words. Substitute symbols, numbers, and phonetic replacements throughout.? For example: "Mississippi" could be "Mrs.Ippi" -Make up nonsense words that mean something to you by combining the first syllables of two words. However, avoid using standard abbreviations like "jan, feb, mar, etc." as part of your password.? For Example "Sale at Foleys" could be sal@fol -Don't forget spaces.? (Windows DOES allows this!!! Not all programs & websites do though) Whole real sentences are allowed in some programs if you desired (with some non-alphanumeric hopefully). A note from experience: in changing any password, the first 15-30 times you enter it may be hard to remember.? After that you should develop a muscle memory in timing and strokes so it will be come nearly a question of habit.? All of this is assuming that you use this password everyday.? Passwords used infrequently are better to be done by associate given that you will not be probably not develop such a muscle memory.? So again, memorable but not personal is the best balance in security and memory. What to use (Non-Alphanumerics): { } [ ] , . < > ; : ' " ? / | \ ` ~ ! @ # $ % ^ & * ( ) _ - + = Basics ~???????? about / just !???????? not / don't @???????? at #???????? number / count $???????? money %???????? percent ^???????? Conjunction (and) &???????? and *???????? multiplication / * wildcard _???????? underscore +???????? plus <???????? Less then / Left >???????? More then? / Right <>??????? Excluding this ????????? Question / single character wildcard =???????? equal / for / then / is / (definitive) -???????? minus, [???????? open set ]???????? close set ||??????? or (???????? open parenthesis )???????? close parenthesis /\??????? up / above / north 4???????? for ?????????????????? _ Character \ $???????? s???????? ? \ 8???????? A???????? ?? \ Avoid these by themselves. ][??????? I???????? ?? / Include these with other combinations. |-|?????? H???????? ? /? (Password crackers try replacing characters with these possibilities) 3???????? e???????? _/? Common shortcuts w/??????? with w/o?????? without btw?????? by the way k???????? okay Some Chat Room antics a.k.a. Emoticons? (Great Alphanumerics) :)??????? Happy ^_^?????? Happy ~_^?????? Wink :[ ?????? Bored, sad : | ????? Bored, sad :( ) ???? Loudmouth, talks all the time; or shouting :* ?????? Kiss :-) ????? Classic smiley :-? ????? Licking lips, or tongue in cheek :-O ????? Open-mouthed, surprised :-s ????? What?! :-t ????? Unsmiley :-[ ????? Unsmiling blockhead; also criticism :C ?????? Astonished :~) ????? A cold ; ) ????? Wink (::()::) Band-Aid, meaning comfort ^5 ?????? High five *<:-) ??? Santa Claus +:-) ???? Priest +O:-) ??? The Pope @}-}-- ?? A rose <:-( ???? Dunce #:-o ???? Shocked >:-< ???? Angry >:-< ???? Mad >:-(????? Annoyed >=^ P ??? Yuck O+ ?????? Female O-> ????? Male \_/ ????? Empty glass \~/ ????? Full glass ~~~~8} ?? Snake (_\_)(_|_)(_/_)??? dancing ass off <o> <o>?? staring Some Chat Room abbreviations (recommend to be used in combo with something) afasik as far as I know asap?? as soon as possible atw??? at the weekend awhfy? are we having fun yet? awol?? absent without leave b4???? before bbfn?? bye bye for now bcnu?? be see?n you brb??? be right back btw??? by the way cm???? call me cu???? see you cul8ter?????? see you later dk???? don? know dur? do you remember e2eg?? ear to ear grin eod??? end of discussion F????? Friends? F2F??? Face to Face fya??? for your amusement fyi??? for your information <g>??? grin gr8??? great gsoh?? good sense of humour h2cus? hope to see you soon hak??? hug and kisses ic???? I see idk??? I don? know idts?? I don? think so! iow??? in other words j4f??? just for fun kc???? keep cool khuf?? know how you feel l8r??? later m8???? mate mtfbwu may the force be with you nc???? no comment nwo??? no way out o4u??? only for you O!ic?? Oh, I see! rofl?? rolling on the floor laughing rotflmao????? Rolling on the floor laughing my ass off ruok?? are you okay? sc???? stay cool sol??? sooner or later t+???? think positive t2ul?? talk to you later tafn?? that? all for now tuvm?? thank you very much w4u??? waiting for you! wuwh?? wish you were here X!???? Typical woman! Y!????
Typical man! Some other ideas for deriving a good password from a sentence that means something to you.? Remember memorable is good, personal is bad. HsE<yt? ????? "Has he left yet?" RNYDY$??????? "Rainy day Fund" !ASITS9!????? "!A stitch in time saves nine!" fSa7yA??????? "Four score and seven years ago" 2BRnot2B????? "To Be or Not To Be" ??????????? Examples of good and bad passwords based on hello: hello???????? bad, a dictionary word in multiple languages. h3ll4???????? bad, because the vowels of the dictionary word "hello" have been REPLACED by the digits 3 and 4. he22o???????? bad, because two characters in the dictionary word "hello" have been REPLACED by the digit 2. he3ll9o ????? good, because digits/special characters have been EMBEDDED between the characters of a dictionary word, but have not replaced them. he_ll/o ????? good, because digits/special characters have been EMBEDDED between the characters of a dictionary word, but have not replaced them. 7he3ll9o ???? better, because a leading digit has been added to a good password. 7he_ll/o????? better, because a leading digit has been added to a good password. #yorh3ll0$??? best, because your password has multiple alphanumeric, your is not spelled right, and it's a phrase you can remember (i.e. count your hellos) !<>nh8llo$??? best, because your password has multiple alphanumeric, in isn't complete and anyone is implied, and it's a phrase you can remember (i.e. don't exclude [anyone] in hello) Bad Password followed by Good Password student1 ???? bad, Just a lowercase word with a number; very easy to crack. Stu&1Dnt ???? good, Misspell and split the word; also add some capital letters and punctuation. indy500 ????? bad, Just a lowercase word with a number, plus it's a common phrase. iNDy5Hn't{ ?? good, Change capitalization, remove the double zero, and add a brace. dog3cat ????? bad, Still just words with a number do3gc3at ???? good, The same words and the same number so you can remember it, but chopped up so that it's hard to guess. abc123 ????????????? bad, A standard pattern, easily guessed by the computer's cracking dictionaries. a1bB2$c3 ???? good, Double up the b's, add a capital letter and a dollar sign. ats1029 ????? bad, Initials plus birth date. Easily researched - not too secure. 1a0T2s9 ????? good, One capital letter, plus mixing the numbers and letters. Much, much tougher to crack. Teacher2 ???? bad, An example from a second-grade teacher to be. ItchK-5Grd ?? good, A sentence, "I teach K through 5th grade." 14France ???? bad, The 14 is from Bastille Day, 14 July. VvlaFr14 ???? good, Based on a sentence, "Vive la France," with the same 14. Remembering your passwords: We won't say don't write them down.? We will say don't use a pencil!!! Here are some programs that you can use that will store your passwords.? These are free, and encrypted.? You WILL have to remember a master password.? These programs are local to a single computer, but the files containing your passwords can be backed-up.? (Don't print them out, it's just like using a pencil) Both of these use a blowfish encryption method ??????????? Techie data:????? Block cipher: 64-bit block; Variable key length: 32 bits to 448 bits; Much faster than DES and IDEA; http://www.counterpane.com/blowfish.html *Access Manager Advantage - Simple, idiot proof icons Disadvantage - Database isn't easily maintained (backed-up & switched) Website - http://www.citi-software.co.uk/am/index.htm *Password Safe Advantage - Has an option to backup your database. Disadvantage - Isn't as clean as Access Manager and doesn't contain filtering features for many passwords. Website - http://www.counterpane.com/passsafe.html Password Cracking Test Results Test Setup Server: Compaq P5500 with Two Zeon 400Mhz CPU Crack SW: L0pht Cracker Default Setup: Dictionary/Brute Hybrid Enabled 2 Characters Test Results Matrix
*-The estimated time displayed after 2 characters found Editor: Richard S. Jeong
|