Password Advice
Use of a good password is your first security defence. You should always use a password on any computer that others can access, so that no one can access your private information, use your account and impersonate you on the Internet, delete your files by mistake, etc. You should change your password regularly, where regularly is determined by your environment -- perhaps every 60 days in an office environment and every six months on a secure home computer. From least to most secure, there are three types of passwords:
- What you have. Examples include keys and pass cards. The risk
is that they can be lost or stolen.
- What you know. Examples include computer account passwords
and building entry passwords, information that passes from your brain through
your hand to the security system. The risks are that they can be copied if
you are observed entering them, and unless they are sufficiently unique they
can sometimes be guessed or cracked.
- What you are. Examples include fingerprints, retina patterns,
and other biometric passwords.
These are much more difficult to copy (so far) and are therefore the most
secure passwords.
The most common type of password on the Internet is the password you know, mainly an alphanumeric keyword. For a reasonably secure home computer, password selection might be a less critical issue, but on networks open to the Internet there are many very real threats to administrator, network, and application passwords.
Many ingenious programs have been written to crack passwords at high volume, some by hackers and some as legitimate security testing tools, and they are of course loose on the Internet. Many of these programs use a variety of dictionary-based attacks to combine common words and word variations to try thousands of passwords as fast as the targeted system will permit. Some start by guessing a whole bunch of common passwords.
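The high-volume guessing described above leaves a characteristic trace in authentication logs: many failures from one source in a short time, often spread across many usernames when the program starts from a list of common passwords. The following is an added example, not part of the original article, of detection logic that scans a constructed sample of log lines (the line format and the addresses are assumptions made for this example) and reports sources whose failure rate inside any 60-second window reaches a threshold:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from any real system). Format is an assumed
# generic "<ISO timestamp> <LEVEL> <message>" layout; addresses are from the
# documentation ranges. One source guesses six accounts in five seconds, the
# other is a user who mistypes twice.
SAMPLE_LOG = """\
2024-03-01T10:00:01 WARN auth failed for user alice from 203.0.113.7
2024-03-01T10:00:02 WARN auth failed for user bob from 203.0.113.7
2024-03-01T10:00:02 WARN auth failed for user carol from 203.0.113.7
2024-03-01T10:00:03 WARN auth failed for user dave from 203.0.113.7
2024-03-01T10:00:04 WARN auth failed for user erin from 203.0.113.7
2024-03-01T10:00:05 WARN auth failed for user frank from 203.0.113.7
2024-03-01T10:00:09 INFO auth ok for user alice from 198.51.100.4
2024-03-01T10:00:40 WARN auth failed for user alice from 198.51.100.4
2024-03-01T10:00:55 WARN auth failed for user alice from 198.51.100.4
"""

# Only failed-login lines are of interest; everything else is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) WARN auth failed for user (?P<user>\S+) from (?P<src>[\d.]+)$"
)


def parse_failures(log_text):
    """Yield (timestamp, user, source) for every failed-login line, in log order."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["src"]


def find_guessing_sources(log_text, window=timedelta(seconds=60), threshold=5):
    """Return {source: (peak_failures_in_window, distinct_users_tried)} for every
    source whose failures inside some sliding window reach `threshold`.

    Assumes log lines are in chronological order (true of a normal log file).
    A high distinct-user count from one source is the signature of a program
    trying a short list of common passwords against many accounts.
    """
    recent = defaultdict(deque)   # source -> timestamps of failures still inside the window
    users = defaultdict(set)      # source -> usernames it has tried
    peak = defaultdict(int)       # source -> largest window count seen
    for ts, user, src in parse_failures(log_text):
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        users[src].add(user)
        peak[src] = max(peak[src], len(q))
    return {src: (n, len(users[src])) for src, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for src, (n, u) in find_guessing_sources(SAMPLE_LOG).items():
        print(f"{src}: {n} failures in one window across {u} accounts")
```

Run against the constructed log, the single flagged source is 203.0.113.7 with six failures across six accounts; the user who mistyped twice from 198.51.100.4 stays under the threshold. Raising `threshold` or shortening `window` trades missed slow guessing for fewer false alarms on ordinary typos.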
Other password cracking techniques include low-tech but surprisingly effective methods such as sending an email supposedly from an authorized administrator requesting the password, making a telephone contact supposedly from the authorized company and then requesting the password for authentication, and use of electronic spyware to capture the legitimate entry of a password and send it to the eavesdropper.
As always, the human element is more unpredictable than the technical part.
To provide maximum protection, there are four basic rules for password management
security:
- Pronounceable. The best password is at
least eight letters, and pronounceable so that it is memorable. Your password
should not be a recognizable
word, and should include at least one number, to minimize the chances it
can be found by "dictionary" based attacks. There is a simple trick
to making them up instantly -- pretend you are two years old, combine random
syllables into words, then add a number, such as "banilum4", "somi3can",
and "telupson6".
- Non-clichés. Lots of people use their birthday or spouse's
birthday, the name of someone from their family or friends, the name of a
favorite pet, or some other high profile subject for their password. Avoid
all the obvious choices, since professional hackers try these first.
- Unique. Never use the same password for more than one purpose, and
change important passwords regularly without reusing old ones. Use separate
passwords for your computer login, internet account, email account, and other
functions. If you use the same password for more than one purpose, you run
the risk that if someone knows one of your passwords then they can break
into all of your accounts. (This rule may be relaxed for low threat environments
such as a home office).
- Write it down. Unfortunately, the trade-off for using
good password practices is that you might forget them, so you need to record
them somewhere. If you don't do this, it is a statistical certainty that
sooner or later you will find yourself locked out of a computer or application
at a very inopportune time. The trick is finding a secure location for storage
of this sensitive document. If you have a very secure storage location (locked
filing cabinet, encrypted file on your main computer) then you might store
it there, but make sure it is secure; if that security protection is bypassed,
all of your passwords are lost.
First principles: don't leave it on your desk, don't keep it in your wallet, and don't tape it to the bottom of anything. For non-electronic storage, a common but effective technique is to record your passwords in pencil on a document that is stored with a lot of other documents, or in the margin of a page of a book on a shelf with a lot of other books. That way, even if someone had the time to search for it, it would be difficult to find, and even if found it wouldn't be obvious what it was.
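The first three rules above (pronounceable and at least eight characters with a number, not a recognizable or clichéd word, never reused) can be turned into a check that runs before a password is accepted, and the "two years old" trick into a generator that draws its syllables from a cryptographic random source. The following is an added example written for this page, not code from the original article; the dictionary and common-password lists are tiny constructed placeholders standing in for the real word lists a cracking program would use, and the rule names, the `personal_facts` and `previous` parameters, and the syllable alphabet are assumptions of the example:

```python
import hashlib
import secrets

# Constructed, deliberately tiny stand-ins for a real dictionary and a real
# common-password list (an assumption of this example; a real deployment
# would load full lists).
DICTIONARY_WORDS = {"password", "banana", "welcome", "summer", "dragon", "monkey"}
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

# Syllable alphabet for the generator (assumed; chosen to keep results pronounceable).
CONSONANTS = "bcdfghjklmnprstvwz"
VOWELS = "aeiou"


def _stem(password):
    """The letters of a password, lowercased: 'password1' -> 'password'.
    Dictionary attacks strip the trailing digit, so the check does too."""
    return "".join(ch for ch in password if ch.isalpha()).lower()


def check_password(password, personal_facts=(), previous=()):
    """Return the list of rule names the password violates ([] means acceptable).

    personal_facts: strings such as a pet's name or a birth year that the
                    user should not build a password from (non-cliche rule).
    previous:       SHA-256 hex digests of passwords already used (unique rule).
                    SHA-256 is used here only as a compact record of old
                    passwords for this example.
    """
    problems = []
    if len(password) < 8:
        problems.append("length")       # at least eight characters
    if not any(ch.isdigit() for ch in password):
        problems.append("digit")        # include at least one number
    if _stem(password) in DICTIONARY_WORDS or password.lower() in COMMON_PASSWORDS:
        problems.append("dictionary")   # recognizable word or well-known password
    lowered = password.lower()
    if any(len(f) >= 3 and f.lower() in lowered for f in personal_facts):
        problems.append("cliche")       # birthday, pet name, family name, ...
    if hashlib.sha256(password.encode()).hexdigest() in set(previous):
        problems.append("reuse")        # never reuse an old password
    return problems


def pronounceable_password(syllables=3):
    """Combine random consonant-vowel(-consonant) syllables and append a digit,
    the trick from the text, retrying until the result passes check_password.
    Uses the secrets module so the choice is not predictable."""
    while True:
        parts = []
        for _ in range(syllables):
            syl = secrets.choice(CONSONANTS) + secrets.choice(VOWELS)
            if secrets.randbelow(2):            # about half the syllables get a closing consonant
                syl += secrets.choice(CONSONANTS)
            parts.append(syl)
        candidate = "".join(parts) + str(secrets.randbelow(10))
        if not check_password(candidate):
            return candidate


if __name__ == "__main__":
    for pw in ("banilum4", "password1", "fluffy1982", "abc"):
        print(pw, "->", check_password(pw, personal_facts=("Fluffy", "1982")) or "ok")
    print("generated:", pronounceable_password())
```

The three examples from the text ("banilum4", "somi3can", "telupson6") pass every rule; "password1" fails the dictionary rule because its stem is a recognizable word, and "fluffy1982" fails the non-cliché rule once the pet's name and birth year are supplied as personal facts. The reuse check compares against digests rather than stored passwords so that the history file itself is not a list of usable secrets.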
Resources. The following sites provide more information on passwords: