Have you ever thought about how hard is it to choose a good password or how important it is? Most people believe that choosing a good password is easy. After all, how is somebody going to guess my wife’s maiden name?
In reality, people usually choose poor passwords. In 2004 [Klein 2004], an attempt to crack a large password database revealed over three hundred passwords in the first fifteen minutes! One fifth of all passwords were obtained in the first week and approximately one quarter had been cracked by the end of the search. More than half of the cracked passwords were six characters or fewer, and some accounts didn’t even have a password.
An intruder only needs one password!
Choosing a good password is a tradeoff between something that is difficult to guess versus something that is easy to remember. While @G7x.m^l is probably a good password, nobody will remember it and it is certain to appear as a sticky note attached to a terminal. Conversely, your first name is very easy to remember, but it is also trivial to guess.
Some simple rules of thumb
Some simple guidelines that will help you choose better passwords are:
- A password should be a minimum of eight characters long.
- Try to include some form of punctuation or digit.
- Use mixed case passwords if possible.
- Choose a phrase or a combination of words that make the password easier to remember.
- Do not use a word that can be found in any dictionary (including foreign language dictionaries).
- Do not use a keyboard pattern such as qwertyui or oeuidhtn (look at a Dvorak keyboard).
- Do not repeat any character more than once in a row like zzzzzzzz.
- Do not use all punctuation, all digits or all letters.
- Do not use things that can be easily determined, such as:
  - Phone numbers
  - Car registration
  - Friends’ or relatives’ names
  - Your name or employment details
  - Any date
- Never use your account name as its password.
- Use different passwords for each account.
- Change the password regularly and do not reuse passwords.
- Do not append or prepend a digit or punctuation mark to a word.
- Do not reverse words.
- Do not replace letters with similar-looking digits. For instance, the letter i should not be blindly replaced by the digit 1.
Cracking passwords
The principle behind password cracking is quite simple: take a large word list, encrypt each word in the same way the system does and check whether the result matches the user’s stored password. Word lists that are used frequently include English and other language dictionaries, common names, pet names, television and movie characters, character patterns on keyboards (for example, qwerty) and jargon or slang terms.
To allow for the case that the user has not chosen a word in the word list, an intruder can and usually will apply a large number of simple rules to each word in the list and check whether any of the results encrypt to the user’s password. Typical rules include appending and prepending digits and other punctuation characters to words, reversing words, capitalising words, converting words to all upper or all lower case, substituting letters or digits for other letters and, naturally, many combinations of these. Since computers are fast, applying these rules and encrypting each resulting guess takes little time, so a large number of guesses can be made very quickly.
In addition, a CD-based database has reportedly been produced that contains every word in a large dictionary plus many rule-based permutations of those words, encrypted in every possible manner. This reduces password cracking to a simple (and fast) database lookup.
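The rules of thumb above and the mangling rules an intruder applies are two sides of the same check. This added example (not from the original article) is a small password checker that flags the listed weaknesses and, to catch mangled dictionary words, reverses the common mangling rules (edge digits and punctuation, look-alike substitutions, reversal) before looking the word up. The word list and keyboard rows are constructed stand-ins; a real deployment would load full dictionaries as the article describes.

```python
import re
import string

# Constructed mini word list standing in for a real dictionary; a deployment
# would load large lists (dictionaries, names, slang) as the article describes.
WORD_LIST = {"together", "password", "summer", "secret", "welcome"}
# QWERTY rows plus the Dvorak home row the article mentions.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890", "aoeuidhtns")
# Undo look-alike substitutions (0->o, 1->i, 3->e, 4->a, $->s, @->a).
UNLEET = str.maketrans("0134$@", "oieasa")


def candidate_words(password):
    """Reverse the mangling rules an intruder applies to word lists so that a
    mangled dictionary word is still recognised: strip edge digits and
    punctuation, undo look-alike substitutions, and try the reversed form."""
    base = password.lower()
    stripped = base.strip(string.digits + string.punctuation)
    forms = {base, base.translate(UNLEET), stripped, stripped.translate(UNLEET)}
    forms |= {f[::-1] for f in forms}
    return forms


def check_password(password, account_name=""):
    """Return the rules of thumb the password breaks; an empty list means it
    passes every check this script implements."""
    problems = []
    low = password.lower()
    if len(password) < 8:
        problems.append("shorter than eight characters")
    if not any(c.isdigit() or c in string.punctuation for c in password):
        problems.append("no digit or punctuation")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        problems.append("not mixed case")
    if re.search(r"(.)\1\1", low):
        problems.append("repeats a character more than once in a row")
    if any(low in row or low in row[::-1] for row in KEYBOARD_ROWS):
        problems.append("keyboard pattern")
    if account_name and low == account_name.lower():
        problems.append("same as account name")
    if candidate_words(password) & WORD_LIST:
        problems.append("dictionary word (possibly mangled)")
    return problems


if __name__ == "__main__":
    # The article's own good and bad examples.
    for pw in ("gOt%L0st!", "T0gether", "rsKf0myH", "Aaaaaaaa", "qwertyui"):
        print(pw, "->", check_password(pw) or "ok")
```

Note that T0gether is only caught because the look-alike substitution is undone before the dictionary lookup; a plain string comparison against the word list would pass it.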
Examples of how to construct good passwords
So now that typical bad passwords have been discussed, how is a good password constructed? Try combining two or more words together or taking the first (or second or last) letter of each word in an easily remembered phrase. Then mangle the result by adding capitals, digits and punctuation characters. As an extra measure, control characters can also be introduced.
Some examples of using multiple words with punctuation
Here is a pair of good examples of using multiple words:
• gOt%L0st! – got lost!
• heLP4me$ – help for me (money)
And here is a bad one:
• T0gether – to get her
Some examples of using a phrase
Here are three good examples of using phrases:
• rsKf0myH – Raindrops keep falling on my head.
• wru2rxy? – Who are you to ask why?
• bWiIso3! – Beware the ides of March!
And here is a bad one:
• Aaaaaaaa – Always assert an ambiguous axiom and argue aggressively.
Hope you have found it somehow useful!
So take care when you select passwords next time!
Article Source: http://www.articlesbase.com/security-articles/an-intruder-only-needs-one-password-689092.html
About the Author: When Jennet isn’t writing, she’s playing video games and participating in environmental NGO activities. She is crazy about new technologies and soccer!
As a Newbie, I am always searching online for articles that can help me. Thank you
Seriously, great blogpost. Where is the feed?
upz for this post, keep up your good postings.
great post, very informative. I wonder why the other experts of this sector don’t notice this. You should continue your writing. I’m sure, you have a huge readers’ base already!
Thanks for another wonderful post. Where else could anybody get that kind of info in such an ideal way of writing? I’ve a presentation next week, and I’m on the look for such info.
Hello my friend! I want to say that this article is amazing and nicely written. I would like to see more posts like this .
I really like the fresh perspective you did on the issue. Really was not expecting that when I started off studying. Your concepts had been easy to comprehend that I wondered why I never looked at it before. Glad to know that there’s an individual out there that definitely understands what he’s discussing. Great job
I always enjoy blog hopping and i stumbled upon your blog. It’s great, thanks.
You made some first rate points here.
I like this weblog its a master peace ! Glad I found this on google .