Guide to Good Passwords



Your password is the key to your computer - this makes it much sought-after as a means of getting into your system.

A poorly chosen password may give a hacker access not only to your computer, but also to the entire network to which your computer is connected.

Treat your password like the key to your home. Would you leave your home or office unlocked in an area of high crime?

Too many passwords are easily guessed, especially if the intruder knows something about their target's background. It's not unusual, for example, for office workers to use the words "password", "superuser", "boss" or "admin" to enter their office networks.

Other commonly used passwords are the computer user's first, last or child's name, names of pets, dates of birth, postcodes, names of sports teams or players, words such as "god", "love", "lust", "money", "private", "qwerty", "secret", "sex", "snoopy" and "password", repeated characters such as "AAAAAA" or "bbbbbb", or number sequences such as "12345" or "5768".

For a list of Common and Bad Passwords to avoid, visit here.

Your computer password is the foundation of your computer security, and it needs to stand up against the tools that hackers have for cracking it. There are 308 million possible letter combinations for a six-letter password using all upper case or all lower case letters. A readily available password cracker can check all of them in only 2 minutes 40 seconds.

Better Passwords

Here are some simple guidelines for choosing better passwords.

  • It should contain at least eight characters – though as a general rule the longer the password, the better. Always check the maximum length allowed by the site in question.
  • It should contain a mix of different types of characters - upper case letters, lower case letters, numbers, and if allowed, special characters such as !@#$%^&*,;". If there is only one number or special character, it should not be either the first or last character in the password.
  • It should not be a name, a slang word, or any word in the dictionary. It should not include any part of your name or your e-mail address.
  • Always use different passwords for different websites, especially message/bulletin boards, as they are frequently hacked and therefore insecure.
  • You should be able to type it quickly, so that someone looking over your shoulder cannot readily see what you have typed.
  • It should be changed at least every 90 days to keep undetected intruders from continuing to use it.

Almost all computer operating system software programs on the market today that store passwords in encrypted format store the last character in the clear. All password-cracking programs know this, so that means one less character for them to crack. This is one of several reasons why numbers and special characters should be toward the middle of your password, not at the beginning or end.
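The guidelines above can be applied mechanically when a password is chosen or when an administrator audits a set of accounts. The following checker is an added example written for this page, not a tool from DOT-COMmunications; the short list of common words and the name/e-mail sample inputs are constructed for the demonstration, and a real deployment would load a full dictionary and common-password list instead.

```python
import re

# Constructed stand-in for a dictionary / common-password list (see the
# examples given earlier on this page); a real check would load a full list.
COMMON_WORDS = {"password", "superuser", "boss", "admin", "god", "love", "lust",
                "money", "private", "qwerty", "secret", "sex", "snoopy"}

# The special characters the guideline lists
SPECIALS = set('!@#$%^&*,;"')


def check_password(pw, name="", email=""):
    """Return a list of guideline violations; an empty list means the password passes."""
    problems = []

    if len(pw) < 8:
        problems.append("shorter than 8 characters")

    classes = {
        "upper": any(c.isupper() for c in pw),
        "lower": any(c.islower() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "special": any(c in SPECIALS for c in pw),
    }
    if sum(classes.values()) < 3:
        problems.append("fewer than three character classes")

    # A lone digit or lone special character must not sit at either end,
    # where the page says cracking tools look first.
    for label, pred in (("digit", str.isdigit), ("special", lambda c: c in SPECIALS)):
        positions = [i for i, c in enumerate(pw) if pred(c)]
        if len(positions) == 1 and positions[0] in (0, len(pw) - 1):
            problems.append(f"only {label} is at the start or end")

    lowered = pw.lower()
    if lowered in COMMON_WORDS:
        problems.append("is a dictionary/common word")
    if len(set(lowered)) == 1:
        problems.append("repeats one character")
    if lowered.isdigit() and lowered in "01234567890":
        problems.append("is a simple number sequence")

    # Reject any 3+ character fragment of the user's name or e-mail local part
    personal = re.split(r"[^a-z0-9]+", (name + " " + email.split("@")[0]).lower())
    for token in personal:
        if len(token) >= 3 and token in lowered:
            problems.append(f"contains part of your name or e-mail ({token})")
            break

    return problems


if __name__ == "__main__":
    # Constructed sample inputs
    for candidate in ("password", "AAAAAA", "Summer2024!", "Tr!3bXq9mLp"):
        print(candidate, "->", check_password(candidate, name="John Smith",
                                              email="john.smith@example.com") or "OK")
```

The position rule is enforced only when a class occurs exactly once; with two or more digits (or specials) spread through the password, one of them at an end is not a weakness by the page's reasoning.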

For a guide to manually choosing a better password,  visit here.

Be Aware


The password used for logging on to your office computer should be different from the password you use to log in to a web site on the Internet. The password used to log in to a web site is far more exposed to potential compromise. Any time you log in over an external network, your password is vulnerable to being stolen unless it is encrypted. Using a separate and unique password for your office computer helps protect the security of the office network.

Once you have selected an effective password, protect it. Resist the temptation to write your password down. If you do, keep it with you until you remember it, then shred it, or if you can't remember it, keep it somewhere safe (but away from your PC). NEVER leave a password taped onto a terminal or written on a whiteboard. You wouldn't write your PIN code on your automated teller machine (ATM) card, would you? You should have different passwords for different accounts, but not so many passwords that you can't remember them. Do not allow anyone to observe your password as you enter it during the logon process.

Do not disclose your password to anyone, not even to your systems administrator or maintenance technician. They have no need to know it. They have their own password with system privileges that will allow them to work on your account without the need for you to reveal your password. If a system administrator or maintenance technician you don't know asks you for your password, be suspicious for reasons discussed under "Social Engineering".

Use a password-locked screensaver to make certain no one can perform any activity under your User ID while you are away from your desk. These can be set up so that they activate after the computer has been idle for a while. Strange as it may seem, someone coming around to erase or sabotage your work is not uncommon. Or imagine the trouble you could have if nasty e-mail messages were sent to your boss or anyone else from your computer, or your account were used to transfer illegal pornography.

How Secure is my Password?

The following is the maximum number of possible combinations a computer might have to guess in order to break your password, and how long it would take your computer to check all these possible combinations.

As noted above, a six-letter password using all upper case letters or all lower case letters has 308 million possible letter combinations. This is easily broken within a couple of minutes by automated password cracking programs that hackers can download from the Internet.

With some combination of both upper and lower case letters, a six-letter password has 19 billion possible combinations. If you increase the password to eight letters and use both upper and lower case letters, there are 53 trillion possible combinations. Substitute a number for one of the letters, and there are 218 trillion possible combinations.

Substitute one of the special characters for another one of the letters, and you have the recommended type of password -- at least eight characters, including at least one upper case letter, lower case letter, number, and special character or punctuation. This has 6,095 trillion possible combinations -- still theoretically crackable, but requiring a more sophisticated program, a far more powerful computer, and far more time.
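Every figure in this section comes from one formula: the number of combinations is the character-set size raised to the password length, and the time to try them all is that number divided by the guess rate. The calculator below is an added example, not part of the original page, that reproduces the page's figures (26 letters, 52 with mixed case, 62 with digits, and 94 printable characters excluding space, which is the set that yields the 6,095 trillion figure) and derives the guess rate the page implies from "308 million combinations in 2 minutes 40 seconds". Modern hardware guesses many orders of magnitude faster than that, so treat the absolute times as illustrative and the ratios between rows as the real lesson.

```python
# Character-set sizes behind the page's figures
SINGLE_CASE = 26          # all upper or all lower case
MIXED_CASE = 52           # upper and lower case
MIXED_CASE_DIGITS = 62    # plus 0-9
FULL_PRINTABLE = 94       # printable ASCII without the space character


def keyspace(charset_size, length):
    """Number of distinct passwords of exactly this length over this character set."""
    return charset_size ** length


def exhaustive_time_seconds(charset_size, length, guesses_per_second):
    """Worst-case time to try every combination at a fixed guess rate."""
    return keyspace(charset_size, length) / guesses_per_second


# Guess rate implied by the page: 26^6 combinations checked in 2 min 40 s
PAGE_RATE = keyspace(SINGLE_CASE, 6) / 160   # about 1.93 million guesses per second


def fmt_seconds(seconds):
    """Human-readable duration for a table row."""
    units = (("years", 365 * 24 * 3600), ("days", 24 * 3600),
             ("hours", 3600), ("minutes", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


def table(rate=PAGE_RATE):
    """Rows of (description, combinations, worst-case time) for the page's cases."""
    cases = (
        ("6 letters, single case", SINGLE_CASE, 6),
        ("6 letters, mixed case", MIXED_CASE, 6),
        ("8 letters, mixed case", MIXED_CASE, 8),
        ("8 chars, mixed case + digit", MIXED_CASE_DIGITS, 8),
        ("8 chars, mixed case + digit + special", FULL_PRINTABLE, 8),
    )
    return [(desc, keyspace(n, k), fmt_seconds(exhaustive_time_seconds(n, k, rate)))
            for desc, n, k in cases]


if __name__ == "__main__":
    for desc, combos, when in table():
        print(f"{desc:40s} {combos:>22,d}  {when}")
```

Running it shows the 94-character, eight-position case taking roughly a century at the page's rate; raising the length by one character multiplies every row by the character-set size, which is why the page says longer is better.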

Social Engineering

"Social engineering" is hacker-speak for tricking legitimate computer users into providing useful information that helps the hacker gain unauthorised access to their computer system.

The hacker using this method usually poses as a legitimate person in the organisation (maintenance technician, inexperienced computer user, VIP, etc.) and employs a plausible cover story to trick computer users into giving useful information. This is usually done by telephone, but it may also be done by forged e-mail messages or even in-person visits.

Most people have an incorrect impression of computer break-ins. They think they are purely technical, the result of technical flaws in computer systems which the intruders are able to exploit. The truth is, however, that social engineering often plays a big part in helping an attacker slip through security barriers. Lack of security awareness or gullibility of computer users often provides an easy stepping-stone into the protected system if the attacker has no authorised access to the system at all.

Help in Selecting a More Secure Password

DOT-COMmunications recommends this program to help select a suitable password - visit here.

Suggested Options to Tick

  • Include Letters
  • Include Mixed Case
  • Include Numbers
  • No similar characters
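The generator below is an added example, not the program the page recommends, showing how those four options translate into code: a cryptographically secure random source (Python's secrets module, not random), one pool per ticked option, a constructed set of look-alike characters dropped when "No similar characters" is on, and a resampling loop that guarantees every enabled pool is represented.

```python
import secrets
import string

# Constructed set of characters that are easy to confuse when read or typed
SIMILAR = set("Il1O0|")


def generate_password(length=12, mixed_case=True, numbers=True, no_similar=True):
    """Generate a random password honouring the four options from the page."""
    if length < 8:
        raise ValueError("use at least eight characters")

    # "Include Letters" is always on; the other options add pools
    pools = [string.ascii_lowercase]
    if mixed_case:
        pools.append(string.ascii_uppercase)
    if numbers:
        pools.append(string.digits)
    if no_similar:
        pools = ["".join(c for c in p if c not in SIMILAR) for p in pools]

    alphabet = "".join(pools)
    while True:
        # secrets.choice draws from the OS CSPRNG; random.choice would be predictable
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        # Resample until every enabled pool contributes at least one character
        if all(any(c in pool for c in pw) for pool in pools):
            return pw


if __name__ == "__main__":
    for _ in range(3):
        print(generate_password(12))
```

The resampling loop keeps every output uniformly distributed over the passwords that satisfy the constraint; forcing one character from each pool into fixed positions would be simpler but would make some outputs more likely than others.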

Remember

Do not attempt to circumvent or defeat security or auditing systems without prior authorisation from the system administrator, other than as part of authorised system testing or security research.

  • Never use another individual's user ID, password, or identity.
  • Do not permit any unauthorised individual (including spouse, relative or friend) access to any sensitive computer network.
  • Do not reveal your password to anyone - not even your computer system administrator.
  • Do not respond to any telephone call from anyone whom you do not personally know who asks questions about your computer, how you use your computer, or about your user ID or password.

If you receive any classified material by e-mail or become aware of classified material on an open bulletin board or web site, you should report it to your manager immediately.



Helpful Advice from those Friendly People at DOT-COMmunICaTions