Passwords are a common form of authentication and are often the only barrier
between a user and their personal information. There are several programs
attackers can use to help guess or "crack" passwords, but by choosing good
passwords and keeping them confidential, you can make it more difficult for an
unauthorized person to access your information.
Why do you need a password?
Think about the number of personal identification numbers (PINs), passwords,
or passphrases you use every day: getting money from the ATM or using your debit
card in a store, logging on to your computer or email, signing in to an online
bank account or shopping cart...the list seems to just keep getting longer.
Keeping track of all of the number, letter, and word combinations may be
frustrating at times, and maybe you've wondered if all of the fuss is worth it.
After all, what attacker cares about your personal email account, right? Or why
would someone bother with your practically empty bank account when there are
others with much more money? Often, an attack is not specifically about your
account but about using the access to your information to launch a larger
attack.
One of the best ways to protect information or physical property is to ensure
that only authorized people have access to it. Verifying that someone is the
person they claim to be is the next step, and this authentication process is
even more important, and more difficult, in the cyber world.
Passwords are the most common means of authentication, but if you don't
choose good passwords or keep them confidential, they're almost as ineffective
as not having any password at all. Many systems and services have been
successfully broken into due to the use of insecure and inadequate
passwords,
and some viruses and worms have exploited systems by guessing weak
passwords.
How do you choose a good password?
Most people use passwords that are based on personal information and are easy
to remember. However, that also makes it easier for an attacker to guess or
"crack" them. Consider a four-digit PIN. Is yours a combination of the
month, day, or year of your birthday? Or your address or phone number? Think
about how easy it is to find out this kind of information about somebody. What
about your email password: is it a word that can be found in the dictionary? If
so, it may be susceptible to "dictionary" attacks, which attempt to guess
passwords based on words in the dictionary (and common variations of them).
Although intentionally misspelling a word ("daytt" instead of "date") may
offer some protection against dictionary attacks, an even better method is to
rely on a series of words and use memory techniques, or mnemonics, to help you
remember how to decode it. For example, instead of the password "hoops," use
"IlTpbb" for "I like To play basketball." Using both lowercase and capital
letters enlarges the set of characters an attacker has to try. Your best
defense, though, is to use a combination of numbers, special characters, and
both lowercase and capital letters. Change the same example we used above to
"Il!2pBb." and see how much harder it has become to guess just by adding
numbers and special characters.
Longer passwords are more secure than shorter ones because the number of
possible combinations grows with every character added, so consider using
passphrases when you can. For example, "This passwd is 4 my email!" would be a
strong password because it has many characters and includes lowercase and
capital letters, numbers, and special characters. You may need to try different
variations of a passphrase: many applications limit the length of passwords,
and some do not accept spaces. Avoid common phrases, famous quotations, and
song lyrics; attackers guess whole words and phrases, not just single characters.
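The following is an added example, not part of the US-CERT tip, that makes the two points above concrete: a dictionary attack (with a handful of the mangling rules cracking tools apply to each word) against the sample passwords from this tip, and a rough estimate of the brute-force search space each one forces on an attacker. The wordlist, the rule set and the hashing scheme are constructed for the demonstration; the unsalted SHA-256 stands in for whatever hash an attacker has obtained and is not a recommendation for storing passwords.

```python
"""Dictionary attack with simple mangling rules, and a length-vs-charset estimate.

Added example for the US-CERT tip on choosing passwords; the wordlist, rules
and hash are constructed for illustration only.
"""
import hashlib
import math
import string
from typing import Iterable, Iterator, Optional

# Constructed stand-in for an attacker's wordlist (real lists hold millions of entries).
WORDLIST = ["password", "letmein", "date", "hoops", "basketball", "email"]


def sha256_hex(password: str) -> str:
    """Unsalted fast hash used only so the attack has something to compare against."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def mangle(word: str) -> Iterator[str]:
    """Yield a few common variations of a dictionary word (a tiny rule set)."""
    leet = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "$"})
    yield word
    yield word.capitalize()
    yield word.upper()
    yield word + "1"
    yield word + "!"
    yield word[::-1]              # reversed
    yield word.translate(leet)    # "date" -> "d4t3"


def dictionary_attack(target_hash: str, wordlist: Iterable[str],
                      use_rules: bool = True) -> Optional[str]:
    """Return the guess whose hash matches target_hash, or None if the list is exhausted."""
    for word in wordlist:
        candidates = mangle(word) if use_rules else [word]
        for candidate in candidates:
            if sha256_hex(candidate) == target_hash:
                return candidate
    return None


def search_space_bits(password: str) -> float:
    """Estimate the brute-force search space (in bits) from length and character classes.

    This is an upper bound: a passphrase built from common words is far easier to
    guess word-by-word than this per-character estimate suggests, which is why the
    tip says to avoid well-known phrases and lyrics.
    """
    charset = 0
    if any(c.islower() for c in password):
        charset += 26
    if any(c.isupper() for c in password):
        charset += 26
    if any(c.isdigit() for c in password):
        charset += 10
    if any(c in string.punctuation for c in password):
        charset += len(string.punctuation)   # 32 printable ASCII symbols
    if " " in password:
        charset += 1
    return len(password) * math.log2(charset)


def demo() -> dict:
    """Run the attack against the tip's sample passwords and report what cracks."""
    samples = ["hoops", "d4t3", "daytt", "IlTpbb", "Il!2pBb.", "This passwd is 4 my email!"]
    return {
        pw: {
            "cracked_as": dictionary_attack(sha256_hex(pw), WORDLIST),
            "bits": round(search_space_bits(pw), 1),
        }
        for pw in samples
    }


if __name__ == "__main__":
    for pw, result in demo().items():
        status = f"cracked as {result['cracked_as']!r}" if result["cracked_as"] else "survived"
        print(f"{pw!r:32} {status:24} ~{result['bits']} bits")
```

Running the script shows "hoops" and the leet-speak "d4t3" falling to the wordlist plus rules, while the misspelling "daytt" and the mnemonic "IlTpbb" survive because they are not derived from a listed word by any rule the attacker applied. The bit estimates (about 23 for "hoops", 34 for "IlTpbb", 52 for "Il!2pBb." and 170 for the 26-character passphrase) show that adding length does more than adding symbol classes; the caveat in the docstring is the reason the tip still warns against quotations and lyrics.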
Don't assume that now that you've developed a strong password you should use
it for every system or program you log into. If an attacker does guess it, they
would have access to all of your accounts. You should use these techniques to
develop unique passwords for each of your accounts.
Here is a review of tactics to use when choosing a password:
- Don't use passwords that are based on personal information that can be
easily accessed or guessed.
- Don't use words that can be found in any dictionary of any language.
- Develop a mnemonic for remembering complex passwords.
- Use both lowercase and capital letters.
- Use a combination of letters, numbers, and special characters.
- Use passphrases when you can.
- Use different passwords on different systems.
How can you protect your password?
Now that you've chosen a password that's difficult to guess, you have to make
sure not to leave it someplace for people to find. Writing it down and leaving
it in your desk, next to your computer, or, worse, taped to your computer, is
just making it easy for someone who has physical access to your office. Don't
tell anyone your passwords, and watch for attackers trying to trick you through
phone calls or email messages requesting that you reveal your passwords.
Many programs offer the option of "remembering" your password, but these
programs have varying degrees of security protecting that information. Some
programs, such as email clients, store the information in clear text in a file
on your computer. This means that anyone with access to your computer can
discover all of your passwords and can gain access to your information. For this
reason, always remember to log out when you are using a public computer (at the
library, an internet cafe, or even a shared computer at your office). Other
programs, such as Apple's Keychain and Palm's Secure Desktop, use strong
encryption to protect the information. These types of programs may be viable
options for managing your passwords if you find you have too many to
remember.
There's no guarantee that these techniques will prevent an attacker from
learning your password, but they will make it more difficult.
Provided by: US-CERT http://www.us-cert.gov/
Authors: Mindi McDowell, Jason Rafail, Shawn
Hernan