Posted Friday March 20, 2009 at 8:45 pm by Scott DiNitto
One time I made a login account for someone to use on my system. We'll call her Mary. She needed to log in to my system to do some work, and so I created the user name mary with a temporary password mary123. I asked Mary to change it when she got a moment. That moment never came.
A few weeks later I found a slew of unaccounted-for network activity on my system. My system is directly attached to the internet, firewall fully configured, and this made me very concerned. Digging into the mystery, I discovered a program running that I had not installed or started. It was a network scanner of some sort, and it was trying to log into a list of systems, referencing another list with thousands and thousands of user name/password combinations.
Someone had broken into my system, installed the scanner, and started to attack other systems! I examined the files of this program and found in the user name/password list:
mary / mary123
The scanner was designed to break into other machines, replicate itself, and start all over again. And because I had an easily guessed password assigned to Mary, I was compromised.
The example above demonstrates that even your simple password could be compromised. Yeah, it seems like a big pain in the butt to use fancy strong passwords, but strong passwords don't have to equate to pain. To help avoid the need to pop a Percocet every time you enter a strong password, I have outlined a method to easily create one you can remember.
Password Best Practices: How To Pick A Password
If you ask a security professional the best way to form a password, you're going to get all sorts of different answers. But there are a few standard techniques you can use that I'm sure no expert would disagree with.
To demonstrate this effectively, let's start out by choosing a password. Let's use a typical simple weak password, city. Now, let's review a short list of general guidelines to test the strength of this password:
- Make sure your password is at least 6 characters long
- Make sure your password contains at least 2 non-alphabetical characters, such as 0-9, or two non-alphanumeric characters, such as #, % or &
- Make sure your password contains at least one capital letter
- Make sure your password is not a dictionary-based word
- Make sure your password is not your name followed by 123, e.g. mary123
- Don't use your husband's, wife's, or children's names for that matter
Phrase The Word
One easy way to both lengthen your password and change it from one found in the dictionary is to phrase it. So, for our password city, we can expand it by adding "at night" to it, cityatnight. This now becomes eleven characters instead of four and is also not found in the dictionary. And, it's easy to remember.
Use l33t speak
Another problem with strengthening our password is how to add those non-alphabetic characters and still make it memorable. One way to do this is to use leet, or l33t speak. That is, to use numbers and other characters that are similar to the regular letters. For example:
- A becomes @
- C becomes (
- E becomes 3
- S becomes $
- O becomes 0 (zero)
- I or 1 becomes !
- D becomes |)
- And so on...
crackers. So, for our password cityatnight, we can l33t it by adding some replacement characters, and perhaps a capital in there as well. This produces the following updated password:
(!ty@n!ghT