Did You Ever Seriously Think About Your Password?
Written by Starfox
Tuesday, 26 February 2008 02:23

I know, I know, in this time and place passwords are a complicated matter, because a whole lot of sites ask you to register to gain access to some particular functions, and most of the time people tend to choose an easy password that they can remember and to reuse it on as many of the sites they subscribe to as possible.

But passwords are the first security shield for any account you may possess, be it on the web or the login to your computer at work. So if you think that your password is good enough, think again. Maybe it is, maybe it is not. Having been in computers for a number of years, I've seen all kinds of weird stuff when it comes to people choosing their passwords. So I think that a little article about what a good password is, and what it is not, is in order.


The bad passwords

Let's first consider how to create a bad password. It's easy, actually. You could choose:

  • The first name of your wife/husband/girlfriend/boyfriend/mother/father (or yours)
  • or their last names (or yours)
  • or their birth date (or yours)
  • or their preferred color/restaurant/meal/drink/song/star (or yours)
  • or their place of birth (or yours)
  • or their astrological sign (or yours)
  • or the name of their favorite pet (or yours)
  • or their social security number (or yours)
  • or the number on their license plate (or yours)
  • or a random word from a dictionary (that might well be the worst thing to do)
  • or the name of the company you work for
  • or a password with only letters
  • or a password with only figures
  • or a password with less than 10 characters
  • or 123456, which ranks first on the list of the most commonly used passwords, "password" itself being the fourth, believe it or not.
  • ... and the list is endless


Some of you might think that choosing such passwords is pretty stupid, but you wouldn't believe the number of people who actually go for one of these. Why are all these passwords bad? Because they are either too personal or too obvious. You have to understand how hackers work. The first thing they'll try to guess your password with, because it's the quickest, is what is called a "dictionary attack". They just try the most used words of a standard dictionary (it doesn't take long because they have ways to automate the process), and doing so their chance of succeeding is pretty good if you chose a random word from a dictionary.

You must also always assume (in general it's not the case, especially on the web, but it helps to be a little paranoid) that a hacker might know everything about you: your tastes, your girlfriend or your husband, and so on. That's the second quickest way for a hacker to solve the problem, when the user has chosen a password related to themselves or their relatives.

"But if passwords with only figures and less than 10 characters are dumb, how come they are deemed safe for the PIN of my credit card or my cell phone?" you could ask. Because the problem is not the same. If you enter the wrong PIN 3 times, your card, or the card of your cell phone, is locked, preventing further attempts, and you must go through a painful process to either unlock the cell phone card or get a new credit card. Most of the time there is no such limitation on the web, and most web sites -- except the most sensitive ones -- won't lock your account just because you entered the wrong password 3 times in a row. That gives hackers a lot of room to try a lot of things.

If you fooled them with a password that doesn't obviously correspond to you and that isn't taken from a dictionary, then hackers have to fall back to the most painful method for them, known as "brute force". This method is always -- and I stress always -- successful, because it consists of trying every combination of letters and figures (and symbols, where the system allows them in passwords) one after the other. Problem for them: this method, even when automated, may take an awful lot of time, and your task is to make sure that getting your password would take them so much time that they won't even want to bother with it. It's kind of the equivalent of your car alarm. The goal is not to prevent thieves from stealing the car but to give them so much work that most of them will throw in the towel. And to give hackers a hard time you can do several things, so let's get to that.


What is a good password?

First a reasonably good password is one that doesn't correspond to any of the criteria of a bad password. Ideally it must:

  • be long enough: some systems limit the length of the password, but anything above ten characters is reasonably good. The longer the better. Every character added is another thorn in the hacker's side.
  • have absolutely no meaning for you or any of your relatives, let alone for anyone else
  • be a mix of letters (both upper and lowercase) and figures in no sequential order. If the system you enter the password into allows special characters, use them too.

An example of a good password would be: mX6*28Kh+4g9z\yO

It's not pretty, and I won't pretend it's easy to remember, but that is the kind of nightmare hackers hate. It is so random that only a brute force attack can crack this baby, and considering its length it's not worth the time they'd spend on it just to get access to your forum account. In fact, when you're faced with a low security threat -- access to one of your accounts that contains no personal data, for example, and no means of reaching critical features of the system -- you could consider going for something less complicated. However, if you deal with an account with pretty sensitive data or functions (an administration account, for example) you might even consider adding some more characters.
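To put numbers on the dictionary-attack and brute-force arguments above, here is a small Python checker, added as an example and not part of the original article: it applies the article's bad-password criteria to a candidate and estimates how long exhausting its key space would take. The short common-password list and the guess rate of 10^9 per second are constructed assumptions for illustration.

```python
import string

# Constructed stand-in for the most-used-passwords list the article cites (real lists run to millions).
COMMON_PASSWORDS = {"123456", "password", "qwerty", "abc123", "letmein"}
# Assumed attacker speed for the brute-force estimate (10^9 guesses/second); an illustration, not a page figure.
GUESSES_PER_SECOND = 10 ** 9
# Character classes the article talks about: letters (both cases), figures,
# and the printable ASCII symbols a system may allow.
ALPHABETS = {"lower": string.ascii_lowercase, "upper": string.ascii_uppercase,
             "digit": string.digits, "symbol": string.punctuation}

def character_classes(pw):
    """Return the names of the character classes the password actually uses."""
    return {name for name, chars in ALPHABETS.items() if any(c in chars for c in pw)}

def has_sequential_run(pw, length=3):
    """True if pw contains consecutive ascending or descending characters such
    as 'abc', '123' or '987' (the 'sequential order' the article says to avoid)."""
    for i in range(len(pw) - length + 1):
        steps = {ord(b) - ord(a) for a, b in zip(pw[i:i + length], pw[i + 1:i + length])}
        if steps == {1} or steps == {-1}:
            return True
    return False

def bad_password_problems(pw):
    """Apply the article's bad-password criteria and list every one that fires."""
    classes = character_classes(pw)
    problems = []
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("on the most-used passwords list (dictionary attack)")
    if len(pw) < 10:
        problems.append("fewer than 10 characters")
    if classes and classes <= {"lower", "upper"}:
        problems.append("only letters")
    if classes == {"digit"}:
        problems.append("only figures")
    if has_sequential_run(pw):
        problems.append("contains a sequential run")
    return problems

def brute_force_seconds(pw, rate=GUESSES_PER_SECOND):
    """Worst-case time to enumerate the key space the password lives in, assuming
    the attacker already knows its length and which character classes it uses."""
    alphabet = sum(len(ALPHABETS[c]) for c in character_classes(pw))
    return alphabet ** len(pw) / rate

if __name__ == "__main__":
    for pw in ["123456", "password", r"mX6*28Kh+4g9z\yO"]:
        print(pw, bad_password_problems(pw) or "no problems",
              f"{brute_force_seconds(pw) / 31_557_600:.3g} years to brute-force")
```

Run as a script it contrasts the two passwords named in the article with the example password above; the 16-character mix of all four classes sits in a key space of 94^16 guesses, against 10^6 for a six-digit PIN.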

Three final pieces of advice: first, don't copy the password above to make it yours (because hey, since it's written on the page you could always check it if you forget it), that's the first thing a hacker would try on this site. Second, it's a good idea to change your password once in a while. And third but not least, check your computer for badware once in a while. It won't matter how good your password is if someone places a malicious piece of software on your computer to intercept everything you type (a keylogger).


Ultimately, the choice is yours...

Safe browsing!


Copyright © 2006-2011 The Foxhole and contributors. All rights reserved. Products logos and trademarks are the properties of their respective owners.