Benchmarks Online


Good Passwording

By Howard Draper, Information Security Intern

How important are good passwords? More important than most people think. Passwords are the simplest (and should be the first) security measure addressed by all computer users. So why should we care how good or bad our passwords are? We should care because it takes a community-wide effort to really make it safer for everyone. Very often, an intruder can crack a password for one machine and from there, jump to others and attempt to do more damage or mask the trail of intrusion. 

Password security is very often overlooked as a major vulnerability, which is tragic, considering how much money is spent on hardware and software security measures, despite the relative ease and thriftiness of educating users to analyze and enhance their personal password security. 

Total system security is only as good as the weakest link. 

A strong password could take years to crack, while a weak one could be figured out within minutes. Any password could eventually be cracked by brute force (trying every possible character combination). An eight-character password drawn from the 62 available uppercase letters, lowercase letters and digits has 218,340,105,584,896 possible combinations. This could take a very long time to crack, most likely hundreds of years if several thousand passwords were tried per second. However, if that password is based on a dictionary word (in any language), a relative's name, a pet's name, a combination of two actual words, or a word plus a number, it may be possible to crack it in a matter of seconds. Some basic guidelines for password creation are:

  • Make passwords as long as possible (never shorter than 6 characters).
  • Include mixed-case letters, if possible.
  • Include digits and punctuation marks, if possible.
  • Do not base them on any personal information (SSN, phone number, DOB, etc.).
  • Do not base them on any dictionary word, in any language (including names, places, and slang).

What are some examples of good and bad passwords?

doggy38 – bad, dictionary word

hello – bad, dictionary word

schwäche – bad, dictionary word, even though it's not English

senha9943 – bad, dictionary word, even though it's not English and has some numbers added

h3114 – bad, still a dictionary word; digit substitution is a very common practice and password crackers take it into account.

9he6ll5o – decent, because digits have been inserted into the word, but it's still a password based on a dictionary word.

Y'g2hYla – very good, difficult to guess, no noticeable algorithm used, has upper and lowercase letters, contains a digit, contains punctuation, and is at least 8 characters long. 

Password Q&A

  • How did I come up with the last one, and more importantly, how can I remember it without writing it down? 

In this instance, I used a phrase I could remember, the Beatles song "You've got to hide your love away". I used the first character of each word, the apostrophe from the first word, capitalization of the first word, substitution of '2' for the word 'to', and capitalization of the second 'Y'. In many cases, you can use letters from a catch phrase that you remember, or lyrics, or poetry, or a saying, especially one that isn't already known as an acronym. If you change your password often, try adding a digit or letter which you can change every month and remember easily, like going up one digit, down one letter, skipping one, etc.

  • How often should you change your password?

As often as possible, preferably every 30-90 days, but it’s really up to your System Administrators to specify. 

  • Should you use different passwords for different systems?

Yes.  If you only have one password, you are making all your systems vulnerable in the event that your one password is cracked.  They may not have to be completely different, so it’s up to you how much each password may vary.  Of course, the more variance, the more security.  You could arrange passwords in a hierarchy of sorts, making sure the most crucial systems have drastically different passwords. 

  • Should you tell anyone your password under any circumstances?

No.  Even a System Administrator should never ask for your password, so don’t tell anyone else, and also don’t write it down anywhere (even if it’s in your wallet). 

Can you take the password challenge?

If you are up to the challenge of creating a strong password, you can test its strength using this online password meter:

 http://www.securitystats.com/tools/password.php 

The meter is not as strong as I would like, since it doesn’t check for digit substitution, and it only checks the English dictionary, but it’s still a fair indicator of general password strength. 
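As an added illustration (this is example code written for this page, not the online meter or anything from UNT), the checker below applies the guidelines and the good/bad examples above: it computes the brute-force keyspace and the years needed to exhaust it at several thousand guesses per second, and it catches dictionary-based passwords both on their raw letters and after undoing common digit substitutions, which is the check the meter lacks. The word list and substitution table are constructed for the demo; a real checker would load full multi-language word lists.

```python
import string

# Constructed mini word list for the demo; a real checker would load a full
# multi-language list (the online meter above only checks English).
WORDS = {"hello", "hell", "doggy", "schwäche", "senha", "love", "password"}

# Digit/symbol substitutions that crackers already account for (constructed table).
LEET = str.maketrans({"3": "e", "1": "l", "4": "a", "0": "o", "5": "s", "7": "t", "@": "a", "$": "s"})

def keyspace(alphabet_size, length):
    """Number of brute-force candidates for a password of this length and alphabet."""
    return alphabet_size ** length

def years_to_exhaust(candidates, guesses_per_second=5000):
    """Worst-case time to try every candidate at the given guess rate."""
    return candidates / guesses_per_second / (365 * 24 * 3600)

def charset_size(pw):
    """Estimate the alphabet an attacker must cover from the character classes present."""
    size = 26 if any(c.islower() for c in pw) else 0
    size += 26 if any(c.isupper() for c in pw) else 0
    size += 10 if any(c.isdigit() for c in pw) else 0
    size += len(string.punctuation) if any(c in string.punctuation for c in pw) else 0
    size += 128 if any(ord(c) > 127 for c in pw) else 0  # rough allowance for non-ASCII letters
    return size

def dictionary_hit(pw):
    """Longest word-list entry the password is built on, checked on the raw letters
    and again after undoing digit substitution; None if nothing matches."""
    raw = "".join(c for c in pw.lower() if c.isalpha())
    unleet = "".join(c for c in pw.lower().translate(LEET) if c.isalpha())
    for candidate in (raw, unleet):
        for w in sorted(WORDS, key=len, reverse=True):
            if w in candidate:
                return w
    return None

def assess(pw):
    """Apply the article's guidelines; return the problems found and a brute-force estimate."""
    problems = []
    if len(pw) < 6:
        problems.append("shorter than 6 characters")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        problems.append("no mixed case")
    if not any(c.isdigit() for c in pw):
        problems.append("no digits")
    if not any(c in string.punctuation for c in pw):
        problems.append("no punctuation")
    hit = dictionary_hit(pw)
    if hit:
        problems.append(f"based on dictionary word '{hit}'")
    return {"problems": problems, "years": years_to_exhaust(keyspace(charset_size(pw), len(pw)))}
```

Running assess on "hello" flags the dictionary word and a keyspace exhausted in minutes, while "Y'g2hYla" passes every guideline and its 94-character alphabet gives tens of thousands of years at 5,000 guesses per second.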

More Information on Passwords

For an excellent CNET article explaining the dangers of weak passwords, browse to: http://news.com.com/2009-1001-916719.html

Remember

A password is like underwear—keep it hidden.

A password is like underwear—change it often.

A password is like underwear—don’t share it with friends.


UNT CITC Information Security
http://www.unt.edu/security/