
Designing strong passwords

By ghostghost | 9712 Reads

Good evening HBH,

TechieJeff here, writing about what makes a proper password. Over my years securing systems I have seen my share of dreadful passwords, and you may be wondering whether yours is one of them. By a weak or inadequate password I mean one that a brute-force tool or a dictionary attack can crack with little effort. We will start with the types of attacks against your password.

1.) Brute force - Tries every possible combination of characters (aaa, aaA, aAA, AAA, aab, ...). The work grows exponentially with the length of the password and with the size of the character set it is drawn from.

2.) Dictionary - Tries passwords read from a text file (a wordlist), for example Common_Passwords.txt.

3.) Hybrid - A variation of the dictionary approach that also accounts for common user habits: alternating character case, substituting characters ("@" in place of "a", etc.), keyboard patterns ("1QAZ", etc.), doubling a word to make it longer, or adding incremental prefix/suffix numbers to a base word ("2swordfish" instead of "swordfish", etc.). Example of a password built this way: M@ry_Brunst3r.

4.) Shoulder surfing (also called shoulder hacking) - Quite simply, an attacker peeks over your shoulder and watches your password being typed. The simple countermeasure is awareness: know who is behind you before you type.
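To make the dictionary and hybrid attacks concrete, here is a toy rule-based guesser. It is an added example, not code from the article or from any real cracking tool; the wordlist, the rule set and the passwords it is run against are all constructed here. Real attacks use wordlists with millions of entries and far richer rule sets, so what this catches is the bare minimum an attacker will try.

```python
"""Toy dictionary/hybrid password guesser (constructed example)."""
from typing import Iterator, Optional, Sequence, Tuple

# Constructed stand-in for a wordlist such as Common_Passwords.txt.
WORDLIST = ["password", "swordfish", "john", "mary"]

# Single-character substitutions a hybrid rule set tries. Lowercase only,
# so the case rules below decide which letters are eligible.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "5"})


def base_variants(word: str) -> Iterator[Tuple[str, str]]:
    """Yield (rule_names, candidate) for every combination of the case,
    substitution and doubling rules applied to one wordlist entry."""
    cases = (("as-is", word),
             ("capitalize", word.capitalize()),
             ("upper", word.upper()))
    for case_rule, w in cases:
        for leet_rule, w2 in (("", w), ("leet", w.translate(LEET))):
            for dbl_rule, w3 in (("", w2), ("double", w2 + w2)):
                rules = "+".join(r for r in (case_rule, leet_rule, dbl_rule) if r)
                yield rules, w3


def candidates(wordlist: Sequence[str] = WORDLIST) -> Iterator[Tuple[str, str, str]]:
    """Yield (wordlist_entry, rule_names, candidate) in the order an attacker
    would try them: plain variants first, then numeric suffixes and prefixes."""
    for word in wordlist:
        for rules, w in base_variants(word):
            yield word, rules, w
            for n in range(10000):          # 1-4 digit suffix: john0 ... john9999
                yield word, rules + "+suffix", f"{w}{n}"
            for n in range(100):            # 1-2 digit prefix: 2swordfish
                yield word, rules + "+prefix", f"{n}{w}"


def crack(target: str, wordlist: Sequence[str] = WORDLIST) -> Optional[Tuple[str, str, int]]:
    """Return (wordlist_entry, rules, guesses_needed) if some hybrid rule
    reproduces target, or None if the target survives this rule set."""
    for guesses, (word, rules, cand) in enumerate(candidates(wordlist), start=1):
        if cand == target:
            return word, rules, guesses
    return None


if __name__ == "__main__":
    # The first four fall to one rule each; the last two survive this toy
    # rule set because the extra material is not derived from a list word.
    for pw in ["John9209", "Sw0rdf15h", "2swordfish", "swordfishswordfish",
               "J0HN92ohnine", "M@ry_Brunst3r"]:
        print(f"{pw:20} -> {crack(pw)}")
```

The point to take from the output is which passwords fall, not how many guesses they took: a name plus a four-digit number, a capitalised word with 0 and 5 swapped in, or a word with a digit bolted on the front all fall to a single rule, which is why the substitutions alone buy very little.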

Now that we have covered the types of attacks, we will discuss how to defend against them.

Creating a good password - 101:

1.) Length - Nine characters was the common recommendation when this was written; treat it as a floor, not a target. The search space grows exponentially with length: nine lowercase letters alone give 26^9, roughly 5.4 trillion combinations, and nine characters drawn from the full printable ASCII set give about 6 x 10^17. Every extra character multiplies the attacker's work, so the longer the password, the harder the attacker's job.

2.) Including numbers - Weak passwords usually contain no digits. Adding digits enlarges the alphabet the attacker must search (from 26 lowercase letters to 36, or from 52 mixed-case letters to 62), so include at least four. Spread them through the password rather than tacking them onto the end: a name followed by four digits is exactly the pattern a hybrid attack tries first.

3.) No dictionary words - Dictionary attacks (see above) take words from a text file, so a password that is not a recognisable word or name survives them. John9209 is a first name plus a number and falls to a hybrid rule almost immediately; something like J0HN92ohnine is much harder. Be aware, though, that simple substitutions such as 0 for o and 3 for e are themselves standard hybrid rules, so the protection comes from the unpredictable part of the string, not from the substitutions.

4.) Combination - A good password mixes digits, uppercase letters, lowercase letters and symbols. Example: J3Ff3ry-9209-IlLin0i5 (Jeffery-9209-Illinois). Note that this one is built from a name, a number and a place; it gets its strength mainly from its length (21 characters) and its mixed character set.

5.) Make it hard to crack, but do not write it down - Contrary to popular belief, many compromises involve no guessing at all: the attacker simply reads the password off the paper you wrote it on. So do not write down your passwords; practise them in your head. If you must write one down, put it on a small piece of paper in an unlikely place such as a sock drawer, and keep it only until you know the password by heart.

6.) Don't fall for social engineering - An attacker on IM, say, may ask something like "What are some good passwords?" It seems harmless, but if you answer he learns what kinds of passwords you use and can tune his wordlist and brute-force rules accordingly.

7.) Repetition killed the cat? - Using the same password for more than one account is very dangerous; you are practically asking for trouble. We all let our guard down sometimes, so if you do slip up, contain the loss. Say you use the same password for MySpace as for your email: once the attacker cracks your MySpace password he can read your email and tamper with the information in it.

8.) The good old text file - Saving your passwords in a file on your desktop is asking for trouble. Someone may be attacking your system right now, and if he gets in through a vulnerability he can simply read your files for sensitive information. And yes, there are tools that do exactly this, searching files for keywords such as "password".
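The keyspace figures in tip 1 above are easy to get wrong by hand, so here is a small calculator for them. It is an added example, not part of the original article; it computes the blind brute-force search space from a password's length and the character classes it uses, and converts that to time at an assumed guess rate. The rate of 10^10 guesses per second is an assumption for illustration only; real rates depend on the hash function protecting the password and on the attacker's hardware.

```python
"""Keyspace and brute-force cost of a password (constructed example)."""
import math
import string

# Character classes a brute-force tool must enable to reach the password.
# The symbol count follows string.punctuation (32 characters).
CLASSES = (
    ("lower", frozenset(string.ascii_lowercase)),
    ("upper", frozenset(string.ascii_uppercase)),
    ("digit", frozenset(string.digits)),
    ("symbol", frozenset(string.punctuation)),
)
ALL_KNOWN = frozenset().union(*(chars for _, chars in CLASSES))


def charset_size(password: str) -> int:
    """Size of the smallest class-based alphabet containing every character."""
    used = set(password)
    unknown = used - ALL_KNOWN
    if unknown:
        raise ValueError(f"characters outside the printable ASCII classes: {unknown}")
    return sum(len(chars) for _, chars in CLASSES if used & chars)


def keyspace(password: str) -> int:
    """Number of strings of the same length over the same alphabet."""
    return charset_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """log2 of the keyspace, the usual way to compare passwords."""
    return len(password) * math.log2(charset_size(password))


def seconds_to_exhaust(password: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case time for a blind brute force at the assumed guess rate."""
    return keyspace(password) / guesses_per_second


def describe(password: str, guesses_per_second: float = 1e10) -> str:
    years = seconds_to_exhaust(password, guesses_per_second) / (365.25 * 24 * 3600)
    return (f"{password!r}: {len(password)} chars, alphabet {charset_size(password)}, "
            f"keyspace {keyspace(password):.2e}, {entropy_bits(password):.1f} bits, "
            f"{years:.2e} years to exhaust at {guesses_per_second:.0e}/s")


if __name__ == "__main__":
    # Nine lowercase letters versus twelve: length beats a bigger alphabet.
    for pw in ["a" * 9, "Aa1Aa1Aa1", "a" * 12, "John9209", "J3Ff3ry-9209-IlLin0i5"]:
        print(describe(pw))
```

Two caveats when reading the numbers. First, this is the cost of a blind brute force, which is an upper bound: anything built from a word, a name or a date falls to the dictionary and hybrid attacks described earlier long before the keyspace is exhausted, so John9209 is far weaker than its 62^8 keyspace suggests. Second, twelve lowercase letters (26^12) have a larger keyspace than nine characters of mixed letters and digits (62^9), which is why length is the first thing to increase.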

A few tips to keep in mind when creating a password:

* Don't use a password that has been listed as an example or published anywhere.
* Don't use the same password you have been using for years.
* Don't use a password someone else has seen you type.
* Don't use a password that contains personal information (names, birthdays or dates easily linked to you).
* Don't use words or acronyms that can be found in a dictionary.
* Don't use keyboard patterns (qwerty) or sequential numbers (12345).

With that, I leave you with a few examples of well-thought-out passwords. I do not recommend using these; I simply want you to see what a good password looks like.

[name]+[birth_year]+[current_year]+[initials]+[random_string]+[animal_name]

Jeff-9309_BinaryGrady
Simple_Man-2009_JJF_9309-Phew!

Note that this template starts with a name and a birth year, the kind of personal information the tips above warn against; the strength comes from the overall length and the random string, not from those parts. If I can remember them, so can you :)

Please keep checking for new articles of mine. I hope this helps! Happy early Christmas!

Sincerely, Jeff

Comments
stealth- 14 years ago

It was decent. Very well presented; however, it wasn't that great of content. Things like this should be obvious (but I guess they apparently aren't, if we are making articles like this). I'd rate this good.

Hopefully the next one is just as well presented, but with something more interesting :)

ghost 14 years ago

>Don’t use a password that contains personal information

mido 14 years ago

Very nice and approachable article for the very-beginners :). Well written. Waiting for your next contribution ;)

ghost 14 years ago

Okay, Jeff, this is what you need to know. Charsets, right? We've got abc, ABC, abc123, abcABC123 and abcABC123+unusual characters. Now, be sure to include each of those. For example: "dgLE499@#!:".

Also, length. But that's a given. 10+ will do most of the times, 12+ is really good and 16+ is just madness. 24+ if you wanna go tinfoil hat.

korg 14 years ago

Boring as hell if you ask me. I never would have let this one slide through. :@

ghost 14 years ago

At least it's short. Everyone reads this same thing at some point. It could have been shorter.

ghost 14 years ago

Very Good Article actually

ghost 14 years ago

Not a bad (nor a boring) article. Simply for the fact that a lot of people still use passwords that this article otherwise suggests against using. I picked up some useful information, and will probably be making new breeds of passwords from now on.

korg 14 years ago

MoshBat two words: no shit. :o

Mtutnid 13 years ago

:ninja:

I am a ninja, I will assassinate this article.