Password security, don’t take it 4Gr@nted
June 11, 2007 Posted by Jeff in: Tips

Passwords are the first line of defense in keeping the unwanted out of your computer, your bank account, and any other personal or business stuff. Yet we tend to take them for granted and even view them as a nuisance.
Lately, we hear that identity theft is growing exponentially as more and more people buy computers and hop on the internet, but we put off setting up a password cycling plan, or even changing the old password we’ve used since the 20th century, until tomorrow. And you know how that goes. And yes, there are ways to secure a system without using passwords - I do it for one of my customers using electronic certificates which are unique to each workstation - but that can become a support nightmare. For the average person, it’s best (and easiest) just to pick a few secure passwords that you can use and cycle through as necessary.
Let’s start out with some basics. Passwords like “password” or “abc” or “123” are just plain dumb. This is pretty strong evidence that you either have no business owning a PC, or just don’t give a second thought to your security. It’s also pretty strong evidence that you have a virus, that your computer’s front door is standing wide open with a big flashing “Come on in!” sign for the rest of the internet, and that some unscrupulous identity thief is currently vacationing in the Virgin Islands on your bill.
Don’t use plain old names or silly cliches for passwords. Things like “phillies” or “letmein” or “opensesame” will surely be cracked in seconds using a dictionary attack. If you have to use something silly, at least use a random mix of upper and lower case letters. This might add a few extra seconds onto the cracking of your password, but for pity’s sake, don’t use 123456 or something predictable like that.
Try to use a mixture of upper and lower case letters, numbers, and some non-alphanumeric characters like (! @ # $ %). Typically the characters that appear above your number keys can be used without a problem. Also, the password should be 8 characters or more.
The hard part with this method is that these passwords can be hard to remember.
Another method, which I find easy, is to think of a sentence, and pick the first letter from each word, like this: “I Like To Eat Bacon And Eggs For Breakfast.” The password would be iLtebaefB. Or even better, mix it up a little: !L2eb&efB.
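To make the rules in the last few paragraphs concrete (8 or more characters, a mix of character classes, nothing that a dictionary attack will find, and the first-letter-of-each-word trick), here is a small checker written for this post. It is an added example, not code from the original article; the common-password list inside it is a constructed sample, and the rough "bits" figure assumes an attacker who has to try every string over the character classes used, which is exactly why a dictionary word is tested separately.

```python
# Added example, not code from the original post: a small password-policy
# checker for the rules above (length, character mix, dictionary words) plus
# a helper for the "first letter of each word" method.
import math
import string
from typing import Dict, List, Optional, Set

# Constructed sample of dictionary-style passwords of the kind the post warns
# against; a real deployment would use a large breached-password list.
COMMON_PASSWORDS = {
    "password", "abc", "123", "123456", "phillies", "letmein", "opensesame",
}

MIN_LENGTH = 8  # the post's minimum length

# Alphabet size contributed by each character class, used for the rough
# brute-force estimate below (len(string.punctuation) is 32).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": len(string.punctuation)}


def character_classes(password: str) -> Set[str]:
    """Return the character classes present: lower, upper, digit, symbol."""
    classes: Set[str] = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def search_space_bits(password: str) -> float:
    """Rough brute-force search space in bits: log2(alphabet ** length).

    This only measures what an attacker who tries every string over the
    classes used would face; a dictionary word like "password" gets a
    decent-looking score here yet falls in a fraction of a second, which is
    why check_password tests the word list separately.
    """
    alphabet = sum(CLASS_SIZES[c] for c in character_classes(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def check_password(password: str) -> List[str]:
    """Return the policy violations found (an empty list means it passes)."""
    problems: List[str] = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in a common-password list (dictionary attack)")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = {"lower", "upper", "digit", "symbol"} - character_classes(password)
    if missing:
        problems.append("missing character classes: " + ", ".join(sorted(missing)))
    return problems


def initials_password(sentence: str, substitutions: Optional[Dict[str, str]] = None) -> str:
    """Build a password from the first letter of each word, keeping each word's
    case as typed, then apply per-character substitutions (e.g. i -> !)."""
    initials = ""
    for word in sentence.split():
        word = word.strip(string.punctuation)
        if word:
            initials += word[0]
    subs = substitutions or {}
    return "".join(subs.get(ch, ch) for ch in initials)


if __name__ == "__main__":
    for candidate in ["password", "phillies", "123456", "!L2eb&efB"]:
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: ~{search_space_bits(candidate):.0f} bits; {'; '.join(verdict)}")
    # The post's own sentence, typed with the casing that yields iLtebaefB.
    base = initials_password("i Like to eat bacon and eggs for Breakfast")
    mixed = initials_password("i Like to eat bacon and eggs for Breakfast",
                              substitutions={"i": "!", "t": "2", "a": "&"})
    print(base, "->", mixed)
```

Running it shows why the post's advice hangs together: "phillies" satisfies the 8-character rule yet fails on the word list and on character mix, while "!L2eb&efB" passes every check and is still something you can rebuild from the sentence in your head.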
When I was an I.T. Manager at a law office, I had a program that I ran on the server which worked on cracking passwords, kept a log of which ones were cracked, and how long it took. Many were cracked in fractions of a second. Most were cracked in a couple minutes, and a select few cracked in a couple hours, while a slim 5% of users’ passwords were uncrackable. I published the list of names and crack times (minus the actual passwords) in a company-wide email. Everyone had fun razzing each other, but in the end, it accomplished tighter password security.
If you have doubts about your sacred favorite passwords, you can try them out on Microsoft’s Password Checking Tool (it’s free) at http://www.microsoft.com/athome/security/privacy/password_checker.mspx
Have fun. And remember, when you sit at the computer, don’t put your brain into neutral.
Jeff Gross