Ten Ways to Dodge CyberBullets, Part 4

4. Good password practice

Use different passwords for your computer and online services. Also, it’s good practice to change passwords on a regular basis and avoid simple passwords, especially those that are easily guessed.

It’s debatable whether enforced, frequent changes of hard-to-remember passwords are always constructive (they can force the user to write down passwords, for example, which may well swap one security problem for another).

However, you should certainly be aware that if some miscreant guesses or cracks one of your passwords, using different passwords for other services and for your system passwords drastically limits the damage that he or she can do. If, on the other hand, you use the same password for different accounts, you run the risk that one lucky guess will give the cracker the keys to the kingdom. Indeed, it’s likely that one of the reasons that quite trivial accounts are sometimes phished is that they give a cracker a head start on guessing the password for other, more profitable and more easily plundered accounts.

Password Selection Strategies

It’s good practice to avoid using single, fairly short passwords. Some Trojans use comparatively short, generic lists of commonly used passwords such as “aaaaa,” “password,” “qwertyuiop,” “StarTrek,” “mypassword,” “123456.” If you don’t believe that such stereotypical passwords represent a significant problem, check out “The Top 500 Worst Passwords of All Time” at http://www.whatsmypass.com/?p=415.

At the other extreme, a dictionary attack may use not only common “strings” of characters like these but lists of hundreds of thousands of real words. This may strike you as being a little over the top for capturing your Twitter credentials. However, modern computer systems are fast enough to carry out an automated attack like this far more quickly than you might think.

Here are some approaches best avoided:

  • Any correctly spelled English word, especially one which is likely to be recognized by operating system or application spell-checkers and so on. Using regional spellings, such as those from the UK, is unlikely to offer any extra protection.
  • Any correctly spelled non-English word; exceptions may be a little more acceptable in obscure languages as long as they’re not in languages you’re “known” to speak, but you are still at risk from dictionary attacks that use long, multi-language word lists.
  • Any part of your own name or username, let alone a duplication of your username (this is called a “Joe” account, and it’s one of the first things a password cracker, human or automated, looks for when trying to guess a password).
  • Any part of the name of a member of your extended family (including pets) or, worse, a colleague, your boss, or, in fact, anyone’s name. Place names are often easily guessed, whether because of an obvious link to you (if you live in Springfield, Springfield is definitely not a good password choice, for instance), or because word lists used in dictionary attacks are likely to contain common place names.
  • The name of the operating system you’re using (or accessing remotely), or the name of the PC you’re using, or the name of the service you’re accessing, or the hostname of a server you’re accessing. Well, you get the idea.
  • Personally significant numbers (phone number, car license number, National Insurance or Social Security Number, someone’s birthdate — save them for picking lottery numbers).
  • Your favorite or most-hated objects, food, movies, TV programs.
  • Easy associations with favorite or most-hated things; for instance, “Swan_Lake” may not be a good password for a ballet fan.
  • Song, book and movie titles, famous people, cartoon characters, etc. Particularly not recommended are ‘CharlieBrown,’ ‘Snoopy,’ ‘Kirk,’ ‘Spock,’ ‘Homer,’ ‘Garfield,’ ‘Dilbert,’ ‘Grissom,’ ‘Oprah’…
  • Anything so unmemorable you have to write it down, unless you take reasonable precautions to protect the paper you write it on.
  • A Post-It on your keyboard or monitor is not a reasonable precaution, unless you work in a room that can’t be accessed by other people. Nor is a piece of paper taped to the CD or USB device it’s intended to give access to. A piece of paper in your wallet or laptop bag is vulnerable to loss or theft. At the very least, take measures to avoid its being easily identified as a password, and don’t make it obvious which system/file/account it refers to. Don’t write down the actual password; use a mnemonic device or some means of disguising it such as scrambling and interleaving letters.
  • Anything with the first or last character uppercase and the rest lowercase, unless it’s a really tricky passphrase.
  • Any example passphrase you’ve come across in a textbook or a blog.
  • Any short passphrase consisting of a single word (system permitting — some systems actually severely limit the range of characters you can use).
  • Anything consisting entirely of letters of the alphabet.
  • Obvious anagrams of any of the above, especially simple reversals.
  • Obvious variations such as appending or prepending a digit to one of the above or an anagram thereof, or obvious substitutions of digits for letters: “pa55w0rd,” for example.
  • Reusing passwords can be really bad news. You don’t want to use the same password for your computer logon as for your bank. Important information should be protected with unique and strong passwords.
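The list above is, in effect, a set of rules that a simple password checker can apply before a password is accepted. The following is an added example, not code from the original post: it undoes the disguises the list names (digit-for-letter substitutions such as “pa55w0rd,” appended digits, simple reversals), then looks for dictionary words, username reuse (the “Joe” account), letters-only passwords and the first-or-last-capital pattern. The wordlist and sample passwords are constructed stand-ins for the large lists a real checker would load.

```python
import re
import string

# Constructed stand-in for the "short, generic" lists of common passwords the post
# mentions, plus a handful of dictionary words; a real checker would load a large
# multi-language wordlist and a leaked-password list instead.
COMMON_PASSWORDS = {"aaaaa", "password", "qwertyuiop", "startrek", "mypassword", "123456"}
DICTIONARY_WORDS = {"swan", "lake", "springfield", "snoopy", "spock", "homer", "garfield"}
WORDLIST = COMMON_PASSWORDS | DICTIONARY_WORDS

# Digit/symbol-for-letter substitutions ("pa55w0rd") that a cracker's rule set undoes
# before the dictionary lookup, so they add very little on their own.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def candidate_forms(password):
    """Base strings a dictionary attack would compare this password against:
    lower-cased, de-leeted, with leading/trailing digits or punctuation stripped,
    and each of those reversed."""
    lowered = password.lower()
    forms = {lowered, lowered.translate(LEET)}
    forms |= {f.strip(string.digits + string.punctuation) for f in forms}
    forms |= {f[::-1] for f in forms}
    return {f for f in forms if f}


def weaknesses(password, username="", personal_names=()):
    """Return the rules from the list above that the password breaks ([] = none found)."""
    found = []
    forms = candidate_forms(password)
    if forms & WORDLIST:
        found.append("dictionary word or common password (possibly disguised)")
    else:
        # e.g. "Swan_Lake": every alphabetic token is itself a dictionary word
        for f in forms:
            tokens = [t for t in re.split(r"[^a-z]+", f) if t]
            if len(tokens) > 1 and all(t in WORDLIST for t in tokens):
                found.append("combination of dictionary words")
                break
    user = username.lower()
    if user and any(user in f for f in forms):
        found.append("contains username ('Joe' account)")
    for name in personal_names:
        if any(name.lower() in f for f in forms):
            found.append(f"contains personal name '{name}'")
    if password.isalpha():
        found.append("letters only")
    if len(password) > 1 and (
        (password[0].isupper() and password[1:].islower())
        or (password[-1].isupper() and password[:-1].islower())
    ):
        found.append("only first or last character uppercase")
    if len(password) < 8:
        found.append("shorter than 8 characters")
    return found


if __name__ == "__main__":
    # Constructed sample inputs: the post's own bad examples, a "Joe" account,
    # and one output of the interleaving technique described later in the post.
    for pw, user in [("password", ""), ("pa55w0rd", ""), ("drowssap1", ""), ("Springfield", ""),
                     ("Swan_Lake", ""), ("jsmith2024", "jsmith"), ("f9L7a0s8H", "")]:
        print(f"{pw:12} -> {weaknesses(pw, username=user) or 'no listed weakness found'}")
```

Note that passing this checker only means none of the listed patterns was found; as the post says, sophisticated cracking tools apply far larger wordlists and more transformation rules than the few shown here.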

Filling the Cracks

The following techniques may help slow down password breaking by guessing or simple dictionary attacks. The more of them you combine in a single password, the more effective they’re likely to be. However, sophisticated crack programs will attempt to counter many of these strategies.

  • Embed control characters or non-alphanumeric symbols such as digits, punctuation marks and symbols (where the system allows this).
  • Misspell (but consistently!): “Dis passéfrase 1s kwite gud bot wd b betr wiv sum #s & karakters that r nut alfan00meric.”
  • Unorthodox caPitaliZation.
  • Use a personally significant acronym, e.g., ICRMFPW (I Can’t Remember My Friendly Password).
  • Link together two words, possibly with a symbol as a delimiter, e.g., egG^rIbBoN.
  • Replace letters with digits or equivalent characters, and words with abbreviations, e.g., BunZ4T, NeWz@10.
  • Interleave two words, e.g., RmAaInN.
  • Interleave a word with a numeric string, e.g., f9L7a0s8H.
  • Don’t use the same password on several machines. However, sensible variations might be acceptable, subject to the rules mentioned above, e.g., VdOOmAX, UdOOMniX, dOOCPM. Still, this example has the disadvantage that if an attacker gets one of these, he’s well on the way to guessing the rest.
  • Changing your password regularly is important. How frequently you change your password will depend upon how important the information you are protecting is. Generally, once every three months is a really good idea. That way, by the time a computer has cracked a good strong password, you will have already changed it!
  • One of the problems with multiple passwords is remembering them all. Tools like Cygnus Password Corral (http://cygnusproductions.com/freeware/pc.asp), Keepass (http://keepass.info/), and 1Password (http://agilewebsolutions.com/products/1Password) can be really helpful. Just remember that you need to keep your “keysafe” application on a very safe
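The construction techniques above (interleaving two words, interleaving a word with digits, linking words with a delimiter, taking an acronym) and the caveat about related variations can be shown in a few lines. The following is an added example, not code from the original post: it reproduces the post’s own sample outputs and computes the substring shared by the VdOOmAX / UdOOMniX / dOOCPM variations, which is what an attacker who learns one of them already holds towards the others. The `acronym` function keeps one letter per whitespace-separated word, so the post’s phrase yields ICRMFP rather than its ICRMFPW.

```python
from itertools import zip_longest


def interleave(word, other):
    """Alternate characters from two strings, e.g. "RAIN" + "man" -> "RmAaInN";
    the tail of the longer string is appended unchanged."""
    return "".join(a + b for a, b in zip_longest(word, other, fillvalue=""))


def join_with_delimiter(first, second, delimiter="^"):
    """Two words linked by a symbol, e.g. "egG" + "rIbBoN" -> "egG^rIbBoN"."""
    return f"{first}{delimiter}{second}"


def acronym(phrase):
    """First character of each whitespace-separated word, case preserved."""
    return "".join(w[0] for w in phrase.split())


def shared_core(variants):
    """Longest substring (case-sensitive) common to every variant: the part an
    attacker who has obtained one of the passwords does not need to guess."""
    shortest = min(variants, key=len)
    for length in range(len(shortest), 0, -1):
        for start in range(len(shortest) - length + 1):
            piece = shortest[start:start + length]
            if all(piece in v for v in variants):
                return piece
    return ""


if __name__ == "__main__":
    # The post's own examples, used here as constructed test input.
    print(interleave("RAIN", "man"))          # RmAaInN
    print(interleave("fLasH", "9708"))        # f9L7a0s8H
    print(join_with_delimiter("egG", "rIbBoN"))
    print(acronym("I Can't Remember My Friendly Password"))
    # Related variations across machines share a core, as the post warns.
    print(shared_core(["VdOOmAX", "UdOOMniX", "dOOCPM"]))  # dOO
```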
