The "No Network is 100% Secure" series
- Passwords -
A White Paper
All rights reserved - may not be copied without permission
Easyrider LAN Pro, NOC Design Consultants
What is a password?: A password is a secret word or string of characters that
is used for authentication, to prove identity or gain access to a resource such as
logging on to a computer. Your password is the key you use to access personal
information that you've stored on your computer and in your online accounts.
Why are strong passwords important?: If criminals or other malicious users steal your personal information, they can use your name to open new credit card accounts, apply for a mortgage, or pose as you in online transactions. In many cases you would not notice these attacks until it was too late. In the case of your company username and password, if hackers are able to break into your account, they can use your employee access to attempt additional break-ins to your corporate network.
Fortunately, it is not difficult to create strong passwords that you can actually remember and keep them well protected.
What makes a strong password: The best passwords are those that are difficult to guess but easy to remember.
Lengthy passwords: Each character added to a password multiplies the number of combinations an attacker has to try by the size of the character set (roughly 95 for the printable characters on a keyboard), so length is the single biggest contributor to strength. Passwords should be at least 8 characters long, and longer is better. Many systems also accept the space bar in passwords, so you can build a phrase of several words, known as a "pass phrase". A pass phrase is often easier to remember than a short jumble of characters, as well as being longer and therefore harder to guess.
Character variety: The greater the variety of characters in your password, the harder it is to guess. Use numbers, punctuation and uppercase letters to add variety to your passwords. But it is very important to create passwords that you can remember. A strong password that you can't remember is fairly useless, and your IT staff will quickly tire of resetting it for you. An example of a good password would be something like: 0-Happy:)Face-0 ... fairly easy to remember, rather difficult to guess.
Remembering your password: Contrary to popular opinion, there is nothing wrong with writing passwords down, but the written copy needs to be adequately protected in order to remain secure and effective. Taping your password to the bottom of your keyboard or keeping it on a piece of paper in your top middle desk drawer does not satisfy that requirement! However, a password written on paper and kept somewhere safe is out of reach of an attacker on the Internet, which cannot be said of a password kept in a Web site, a password manager, or any other software-based storage tool on a networked computer.
I use what I call a private key/public key system to manage my passwords. The terms are borrowed from cryptography; here the "public key" is just an index of accounts and the "private key" is the list of actual passwords. The public key would look something like:
Hotmail - 1
Yahoo - 2
Voicemail - 3
ATM - 4
My public key would be in my wallet, briefcase or the notebook I carry around.
The private key would be my actual passwords and would obviously be stored securely and not anywhere near my public key. The private key would look like:
1 - 2009Foobar$$$
2 - DallasC0wb0yz
3 - Un1cycles4fun
4 - 04July1776!**
I keep each password on a separate card that is well hidden but easy to recover if needed. If you are particularly clever, you can also build some sort of version control into this scheme. Someone finding just one card would not really be able to do much with it, since it gives either the account names or the passwords, but not the pairing. And to be honest, I am less worried about someone finding my private key and figuring out what it means than I am about an Internet hacker cracking a weak password.
Testing your password: There are tools and web sites that will test your password for strength. Never type a real password into any site other than the one it belongs to; test a password of the same length and construction instead, or use a tool that runs locally on your own machine. If you're really paranoid, you can cloak your IP address by visiting the site through a proxy server, but bear in mind that hiding your address does nothing to protect a password you submit. And of course any legitimate site is not going to ask for any personal information.
Really bad passwords: Some common ways of constructing passwords produce results that criminals guess easily. To avoid weak, easy-to-guess passwords:
Avoid sequences or repeated characters. "12345678," "222222," "abcdefg," or adjacent letters on your keyboard do not make for very secure passwords.
Avoid using only look-alike substitutions of numbers or symbols. Criminals and other malicious users who know how to crack passwords will not be fooled by common look-alike replacements, such as replacing an 'i' with a '1' or an 'a' with '@' as in "M1cr0$0ft" or "P@ssw0rd". But these substitutions can be effective when combined with other measures, such as length, misspellings, or variations in case, to improve the strength of your password.
Avoid your login name, and any part of your name, birthday, social security number, or similar information about you or your loved ones. These are among the first things criminals will try.
Avoid dictionary words in any language. Criminals use sophisticated tools that can rapidly guess passwords that are based on words in multiple dictionaries, including words spelled backwards, common misspellings, and substitutions. This includes all sorts of profanity and any word you would not say in front of your children.
Use more than one password. If any one of the computers or online systems using a particular password is compromised, all of your other information protected by that password should be considered compromised as well. It is critical to use different passwords for different systems.
Avoid using online storage. If malicious users find these passwords stored online or on a networked computer, they have access to all your information.
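The rules in this list, together with the self-test described under "Testing your password", can be checked offline so that no real password ever leaves your machine. The Python script below is an added example and is not part of this white paper. Its word list, look-alike substitution table and sample "personal" strings are constructed stand-ins for the multi-language dictionaries and profile data a real cracking tool uses, and the keyspace figure assumes a plain brute-force attacker, so it is an upper bound on strength rather than a guarantee.

```python
"""Offline password-quality checks for the rules in this paper (added example)."""
import math
import re
import string

# Constructed stand-in for the dictionaries a cracking tool loads.
WORDLIST = {"password", "microsoft", "letmein", "welcome", "dragon",
            "monkey", "football", "qwerty", "baseball", "sunshine"}

# Look-alike substitutions that cracking tools undo before a dictionary match.
LEET = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
        "@": "a", "$": "s", "!": "i", "|": "l", "+": "t"}

KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def normalize(pw):
    """Lower-case and undo look-alike substitutions: 'P@ssw0rd' -> 'password'."""
    return "".join(LEET.get(c, c) for c in pw.lower())


def has_run(pw, length=4):
    """True if any window of `length` characters is all the same character,
    an ascending/descending sequence (abcd, 4321) or a keyboard-row run (asdf)."""
    low = pw.lower()
    for i in range(len(low) - length + 1):
        chunk = low[i:i + length]
        if len(set(chunk)) == 1:
            return True
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return True
        if any(chunk in row or chunk in row[::-1] for row in KEYBOARD_ROWS):
            return True
    return False


def keyspace_bits(pw):
    """log2 of the search space a brute-force attacker faces, assuming they
    know which character classes were used. Each extra character multiplies
    the work by the alphabet size (95 when all four classes appear)."""
    alphabet = 0
    if any(c.islower() for c in pw):
        alphabet += 26
    if any(c.isupper() for c in pw):
        alphabet += 26
    if any(c.isdigit() for c in pw):
        alphabet += 10
    if any(c in string.punctuation or c == " " for c in pw):
        alphabet += len(string.punctuation) + 1   # punctuation plus the space bar
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def check_password(pw, personal=()):
    """Return the rules from the paper that `pw` violates (empty list = passes).
    `personal` holds strings such as the login name, surname or birth year."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    classes = sum([any(c.islower() for c in pw), any(c.isupper() for c in pw),
                   any(c.isdigit() for c in pw),
                   any(c in string.punctuation or c == " " for c in pw)])
    if classes < 3:
        problems.append("fewer than 3 character classes")
    if has_run(pw):
        problems.append("sequence, repeat or keyboard run")
    norm = normalize(pw)
    letters = re.sub(r"[^a-z]", "", norm)
    # A single dictionary word survives look-alike substitutions and reversal.
    if letters in WORDLIST or letters[::-1] in WORDLIST:
        problems.append("dictionary word (after undoing look-alike substitutions)")
    for item in personal:
        if len(item) >= 3 and (item.lower() in pw.lower() or normalize(item) in norm):
            problems.append("contains personal information: %s" % item.lower())
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "M1cr0$0ft", "12345678", "0-Happy:)Face-0"):
        print("%-18s %5.1f bits  %s" % (candidate, keyspace_bits(candidate),
                                          check_password(candidate, personal=("jsmith",)) or "OK"))
```

Run as a script it reports the paper's own examples: "P@ssw0rd" and "M1cr0$0ft" are flagged as dictionary words once the substitutions are undone, "12345678" fails on variety and on being a sequence, and "0-Happy:)Face-0" passes with a search space near 99 bits against roughly 53 bits for the eight-character examples. The keyspace number is only the brute-force cost; a word-based password is found long before that cost is paid, which is the point of the dictionary check.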
Also, read our white paper on "Phishing" for more information about protecting your personal information.
Protecting your passwords: Obviously, do not share your password with anyone. Anyone!
Protect recorded passwords as discussed earlier.
Never provide your password over e-mail or based on an e-mail request. Not even if the request comes from God himself. Ever!
Do not type passwords on computers that you do not control. Computers such as those in Internet cafes, computer labs, shared systems, kiosk systems, airport lounges and so on should be considered unsafe for any personal use other than anonymous Internet browsing. Do not use these computers to check online e-mail, bank balances, business mail, or any other account that requires a user name and password. Criminals can and do plant keystroke-logging trojans on many of these computers, and such trojans let them harvest everything typed on the machine from anywhere on the Internet. Remember that your passwords and pass phrases are worth as much as the information they protect.
Changing your passwords frequently: I am not a fan of forcing users to change their passwords every few weeks, especially on systems that force users to create passwords that are impossible to remember. In my view, if a user has chosen hardened passwords and is diligent about protecting those passwords, there's no reason to change them. The fact is, if a hacker is able to crack your password, the damage will be over and done with long before the system-mandated password change edict comes along. However, that said, it's a good idea to change or at least modify your passwords periodically.
Cracked passwords: Be sure to monitor all the information you protect with your passwords, such as your monthly financial statements, credit reports, online shopping accounts, and so on. Strong passwords can help protect you but there are no guarantees. If you enter your password on a computer that's been infected with a trojan, consider it compromised. And no matter how strong your password is, if someone breaks into the system that stores it and that system keeps passwords in the clear or under a weak hash, they will have your password; where the system stores a salted, slow hash, a strong password is what stops the intruder from recovering it offline. If you're connected to the Internet via WiFi, there's always the risk that your data can be intercepted, especially if a weak encryption method is in use.
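What a stolen password database actually yields depends on how the passwords were stored, which is why the rules earlier in this paper still matter when the server, not the user, is the one that gets broken into. The Python below is an added example and not part of this white paper: the two users, their passwords and the attacker's candidate list are constructed for the demonstration, and the iteration count is an illustrative setting rather than a recommendation for any particular product.

```python
"""Plain-text storage versus a salted slow hash, seen from the intruder's side (added example)."""
import hashlib
import hmac
import os

ITERATIONS = 100_000   # illustrative work factor: every guess costs the attacker this many rounds


def store_plain(pw):
    """The weak design: the password is stored as-is, so a breach hands it over directly."""
    return {"scheme": "plain", "secret": pw}


def store_pbkdf2(pw, salt=None):
    """The hardened design: per-user random salt plus a deliberately slow hash (PBKDF2-HMAC-SHA256)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)
    return {"scheme": "pbkdf2", "salt": salt, "secret": digest}


def verify(record, pw):
    """Check a login attempt against a stored record using a constant-time comparison."""
    if record["scheme"] == "plain":
        return hmac.compare_digest(record["secret"].encode(), pw.encode())
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(record["secret"], digest)


def crack(record, candidates):
    """Offline guessing against a stolen record, i.e. what an intruder who has
    broken into the system that stores the password can do. Returns the
    recovered password, or None if no candidate matched."""
    if record["scheme"] == "plain":
        return record["secret"]          # nothing to crack; it is right there
    for guess in candidates:
        if verify(record, guess):
            return guess
    return None


# Constructed users: one weak password and one of the passwords this paper calls strong.
USERS = {
    "alice": "P@ssw0rd",
    "bob": "0-Happy:)Face-0",
}
# Constructed stand-in for a cracker's word list with common substitutions applied.
CANDIDATES = ["password", "Password1", "P@ssw0rd", "letmein", "qwerty123"]


def breach_outcome(scheme):
    """Simulate the theft of the user database under `scheme` ('plain' or 'pbkdf2')
    and return {user: recovered password or None}."""
    store = {user: (store_plain(pw) if scheme == "plain" else store_pbkdf2(pw))
             for user, pw in USERS.items()}
    return {user: crack(record, CANDIDATES) for user, record in store.items()}


if __name__ == "__main__":
    for scheme in ("plain", "pbkdf2"):
        print(scheme, breach_outcome(scheme))
```

With plain-text storage both users lose their passwords the moment the database is copied. With the salted slow hash, the weak password is still recovered from the word list, but the strong one survives because the intruder has to pay the full hashing cost for every guess and no guess in a dictionary matches it. The salt keeps one precomputed table from cracking every user at once, and the constant-time comparison in verify() is there so that the login check itself does not leak how many bytes of a guess were right.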
If you notice any suspicious activity that could indicate that someone has accessed your information, notify authorities as quickly as you can. And obviously, changing passwords is imperative.
Web mail password resetting vulnerability: The Sarah Palin hacker managed to reset her password by Googling for the answer to her "secret question", followed by two similar password resetting attacks aimed at Twitter employees. This method of account hacking is amazingly easy to do. And since most people use the same password for multiple accounts (if not all of their accounts) once you have someone's Yahoo password, you can do some real damage.
So just how secret are the "secret questions" used for resetting forgotten passwords? Not so secret after all, as it turns out. In a recent study, acquaintances of the participants (people the participants said they would not trust with their password) guessed the answers to their "secret question" challenges 17% of the time. The study also confirmed that the most popular questions were in fact the easiest ones to answer. How difficult do you think it would be to find out what someone's Mother's maiden name was once you knew their name? And that doesn't even count the ease of guessing an answer outright: the set of plausible surnames, pet names or home towns is tiny compared with the space of 8-character passwords, so an attacker does not even need a true brute-force attack.
Brute forcing attempts against the security questions is certainly a feasible attack tactic. But these days, malicious attacks tend to be much more sophisticated and pragmatic than that. This is especially true in a Web 2.0 world where the majority of potential victims have already unconsciously/consciously published the answers to their security questions somewhere on the Web.
Security questions are not really a viable, secure form of authentication. If you use one of the many free web mail services out there, it is advisable to use a one-off, hardened password that is exclusive to that one account. Resist the temptation to make it a memorable date: something like 25December0000 looks exotic, but it follows a day-month-year pattern that cracking tools try early, and a date tied to you in any way is a guess, not a secret. And when creating your "secret question" challenge responses, be a little crafty. Don't enter your Mother's maiden name when asked. Use your Mother-in-law's maiden name, your Sister's married name or something like that. It's OK to lie! Still not totally secure, but if you are going to have your password cracked, at least make them work for it. If you choose your password well, you'll never need to reset it anyway. Remember that you not only don't want to provide a weak password; you also don't want to provide weak "secret question" responses!
Last modified March 25, 2009
Copyright 1990-2009 Easyrider LAN Pro