Password Introduction

Passwords are a key part of any security system:
– Work or personal

Strong passwords make your personal and work data relatively secure.
Weak passwords are often worse than having no password at all, because they give a false sense of security.
Tip 1: Use a Pass Phrase

How long should your passwords be?
The length depends on the value of the data being protected, how often the passwords must be changed, and the security of the authentication system.
– Passwords should be a minimum of eight to 10 characters to even begin to be considered non-trivial.
– A password of 15 characters or longer is considered secure for most general-purpose business applications, i.e. a pass phrase.
Good example: callingGodisafreecall
Tip 2: Disable LM Hashes

Disable the storage of weak cached LM password hashes in Windows; they are simple to break.
Disable LM password hashes by using Group Policy, Local Security Policy or a Registry edit.
In the former two, navigate to Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options and enable "Network Security: Do not store LAN Manager hash value on next password change".
Tip 3: True Password Complexity

Complexity makes passwords harder to guess and crack.
Complexity normally means inserting one or more non-alphabetic characters into the password or pass phrase.
– Higher complexity involves requiring one or more non-alphabetic and non-numeric symbols (e.g. !@#$%&, and so on).
Password cracking tools know most people make the first letter uppercase.
They know that numbers typically come at the end and are usually 1 or 2.
The common special symbols are substitutions: @ for a, $ for s, and so on.
True password complexity means doing something unexpected.
– Example: p7asswOrK is more complex than Password2
Tip 4: How Long? 15 Or More!

Crackers say how easy it is to break dictionary-based passwords.
When sent the password hashes for browngrassbrowngrass or hash-thispassword-word to crack, they never seem to break them.
The secret: if your password is long enough, it doesn't need to be complex.
Going 15 characters or longer defeats most common password crackers.
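An added example (not from the original slides) that puts numbers behind Tip 3 and Tip 4: it estimates the search space a cracker faces for the slides' own examples, once for the "capital first letter, digits at the end" shape that cracking tools try first and once for a long lowercase pass phrase. The mask list, the symbol-class size of 32 and the guess rate are constructed assumptions for the estimate, not figures from the slides.

```python
import math

# Size of each character class; 32 printable symbols is an assumption for this estimate
CLASS_SIZE = {"l": 26, "u": 26, "d": 10, "s": 32}

# Constructed stand-in for a cracker's default mask list: capital first letter,
# lowercase middle, one or two digits at the end (the shape Tip 3 warns about)
COMMON_MASKS = {"u" + "l" * (n - 2) + "d" for n in range(6, 13)} | \
               {"u" + "l" * (n - 3) + "dd" for n in range(6, 13)}

def mask_for(password: str) -> str:
    """Per-position class string a cracker infers from a password's shape, e.g. Password2 -> ullllllld."""
    classes = []
    for ch in password:
        if ch.islower():
            classes.append("l")
        elif ch.isupper():
            classes.append("u")
        elif ch.isdigit():
            classes.append("d")
        else:
            classes.append("s")
    return "".join(classes)

def mask_bits(mask: str) -> float:
    """log2 of the candidates left once the cracker has guessed the exact per-position mask."""
    return sum(math.log2(CLASS_SIZE[c]) for c in mask)

def brute_force_bits(length: int, alphabet_size: int) -> float:
    """log2 of the candidates when only the length and the alphabet are known."""
    return length * math.log2(alphabet_size)

def effective_bits(password: str) -> float:
    """Work the cracker faces: the mask's space if the shape is a common one,
    otherwise brute force over every character class the password uses."""
    mask = mask_for(password)
    if mask in COMMON_MASKS:
        return mask_bits(mask)
    alphabet = sum(CLASS_SIZE[c] for c in set(mask))
    return brute_force_bits(len(password), alphabet)

def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate at a constant guess rate (the rate is a supplied assumption)."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    RATE = 1e9  # constructed guess rate; real rates depend on the hash type and hardware
    for pw in ["Password2", "p7asswOrK", "browngrassbrowngrass", "hash-thispassword-word"]:
        bits = effective_bits(pw)
        print(f"{pw:24} mask={mask_for(pw):24} {bits:6.1f} bits  ~{years_to_exhaust(bits, RATE):.3g} years")
```

Password2 collapses to about 41 bits because its shape is on the mask list, while the 20-letter lowercase browngrassbrowngrass sits at about 94 bits, far above even an 8-character password drawn from all 94 printable characters.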
Tip 5: Password Diversity

Many people use the same password to protect their online gaming or other fun site information that they use at work.
Most people have dozens of logons across a multitude of Web sites around the Internet.
Often their logon name to each Web site is their e-mail address.
When one password is compromised, many others are often also known.
Most passwords can be discovered after watching someone logon 7 times.
Tip 6: Rooting Around

On work systems: avoid using the same passwords on different systems.
To make it simpler, pick a common root password and make slight changes to it on the various systems.
Example: email, billing and accounting systems
– greenemail32
– greenebill21
– greenaccount01
Tip 7: Storing Passwords - Hint

Good passwords are a balance between complexity and your ability to remember them.
Make a hint file on your cell.
– Example: the passwords listed in the previous tip might become gemail32, gebill21_32 and gaccount01_32.
– Switch things up a bit, for instance using GEmail34 to indicate that the password includes capitalized letters and a different ending for that system (i.e. GreanEmail34). Notice Green is misspelled; that is a good way to defeat dictionary attacks.
Never write down your password.
Tip 8: Dos and Don'ts

– Use a pass phrase like callingGodis1freecall
– Don't use passwords with all CAPS
– Do not start with capital letters or end with a number; most cracking software knows how to crack that in seconds
– Don't make it so hard you must write it down
– DO NOT write it down on a sticky note and put it on the monitor, in a drawer or under the keyboard
– Do not use family or pet names or your favorite team unless you put it in a phrase
Tip 9: Understand Wireless

When on wireless your username is often broadcast in clear text, even on an SSL site.
Several SSL sites also send passwords in clear text; your connection is encrypted after that, but your user name and password are sent in clear text.
People can discover your user name and password without being on your wireless.
Public wireless access will often have someone running sniffing software on a regular basis.
Tip 10: Social Engineering

Never give out a password to anyone, even your IT staff.
– They should have the ability to reset your passwords
– Do not give out your naming scheme, or the IT staffer may be able to guess your password for your bank account or other accounts
– Use separate naming schemes for work and personal accounts
Never use Personally Identifiable Information (PII) in your passwords:
– Birth date
– SSN
– Mother's maiden name
Never respond to emails requesting you to verify your PII or requesting you to logon to a website.
Bad Passwords

These kinds of passwords can be cracked in under three minutes:
– A name associated with you or your organization (SDA)
– A date associated with you or your organization (1844 or 1888)
– A dictionary word (unless it is a pass-phrase)
Adding a number or a capital adds no more than a few minutes to the time it takes to crack short passwords.
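An added example (not from the original slides) that turns the Tip 8 dos and don'ts and the Bad Passwords list into a checker you can run over candidate passwords before they are adopted. The organization names, dates, dictionary words and substitution table are constructed from the slides' own examples and are placeholders for a real word list.

```python
# Constructed example inputs: the names, dates and words the slides cite as weak material
ORG_TERMS = {"sda"}
ORG_DATES = {"1844", "1888"}
DICTIONARY = {"password", "green", "email", "calling", "god", "free", "call", "brown", "grass"}

# Undo the substitutions crackers already know about (@ for a, $ for s, and so on)
SUBSTITUTIONS = str.maketrans({"@": "a", "$": "s", "0": "o", "3": "e"})

def core_word(password: str) -> str:
    """Letters only, lowercased, with common substitutions reversed: what a dictionary attack matches on."""
    return "".join(ch for ch in password.translate(SUBSTITUTIONS) if ch.isalpha()).lower()

def weaknesses(password: str) -> list:
    """Return the rules from the slides that the password breaks (an empty list means none found)."""
    found = []
    if len(password) < 15:
        found.append("shorter than 15 characters")
    if password.isupper():
        found.append("all capitals")
    if password[:1].isupper() or password[-1:].isdigit():
        found.append("capital first letter or trailing digit")
    core = core_word(password)
    if core in ORG_TERMS:
        found.append("name associated with you or your organisation")
    if any(date in password for date in ORG_DATES):
        found.append("date associated with you or your organisation")
    if core in DICTIONARY:
        found.append("single dictionary word")
    return found

if __name__ == "__main__":
    for pw in ["Password2", "P@$$w0rd", "SDA1888", "callingGodis1freecall", "browngrassbrowngrass"]:
        print(f"{pw:24} {weaknesses(pw) or 'no weaknesses found'}")
```

A pass phrase made of several dictionary words passes the single-word check by design, matching the slides' "unless it is a pass-phrase" exception, while still having to meet the 15-character rule.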