On Fri, Sep 9, 2011 at 12:32 PM, Shauna Hensala <she...@msn.com> wrote:
> I have been asked to speak to a group regarding personal internet security.
> This will be a fairly lightweight discussion and I have a couple of really
> good references regarding choosing secure passwords

The best rules are:

* A password should be easy for you to remember, but hard for others to guess.
* Don't use the same password on more than one site/system/account/etc.
* Don't use password systems, where a new password can be derived from other passwords by following some recipe, formula or pattern.
* Don't use passwords easily connected to you, or your family or friends.
  ** Avoid names, dates, phone/account/social security/ID numbers.
  ** Avoid hobbies, sports teams, foods, books, movies, and other personal interests.
* Don't use just a single common English word, either verbatim or slightly transformed. Several random words is okay. (See: http://xkcd.com/936/)
* Don't share your passwords with people unless you want to share **everything** the password protects with them, too.
* Change passwords occasionally. It doesn't need to be every 90 days like some people want, but if you've been using the same bank password for three years, it's time to change it.

> ... and the https://www.grc.com/haystack.htm site for testing.

FYI, don't take Steve Gibson's advice on anything security-related without checking it with several other sources first. He doesn't know as much as he thinks he does, and he often gets important details wrong.

But even Gibson admits that page is *not* a password strength tester. All it does is compute the keyspace of a password. It ignores human factors entirely. For example, "Passw0rd!" rates very well on that page, but it's a *very* common password.

A good password strength checker will incorporate human factors, such as natural-language words, letter and word frequencies, lists of common passwords, and even information about the asset being attacked.

> What if you incorporate a symbol not normally found on a keyboard into your
> password - such as ¢ which requires the key combo alt/0162? Does this
> increase or decrease the hackability of your password - or is it completely
> irrelevant?

This depends on the nature of the attack, and the details of the system. All in all, it's probably not worth the cost. There are usually better methods (like using several random words).

For example, if you're trying to protect a public interface (like a web site) from a brute-force attack, in theory, an attacker will try common passwords (like "password") first, so by using unusual characters, you might push your password down the list. On the other hand, any good web site will implement counter-measures against a password-guessing attack, so after a few wrong guesses,

On the third hand, there's a lot of bad websites out there.

Which brings me to another point: A lot of systems will reject characters outside of the usual ASCII printed character set. And not all systems treat non-keyboard characters the same. You might find the password you type on a Windows PC can't be entered on a Macintosh.

Another kind of attack is where the attacker has gained access to a hashed password, and is trying to obtain the plaintext password, which they will then try on other sites (because most people use the same password everywhere). In this kind of attack, the attacker can just do an intensive brute-force attack, and funny characters won't help you. (Especially if the attacker can use rainbow tables.)

> To a hacker, is the actual password alt0162 or is it ¢?

To an attacker, the actual password is irrelevant. They use software to automate the attacks, and to software, all characters are alike. (However, the software may be programmed to take human factors into account, and thus try more common characters first.)

-- Ben
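The two points Ben makes above, that a pure keyspace calculation says nothing about how guessable a password is, and that to software a password is just whatever bytes the system happens to encode it into, can both be shown in a few lines. The following is an added example, not code from the thread or from any tool it mentions. The common-password set, the leet-substitution table and the 100-symbol "other" pool for non-ASCII characters are assumptions constructed for the demonstration; a real checker would load a leaked-password list rather than a six-entry set.

```python
import hashlib
import math
import string

# Constructed stand-in for a common-password list (assumption: a real checker
# would load something like the top-N passwords from public breach dumps).
COMMON_PASSWORDS = {
    "password", "passw0rd", "passw0rd!", "123456", "qwerty", "letmein",
}

# Character classes used for the naive keyspace estimate, in the spirit of
# the "haystack" calculation: only alphabet size and length matter.
CHARSETS = [
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, 33),
]


def keyspace_bits(password: str) -> float:
    """log2 of the brute-force search space implied by length and the
    character classes present. Anything outside string.printable is treated
    as drawing from an assumed extra pool of 100 symbols."""
    alphabet = 0
    for charset, size in CHARSETS:
        if any(c in charset for c in password):
            alphabet += size
    if any(c not in string.printable for c in password):
        alphabet += 100  # assumption: rough size of a "non-keyboard" pool
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def normalize(password: str) -> str:
    """Canonical form for the common-password lookup: lowercase, the usual
    leet substitutions undone, surrounding punctuation dropped, so that
    'Passw0rd!' and 'P@ssw0rd' both collapse to 'password'."""
    table = str.maketrans("0134$@", "oleasa")  # assumed substitution set
    return password.lower().translate(table).strip(string.punctuation)


def assess(password: str) -> dict:
    """Keyspace estimate next to a human-factors check. A high bit count with
    common=True is exactly the 'Passw0rd!' case from the post."""
    common = (password.lower() in COMMON_PASSWORDS
              or normalize(password) in COMMON_PASSWORDS)
    return {"keyspace_bits": round(keyspace_bits(password), 1),
            "common": common}


def hash_under_encodings(password: str,
                         encodings=("utf-8", "cp1252", "latin-1", "ascii")) -> dict:
    """The same typed password hashed after each encoding a system might apply.
    Different byte strings give different digests; None marks a system that
    cannot represent the character at all (the 'rejected character' case)."""
    out = {}
    for enc in encodings:
        try:
            data = password.encode(enc)
        except UnicodeEncodeError:
            out[enc] = None
            continue
        out[enc] = hashlib.sha256(data).hexdigest()
    return out


if __name__ == "__main__":
    for pw in ("Passw0rd!", "P@ssw0rd", "correct horse battery staple"):
        print(pw, assess(pw))
    # ¢ is U+00A2: two bytes in UTF-8, one byte in cp1252/latin-1, absent in ASCII
    for enc, digest in hash_under_encodings("¢10").items():
        print(enc, digest)
```

Run as a script, "Passw0rd!" scores around 59 bits of keyspace and is still flagged as common, while the four-word phrase scores far higher and is not. The encoding table shows why "is the password alt0162 or ¢" has no single answer: the UTF-8 and cp1252 digests differ, cp1252 and latin-1 agree because both map ¢ to the single byte 0xA2, and the ASCII entry is None, which is the system that rejects the character outright.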