How To Pick a Safe Password
The importance of picking a good, secure password can't be emphasized enough. Your password is the way the computer verifies that someone logging in is really you, so pick something that cannot be guessed by others. The top reason people gain unauthorized access to a password-protected system is that they guessed someone's password (often because they found it on a piece of paper next to the victim's computer or because they saw the person type the password in, but also because they use software programs that are VERY good at guessing common passwords).
What Happens To People Who Choose Weak Passwords
The Basics
Try This If You're Having Difficulty Selecting a Good Password
If you are having difficulty picking a good password, one good method is to use the first letter of each word in a phrase you can easily remember. For example, "Alta is my kind of place" would be Aimkop. Another method is to intentionally use misspelled words, or words with a number or punctuation mark suffixed. Examples include: braekfast, kite276, and weather. (the period at the end is part of the password). Also, many hackers use numbers or punctuation instead of letters as a basic encoding of text, as in: h3llo is hello, or he!!o is also hello. Don't copy any of these examples, but y0u g3t the d4ift! The more creative you are, the better. Here are some guidelines about what secure passwords should not include[1]:
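A defensive check built from the patterns this section names (letter-for-number substitutions, appended numbers or punctuation, deliberate misspellings), added here as an example and not code from the original page: it undoes those transformations before a wordlist lookup, which is why the sample passwords above should not be copied. The wordlist, the 8-character minimum and the two-character-class rule are constructed assumptions.

```python
import re

# Constructed mini-wordlist standing in for the dictionary a real checker
# (or a cracking tool) would load; a deployment would use a large list.
DICTIONARY = {"hello", "kite", "weather", "breakfast", "password", "alta", "place"}

# Character-for-letter swaps as in the page's examples (h3llo, he!!o).
# Cracking rule sets undo these, so the checker undoes them before lookup.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "!": "l", "@": "a", "$": "s"})

def candidate_bases(password):
    """Forms a wordlist lookup should also try: lowercased, leet undone, and
    a trailing number/punctuation suffix removed (kite276 -> kite, weather. -> weather)."""
    low = password.lower()
    stripped = re.sub(r"[\d\W_]+$", "", low)
    return {low, low.translate(LEET), stripped, stripped.translate(LEET)}

def adjacent_swap_match(word, dictionary):
    """Dictionary word reachable by one adjacent-letter swap (braekfast -> breakfast)."""
    for i in range(len(word) - 1):
        swapped = word[:i] + word[i + 1] + word[i] + word[i + 2:]
        if swapped in dictionary:
            return swapped
    return None

def check_password(password, dictionary=DICTIONARY, min_length=8):
    """Return the weaknesses found; the length and two-class rules are assumed policy."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    for base in sorted(candidate_bases(password)):
        if base in dictionary:
            problems.append(f"dictionary word '{base}' after undoing substitutions or suffix")
            break
        near = adjacent_swap_match(base, dictionary)
        if near:
            problems.append(f"one-swap misspelling of dictionary word '{near}'")
            break
    # Character classes actually present: lower, upper, digit, punctuation.
    classes = sum(re.search(p, password) is not None
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    if classes < 2:
        problems.append("uses only one character class")
    return problems

if __name__ == "__main__":
    for pw in ("Aimkop", "braekfast", "kite276", "weather.", "h3llo", "he!!o",
               "Alta!smyK1ndOfPlace"):
        print(f"{pw!r:24} {check_password(pw) or ['no rule fired']}")
```

Every sample password from the section trips at least one rule, while a longer acronym-style password built from the phrase method with mixed classes passes.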
Advanced Password Strategies
This guy has the most excellent password selection strategy that I have seen.
About This Page
[1] Simson Garfinkel and Gene Spafford, Practical UNIX Security (Sebastopol, CA: O'Reilly & Associates, Inc., 1991), pp. 33-34.
[2] Ibid., p. 35.
[3] Tim McNerney sent me the following about changing passwords:
Ran across your page http://wolfram.org/writing/howto/password.html and have some disagreements with some of your recommendations. Well, really just one. That one is changing your password frequently. It is my belief that this leads to less, not more, secure systems. Here's why.
Choosing a good password is difficult. You need it to be easy for a user to remember, but hard for anyone else to guess. If it is difficult for the user to remember, it will end up on a PostIt on his monitor. If it is easy to guess, then many methods will work to compromise the account. Requiring a user to change his password on a regular basis means that the user must come up with more passwords. The average quality of that password will almost always be less than that of a single good password. They are less likely to even try and come up with a good password if they have to change it frequently. So the quality will almost always be less.
The amount of time to crack a password using straight brute force methods is almost always much greater than the expiration period. So attempts to foil such an attempt with password expiration. There are some cases where you need the information secured for a very long period of time, but more often than not, this is not the case. In this case changing your password once every ten years for a password space that would take 100 years to brute force would be more than sufficient. And the spaces we are talking about are much greater than that.
If a user's password is going to be broken, it will almost always happen through means other than brute force. Either through the PostIt method, social engineering, dictionary attacks, using personal information. These attacks take much less time than you could reasonably expire a password. Let's say you require changes every month. The above attacks would take anywhere from a couple of minutes to a few hours. The compromise would happen on average with 15 days left before the password would expire. Once compromised, there is little (but not no) value in closing the barn door. Detecting and rectifying these situations is better handled through other means, especially since changing the password never lets anyone know that a compromise ever occurred, even though it stops it (though most likely, the person will still have access through other means once they got in).
So basically, changing your password frequently doesn't prevent brute force attacks in the general case, decreases the quality of passwords used/increases the likelihood that they will get written down, and while mildly beneficial in that you cut off access to compromised systems, does not help in detecting this, nor do I believe the increased chance of such an occurrence due to the previously mentioned problems is worth the tradeoff.
I haven't really seen this theory mentioned anywhere else, so there may be some obvious flaws I'm missing. And there are obviously certain cases where it doesn't apply, but I think it is a good rule of thumb for most people when choosing passwords. I'd appreciate any comments or criticisms of my thoughts.
Also, I'd add a corollary to the last item in Good Passwords, which is that a password should contain characters which alternate when typed between the left and right hand. These tend to be quicker and easier to type.