Good Password: Common Practices

  1. #1
    Senior Member
    Join Date
    Jul 2002
    Posts
    339

    Good Password: A Practical Guide to Make One

    hi all. thanks to those who have appreciated my previous tut. i did spend some
    time to make it understandable in one pass* and quote any links i refer to.
    that's probably something you won't find at plain google.

    *) usually a compiler reads (and processes) a source program in multiple passes
    before eventually producing the actual binary. a typical compilation consists of
    at least two passes, scanning (grouping series of characters into tokens) and
    parsing (grouping series of tokens into program structures).


    background: in this tut, we'll talk about how to make a good password. yeah,
    actually i was gonna start a poll on what kind of words people tend to
    choose for their password. but as an ao newbie, i guess i could be suspected of
    trying to crack some system... ;-) here, again, i try to avoid talking about
    technical issues. just let me focus on people: how people choose their
    passwords, and more importantly, how they should.


    =================================== CUT HERE ===================================


    Document Code: JDTT0202 - <jdenny>

    Good Password: A Practical Guide.


    Introduction.

    Since the computer was invented, people have been dealing with passwords. With
    the rise of client-server computing, people have to deal with passwords even
    more. We must enter a user ID and password pair every time we log on to our
    machine, start an application, dial in to get onto the Internet, open our
    mailbox, etc. This list seems to never stop expanding.

    Currently, Internet business and many other transactions require a more
    stringent means than user ID and password combination. The use of digital
    certificates issued and verified by a Certificate Authority (CA) as part of a
    public key infrastructure is considered likely to become the standard way to go.
    But until all systems apply and conform to this new standard, we will still
    have to deal with passwords, i.e. choose the good ones and maintain them.


    Definitions.

    Before talking further about passwords, we'll need to talk about two processes
    which explain why we would need passwords in the first place: authentication
    and authorization.

    Authentication is the process of determining whether someone or something is,
    in fact, who or what it is declared to be. In private and public computer
    networks (including the Internet), authentication is commonly done through the
    use of logon passwords. Knowledge of the password is assumed to be proof of
    identity.

    Authorization is the process of giving someone permission to do or have
    something based on an access control list. This list, defined by a system
    administrator, maps users to the resources of the system and their privileges
    of use (such as access to which file directories, hours of access, amount of
    allocated storage space, and so forth).

    Logically, authentication precedes authorization, although they may often seem
    to be combined in a single process.

    So, a password is a secret, unspaced sequence of characters used to
    authenticate a user requesting access to a system. Typically, a user of a system
    claims a unique name, his/her user ID, that can be generally known. In order to
    verify that someone entering that user ID really is that person, a second
    identification, his/her password, known only to that person and to the system
    itself, is entered by the user.


    Criteria for a Good Password.

    A password is typically somewhere between four and 16 characters, depending on
    how the system is set up. When a password is entered, the computer system is
    careful not to display the characters on the display screen, in case others
    might see it.

    Ideally, the password should be something that nobody could guess. That makes
    the password secure. But don't make it too difficult to remember. For example,
    iU81mDha is a hard-to-guess password. But can you remember it easily? What
    would you do if you have to use that password and cannot change it to something
    else? Some people would render their password useless by writing it down on
    a sticky note on top of their monitor. This is a silly thing to do, since
    anybody could see it and misuse it.

    In practice, most people choose a simple word that is easy to remember, such as:
    - their name or their initials
    - their girlfriend's/boyfriend's name
    - their child's name
    - their pet's name
    - "password", "secret", "system", in any language
    - blank

    This is also a silly thing to do, since anybody could guess it and again,
    misuse it.

    In short, there are two important things when choosing a password: hard to
    guess, but easy to remember.

    General criteria for setting up password guidelines include the following:
    - Don't pick a password that is the same as your user ID
    - Don't pick a password that is similar to your previous password
    - Don't pick a password that someone can easily guess if they know who you are
    (including your social security number, birthday, or maiden name)
    - Don't pick a word that can be found in the dictionary (since password cracker
    programs can easily be configured to perform dictionary attacks)
    - Don't pick a word that is currently newsworthy
    - Don't pick the same password for all systems that you've been given access to
    - Do pick a word that you can easily remember
    - Do pick a mixture of letters and at least one number

    AO QuickTip from ZeroOne:
    Passwords are like underpants. Change them often enough (especially if asked
    to), use only your own ones, don't keep them visible, don't brag about them
    and remember that changing them too often is not a sin.

    Some systems even require a stricter policy regarding passwords, such as:
    - Don't pick a password that has three or more of the same characters as your
    previous one
    - Do pick a password that starts with letters, followed by numbers, and ends
    with letters

    Some security experts also recommend the use of a combination of lowercase and
    uppercase letters, and even special characters like #, $, !, etc. While it is a
    good practice to follow, be careful not to let yourself easily forget your
    password because it's too complicated.

    Finally, some security policies explicitly forbid password sharing. All users
    must have and maintain their own password.


    Common Practices.

    In this tutorial, I will suggest some common practices on how to make a
    good password.

    1. Pick an ordinary word and replace some letters with numbers.

    This is probably the simplest technique you can use to create a good
    password. Some hackers may even naturally read and write words this way.
    The idea is to replace letters in the base word with numbers that have a
    similar look. We will start with this conversion list:
    O -> 0
    I -> 1
    Z -> 2
    E -> 3
    A -> 4
    S -> 5
    G -> 6
    J -> 7
    B -> 8

    Note that you can have your own list. The important thing is that you can
    easily do the conversion without having to look at the list. That's the
    reason why we convert letters into numbers with a similar look.

    It's time to practice now. What's your favorite word? Let's try favorite.
    After conversion, favorite becomes f4v0r1te. Well, this is a good password.
    Don't you love your grandmother? Grandmother converts into 6r4ndm0ther.
    This is also a good one. Does Jessica make you crazy? Jessica turns into
    7e551c4. Wow! Easy, isn't it?

    Easy, yes. But this technique could be easy to crack. Some password cracker
    programs can be configured to crack passwords based on dictionary words and
    then try to apply the conversion. As long as you use dictionary words or other
    common words, the resulting password should be immune to the converted
    dictionary attack.

    2. Pick some words and replace some with single letter/number.

    This technique is as simple as the first one. The idea is to replace a word
    with a letter/number that has a similar sound. We will start with this
    conversion list:
    bee -> b
    see -> c
    eye -> i
    and -> n
    you -> u
    tea -> t
    why -> y
    to -> 2
    too -> 2
    for -> 4
    fore -> 4

    Again, you can have your own custom list. Just make it easy for you to
    remember.

    So, TooHardForYou becomes 2hard4u, and AndYouSeeOneTooNow becomes nuc12now.
    Or perhaps you want to be a bit more creative and make TeaForTwoPlease
    convert into t42pls?

    All passwords created with this technique are generally better than the
    previous ones, since they include more than one word. As a result, they are
    more immune to crackers (except when he/she decides to use a brute force
    attack, or even social engineering).

    You can also combine technique 1 and 2. Then ISeeYouSmile becomes icusm1le,
    and WhyCantYouSee becomes yc4ntuc. Be careful, though, not to make the
    conversion rule too complicated and hard to remember.

    3. Pick an entire line of your favorite poem or song and pull the first letter
    of every word.

    This technique is a simple variation of the previous ones. The idea is based
    on the fact that every person has his/her own favorite song and would never
    forget its lyrics.

    What's your favorite song? Well, this is the first line of "Kiss Kiss" from
    Holly Valance: "When you look at me, tell me what you see". Now, pulling the
    first letter of every word will produce wylamtmwys. Not good enough?
    Combining it with technique 1 will result in wyl4mtmwy5. That's better. Or
    do you prefer using technique 2 and make it wulamtmwuc or even wul4mtmwuc?

    4. Pick any series of characters that you like and do a keyboard mapping.

    This technique is totally different from the others. The main idea is to use
    the keyboard mapping for the conversion. Since you will always have to use
    a keyboard for entering the password anyway, why not use it to do the
    on-the-fly conversion? This way you won't need to remember those conversion
    rules.

    The other idea is that on the keyboard, numbers are positioned just above
    letters. By pressing the key that is above the original key, we may get a
    number instead of a letter (typically for those in the QWERTY row). Replacing
    letters with numbers will make a good password, right?

    By now you'd be able to easily pick a word or other series of characters as
    the base word. We will start with replacing every character in the base word
    with the character in its upper-left position on the keyboard. For example:
    Q -> 1
    W -> 2
    A -> Q
    S -> W
    N -> H
    M -> J

    As always, you can have your own rule, such as an upper-right mapping. The key
    thing is that it's easy to remember.

    Let's try now. igetyourpoint becomes 8t356974098h5. imfullnow becomes
    8jr7ooh92. nomoreplease becomes h9j9430o3qw3. Yes, those are great
    passwords!


    Conclusion.

    This tutorial is actually only meant to be a starting point for us, to have a
    habit of always choosing good passwords for any system that we need to
    access, even if it's not a critical one. The two important things that make a
    good password are hard to guess but easy to remember. The common practices
    discussed here show us it's not that hard to make one.


    =================================== CUT HERE ===================================


    ok, 1h0peuen70yth1512. see ya again...

    <jdenny>
    Always listen to experts. They'll tell you what can't be done and why. Then go and do it. -- Robert Heinlein
    I'm basically a very lazy person who likes to get credit for things other people actually do. -- Linus Torvalds

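Techniques 1 and 4 above are fixed one-to-one rules, so each base word yields exactly one password and a cracker who knows the rule is back to guessing the original word list. The following added example, not part of the original post, shows this from the policy-check side: it reverses both conversions (using the tutorial's digit table and the QWERTY upper-left shift) and flags a password whose undone form is a plain word-list entry. The word list is constructed here for illustration.

```python
from typing import Optional, Tuple

# Technique 1 table from the tutorial, inverted (digit -> letter).
DIGIT_TO_LETTER = {"0": "o", "1": "i", "2": "z", "3": "e", "4": "a",
                   "5": "s", "6": "g", "7": "j", "8": "b"}

# QWERTY rows. Technique 4 replaces the key at row r, column k with the key
# at row r-1, column k (q->1, w->2, a->q, n->h, ...), so undoing it means
# moving one row down in the same column.
QWERTY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
UPPER_LEFT_INVERSE = {
    QWERTY_ROWS[r][k]: QWERTY_ROWS[r + 1][k]
    for r in range(len(QWERTY_ROWS) - 1)
    for k in range(len(QWERTY_ROWS[r + 1]))
}

# Constructed word list standing in for a cracker's dictionary (hypothetical).
WORDLIST = {"favorite", "grandmother", "jessica", "password",
            "igetyourpoint", "imfullnow", "nomoreplease"}


def unleet(pw: str) -> str:
    """Undo technique 1: map each look-alike digit back to its letter."""
    return "".join(DIGIT_TO_LETTER.get(c, c) for c in pw.lower())


def unshift_keyboard(pw: str) -> str:
    """Undo technique 4: move every key one row down, same column."""
    return "".join(UPPER_LEFT_INVERSE.get(c, c) for c in pw.lower())


def check_password(pw: str) -> Tuple[bool, Optional[str]]:
    """Return (weak, reason). The password is weak if it, or its un-converted
    form under either rule, is a word-list entry."""
    if pw.lower() in WORDLIST:
        return True, "word-list entry"
    if unleet(pw) in WORDLIST:
        return True, "technique 1 of word-list entry " + unleet(pw)
    if unshift_keyboard(pw) in WORDLIST:
        return True, "technique 4 of word-list entry " + unshift_keyboard(pw)
    return False, None


if __name__ == "__main__":
    # The tutorial's own examples are all caught; a random string is not.
    for cand in ["f4v0r1te", "6r4ndm0ther", "8t356974098h5", "F2l_+ab2P"]:
        print(cand, check_password(cand))
```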

  2. #2
    Senior Member
    Join Date
    Jul 2002
    Posts
    339
    Here is the text file of the tutorial.
    Always listen to experts. They'll tell you what can't be done and why. Then go and do it. -- Robert Heinlein
    I'm basically a very lazy person who likes to get credit for things other people actually do. -- Linus Torvalds


  3. #3
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    or just stare at your keyboard and randomly select 8 or more characters... It might sometimes be harder to remember afterwards but I find that after using it just 2 to 4 times I know it pretty much by heart...

    Example of a password I'd generate on the fly and use: F2l_+ab2P

    Oh, and a little tip for those who use multilanguage systems (like win2000 with French and English keyboard maps installed): if you use symbols (!"/$%?&*()_+ ), try to stay with symbols where the key mapping is the same in both languages, like !$%&*()_+-=
    The reason for this is easy but not always obvious until it bites you: if the loaded keyboard map isn't the one you were expecting, you could be writing the wrong password while hitting all the right keys... It can be quite frustrating...

    Ammo
    Credit travels up, blame travels down -- The Boss

  4. #4
    Senior Member
    Join Date
    Aug 2002
    Posts
    310
    I'd say it's a decent tutorial, but I use ammo's technique. I don't have any memory problems. Just type it a few times if need be and *BOOM* committed to memory.
    I don't believe in anarchy. If you're not smart enough to beat the system it's your problem.


  5. #5
    Senior Member
    Join Date
    Oct 2001
    Location
    Helsinki, Finland
    Posts
    570
    I was wondering if (m)any of you are using some program that saves all your passwords behind one password? They usually also save the address where they're used and some free comment.
    I can quickly (= while writing this message) think of ten places (on the internet) where I currently have a password. Not to mention all the numerical passwords like mobile phone PIN or the door code or..

    I'm not using one but I've considered getting one. I think it wouldn't be worth it because I use several computers and I would have to keep them all synchronized. So far I've managed to remember them well enough, though sometimes I log on to some seldom used services by clicking "forgot your password?" and then retrieving it. Oh yeah, and even the user name can be hard to remember...

    Edit/Add: Someone posted this link, Ten Windows Password Myths, here a while ago on some forum..: http://online.securityfocus.com/infocus/1554
    Comments about it? I thought it was quite OK.
    Q: Why do computer scientists confuse Christmas and Halloween?
    A: Because Oct 31 = Dec 25

  6. #6
    Senior Member Zonewalker
    Join Date
    Jul 2002
    Posts
    949

    Zero One... hi...... put it this way, if you're looking for a good program to save all your p/w in then Password Safe is well worth considering......

    can be d/l from

    http://sourceforge.net/projects/passwordsafe/

    apart from the fact that it's free and is also open source, it's also verified by Bruce Schneier - more info at -

    http://www.counterpane.com/passsafe.html

    if you're interested. hope it helps.....


    Z

    PS.. and to answer your question - yep I use it.... wouldn't use any other!

  7. #7
    Member
    Join Date
    Aug 2002
    Posts
    35
    The best passwords are random ones.
    I'll think of one when I get time.

  8. #8
    Junior Member
    Join Date
    Aug 2002
    Posts
    21
    Thanks.. I always have the hardest time choosing passwords... b/c I'm scared they are too easy to find out...

    but this should help out a lot....
