hi all. thanks to those who have appreciated my previous tut. i did spend some
time to make it understandable in one pass* and to quote any links i refer to.
that's probably something you won't find at plain google.

*) usually a compiler reads (and processes) a source program in multiple passes
before eventually producing the actual binary. a typical compilation consists of
at least two passes: scanning (grouping series of characters into tokens) and
parsing (grouping series of tokens into program structures).


background: in this tut, we'll talk about how to make a good password. yeah,
actually i was gonna start a poll on what kind of words people tend to
choose for their password. but as an AO newbie, i guess i could be suspected of
trying to crack some system... ;-) here, again, i try to avoid talking about
technical issues. just let me focus on people: how people choose their
passwords, and more importantly, how they should.


=================================== CUT HERE ===================================


Document Code: JDTT0202 - <jdenny>

Good Password: A Practical Guide.


Introduction.

Since the computer was invented, people have been dealing with passwords. With
the rise of client-server computing, people have to deal with passwords even
more. We must enter a user ID and password pair every time we log on to our
machine, start an application, dial in to the Internet, open our mailbox, etc.
This list never seems to stop expanding.

Currently, Internet business and many other transactions require a more
stringent means than the user ID and password combination. The use of digital
certificates issued and verified by a Certificate Authority (CA) as part of a
public key infrastructure is considered likely to become the standard way to go.
But until all systems apply and conform to this new standard, we will still
have to deal with passwords, i.e. choose good ones and maintain them.


Definitions.

Before talking further about passwords, we need to talk about two processes
which explain why we would need passwords in the first place: authentication
and authorization.

Authentication is the process of determining whether someone or something is,
in fact, who or what it is declared to be. In private and public computer
networks (including the Internet), authentication is commonly done through the
use of logon passwords. Knowledge of the password is taken as proof of
identity.

Authorization is the process of giving someone permission to do or have
something based on an access control list. This list, defined by a system
administrator, maps users to the resources of the system and their privileges
of use (such as which file directories they may access, hours of access,
amount of allocated storage space, and so forth).

Logically, authentication precedes authorization, although they may often seem
to be combined in a single process.

So, a password is a secret, unspaced sequence of characters used to
authenticate a user requesting access to a system. Typically, a user of a system
claims a unique name, his/her user ID, which may be generally known. To
verify that someone entering that user ID really is that person, a second
identifier, his/her password, known only to that person and to the system
itself, is entered by the user.


Criteria for a Good Password.

A password is typically somewhere between four and 16 characters, depending on
how the system is set up. When a password is entered, the computer system is
careful not to display the characters on the screen, in case others might see
it.

Ideally, the password should be something that nobody could guess. That makes
the password secure. But don't make it too difficult to remember. For example,
iU81mDha is a hard to guess password. But can you remember it easily? What
would you do if you had to use that password and could not change it to
something else? Some people would render their password useless by writing it
down on a sticky note on top of their monitor. This is a silly thing to do,
since anybody could see it and misuse it.

In practice, most people choose a simple word that is easy to remember, such as:
- their name or their initials
- their girlfriend's/boyfriend's name
- their child's name
- their pet's name
- "password", "secret", "system", in any language
- blank

This is also a silly thing to do, since anybody could guess it and again,
misuse it.

In short, there are two important things when choosing a password: it must be
hard to guess, but easy to remember.

General criteria for setting up password guidelines include the following:
- Don't pick a password that is the same as your user ID
- Don't pick a password that is similar to your previous password
- Don't pick a password that someone can easily guess if they know who you are
(including your social security number, birthday, or maiden name)
- Don't pick a word that can be found in the dictionary (since password cracker
programs can easily be configured to perform a dictionary attack)
- Don't pick a word that is currently newsworthy
- Don't pick the same password for all systems that you've been given access to
- Do pick a word that you can easily remember
- Do pick a mixture of letters and at least one number

AO QuickTip from ZeroOne:
Passwords are like underpants. Change them often enough (especially if asked
to), use only your own ones, don't keep them visible, don't brag about them
and remember that changing them too often is not a sin.

Some systems even require a stricter password policy, such as:
- Don't pick a password that shares three or more characters with your
previous one
- Do pick a password that starts with letters, followed by numbers, and ends
with letters

Some security experts also recommend using a combination of lowercase and
uppercase letters, and even special characters like #, $, !, etc. While it is
good practice to follow, be careful not to make your password so complicated
that you easily forget it.

Finally, some security policies explicitly forbid password sharing. All users
must have and maintain their own password.
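As an added example (not part of the original tutorial), here is a small checker that turns the Do/Don't list above into code. The wordlist is a constructed stand-in for a real dictionary file, and the reading of "three same characters" as three characters in the same position is my own assumption, since the tutorial does not define it.

```python
import re

# Constructed stand-in for a real dictionary file (assumption, not the
# post's): a real checker would load a full wordlist here.
WORDLIST = {"password", "secret", "system", "favorite", "grandmother"}

def check_password(password, user_id, previous=None, strict=False):
    """Return the guideline violations for a candidate password.

    Encodes the Do/Don't list above; strict=True adds the stricter policy
    (three shared characters with the previous password, and the
    letters-numbers-letters layout). An empty list means acceptable.
    """
    problems = []
    low = password.lower()
    if not password:
        problems.append("blank password")
    if low == user_id.lower():
        problems.append("same as user ID")
    if previous and low == previous.lower():
        problems.append("same as previous password")
    if low in WORDLIST:
        problems.append("dictionary word")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"[0-9]", password)):
        problems.append("needs a mixture of letters and at least one number")
    if strict and previous:
        # "three same characters" read as the same character in the same
        # position; that reading is mine, the post does not define it.
        shared = sum(a == b for a, b in zip(low, previous.lower()))
        if shared >= 3:
            problems.append("shares three or more characters with previous password")
    if strict and not re.fullmatch(r"[A-Za-z]+[0-9]+[A-Za-z]+", password):
        problems.append("strict layout is letters, then numbers, then letters")
    return problems

if __name__ == "__main__":
    for candidate in ("favorite", "jdenny", "f4v0r1te"):
        print(candidate, check_password(candidate, "jdenny") or "OK")
```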


Common Practices.

In this tutorial, I will suggest some common practices for making a good
password.

1. Pick an ordinary word and replace some letters with numbers.

This is probably the simplest technique you can use to create a good
password. Some hackers may even naturally read and write words this way.
The idea is to replace letters in the base word with numbers that look
similar. We will start with this conversion list:
O -> 0
I -> 1
Z -> 2
E -> 3
A -> 4
S -> 5
G -> 6
J -> 7
B -> 8

Note that you can have your own list. The important thing is that you can
easily do the conversion without having to look at the list. That's the
reason why we convert letters into numbers with a similar look.

It's time to practice now. What's your favorite word? Let's try favorite.
After conversion, favorite becomes f4v0r1te. Well, this is a good password.
Don't you love your grandmother? Grandmother converts into 6r4ndm0ther.
This is also a good one. Does Jessica make you crazy? Jessica turns into
7e551c4. Wow! Easy, isn't it?

Easy, yes. But this technique can be easy to crack. Some password cracker
programs can be configured to take dictionary words and then apply the
conversion. As long as you use dictionary words or other common words, the
resulting password will not be immune to this converted dictionary attack.

2. Pick some words and replace some with a single letter/number.

This technique is as simple as the first one. The idea is to replace words
with a letter/number that sounds similar. We will start with this
conversion list:
bee -> b
see -> c
eye -> i
and -> n
you -> u
tea -> t
why -> y
to -> 2
too -> 2
for -> 4
fore -> 4

Again, you can have your own custom list. Just make it easy for you to
remember.

So, TooHardForYou becomes 2hard4u, and AndYouSeeOneTooNow becomes nuc12now.
Or perhaps you want to be a bit more creative and make TeaForTwoPlease
convert into t42pls?

All passwords created with this technique are generally better than the
previous ones, since they include more than one word. As a result, they are
more resistant to crackers (unless the cracker resorts to a brute force
attack, or even social engineering).

You can also combine technique 1 and 2. Then ISeeYouSmile becomes icusm1le,
and WhyCantYouSee becomes yc4ntuc. Be careful, though, not to make the
conversion rule too complicated and hard to remember.

3. Pick an entire line of your favorite poem or song and pull the first letter
of every word.

This technique is a simple variation of the previous ones. The idea is based
on the fact that every person has his/her own favorite song and would never
forget its lyrics.

What's your favorite song? Well, this is the first line of "Kiss Kiss" from
Holly Valance: "When you look at me, tell me what you see". Now, pulling the
first letter of every word will produce wylamtmwys. Not good enough?
Combining it with technique 1 will result in wyl4mtmwy5. That's better. Or
do you prefer using technique 2 and make it wulamtmwuc or even wul4mtmwuc?

4. Pick any series of characters that you like and do a keyboard mapping.

This technique is totally different from the others. The main idea is to use
the keyboard layout for the conversion. Since you will always have to use
a keyboard to enter the password anyway, why not use it to do the
conversion on the fly? This way you won't need to remember any conversion
rules.

The other idea is that on the keyboard, the numbers are positioned just above
the letters. By pressing the key above the original key, we get a number
instead of a letter (for the letters in the QWERTY row). Replacing letters
with numbers makes a good password, right?

By now you should be able to easily pick a word or other series of characters
as the base word. We will start by replacing every character in the base word
with the character in the upper-left position on the keyboard. For example:
Q -> 1
W -> 2
A -> Q
S -> W
N -> H
M -> J

As always, you can have your own rule, such as an upper-right mapping. The key
thing is that it is easy to remember.

Let's try now. igetyourpoint becomes 8t356974098h5. imfullnow becomes
8jr7ooh92. nomoreplease becomes h9j9430o3qw3. Yes, those are great
passwords!
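The four techniques above, written out in Python as an added example (this is my code, not part of the original tutorial). It reproduces the tutorial's own results, and ends with the check from technique 1's caveat: undoing the look-alike table and comparing against a dictionary, which is exactly why a converted dictionary word is weak. The "one" -> "1" entry and the wordlist are my additions, the latter a constructed stand-in for a real dictionary.

```python
# Added example, not from the original post: the four techniques above in
# Python, plus a check showing why technique 1 on its own is weak.
LOOKALIKE = dict(zip("oizeasgjb", "012345678"))   # technique 1 table

def technique1(word, keep=""):
    """Replace look-alike letters with digits; letters listed in 'keep'
    stay as they are (the post's examples leave 'e' unchanged)."""
    table = {k: v for k, v in LOOKALIKE.items() if k not in keep.lower()}
    return "".join(table.get(ch, ch) for ch in word.lower())

# Technique 2 table; "one" -> "1" is my addition so the post's nuc12now works.
SOUNDALIKE = {"bee": "b", "see": "c", "eye": "i", "and": "n", "you": "u",
              "tea": "t", "why": "y", "to": "2", "too": "2", "for": "4",
              "fore": "4", "one": "1"}

def technique2(words):
    """Replace whole words with a sound-alike letter or digit."""
    return "".join(SOUNDALIKE.get(w.lower(), w.lower()) for w in words)

def technique3(line):
    """Keep the first letter of every word of a song line."""
    return "".join(w[0] for w in line.split()).lower()

# Technique 4: the key above and to the left on a QWERTY keyboard.
QWERTY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
UPPER_LEFT = {ch: QWERTY_ROWS[r - 1][i]
              for r in range(1, len(QWERTY_ROWS))
              for i, ch in enumerate(QWERTY_ROWS[r])}

def technique4(word):
    """Shift every character to its upper-left neighbour (unknown keys stay)."""
    return "".join(UPPER_LEFT.get(ch, ch) for ch in word.lower())

# Why technique 1 alone is weak: the table can be undone and the result
# compared against a dictionary. WORDLIST is a constructed stand-in for one.
UNDO = str.maketrans("012345678", "oizeasgjb")
WORDLIST = {"favorite", "grandmother", "jessica", "password", "secret"}

def is_converted_dictionary_word(password):
    """True when undoing technique 1 turns the password into a listed word."""
    return password.lower().translate(UNDO) in WORDLIST

if __name__ == "__main__":
    print(technique1("favorite", keep="e"), technique4("igetyourpoint"))
    print(is_converted_dictionary_word("f4v0r1te"),
          is_converted_dictionary_word("2hard4u"))
```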


Conclusion.

This tutorial is only meant as a starting point for us to get into the habit
of always choosing good passwords for any system we need to access, even if
it's not a critical one. The two important things that make a good password
are that it is hard to guess but easy to remember. The common practices
discussed here show that it's not that hard to make one.


=================================== CUT HERE ===================================


ok, 1h0peuen70yth1512. see ya again...

<jdenny>