Secure Passwords Tutorial

Thread: Secure Passwords Tutorial

  1. #1

    Secure Passwords Tutorial


    This tutorial was designed as a guideline for choosing good passwords for computer users. Password security is a very important thing that many people overlook. You usually think about a password as a tiny thing that protects your hotmail account. But what about your online banking, where your credit card number is, or your eBay account? Anywhere you use a password, it is critical that it's a strong password. Password cracking has evolved a lot, there are now very many password crackers available to anyone to download for free, and most users fell back in time on making secure passwords. So whether it's protecting your computer, or online accounts, it has to be a strong password in order for your information to be safe.

    What Not To Use
    Many users use in their passwords things from personal life, such as:
    >>names
    >>birthdays
    >>dates
    Do not use this, under any circumstances. These things can be easily guessed, and more easily cracked. Never use obvious things from your life, such as names, birthdays or other dates. Anyone who knows you a bit can easily guess your password. Password crackers have all the names, and can try hundreds of number combinations very fast. Never use these things in your password.

    Password Generators
    Password generators do indeed create strong passwords, but they have other flaws. The passwords that they spit out are hard to remember, and take long to type. They are also vulnerable against the password-generating algorithm, which some password crackers might use in order to reverse the decrypting process.

    The Longer The Password, the Better
    In the old days, the characters in a password of an NT box were limited to 14. Today, Windows 2000 and Windows XP allow up to 127 characters as a password. The longer your password, the longer it will take to crack. One thing that was discovered is that if you make a password in Windows longer than 15 characters, Windows does not store the LanMan hash properly. This protects you against brute force attacks of password crackers.

    Make Use Of Characters/Symbols
    In order to make a strong password, it's recommended that you use all types of characters and symbols.

    >>Lower Case – a,b,c,d
    >>Upper Case – A,B,C,D
    >>Symbols – @,#,$,%,^
    >>Numerals – 1,2,3,4
    >>Alt Characters – ¬, Ä (Alt Characters Table)

    It is highly recommended to use a combination of these characters, numerals and symbols. If you don't want to use the Alt Characters, use upper and lower case, numerals and symbols, which will create a strong password, and make it hard for password crackers to break it. One interesting example could be NeonWizard20@email.com. While this might seem unusual to you, this password uses upper/lower case characters, numerals, and symbols. When I put it in a Password Strength Meter, it showed me that it is a very strong password. However, make sure you don't use your real email address. This kind of type is only an example. It uses all the characters and symbols; it's easy to remember, hard for password crackers to break, and no one could even think of guessing it.

    Using Space
    Passwords in Windows 2000 & XP can use space. It is not recommended to use space at the beginning or at the end of the password. The other downside of it is the sound that the keyboard makes when you press the space bar, and someone can easily tell that you pressed space on your keyboard.

    Inversed Words
    Some people think it's good to write a word inversed. Such as admin, could become nimda. Password crackers will try to reverse all the words, so it's not a good idea to write inversed words. It's still easy to crack a normal word, even if it's inversed.

    Using Different Passwords For Different Accounts
    Why don't all the doors on your street use the same key? Because your neighbours don't want you in their house. It's the same with you. If someone breaks or finds out a password, you don't want them snooping at your other accounts, such as online banking. That's why it's recommended that you use different passwords for different accounts. I don't mean use a different password for every account, but use one for your email and forums, and a different one for banking. But surely, please use a different one for important stuff such as banking, online shopping, or anything that has your credit card number in the account. If someone is after you, they're likely to try to break your email account first. If they find out that, they will try the same password for your other accounts too. In the end, you decide how you want to divide your accounts and passwords, likely due to how paranoid you are.

    Writing Down Passwords
    If you want to write down passwords, for whatever reason, make sure you keep them locked somewhere, in a safe if possible. Under no circumstances are they to be left on Post It notes, and pieces of papers in your desk. The room/office where your computer is located will be the first place that someone who breaks in will look for a written password. One reason that you might want to write down the password of the admin is in case he quits, so you can have access to the network. But if you do write it down, make sure it's locked properly.

    Public/Office Physical Security
    Another issue is keeping your password safe in a public/office workspace. People that walk by could peek at your keyboard while you're typing. Also, people who sit beside you could peek over at your keyboard. It happens in an environment where there are many people, and getting your password can be as easy as seeing what the person is typing. That's why you need to be familiar with your password. If you are, you can type it very fast, and even someone who is looking at your keyboard very close couldn't tell everything that you typed. Make sure no one stops behind your back, and if you are sitting close to someone, type the password fast and don't let them see the keyboard. Some people aren't even ashamed to look at your keyboard while typing the password.

    Convenience Over Security
    Many people don't even put passwords on their home computers. I can understand this, because every time you boot up you have to type the password. If you just let the system boot up without any logging on, it's easier. But what if someone breaks into your house, and steals it? It's going to be very easy for that person to get all your personal info. But putting passwords on people who travel with a laptop is a must. Laptop theft and misplacement happen a lot, and the first thing someone does after they get your computer is try to crack the password. I think that most laptops today come with tracking devices, and if your password is secure, it could take weeks if not months for a password cracker to break it. This could mean that your laptop could be recovered before they broke your password.


    Password Crackers
    Eventually, any password can be cracked. But the amount of time it takes to crack a password depends only on how good the password is. If it's a hard one, it could take weeks, and eventually, whoever is trying to crack it, will probably give up after a couple of hours. Password crackers are not sci-fi, as some people would think. Password crackers use word lists, brute force attacks, or both at the same time. Word lists are exactly what the name says, a very long list of words, which are combined in different methods in order to crack the password. Brute force attacks simply make every possible combination of characters and numerals, until they find the password. Brute force attacks are very slow, but eventually, they will find the right combination. Probably the most well known password cracker is John The Ripper.

    Resetting Passwords
    A thing that is widely overlooked by people is the ability to reset passwords. This is probably the easiest way to "break" someone's password. It's very simple, and even if you do have a strong password, anyone who knows you a bit can easily reset the password, make one of his or her own and take over your account. It can be done so quickly, here are the steps on how easy you can reset a Hotmail password. So you enter the email address, and type some bogus password. Then it tells you the password is wrong, and you want to reset it. You pick the country, and then you pick the state. Pretty easy if you know someone's password. There are hundreds of free online directories, such as White Pages and Yellow Pages, so type the name, and you easily get the zip code. This is for US, because if you're trying to reset someone's password that lives in Canada, it doesn't even ask you for a zip code. Here comes the part that really matters. How hard is the secret question and how hard is it to answer? Some of the secret questions are:
    >>Favorite pet's name
    >>Favorite Movie
    >>Anniversary
    >>Father's Middle Name
    >>Spouse's Middle Name
    >>First Child's Middle Name
    >>High School Name
    >>Favorite Teacher's Name
    >>Favorite Sports Team

    If you know somebody, even just a bit, you probably know the answer to these questions. So please, after you made your account, change the secret question and the answer. Don't make it easy and take it for granted, because probably the first way someone will try to get your password is by resetting it. Make the answer and the question difficult. One good question that I came across when I was trying to reset someone's password was: "Once upon of time". Now this may sound like a fairy tale, but I really got no idea what to type. There could be a thousand of answers to that. So, if you really care about your password being strong, make sure you make a good secret question and answer. And this is not just for Hotmail, but many other online services use this resetting method, extremely flawless if not used properly.

    The Importance of Logging Out
    Another thing that can be used to take over one's account, no matter how strong the password might be, is forgetting to log out from accounts when using a public computer. Some browsers do log you out automatically when you close it, but others don't. So please, if you do use a public computer, always log out from all your accounts.


    Finding Passwords
    Even if you do have a strong password, it can still be found in other ways, if you're not careful. Social engineering, the nice way to ask for someone's password, is one of them. This is for those 70% of people that would reveal their password for a chocolate bar, as a study conducted this year shows. Don't give the password to anyone, for whatever they got. Don't give it to your parents, friends, girlfriends, wives, or anyone else. If there is a real problem, the system administrator will probably come to you and ask for it. Another way to get a password is through key loggers. Be careful that you don't have one installed on the computer. Make spyware and virus checks often.

    Conclusion
    The best password is one that you can come up with on your own, not one that's spit out by a password generator. You must be familiarized with it, so you can type it fast, in case anyone is peeking over at your keyboard. A good password contains upper/lower case characters, numerals, and symbols. Also, it has to be long, 15 characters if possible. Only you can decide what the best password is for you. If you'd like to test the strength of it, please use the Password Strength Meter, or install a password cracker on your system to see how long it takes to figure out the password.
    Neon Security

    It's time to put an end to malicious code & black hat hackers - Use a firewall and anti virus!
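
As an added illustration of the checklist in the tutorial above (not part of the original post and not written by its author), this Python sketch audits a candidate password against the rules it lists: length, character classes, dictionary and reversed words, personal details and edge spaces, and it estimates the brute-force keyspace. The word list, the 128-character allowance for Alt characters and the guess rate are assumptions chosen for the example.

```python
import math
import re
import string

# Constructed sample word list; a real audit would load a full dictionary.
WORDLIST = {"admin", "password", "wizard", "neon", "letmein"}

CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": string.punctuation + " ",
}

def charset_size(pw):
    """Alphabet size a brute-force attack must cover for this password."""
    size = sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in pw))
    if any(ord(c) > 126 for c in pw):
        size += 128  # assumption: Alt characters add 128 candidates
    return size

def brute_force_bits(pw):
    """log2 of the keyspace: length * log2(alphabet size)."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0

def years_to_exhaust(pw, guesses_per_second=1e9):
    """Worst-case brute-force time at an assumed guess rate."""
    return 2 ** brute_force_bits(pw) / guesses_per_second / (365 * 24 * 3600)

def audit(pw, personal=()):
    """Return the tutorial's rules that this password breaks."""
    findings = []
    low = pw.lower()
    letters = re.sub(r"[^a-z]", "", low)
    if len(pw) < 15:
        findings.append("shorter than 15 characters")
    missing = [name for name, chars in CLASSES.items()
               if not any(c in chars for c in pw)]
    if missing:
        findings.append("missing classes: " + ", ".join(missing))
    if letters in WORDLIST:
        findings.append("dictionary word")
    elif letters[::-1] in WORDLIST:
        findings.append("reversed dictionary word")
    if any(p.lower() in low for p in personal if p):
        findings.append("contains personal detail")
    if pw != pw.strip():
        findings.append("leading or trailing space")
    return findings
```

An empty list from `audit` means only that none of these rules fired; the keyspace figure assumes pure brute force and overstates the effort needed against passwords built from guessable words.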

  2. #2
    are you the same guy as from security-forums.com? that's where i've seen this tutorial today too...

    b.t.w., i don't think there is anything wrong with a password generator, it generates a password, you remember it, works like a charm, especially when you need to change your password often to keep it safe, it might be more useful than coming up with one yourself (people have the tendency to use the same password again after a couple of times).

    but for the rest i totally agree with you nice tutorial!

  3. #3
    Macht Nicht Aus moxnix's Avatar
    Join Date
    May 2002
    Location
    Huson Mt.
    Posts
    1,752
    are you the same guy as from security-forums.com? that's where i've seen this tutorial today too...
    ?? Link please ??
    "Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!"
    Author Unknown

  4. #4
    BANNED
    Join Date
    Nov 2003
    Location
    San Diego
    Posts
    724
    When death sleeps it dreams of you...

  5. #5
    Yes, it's the same tutorial made by me.
    Neon Security


  6. #6
    Macht Nicht Aus moxnix's Avatar
    Join Date
    May 2002
    Location
    Huson Mt.
    Posts
    1,752
    That's cool, but you should provide a link or even just a note at the bottom that states that it has been posted on another site also. And of course, that it was you that posted it. Then if someone runs across it on another site it won't look like you or someone else plagiarized someone else's work.

    It is a good tutorial, as I said in my AP assignment.
