October 17th, 2005 06:13 AM
Creating Good Passwords
We get questions all the time about what is a good password and how to create one so I put together the document in the attached zip file as guidelines for creating "good" passwords.
This document is really written for non IT people as guidance and was written as part of a review of our password policies (many users in our organisation are not real switched on as far as IT is concerned).
I thought others may be interested.
The following link also has some good stuff:
October 17th, 2005 06:46 AM
Seriously, you can't take the time to format 3 pages to match this forum?
Although it is very well written and offers good suggestions, at least have the decency to post it properly so the web sipders can index it and the rest of the world can benefit.
Not preformatiing it for the benefit of the rest of us is just rude. I would recommend you take the time to to that for your next tutorial.
Government is like fire - a handy servant, but a dangerous master - George Washington
Government is not reason, it is not eloquence - it is force. - George Washington.
Join the UnError
October 18th, 2005 12:13 AM
Below is the full text in the post. I still think the file from my original post above is easier to read but if people are keen to have the text in the post then I am happy to do it.
Striek - I take your point on the search engines!
Guidelines on Constructing Passwords
Constructing a 'good' password is a very important part of ensuring data and network security. If a malicious user can get hold or 'crack' your password they can access the system with your identity and with your access rights.
A 'good' password is one that is:
1) Difficult for malicious users to guess - easy passwords to guess include dictionary words, usernames and passwords that don't contain a mixture of character types.
2) Easy for you to remember - usually something you can relate to and remember that you don't need to write down.
Many people think of these as mutually exclusive, however passwords can be both complex and quite easy to remember. Below I will show some methods that you can use for constructing complex, easy to remember passwords.
A password should, and can be forced to, meet certain complexity requirements to make it harder to crack. A password is complex if it has a mixture of character types. These character types include:
1) Special characters e.g. !@#$%^&*()? etc
2) lower-case characters e.g. abcde.....z
3) UPPERCASE characters e.g. ABCDE.....Z
4) Numerals e.g. 1234567890
The complexity of the password comes from its length, its difficulty to guess and the number of possible characters that a character could be derived from.
For example if you have a password of only lower case characters, each character can be one of 26 possible values. If you add uppercase characters it increases to 52 possible values for each character and if you add special characters you have even more possible values.
Below is a simple example of the theoretical number of attempts it would take to crack a 5 character password under the scenarios outlined above
1) lower-case only - 11,881,376 attemps
2) uppercase and lower-case - 380,204,032 attempts
3) lower-case, uppercase and special characters (based on 25 special characters) - 2,706,784,157 attempts
Password Generation methods
Method 1 - Character Substitution
Character substitution is where you take a lower-case dictionary word and substitute in special characters, numbers and uppercase letters to make them more complex. Examples of common substitutions are
1) $, S or 5 for s
2) 1, I or ! for i
3) @ or A for a
4) 7 or T for t
5) 3 or E for e
6) 9, G or 6 for g
7) 0 or O for o
8) 8 or B for b
Examples of words and associated passwords include:
1) monday - M0nD@y! (where 0 is a zero)
2) guidelines - Gu1D3l!ne5
3) important - 1mP0rt@N7?
Method 2 - Joining words with character substitution
This is where you make two separate words into one longer password. You will also need to do character substitution to ensure that the password meets complexity requirements.
internet explorer - 1nt3rN3TeXp70r3R
happy days - h@pPyD@Y$?
good boy - 60odB0y!
Method 3 - Substituting codes or words into other words
Under this method you substitute in patterns, codes or words into other words to make a stronger password. For example inserting numbers between the letters of the original word.
Examples include (original word - Pattern/Code/Word to insert - Password)
1) internet - numbers doubling eg 1,2,4,8,16 - I1n2T3e4R8n16E32t!
2) today - favourite colour Orange - t0oRd@aNyGe
3) John - favourite footy team tigers - Jt0iHgN3r$
Method 4 - Creating a password from phrases with character substitution
Another common method for constructing passwords is to take letters from the words of phrases and do character substitution from there. Phrases can be any number of things, they can be statements, locations, lines from books or movies etc. This is best explained with examples.
(Phrase - How to construct word - 'Word' Using Parts of phrase - final password with substitution)
1) To be or not to be that is the question - First letter from each word - Tbontbtitq - 7b0n7B7!7?
2) The next generation is you - First and last letter from each word - Tentgnisyu - 73n79N!$yU!
3) 45 main street - First 2 letters in word with a number between first letter of each word in capitals - Fo1Fi2Ma3St4 - Fo1F!2M@3St4
4) I drive a holden commodore now - First letter of each word with the characters of my number plate between (assume number plate is ABC 123) - iAdBaCh1c2n3 - !AdB@Ch1c2n3!
Of all these methods, method 3 and 4 are the best, there is nearly an endless amount of phrases or words you can use and an endless amount of different ways you can create passwords from those phrases or words.
Method 2 is more secure then method 1 as password crackers are becoming more aware of character substitution and include checks for common substitutions when they are trying to crack passwords (for example P@$$w0rd is a common character substitution password).
When determining your new password think of common words phrases you will remember, a method of selecting characters from those phrases, and then your method of character substitution. When it is time to change your password again you can keep the same methods for substitution and selecting characters (obviously do not tell them to anyone else) and just select a new word or phrase.