PASSWORDS AND SECURITY
- Security:
- Security is a multi-level program. It is like guarding a castle: you have a moat, tall walls and a strong gate. In a computer these are your firewall, anti-spyware and anti-virus. They keep most people out of your computer, but some can slip through, usually because you let them in or are tricked into opening the door. That is where password security takes over, protecting important files and personal information. Passwords are the combination lock on the vault or the key to the strong box.
-
- Refresher – Password Usage:
- These days we need a password or PIN everywhere. We have so many that we can’t keep track of them all. We forget to update them and when we do, it’s difficult to come up with effective ones that we can still remember, so we procrastinate changing them for months, even years. We all know this is bad, but the alternative – the painful, irritating password creation and memorization process – is sometimes more than we can tolerate. There is hope! Passwords don’t have to be complex cryptograms. A few simple methods can help make living with passwords a little easier.
-
- While we may find them annoying, it is important to remember why passwords are important: passwords are often the last defense against intrusion. They protect personal information – information we don’t want anyone and everyone to know. In our personal lives, this means financial information, health data, and private documents. In a professional context, this may encompass anything considered crucial to the success of the organization: trade secrets, financial data, intellectual property, customer lists, etc.
-
- Passwords are simpler and cheaper than other, more secure forms of authentication like special key cards, fingerprint ID machines, and retinal scanners. They provide a simple, direct means of protecting a system or account. We’ll define a ‘password’ as a word, a phrase, or combination of miscellaneous characters that authenticates the identity of the user. Passwords are generally used in combination with some form of identification, such as a username, account number, or e-mail address. While a username establishes the identity of the user for the computer or system, the password, which is known only to the authorized user, authenticates that the user is who he or she claims to be. This means that their function is to “prove to the system that you are who you say you are”.
-
- Password Cracking:
- While passwords are a vital component of system security, they can be cracked or broken relatively easily, much more easily than most users would think. (The difference between cracking and hacking is that codes are cracked, machines are hacked.) Passwords can be cracked in a variety of ways. The simplest is the use of a word list or dictionary program to break the password by brute force: these programs compare lists of words or character combinations against passwords until they find a match. Numerous password cracking tools are also available that any average person can use.
- A more technical way of learning passwords is through sniffers, which look at the raw data transmitted across the net and decipher its contents. “A sniffer can read every keystroke sent out from your machine, including passwords” (University of Michigan). It’s possible that someone out there has at least one of your passwords right now.
-
- How To Choose Good Passwords:
- In creating strong, effective passwords it is often helpful to keep in mind some of the methods by which they may be cracked, so let’s begin with what NOT to do when choosing passwords.
-
- 1. No Dictionary Words, Proper Nouns, or Foreign Words
- Since password cracking tools are very effective at processing large quantities of letter and number combinations until a match for the password is found, users should avoid using conventional words as passwords. You should also avoid regular words with numbers tacked onto the end and conventional words that are simply written backwards, such as ‘nimda’. While these may prove to be difficult for people to figure out, they are no match for the brute force attacks of password cracking tools.
-
- 2. No Personal Information
- One of the frustrating things about passwords is that they need to be easy for users to remember. Naturally, this leads many users to incorporate personal information into their passwords. However, it is alarmingly easy for hackers to obtain personal information about prospective targets.
- 3. Length, Width and Depth
- A strong, effective password requires a certain degree of complexity. Three factors can help users to develop this complexity: length, width and depth.
- Length means that longer is better. Probability dictates that the longer a password, the more difficult it will be to crack. It is generally recommended that passwords be between six and nine characters. Shorter passwords should be avoided.
-
- Width describes the different types of characters that are used. Don’t just consider the alphabet: there are also numbers and special characters like ‘%’, and in most operating systems upper and lower case letters are treated as different characters, particularly in passwords. As a general rule, the following character sets should all be included in every password:
-
- * uppercase letters such as A, B, C;
- * lowercase letters such as a, b, c;
- * numerals such as 1, 2, 3;
- * special characters such as $, ?, &;
- * alt characters such as µ, £, Æ.
-
- Depth refers to choosing a password whose meaning is hard to guess. Stop thinking in terms of passwords and start thinking in terms of phrases. “A good password is easy to remember, but hard to guess.” The purpose of a mnemonic phrase is the creation of a complex password that will not need to be written down. Examples of a mnemonic phrase include a phrase spelled phonetically, such as ‘ImuKat!’ (instead of ‘I’m a cat!’), or the first letters of a memorable phrase, such as ‘qbfjold*’ = “quick brown fox jumped over lazy dog.” What may be most effective is to convert some of those letters into other characters (substituting the number ‘3’ for the letter ‘e’ is a common example).
- Extra Protection:
- All of the good password cracking programs include foreign words, backwards words, etc. And since the easiest way to steal a password is simply to ask for it, the simplest defense is to never give it away. There are also certain behaviors that users should practice in order to maximize the effectiveness of their passwords. Users should avoid using the same password on multiple accounts. Doing this creates a single point of failure, which means that if an intruder gains access to one account, he or she will have access to all of the user’s accounts. Users should never disclose their passwords to anybody unless they are a known, trusted source, and even then, passwords should only be disclosed in person (not over the phone or by e-mail).
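- A checker that applies the length, width and depth rules above, together with the mnemonic-phrase method, as an added example that is not part of the original handout or the Symantec article it draws on. The word list and the leetspeak table are constructed for illustration; a real checker would load a full dictionary file.

```python
import re

# Constructed sample word list standing in for a cracker's dictionary.
WORDLIST = {"admin", "password", "welcome", "dragon", "monkey", "letmein"}

# The five character classes the handout calls "width".
CHARSETS = {
    "uppercase": lambda c: c.isascii() and c.isupper(),
    "lowercase": lambda c: c.isascii() and c.islower(),
    "numerals":  lambda c: c.isascii() and c.isdigit(),
    "special":   lambda c: c.isascii() and not c.isalnum() and not c.isspace(),
    "alt":       lambda c: not c.isascii(),
}
MIN_LENGTH = 6  # the handout's lower bound; treat it as a floor, not a target

# Common digit/symbol-for-letter swaps, mapped back so we can undo them.
UNLEET = str.maketrans("3401$@", "eaolsa")

def candidate_words(password: str):
    """Variants a dictionary cracker tries: the word itself, reversed,
    with trailing digits stripped, and with substitutions undone."""
    base = password.lower()
    stripped = re.sub(r"\d+$", "", base)   # 'admin123' -> 'admin'
    for w in (base, stripped):
        yield w
        yield w[::-1]                      # 'nimda' -> 'admin'
        yield w.translate(UNLEET)          # 'p@ssw0rd' -> 'password'
        yield w.translate(UNLEET)[::-1]

def check_password(password: str) -> list[str]:
    """Return the handout's rules that the password breaks (empty = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:                                   # length
        problems.append("too short")
    missing = [n for n, f in CHARSETS.items() if not any(f(c) for c in password)]
    if missing:                                                      # width
        problems.append("missing " + ", ".join(missing))
    if any(w in WORDLIST for w in candidate_words(password)):        # depth
        problems.append("dictionary word (possibly reversed or disguised)")
    return problems

def mnemonic(phrase: str, suffix: str = "*") -> str:
    """First letter of each word (the handout's 'qbfjold*' method),
    with the handout's 3-for-e substitution applied."""
    letters = "".join(w[0] for w in phrase.split())
    return letters.replace("e", "3") + suffix
```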
-
- Changing & Storing Passwords and PINs:
- In order to ensure their ongoing effectiveness, passwords should be changed on a regular basis. Changing passwords securely is fairly simple. Windows passwords are changed through the Control Panel. If it’s an online account, don't use a public computer to change the password. If at all possible, the password should be changed over a secure connection. Don’t let anybody watch while typing the old and new passwords. Exercise extreme caution when writing down or storing passwords.
- How often one should change passwords really depends on the account. Just use good judgment and don’t be lazy. Changing a password is relatively quick and painless compared to the irritating and expensive process of combating identity theft.
- Much of this information is from http://www.symantec.com/connect/articles/simplest-security-guide-better-password-practices
