Viewing Single Post From: Please Change Your Passwords Regularly
JRM
Moderator
Following a security problem on another board I am involved in, I think it sensible to reproduce a post I put there. This post is initially directed at all the mods and admins on here, but it won't hurt for ALL members to refresh your passwords too.

This guide to choosing a secure password is reproduced with kind permission from the original author - Mez (Glocal Support Moderator on the Invisonfree Support Board); for the original article go HERE.


It is essential that you choose good, secure passwords. However, it may not be obvious to you what constitutes a secure password. These are some tips to help you choose a good password.

If you read nothing else, read this.

Passwords should be:
- at least 7-8 characters long — longer is better
- composed of three of these character classes:

  - lower-case letters: abcd...
  - upper-case letters: ABCD...
  - numeric: 1234...
  - non-alphanumeric: !@#$<,"...

If your password is so complex that you need to write it down, choose another one.

Why worry about passwords?

A significant percentage of "hacked" boards can be traced to a poorly chosen password. Passwords are therefore among the most crucial — and most often exploited — aspects of computer security. One bad password can potentially compromise an entire system's security. If a user's password is discovered, an attacker can lurk around for months posing as that user and probing other security weaknesses at leisure, for example, deleting your board.

What's a poor password?

An easily cracked password has one or more of the following characteristics. Do not use any of the following in your password:
- a password that you have shared with someone else.
  Never tell anyone your password! No exceptions. System administrators do not need your password; they can access your account without it. If someone asks for your password, assume it's an attempt to break into your board — report this to a member of staff immediately;
- a dictionary word.
  If you can find it in a dictionary of any language, don't use it. Attackers trying to break into a system use computer programs that sniff out poor passwords. One of the first things that these programs do is try dictionary words — and they have access to dictionaries for all sorts of languages, so don't think you're safe by using German, Akkadian, or Farsi;
- your name or the name of your spouse, child, pet, boss or anyone.
  Do not use names in any form;
- your board username or the username of anyone on the board;
- anything that can be found out about you.
  The street or city where you live, your birthday, license plate number, your social security number, your phone number, the first line of your favorite song, your favorite quotation, etc.;
- anyone's birthday;
- movie or song titles;
- a password composed of all digits or all letters;
- dictionary words in which the letter "l" has been replaced with the number "1", or "E" with "3" (e.g. e1ephant or 3l3phant);
- a word to which a single digit has been appended or prepended (e.g. bookworm5 or 5bookworm);
- the name of your board;
- clever-seeming "magic words" from computer games (e.g. xyzzy);
- simple keyboard patterns like qwerty;
- any of the passwords that are used as examples on this page or anywhere else;
- any of the above spelled backwards;
- passwords that are written down on a note kept under your keyboard or in your desk, or are kept in a file on your computer (including email);
- a password that has never been changed or has not been changed in several months;
- a password that you have used before.

What's a good password?

Good passwords:

- must be at least 7 or 8 characters long — longer is better;
- have both uppercase and lowercase letters;
- also have digits and/or punctuation (this includes !@#$%^&*()_-+=[]{}:;'"\|<>,.?/, although your board may restrict some of these characters);
- must not appear systematic (e.g. abc123);
- are easy to remember, so they don't need to be written down;
- are only used on one board;
- are never shared with anyone;
- are changed frequently (at least every 90 days, preferably more often).

How do I choose a good password?

Although the above restrictions may seem intimidating, choosing a password can be easy.

1. You could do something simple like picking two words, splitting them into non-dictionary words, and adding a number and other characters to the middle:

Quote:
"wonderful morning" becomes "Wo58*Ng" (note that at least one letter is capitalized).

2. Another method is to use a sentence like:

Quote:
I bought 3 sandwiches for lunch today, George

and turn it into a password such as:

Quote:
Ib3s4l2d,G

using the first letter of each word, substituting numbers for words when possible (2d = today). This looks like a gobbledegook password — which is good, because it's hard to crack.

3. Another good system is keyboard patterns — type out a pattern on your keyboard (being sure to use numbers and the shift key occasionally). Be careful not to use simple patterns like qwerty!

4. If you have access to more than one board, you should use a different password on each one. Do not use your login password as the password on any other board. This might seem difficult, but you might simply modify a base password on each board you access.

For example, on a board called isis, the base Ib3s4l2d,G could be modified to Ib3s4l2d,Gi, while on a board called metro1 the password could be changed to Ib3s4l2d,Gm.

Obviously, because this method has now been published, you should choose another system for varying your passwords.

Once you choose a secure password, never share it with anyone, not even a system administrator.

Finally, if you absolutely must write down your password, follow a few basic precautions:

- don't write it down — choose another password, one that's easy to remember;
- don't identify your password as being a password;
- don't write down the name of the system for which it is a password;
- don't write it on a note that you keep under your keyboard or anywhere near your computer;
- instead of writing the actual password, try to disguise it. For example, if your password is Wo58*Ng, write gWo58*N. Again, you should choose a system more complex than this, now that this has been published for the world to see;
- don't write it down. Really.

This should be enough to give you a good start. If you have any questions, feel free to ask me.
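As an added illustration (not part of the original post or the author's own code), here is a small Python checker that encodes the post's rules for a board's registration or password-change form: minimum length, three of the four character classes, dictionary words (also leet-swapped, reversed, or with digits padded on), keyboard runs, abc123-style sequences, and the username or board name. The word list and keyboard rows are constructed stand-ins for the real lists such a checker would load.

```python
import string
# Constructed mini word list standing in for a real dictionary (assumption);
# a real checker would load multi-language lists as the post describes.
DICTIONARY = {"elephant", "bookworm", "password", "wonderful", "morning", "xyzzy"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
LEET = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}
MIN_LEN = 7  # the post asks for 7-8 characters; its own example Wo58*Ng is 7

def normalize(text):
    """Undo letter-for-digit swaps so e1ephant / 3l3phant read as elephant."""
    return "".join(LEET.get(c, c) for c in text)

def char_classes(pw):
    """Count how many of the four character classes the password uses."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    return sum(any(c in cls for c in pw) for cls in classes)

def is_dictionary_based(pw):
    """Dictionary word, also with digits appended/prepended, leet-swapped or reversed."""
    low = pw.lower()
    for base in {low, low.lstrip(string.digits), low.rstrip(string.digits)}:
        for cand in (base, normalize(base)):
            if cand in DICTIONARY or cand[::-1] in DICTIONARY:
                return True
    return False

def is_keyboard_pattern(pw, run=4):
    """Any run of `run` adjacent keys from one keyboard row, forwards or backwards."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            seg = row[i:i + run]
            if seg in low or seg[::-1] in low:
                return True
    return False

def is_systematic(pw):
    """Three characters in a row that step by one code point (abc, 123)."""
    codes = [ord(c) for c in pw.lower()]
    return any(codes[i + 1] == codes[i] + 1 and codes[i + 2] == codes[i] + 2
               for i in range(len(codes) - 2))

def check_password(pw, username="", board=""):
    """Return the rules from the post that the password breaks (empty list = acceptable)."""
    low = pw.lower()
    rules = [
        (len(pw) < MIN_LEN, "too short"),
        (char_classes(pw) < 3, "fewer than three character classes"),  # covers all-digit/all-letter
        (is_dictionary_based(pw), "based on a dictionary word"),
        (is_keyboard_pattern(pw), "keyboard pattern"),
        (is_systematic(pw), "systematic sequence"),
        (bool(username) and username.lower() in low, "contains username"),
        (bool(board) and board.lower() in low, "contains board name"),
    ]
    return [msg for hit, msg in rules if hit]
```

The post's own examples pass (Ib3s4l2d,G and Wo58*Ng return an empty list), while e1ephant, bookworm5, qwerty123 and abc123 each come back with the rule they break.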