By Scott DiNitto
One time I made a login account for someone to use on my system. We'll call her Mary. She needed to log in to my system to do some work, and so I created the user name mary with a temporary password mary123. I asked Mary to change it when she got a moment. That moment never came.
A few weeks later I found a slew of unaccounted-for network activity on my system. My system is directly attached to the internet, firewall fully configured, and this made me very concerned. Digging into the mystery, I discovered a program running that I had not installed or started. It was a network scanner of some sort, and it was trying to log into a list of systems, referencing another list with thousands and thousands of user name/password combinations.
Someone had broken into my system, installed the scanner, and started to attack other systems! I examined the files of this program and found in the user name/password list:
mary / mary123
The scanner was designed to break into other machines, replicate itself, and start all over again. And because I had an easily guessed password assigned to Mary, I was compromised.
The example above demonstrates that even a simple password can be compromised. Yeah, it seems like a big pain in the butt to use fancy strong passwords, but strong passwords don't have to equate to pain. To help avoid the need to pop a Percocet every time you enter a strong password, I have outlined a method to easily create one you can remember.
Password Best Practices: How To Pick A Password
If you ask a security professional the best way to form a password, you're going to get all sorts of different answers. But there are a few standard techniques you can use that I'm sure no expert would disagree with.
To demonstrate this effectively, let's start out by choosing a password. Let's use a typical simple weak password, city. Now, let's review a short list of general guidelines to test the strength of this password:
- Make sure your password is at least 6 characters long
- Make sure your password contains at least 2 non-alphabetical characters, such as 0-9, or two non-alphanumeric characters, such as #, % or &
- Make sure your password contains at least one capital letter
- Make sure your password is not a dictionary-based word
- Make sure your password is not your name followed by 123, e.g. mary123
- Don't use your husband's, wife's, or children's names for that matter
As you can see, the password city is not strong. It's under 6 characters long, there are no capital letters or numbers, and it's a word found in the dictionary. It seems as though you'd have to start all over again when coming up with a new password. Don't cry yet; there are a few things you can do to strengthen this password.
Phrase The Word
One easy way to both lengthen your password and turn it into something not found in the dictionary is to phrase it. So, for our password city, we can expand it by adding "at night" to it: cityatnight. This is now eleven characters instead of four, and it is also not found in the dictionary. And it's easy to remember.
Use l33t speak
Another problem with strengthening our password is how to add those non-alphabetic characters and still keep it memorable. One way to do this is to use leet, or l33t speak. That is, use numbers and other characters that look similar to the regular letters. For example:
* A becomes @
* C becomes (
* E becomes 3
* S becomes $
* O becomes 0 (zero)
* I or 1 becomes !
* D becomes |)
* And so on...
Basically, replace any letter with a character that closely resembles it. This keeps it readable to you, but not to password crackers. So, for our password cityatnight, we can l33t it by adding some replacement characters, and perhaps a capital in there as well. This produces the following updated password:
(!ty@n!ghT
This one extra step alone has taken care of two of the other conditions for a strong password: adding numbers and some non-alphanumeric characters. We also managed to get a capital letter in there. And most important, the password is still memorable.
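The guidelines listed above, turned into a checker and run over the three passwords from this article (city, cityatnight, (!ty@n!ghT). This is an added example, not the author's code; the tiny word list is a constructed stand-in for a real dictionary, and the owner/family names are parameters the caller supplies.

```python
# Constructed stand-in for a real dictionary file (assumption: a real deployment
# would load a full word list such as /usr/share/dict/words).
DICTIONARY = {"city", "night", "password", "secret", "mary"}


def check_password(pw, owner_name="", family_names=()):
    """Return {guideline: passed?} for each rule in the article's list."""
    lower = pw.lower()
    # digits and symbols both count as "non-alphabetical" characters
    non_alpha = sum(not ch.isalpha() for ch in pw)
    family = {n.lower() for n in family_names if n}
    return {
        "at_least_6_chars": len(pw) >= 6,
        "two_non_alpha_chars": non_alpha >= 2,
        "has_capital_letter": any(ch.isupper() for ch in pw),
        "not_dictionary_word": lower not in DICTIONARY,
        # "your name followed by 123", e.g. mary123
        "not_name_plus_123": not (owner_name and lower == owner_name.lower() + "123"),
        "no_family_names": not any(name in lower for name in family),
    }


def failed_rules(pw, **kw):
    """Names of the guidelines the password does not meet (empty list = strong)."""
    return [rule for rule, ok in check_password(pw, **kw).items() if not ok]


def is_strong(pw, **kw):
    return not failed_rules(pw, **kw)


if __name__ == "__main__":
    for candidate in ("city", "cityatnight", "(!ty@n!ghT", "mary123"):
        print(candidate, "->", failed_rules(candidate, owner_name="mary") or "strong")
```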
Other Considerations: Passwords May Be Sent In Clear-Text
Clear-text is a term for text that has not been altered in any way. It could simply be a sentence or a paragraph in its original form, and thus readable.
You may notice that when you enter a password on a web page, you never actually see the letters you're typing. Usually you will see asterisks or round circles in place of your letters. Although your password is hidden on the page itself, in almost all cases it remains clear-text inside the web page. When you click "Log in", that password is sent over the wire in a form that can be intercepted and read, adding a level of risk of exposing your login information.
When text is not clear-text, it exists in some format altered from the original and is thus not human-readable, as is the case with encrypted text. Encryption uses a mathematical formula to translate clear-text into a scrambled form so that it is no longer human-readable. This is what you hope the web site you're signing up for is doing.
The Website Always Knows Your Password
To log into a web site you've signed up for, the web site itself must know your user name and password in order to authenticate you and give you access to its system. This password is usually stored in a database, and most good web sites never require a human to see it while authenticating you. However, the fact remains that your password is in the system, and a person with the keys to the site does have the ability to see it.
Most competent web sites will not store your password in clear-text. Instead, they use an encryption algorithm to scramble it and store the scrambled version, which is not human-readable. When you log in, the web site takes the password you entered and encrypts it with the same algorithm it used when you signed up. The two scrambled passwords (the one stored on the web site and the one you just entered) can then be compared for a match.
Although the encrypted password is still a string of text, it can't be used to log in from the web page. If you submitted the encrypted password instead of your own, it would not match, because the encrypted password would itself be re-encrypted, and that result is different from the stored value.
Although it is standard practice to encrypt passwords that are stored on a system, there's no guarantee that a given web site is storing them this way. It's very possible that when you sign up for an account, all your information (name, address, social security number, user name, and password) is stored in clear-text.
If you use the same user name and password for many sites, it becomes possible for a system administrator to get their hands on your login information and try it against other systems. Although this would be a time-consuming effort to do by hand, many cracker programs easily automate this task.
Be Careful With This Password!
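The sign-up and login flow described in the two preceding sections, as an added example that is not part of the original article. The article calls the stored form "encrypted"; what sites actually store is a one-way salted hash, which is why even the person with the keys to the site cannot recover the password from it, and why submitting the stored value as the password fails. The algorithm (PBKDF2-HMAC-SHA256 with a random per-user salt) and iteration count are assumptions for this example.

```python
import hashlib
import hmac
import os

# Assumption for this example: PBKDF2-HMAC-SHA256, 600,000 iterations, 16-byte salt.
ITERATIONS = 600_000


def make_record(password: str) -> dict:
    """Sign-up: derive what the site stores instead of the clear-text password."""
    salt = os.urandom(16)  # fresh random salt per user, so identical passwords differ
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "digest": digest.hex()}


def verify(record: dict, submitted: str) -> bool:
    """Login: re-derive the digest from what was typed and compare to the stored one."""
    salt = bytes.fromhex(record["salt"])
    candidate = hashlib.pbkdf2_hmac("sha256", submitted.encode(), salt, ITERATIONS)
    # constant-time comparison so timing does not reveal how many bytes matched
    return hmac.compare_digest(candidate, bytes.fromhex(record["digest"]))


if __name__ == "__main__":
    rec = make_record("(!ty@n!ghT")
    print("stored record:", rec)
    print("correct password:", verify(rec, "(!ty@n!ghT"))   # True
    print("wrong password:", verify(rec, "cityatnight"))     # False
    # The stored digest is not the password: it gets hashed again and will not match.
    print("submitting stored digest:", verify(rec, rec["digest"]))  # False
```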
The final thing to do with your new password is not to use it more than once! I'm sure not everyone will heed this call; I've been known to do it in the past. However, if you're going to use your new password in more than one place, I would at a minimum recommend that you slightly change it from site to site. For example, change the l33t around or the position of some of the capitals, e.g.:
(!ty@n!ghT
c!tYatN1ght
This way, you at least have a very small level of protection if your passwords happen to be stored in clear-text. But the best bet is not to reuse it at all!
Scott DiNitto has been managing and developing web environments and providing system security consulting for 12 years. Scott currently runs the security-based info-site Zone260 (http://www.zone260.com).
Article Source: http://EzineArticles.com/?expert=Scott_DiNitto
http://EzineArticles.com/?How-to-Create-a-Strong-Password-You-Can-Remember&id=2175148