US-CERT Cyber Security Tip ST04-002 -- Choosing and Protecting Passwords

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                           Cyber Security Tip ST04-002
                         Choosing and Protecting Passwords

   Passwords are a common form of authentication and are often the only barrier
   between an unauthorized user and your personal information. There are several
   programs attackers can use to help guess or "crack" passwords, but by choosing
   good passwords and keeping them confidential, you can make it much more
   difficult for an unauthorized person to access your information.

Why do you need a password?

   Think about the number of personal identification numbers (PINs), passwords,
   or passphrases you use every day: getting money from the ATM or using your
   debit card in a store, logging on to your computer or email, signing in to
   an online bank account or shopping cart...the list seems to just keep
   getting longer. Keeping track of all of the number, letter, and word
   combinations may be frustrating at times, and maybe you've wondered if all
   of the fuss is worth it. After all, what attacker cares about your personal
   email account, right? Or why would someone bother with your practically
   empty bank account when there are others with much more money? Often, an
   attack is not specifically about your account but about using the access to
   your information to launch a larger attack. And while having someone gain
   access to your personal email might not seem like much more than an
   inconvenience and threat to your privacy, think of the implications of an
   attacker gaining access to your social security number or your medical
   records.

   One of the best ways to protect information or physical property is to
   ensure that only authorized people have access to it. Verifying that someone
   is the person they claim to be is the next step, and this authentication
   process is even more important, and more difficult, in the cyber world.
   Passwords are the most common means of authentication, but if you don't
   choose good passwords or keep them confidential, they're almost as
   ineffective as not having any password at all. Many systems and services
   have been successfully broken into due to the use of insecure and inadequate
   passwords, and some viruses and worms have exploited systems by guessing
   weak passwords.

How do you choose a good password?

   Most people use passwords that are based on personal information and are
   easy to remember. However, that also makes it easier for an attacker to
   guess or "crack" them. Consider a four-digit PIN. Is yours a combination of
   the month, day, or year of your birthday? Or the last four digits of your
   social security number? Or your address or phone number? Think about how
   easy it is to find this information out about somebody. What about your
   email password: is it a word that can be found in the dictionary? If so, it
   may be susceptible to "dictionary" attacks, which try every word in a word
   list, usually along with common variations such as capitalizing the first
   letter or appending digits, rather than every possible string.

   Although intentionally misspelling a word ("daytt" instead of "date") may
   offer some protection against dictionary attacks, an even better method is
   to rely on a series of words and use memory techniques, or mnemonics, to
   help you remember how to decode it. For example, instead of the password
   "hoops," use "IlTpbb" for "[I] [l]ike [T]o [p]lay [b]asket[b]all." The
   result appears in no dictionary, and mixing lowercase and capital letters
   doubles the number of possibilities per letter an attacker has to try. Your
   best defense, though, is to use a combination of numbers, special
   characters, and both lowercase and capital letters. Change the same example
   we used above to "Il!2pBb." and see how much larger the space an attacker
   must search has become just by adding numbers and special characters.

   Longer passwords are more secure than shorter ones because every added
   character multiplies the number of combinations an attacker has to try, so
   consider using passphrases when you can. For example, "This passwd is 4 my
   email!" would be a strong password because it has many characters and
   includes lowercase and capital letters, numbers, and special characters. You
   may need to try different variations of a passphrase: many applications
   limit the length of passwords, and some do not accept spaces. Avoid common
   phrases, famous quotations, and song lyrics, since crackers include those in
   their word lists too.

   Don't assume that now that you've developed a strong password you should use
   it for every system or program you log into. If an attacker does guess it,
   he  would  have  access  to all of your accounts. You should use these
   techniques to develop unique passwords for each of your accounts.

   Here is a review of tactics to use when choosing a password:
     * Don't use passwords that are based on personal information that can be
       easily accessed or guessed.
     * Don't use words that can be found in any dictionary of any language.
     * Develop a mnemonic for remembering complex passwords.
     * Use both lowercase and capital letters.
     * Use a combination of letters, numbers, and special characters.
     * Use passphrases when you can.
     * Use different passwords on different systems.
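   The dictionary attack and the search-space argument from the paragraphs
   above, as an added example that is not part of the original tip: a toy
   cracker in Python that tries a constructed six-word list with a few common
   mangling rules against unsalted SHA-1 hashes, and estimates the brute-force
   search space of each password. The word list, the mangling rules, and the
   choice of SHA-1 are assumptions made for the demo, not a description of any
   particular cracking tool.

```python
import hashlib
import math
import string

# Constructed toy wordlist (a real cracker uses lists of millions of words).
WORDLIST = ["date", "hoops", "password", "basketball", "secret", "letmein"]

# Leet-speak substitution table used by one of the mangling rules below.
LEET = str.maketrans("aeios", "43105")


def mangle(word):
    """Yield the variants a cracker typically tries for one dictionary word."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for suffix in ("1", "123", "!", "2004"):
            yield base + suffix
    yield word.translate(LEET)          # "secret" -> "53cr3t"


def sha1_hex(password):
    # Unsalted SHA-1 stands in for whatever hash a leaked password store
    # uses; the attack logic is the same for any unsalted fast hash.
    return hashlib.sha1(password.encode()).hexdigest()


def dictionary_attack(target_hash, wordlist=WORDLIST):
    """Return the password if a mangled wordlist entry hashes to target_hash."""
    for word in wordlist:
        for candidate in mangle(word):
            if sha1_hex(candidate) == target_hash:
                return candidate
    return None


def charset_bits(password):
    """Bits of search space for a brute-force attacker who knows only the
    length and which character classes appear (an upper bound on strength)."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation + " " for c in password):
        size += len(string.punctuation) + 1
    return len(password) * math.log2(size)


if __name__ == "__main__":
    for pw in ("hoops", "Hoops1", "daytt", "IlTpbb", "Il!2pBb.",
               "This passwd is 4 my email!"):
        found = dictionary_attack(sha1_hex(pw))
        print(f"{pw!r:32} cracked={found is not None}  "
              f"brute-force bits={charset_bits(pw):.1f}")
```

   Running it shows the two separate effects the tip describes: "hoops" and
   "Hoops1" fall to the word list plus rules, while the misspelling "daytt"
   survives those rules yet has exactly the same brute-force space as "hoops"
   (five lowercase letters, about 23.5 bits). "Il!2pBb." roughly doubles the
   bits of a six-letter mnemonic, and the 26-character passphrase dwarfs both.
   Note that charset_bits is an upper bound: a passphrase built from a famous
   quotation sits in the attacker's word list just like "hoops" does.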

How can you protect your password?

   Now that you've chosen a password that's difficult to guess, you have to
   make sure not to leave it someplace for people to find. Writing it down and
   leaving it in your desk, next to your computer, or, worse, taped to your
   computer, is just making it easy for someone who has physical access to your
   office. Don't tell anyone your passwords, and watch for attackers trying to
   trick you through phone calls or email messages requesting that you reveal
   your passwords (see Avoiding Social Engineering and Phishing Attacks for
   more information).

   If your internet service provider (ISP) offers choices of authentication
   systems, look for ones that use Kerberos, challenge/response, or public key
   cryptography rather than simple passwords: these schemes never send your
   password itself across the network (see Understanding ISPs and Supplementing
   Passwords for more information). Consider challenging service providers that
   only use passwords to adopt more secure methods.
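   As an added example that is not part of the original tip, the following
   Python sketch shows the challenge/response exchange the paragraph above
   recommends, with both sides' messages: the server sends a random nonce, the
   client answers with an HMAC keyed by a value derived from the password, and
   the password itself never crosses the wire. It also shows the caveat a
   practitioner should keep in mind: someone who captures one (nonce, response)
   pair can still test password guesses offline, so the scheme does not remove
   the need for a good password. The salt, iteration count, user name and
   passwords are constructed for the demo, and this is a simplified scheme,
   not Kerberos or any provider's actual protocol.

```python
import hashlib
import hmac
import os

# Constructed demo salt; a real server stores a random salt per user.
SALT = b"demo-salt-not-for-production"
ITERATIONS = 100_000


def derive_key(password):
    """Both sides turn the password into a key; only this key is ever stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)


class Server:
    def __init__(self, users):
        # users: {username: password}; the password itself is discarded.
        self._keys = {name: derive_key(pw) for name, pw in users.items()}
        self._pending = {}

    def challenge(self, username):
        """Step 1: server -> client, a fresh random nonce."""
        nonce = os.urandom(16)
        self._pending[username] = nonce
        return nonce

    def verify(self, username, response):
        """Step 3: recompute HMAC(key, nonce) and compare in constant time.
        The nonce is consumed, so a captured response cannot be replayed."""
        nonce = self._pending.pop(username, None)
        key = self._keys.get(username)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(password, nonce):
    """Step 2: client -> server, proof of the password without sending it."""
    return hmac.new(derive_key(password), nonce, hashlib.sha256).digest()


def login(server, username, password):
    nonce = server.challenge(username)           # server -> client
    response = client_response(password, nonce)  # client -> server
    return server.verify(username, response)


def offline_guess(nonce, response, candidates):
    """What an eavesdropper who captured (nonce, response) can still do:
    test password guesses offline. Only a good password defeats this."""
    for guess in candidates:
        if hmac.compare_digest(client_response(guess, nonce), response):
            return guess
    return None


if __name__ == "__main__":
    server = Server({"alice": "Il!2pBb."})
    print("correct password:", login(server, "alice", "Il!2pBb."))
    print("wrong password:  ", login(server, "alice", "hoops"))
    nonce = server.challenge("alice")
    response = client_response("Il!2pBb.", nonce)
    print("first use:", server.verify("alice", response))
    print("replay:   ", server.verify("alice", response))
    print("offline guess:",
          offline_guess(nonce, response, ["hoops", "date", "Il!2pBb."]))
```

   The wire carries only the nonce and a 32-byte HMAC, so a sniffer never sees
   the password, and the consumed nonce stops replay. The slow key derivation
   makes each offline guess cost the attacker 100,000 hash iterations, but it
   only raises the price per guess; a password in the attacker's word list
   still falls, which is why the choosing-a-password advice above applies even
   when the provider uses a better protocol.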

   Also, many programs offer the option of "remembering" your password, but
   these programs have varying degrees of security protecting that information.
   Some programs, such as email clients, store the information in clear text in
   a file on your computer. This means that anyone with access to your computer
   can read all of your passwords and gain access to your information. For
   this reason, never let a program remember your password on a public computer
   (at the library, an internet cafe, or even a shared computer at your
   office), and always log out when you are done. Other programs, such as
   Apple's Keychain and Palm's Secure Desktop, use strong encryption to protect
   the information. These types of programs may be viable options for managing
   your passwords if you find you have too many to remember.

   There's no guarantee that these techniques will prevent an attacker from
   learning your password, but they will make it more difficult.
     _________________________________________________________________

     Authors: Mindi McDowell, Jason Rafail, Shawn Hernan
     _________________________________________________________________

     Produced 2004 by US-CERT, a government organization.
  
     Terms of use
 
     <http://www.us-cert.gov/legal.html>
  
     This document can also be found at
 
     <http://www.us-cert.gov/cas/tips/ST04-002.html>
 

     For instructions on subscribing to or unsubscribing from this
     mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
     
     
    
 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQEVAwUBShWWOnIHljM+H4irAQKrOwf/bjxT41w/xecDeNCHQquVZsnI4KNIXRGj
X1FiG3ZwfT81InxJS429Y8FBFx6oVbGTDm2pvGmOXXYfsQSSuMwJ1qQRWErCfin+
Srmvz8YFgr1MHsVaIb/ofnRiXJzMpgZj/lkB+tXhhlGrQETdf/AmHPqViQN43zo7
7gvxMQi8Qe5o0zN0cYAWoFHXh1vLlIqdfopjMeiVdIKCxovJQwGbVqjtYrsCWeHz
YvKJ/I8rGWF7sKmGFdSsTaQv2/bJIQ2rncy+JrhucaU4Y/RjM2rKpbE2v97p609u
fWY3K7sHTtMPybXjCghqk+JY2g9I2i+IWaoPauURvqspZcE85fg6Gw==
=myeP
-----END PGP SIGNATURE-----
