Secure Computing Series
Computer Password Safety
Course Author: Lynne Presley
Course Data: George Floyd, Information Technology; Lynne Presley, Training & Staff Development (Other data sources cited in text)
Course Issued: May 30, 2007
Course Credit: 30 minutes
Oracle course code: COMPI06048
Course Information
After completing this course, students will:
understand the function of passwords
know what password-cracking software is
understand the difference between weak and strong passwords
know how to use a phrase to remember a password
identify steps to protect passwords
Course Objectives
Just what is a password? It's a secret used for authentication that controls access to a resource. Passwords are not new technology – they have been used throughout history.
Introduction
Hail Caesar! You may not enter the coliseum without the correct password . . .
Historical Password Use
Did you know that the U.S. Marine Corps used a special code for some passwords in WWII? They recruited native Navajo speakers, who enlisted and were trained to use unrelated and truncated Navajo verbs and nouns to communicate and authenticate information among Marine units. The coded messages and passwords baffled the enemy and helped to win the war. These courageous and patriotic Marines were called "Code Talkers."
PFC Carl Gorman, Navajo Code Talker from Arizona, in action on Saipan during WWII.
Why does our agency care about passwords? It's simple – they protect the integrity of our computers and network. Any network is only as strong as the weakest link – and passwords are our agency's first defense against unauthorized access.
Network Protection
The integrity of our network depends on strong passwords. If someone gains unauthorized access, we risk losing our entire network to contamination of data, vandalism, theft, and other negative acts.
Intrusion can also affect users on a personal level - see the chart on the next slide for examples of what can happen to you if your password is stolen.
Dangers of Intrusion
Intruder tries to log onto computer:
No password set
Guesses password
Uses password-cracking software
Finds written password
Tricks user into divulging password
Password discovered:
Snoops
Blackmails
Steals data, identity, and ideas
Vandalizes & destroys
Anatomy of an Intrusion
Our agency is working to strengthen passwords throughout the network. Users are expected to create strong, secure passwords. As network systems and servers are upgraded, strong password creation will be enforced and access to the network may be denied if a password is weak. However, if you'll follow the suggestions in this course, you'll be ready to create strong passwords.
Access to Network
It helps to "think like a thief" to foil intrusion attempts. Thieves use software programs that attempt to "crack" passwords. These programs usually include multi-language alphabets and dictionaries.
Step I: Create a Strong Password
The programs methodically try all words in the dictionaries and combinations of words, as well as commonly used abbreviations and acronyms. The programs will also check dates (days, months, and years). You'll have to take precautions to make your password strong enough to withstand "cracking."
Additionally, thieves may try to use personal knowledge of you to guess your password. Do not choose easy and obvious passwords, such as your name, address, nickname, car model, license plate number, the name of your pet, or any other words, numbers or dates easily identifiable with you.
Step I: Create a Strong Password
TIP: Reversing common words in a password will not make the password stronger. The password "mary" is weak and easily guessed. Reversing the password to "yram" (mary spelled backwards) does not make the password stronger – cracking software will try reversed spelling of all common words.
Use a minimum of 8 random characters
Step I: Create a Strong Password
Keeping all this in mind, when it's time to create a password, remember to include the following:
Example: J'OIz#1@cor
These characters are random, and cannot be looked up in any dictionary.
Step I: Create a Strong Password
Why is it preferable to create passwords with at least 8 random characters?
The more characters there are, the longer it takes to crack.
Examine the chart on the next slide to see how fast an average personal computer can crack passwords that are created using mixed upper and lower case letters, numbers and symbols. (Chart data provided by lockdown.com.uk). As you can see, if your password contains at least 8 characters including letters, numbers, mixed cases, and symbols, the average thief will most likely go away and try to steal another, weaker password!
The chart assumes that the password was created using mixed upper and lower case alphabet, numbers and symbols.
Length of password   Possible combinations   Time to crack
2                    9,216                   Instant
3                    884,736                 88 ½ seconds
4                    85 million              2 ¼ hours
5                    8 billion               9 ½ days
6                    782 billion             2 ½ years
7                    75 trillion             238 years
8                    7.2 quadrillion         22,875 years
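To show where the chart's figures come from, here is an added Python example (not part of the course): it assumes a 96-character set, which matches the chart's 9,216 combinations for two characters, and takes the guess rate from the chart's own 3-character row (884,736 guesses in 88.5 seconds, about 10,000 per second).

```python
# Added example (not from the course): reproduce the "time to crack" chart.
# Assumptions: a 96-character set (26 lower + 26 upper + 10 digits + 34 symbols,
# consistent with 96**2 = 9,216 in the chart) and a guess rate derived from the
# chart's 3-character row. Real attackers run far faster than this 2007 estimate.
CHARSET_SIZE = 96
GUESSES_PER_SECOND = 884_736 / 88.5  # about 10,000 guesses per second


def keyspace(length, charset_size=CHARSET_SIZE):
    """Number of distinct passwords of exactly this length."""
    return charset_size ** length


def seconds_to_exhaust(length, rate=GUESSES_PER_SECOND, charset_size=CHARSET_SIZE):
    """Worst-case seconds for an attacker to try every password of this length."""
    return keyspace(length, charset_size) / rate


def human_time(seconds):
    """Render seconds in the chart's units: instant, seconds, hours, days, years."""
    year = 365.25 * 24 * 3600
    if seconds < 1:
        return "instant"
    if seconds < 3600:
        return f"{seconds:.0f} seconds"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    if seconds < year:
        return f"{seconds / 86400:.1f} days"
    years = seconds / year
    return f"{years:.1f} years" if years < 100 else f"{years:,.0f} years"


def crack_table(max_length=8):
    """Rows of (length, possible combinations, time to crack), as in the chart."""
    return [(n, keyspace(n), human_time(seconds_to_exhaust(n)))
            for n in range(2, max_length + 1)]


if __name__ == "__main__":
    for n, space, t in crack_table():
        print(f"{n:>2} {space:>22,} {t}")
```

Each extra character multiplies the search space by 96, which is why the time column grows from seconds to centuries across seven rows.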
Use at least one case change
Step I: Create a Strong Password
Example: J'OIz#1@cor
The letters J, O and I are in uppercase, as opposed to the other lowercase letters.
Include at least one number
Step I: Create a Strong Password
Example: J'OIz#1@cor
The number 1 is used, in combination with the other letters, punctuation and symbols.
Include punctuation and special characters
Step I: Create a Strong Password
Example: J'OIz#1@cor
The apostrophe punctuation mark is used, as well as two different special characters (# and @).
Do not choose a password that's the same or similar to your user name
Step I: Create a Strong Password
Example
User Name: fred.brown
Password: J'OIz#1@cor
If the thief does not know your user name, certain systems require that the user name be cracked, too. Making sure your password is different from your user name makes the theft more difficult. The example shown above meets this criterion, since the password does not contain the user's name.
Step I: Create a Strong Password
Example: J'OIz#1@cor
TIP: You can create a strong password that's easy to remember but hard to crack by using the first letters of words in a phrase, song, or book that's familiar to you, mixed with symbols. For instance, "J'me Overstreet is number one at corrections" produced the password we've been using as an example. (There is a detailed breakdown of how the password was produced on the next slide.)
Step I: Create a Strong Password
Phrase: "J'me Overstreet is number one at corrections"
Password breakdown: J'OIz#1@cor
J'O (stands for J'me Overstreet)
Iz (capital I and lowercase z stand for is)
#1 (stands for number one)
@cor (stands for at corrections)
Step I: Test Your Knowledge
Is this password strong or weak?
Example: aaaBBB111!!!
The password is weak. It contains only two letters in alphabetical sequence, and only one (repeated) number and punctuation mark. It wouldn't take long to crack this password, because it's not random. A truly random password means each letter, number, and symbol has an equal probability of appearing. Creating truly random sequences is difficult, but is something we should strive for. Think of it as exercise for your brain!
Step I: Test Your Knowledge
Can you guess the number one mistake many people make when creating a password?
Answer: They choose the word "password" for a password. This mistake is so prevalent that it's the first word thieves will try when trying to crack a password. Other commonly used and cracked passwords are "admin", "123", "temp", and "letmein".
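An added Python example (not part of the course) that applies the Step I rules above, the reversed-word tip, and the commonly cracked words listed here to candidate passwords. The short word list stands in for a cracking dictionary, and the repeated-run test is a constructed reading of why the course calls aaaBBB111!!! weak; both are assumptions, not course material.

```python
# Added example (not from the course): check a password against the Step I rules.
# Assumptions: COMMON_WORDS is a constructed stand-in for a cracking dictionary;
# the repeated-run rule is an added heuristic for non-random patterns like aaaBBB111!!!.
import string

COMMON_WORDS = ("password", "admin", "123", "temp", "letmein", "mary")  # constructed list


def password_findings(password, username=""):
    """Return the list of rule violations; an empty list means all Step I rules pass."""
    findings = []
    low = password.lower()
    if len(password) < 8:
        findings.append("fewer than 8 characters")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        findings.append("no case change")
    if not any(c.isdigit() for c in password):
        findings.append("no number")
    if not any(c in string.punctuation for c in password):
        findings.append("no punctuation or special character")
    # The user name as a whole and each part of it (e.g. fred and brown) must not appear.
    name_parts = {username.lower(), *username.lower().replace(".", " ").split()} - {""}
    for part in sorted(name_parts):
        if part in low:
            findings.append(f"contains user name part '{part}'")
    # Dictionary words are checked forward and reversed: "yram" is no safer than "mary".
    for word in COMMON_WORDS:
        if word in low or word[::-1] in low:
            findings.append(f"contains dictionary word '{word}'")
    # Runs of three or more identical characters (aaa, BBB, 111, !!!) are not random.
    if any(password[i] == password[i + 1] == password[i + 2]
           for i in range(len(password) - 2)):
        findings.append("repeated character runs")
    return findings


def is_strong(password, username=""):
    """True when no Step I rule is violated."""
    return not password_findings(password, username)


if __name__ == "__main__":
    for pw, user in [("J'OIz#1@cor", "fred.brown"), ("aaaBBB111!!!", ""), ("yram", "")]:
        print(pw, "strong" if is_strong(pw, user) else password_findings(pw, user))
```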
Step I: Practice Creating Passwords
The PC Tools Password Generator allows you to create random passwords that are strong and difficult to crack. If your computer has Internet access, click on the link below to try this free tool. (If you receive a pop-up "Security Alert" window, click "OK" to continue.)
https://www.pctools.com/guides/password/
Step II: Protect Your Password
Creating a strong password is only the first step. Now you must protect it.
Don't put it on a yellow sticky note on your monitor or anywhere around your computer, keyboard or desk. Don't write it on your desk blotter or calendar, either. Memorize it!
Step II: Protect Your Password
Don't tell anyone else your password. When you do this, you are giving your identity and network authorization away.
From the "Believe it or Not" department:
During a poll at Waterloo Station in London conducted during the Info Security 2003 Europe conference, 90% of polled office workers divulged their passwords to the poll-taker in exchange for a cheap pen.
Step II: Protect Your Password
Be wary of people standing around your computer. Do not allow them to shoulder surf (to look over your shoulder and watch while you type in your password).
Step II: Protect Your Password
Change your password every 90 days.
Without fail.
Do it!
Step II: Protect Your Password
Never e-mail your password to anyone, and never store your password or list of passwords in a file on your computer. To do so increases the risk of having them intercepted and stolen.
Conclusion
Remember that cyber thieves don't follow the rules. They will go to great lengths to break into our computers, because they only have to find one opening to exploit our entire network. Therefore, everyone in our agency who uses a computer has an obligation to create strong, secure passwords.