Can hackers guess your password?
Password strategies that work!
2009-11-30
It’s good practice to avoid the following common strategies when deciding on a password. We’re referring here to using these approaches for single, fairly short passwords. Some of them are acceptable in combination with obfuscation techniques such as interleaving one word with another and using the resulting token (or string of characters) as one element of a long passphrase, but we’ll get back to that shortly. These techniques are intended to reduce the risk of your password or passphrase being discovered, either by guesswork from someone who knows something about you, or by an automated dictionary attack, where software works through a long list of words and character combinations, trying each one as the password. Some Trojans use comparatively short, generic lists of commonly used passwords such as “aaaaa,” “password,” “qwertyuiop,” “StarTrek,” “mypassword,” and “123456.” If you don’t believe that such stereotypical passwords represent a significant problem, check out “The Top 500 Worst Passwords of All Time” at http://www.whatsmypass.com/?p=415. We can’t confirm the exact ranking, but we’ve certainly seen very many of these used in real life. Table 1 shows the top 10, according to the site.
Table 1: The 10 Most-Used Passwords
 1. 123456
 2. password
 3. 12345678
 4. 1234
 5. pussy
 6. 12345
 7. dragon
 8. qwerty
 9. 696969
10. mustang
At the other extreme, a dictionary attack may use not only common character strings like these but lists of hundreds of thousands of real words, each tried in several variations (reversed, with digits appended, with digits substituted for letters). This may strike you as a little over the top for capturing your Twitter credentials. However, modern computer systems are fast enough to carry out an automated attack like this far more quickly than you might think.
Here are some approaches best avoided:
- Any correctly spelled English word, especially one which is likely to be recognized by operating system or application spell-checkers and so on. Using regional spellings, such as those from the UK, is unlikely to offer any extra protection.
- Any correctly spelled non-English word. A word in an obscure language may be a little more acceptable as long as it isn’t a language you’re “known” to speak, but you are still at risk from dictionary attacks that use long, multi-language word lists.
- Any part of your own name or username, let alone your username itself. An account whose password is the same as its username is called a “Joe” account, and it’s one of the first things a password cracker, human or automated, tries when guessing a password.
- Any part of the name of a member of your extended family (including pets) or, worse, a colleague, your boss, or, in fact, anyone’s name. Place names are often easily guessed, whether because of an obvious link to you (if you live in Springfield, Springfield is definitely not a good password choice, for instance), or because word lists used in dictionary attacks are likely to contain common place names.
- The name of the operating system you’re using (or accessing remotely), or the name of the PC you’re using, or the name of the service you’re accessing, or the hostname of a server you’re accessing. Well, you get the idea.
- Personally significant numbers (phone number, car license number, National Insurance or Social Security Number, someone’s birthdate — save them for picking lottery numbers).
- Your favorite or most-hated objects, food, movies, TV programs.
- Easy associations with favorite or most-hated things; for instance, “Swan_Lake” may not be a good password for a ballet fan.
- Song, book and movie titles, famous people, cartoon characters, etc. Particularly not recommended are ‘CharlieBrown,’ ‘Snoopy,’ ‘Kirk,’ ‘Spock,’ ‘Homer,’ ‘Garfield,’ ‘Dilbert,’ ‘Grissom,’ ‘Oprah’...
- Anything so unmemorable that you have to write it down, unless you take reasonable precautions to protect the paper you write it on.
  - A Post-It on your keyboard or monitor is not a reasonable precaution, unless you work in a room that can’t be accessed by other people.
  - Nor is a piece of paper taped to the CD or USB device it’s intended to give access to.
  - A piece of paper in your wallet or laptop bag is vulnerable to loss or theft. At the very least, take measures to avoid its being easily identified as a password, and don’t make it obvious which system, file or account it refers to. Don’t write down the actual password; use a mnemonic device or some means of disguising it, such as scrambling and interleaving letters.
- Anything that is all uppercase or lowercase (unless the system is case insensitive!).
- Anything with the first or last character uppercase and the rest lowercase, unless it’s a really tricky passphrase.
- Any example passphrase you’ve come across as in a textbook or an ESET white paper or blog.
- Any short passphrase consisting of a single word (system permitting — some systems actually severely limit the range of characters you can use).
- Anything consisting entirely of letters of the alphabet (system permitting).
- Obvious anagrams of any of the above, especially simple reversals.
- Obvious variations such as appending or prepending a digit to one of the above or an anagram thereof, or obvious substitutions of digits for letters: “pa55w0rd,” for example.
- Reusing passwords can be really bad news. You don’t want to use the same password for your computer logon as for your bank: once one account is compromised, the same credentials are tried against every other service you use. Important information should be protected with unique, strong passwords.
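The list above is, in effect, the rule set of a dictionary attack seen from the defender's side: a cracker lower-cases each word on its list, strips or appends digits, applies digit-for-letter substitutions and reverses the word before comparing. The following is an added example, not code from the ESET white paper, that applies those same transformations to a candidate password and reports which of the rules above it breaks. The word list (the top 10 from Table 1 plus a few names, place names and product names), the leetspeak table, the 12-character minimum and the reason labels are all constructed here for illustration.

```python
"""Checks a candidate password against the weak-password patterns listed above.

Added example, not code from the ESET white paper. The word list, the
leetspeak table and the 12-character minimum are constructed for
illustration; a real dictionary attack uses lists of hundreds of thousands
of words and far more mangling rules than the few modelled here.
"""
import re

# Constructed sample word list: the top-10 list from Table 1 plus a few
# dictionary words, names and place names of the kind the text warns about.
WORDLIST = {
    "123456", "password", "12345678", "1234", "pussy", "12345", "dragon",
    "qwerty", "696969", "mustang",
    "springfield", "london", "snoopy", "spock", "garfield", "dilbert", "windows",
}

# Assumed minimum length; the text only says that single short words are weak.
MIN_LENGTH = 12

# Digit/symbol-for-letter substitutions that a cracker's rules undo.
# (Real rule sets try several readings, e.g. "1" as both "l" and "i".)
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})


def normalise(text: str) -> str:
    """Lower-case, undo leetspeak and keep letters only: 'Pa55w0rd!' -> 'password'."""
    return re.sub(r"[^a-z]", "", text.lower().translate(LEET))


def candidate_forms(password: str) -> set[str]:
    """The shapes a cracker's mangling rules would try for one guess: lower-cased,
    with prepended/appended digits stripped, leetspeak undone, and each reversed."""
    base = password.lower()
    forms = {base, re.sub(r"^\d+|\d+$", "", base)}
    forms |= {normalise(f) for f in list(forms)}
    forms |= {f[::-1] for f in list(forms)}
    forms.discard("")
    return forms


def weak_password_reasons(password: str, username: str = "",
                          personal: tuple[str, ...] = ()) -> list[str]:
    """Return the rules from the list above that `password` breaks (empty = none).

    `personal` holds terms an attacker who knows you could guess: your name,
    family and pet names, home town, employer, the service being logged into."""
    reasons = []
    base, user = password.lower(), username.lower()
    forms = candidate_forms(password)

    if user and base == user:
        reasons.append("joe-account")        # password identical to the username
    elif len(user) >= 3 and user in base:
        reasons.append("contains-username")

    if forms & WORDLIST:                     # also catches pa55w0rd, drowssap, Dragon2009
        reasons.append("wordlist")

    if any(len(t) >= 3 and any(t.lower() in f for f in forms) for t in personal):
        reasons.append("personal-term")

    if password.isalpha():
        reasons.append("letters-only")

    has_lower = re.search(r"[a-z]", password)
    has_upper = re.search(r"[A-Z]", password)
    letters = re.sub(r"[^A-Za-z]", "", password)
    if not (has_lower and has_upper):
        reasons.append("single-case")
    elif re.fullmatch(r"[A-Z][a-z]+|[a-z]+[A-Z]", letters):
        reasons.append("capitalised-ends-only")   # Snoopy, Password1, springfielD

    if len(password) < MIN_LENGTH:
        reasons.append("too-short")
    return reasons


if __name__ == "__main__":
    # Hypothetical user "jsmith" who lives in Springfield and has a dog called Rex.
    known = ("John Smith", "Rex", "Springfield")
    for pw in ("pa55w0rd", "drowssap", "Springfield1", "jsmith",
               "Tr0mbone#Orbit-Velvet92"):
        broken = weak_password_reasons(pw, "jsmith", known)
        print(f"{pw!r:28} -> {broken or 'no rule broken'}")
```

The checker only does exact matches after mangling, so a two-word password such as “Swan_Lake” is caught here only by the length rule; real crackers also concatenate pairs of words from their lists, which is why the text treats obvious word associations as weak even when neither word is on a short list by itself.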
This has been an excerpt from the ESET white paper at: http://www.eset.com/download/whitepapers/EsetWP-KeepingSecrets20090814.pdf