Saturday, June 10, 2006

TecH: Quick and EASY Password Security in BRIEF!

Standard Password Security in Brief (or SPSIB)


Synopsis: This document will discuss best security procedures in the briefest possible space.
Here are my BRIEFEST (I could go into pages of details!) instructions to create a secure password! To make these brief, I will (end)note the reasons, so you don’t have to read it, unless you WANT to learn.

Bad Passwords:


Birthdays, spouse/children’s names, pet names, Social Security #’s, and other things associated with you (your name by itself is the WORST password ever created!). Common words are also bad passwords(1). Experienced Administrators can find these bad passwords!(2)

Good Passwords:


Good Passwords have one thing in common: they make it very difficult to guess (or hack) your account. Good passwords can be created several ways. Adding a number (and/or) a non-alphabetic character(3) to a (pass)word is even better.

Best Passwords:


Here’s a secret. The best passwords are never a word. They are an abbreviation of some common phrase or word pattern. OR IN OTHER WORDS, a PASSPHRASE(4).

PassPhrase Example 1:


See the title of this document (SPSIB). Remember, it stands for "Standard Password Security in Brief".

Letter->Number substitution:


While we’re on the subject of best practices for passwords, here’s another method to make your password ABSOLUTELY guess-proof! Take a letter in your passphrase and substitute a number for it(5).
Here are some very common letter->number substitutions that I’ve used in the past. Note that I ALWAYS make sure all of MY passwords are LOWER case. It’s just easier for me because I am lazy.

Table 1: Some letter substitutions I've used in the past.
Now, feel free to make your OWN substitutions. Now that we have this substitution table, let’s pretend we will always change the letter S (in my chart, with a “~”(6)). This gives us:

Pass Phrase Example 2:


Our pass phrase becomes SPSIB. Since our password has two "S"s, we have a decision.
Idea one: replace EVERY S with a ~, which gives us ~P~IB as our new password/pass phrase.
Idea two: replace only the FIRST S with a ~, which gives us ~PSIB as our new password/pass phrase.
Idea three: replace only the LAST S with a ~, which gives us SP~IB as our new password/pass phrase.
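The construction above (first letter of each word, then ONE consistent substitution applied to every, the first, or the last occurrence) as added example code; it is not from the original post, and the function and parameter names are my own:

```python
"""Passphrase construction as described in the post: take the first letter of
each word, then swap ONE chosen letter for a symbol, either everywhere or only
at the first or last occurrence. Example code, not the author's."""
from typing import Literal

Mode = Literal["all", "first", "last"]


def acronym(phrase: str, lowercase: bool = True) -> str:
    """Reduce a phrase to the first letter of each word (the post's step 1).

    Tokens that do not start with a letter are skipped; the result is
    lowercased by default, matching the author's habit of keeping passwords
    lower case.
    """
    letters = [word[0] for word in phrase.split() if word[0].isalpha()]
    out = "".join(letters)
    return out.lower() if lowercase else out


def substitute(text: str, letter: str, symbol: str, mode: Mode = "all") -> str:
    """Replace occurrences of `letter` (matched case-insensitively) with `symbol`.

    mode="all"   -> every occurrence   (the post's "idea one")
    mode="first" -> first occurrence   ("idea two")
    mode="last"  -> last occurrence    ("idea three")
    Text that does not contain the letter is returned unchanged.
    """
    if len(letter) != 1 or len(symbol) != 1:
        raise ValueError("letter and symbol must be single characters")
    positions = [i for i, c in enumerate(text) if c.lower() == letter.lower()]
    if not positions:
        return text
    if mode == "first":
        positions = positions[:1]
    elif mode == "last":
        positions = positions[-1:]
    elif mode != "all":
        raise ValueError(f"unknown mode {mode!r}")
    chars = list(text)
    for i in positions:
        chars[i] = symbol
    return "".join(chars)


def derive(phrase: str, letter: str, symbol: str, mode: Mode = "all",
           lowercase: bool = True) -> str:
    """Full pipeline: phrase -> acronym -> one consistent substitution."""
    return substitute(acronym(phrase, lowercase), letter, symbol, mode)


if __name__ == "__main__":
    # Reproduces the post's Example 2 for the three "ideas".
    for m in ("all", "first", "last"):
        print(m, substitute("SPSIB", "S", "~", m))
```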

Closing Thoughts:


Secure passwords can be like marriages. Some might last a lifetime, some may last only two weeks. Guard your passwords. I have a personal philosophy: I will never use the SAME password for two critical services. For example, I use one password for one email account and a totally different one for a different service.(7)

---endnotes---
1) Social Engineering
(See: http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci531120,00.html)
is the easiest way to obtain passwords ever designed. Spouse/child’s names are also very easy to obtain. Your Social Security number MUST become a resource that you NEVER give out unless you absolutely have to, i.e., to your employer for tax information. But NOT, as an example, to your LIBRARY as your ID number!

2) Tools called, naturally, “Password Crackers” check your password’s strength by comparing it to a common dictionary.

3) Anything on the shifted number keys. Common characters are !@#$%^, but sometimes these are NOT acceptable in some applications due to programming limitations!

4) Passphrase (See: http://en.wikipedia.org/wiki/Passphrase) My take is easy. Take a phrase (the quick brown fox jumped over the lazy dog) and take the first letter of each word (tqbfjotld). THEN process it further to include a number/letter substitution.

5) In order to keep your sanity, pick ONE letter-number substitution and use it CONSISTENTLY. Don’t go from number to number, because it will confuse you (and make it very hard to remember the correct substitution when you need it!).
6) The ~ key is called (pronounced) the tilde key, and is usually next to the numeric one. The tilde key usually shares its key with the “back-quote”, but that’s another very, very long story. Backquote is without the shift key; shift+backquote gives you the tilde!
7) For my AOL account I might use 8 (or an E) as the substitution code for my passwords. For my yahoo mail I might use a zero as my substitution code.
