Saturday, June 15, 2013

It Should Be Called Pass Phrase

Password is a misnomer. If you actually use a word from the dictionary as your password to any account, you are making life easy for hackers. As a best practice, systems administrators should ensure their organization has a good password policy as its security baseline. The policy should be taught to all users and enforced.

Audits should be conducted using popular password-cracking utilities such as Cain & Abel, John the Ripper, and Crack. The maximum age of a password should be 60 days. The risk of dictionary attacks and brute force (when a hacker uses special software to guess a password) can be minimized if passwords are complex and changed frequently.

Keep in mind that your password should be based on a passphrase instead of dictionary words, pet names, favorite teams, birthday months, etc. Also, remember that every account and system you log in to is potentially important, even though it may not appear to hold valuable information. Email accounts can be used to reset other accounts such as bank accounts. Accounts for social media sites such as Facebook could be used to extract information from your friends and family by posing as you.

Here are some components of a good pass-"phrase":

  • Should be at least fifteen characters long
  • At least two of the characters should be uppercase (A-Z)
  • At least two of the characters should be lowercase (a-z)
  • At least two of the characters should be numbers (0-9)
  • At least two of the characters should be special characters or punctuation marks )(*&^%$#@!?
  • No real words
  • Not the same as the login name or real first or last name
  • Should be changed frequently

Example:

phrase: I love twitter and facebook

passphrase: !Lov3Twitt3r&FB

It would take password-cracking tools centuries to crack this passphrase, and it's easy for the user to remember.
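The checklist above can be turned into an automated policy check that an administrator runs before accepting a new passphrase. The code below is an added example written for this post, not the author's own tool; the `check_passphrase` function, the `SAMPLE_DICTIONARY` word list and the rule messages are assumptions constructed for illustration (a real deployment would load a full word list, such as those shipped with John the Ripper, instead of the six-word stand-in). The "changed frequently" rule is an operational matter handled by the account system's password-age setting rather than by a content check, so it is not implemented here.

```python
# Policy checker for the pass-"phrase" rules listed in the post (added example).

# Constructed stand-in for a real dictionary file (hypothetical, kept tiny so the
# example runs offline). Replace with a full word list in practice.
SAMPLE_DICTIONARY = {"love", "twitter", "facebook", "password", "summer", "admin"}

# The special characters / punctuation marks named in the post.
SPECIALS = set(")(*&^%$#@!?")


def check_passphrase(candidate, login_name="", first_name="", last_name="",
                     dictionary=SAMPLE_DICTIONARY):
    """Return a list of the policy rules the candidate violates.

    An empty list means the candidate satisfies every content rule from the post:
    length, upper/lower/digit/special counts, no real words, and not equal to the
    login name or the user's real name.
    """
    failures = []

    if len(candidate) < 15:
        failures.append("shorter than 15 characters")
    if sum(1 for c in candidate if c.isupper()) < 2:
        failures.append("fewer than two uppercase letters")
    if sum(1 for c in candidate if c.islower()) < 2:
        failures.append("fewer than two lowercase letters")
    if sum(1 for c in candidate if c.isdigit()) < 2:
        failures.append("fewer than two digits")
    if sum(1 for c in candidate if c in SPECIALS) < 2:
        failures.append("fewer than two special characters")

    lowered = candidate.lower()

    # "No real words": flag any dictionary word of four or more letters that
    # appears inside the candidate. Short words are skipped to avoid noise
    # (e.g. "an" inside almost any string).
    hits = sorted(w for w in dictionary if len(w) >= 4 and w in lowered)
    if hits:
        failures.append("contains dictionary word(s): " + ", ".join(hits))

    # "Not the same as the login name or real first/last name" (case-insensitive).
    forbidden = {name.lower() for name in
                 (login_name, first_name, last_name, first_name + last_name)
                 if name}
    if lowered in forbidden:
        failures.append("equal to login name or real name")

    return failures


if __name__ == "__main__":
    # The post's own example passes every rule; the plain phrase it was built
    # from fails several (few digits/specials and three dictionary words).
    for pw in ("!Lov3Twitt3r&FB", "ILoveTwitterAndFacebook1!", "Summer2013!"):
        result = check_passphrase(pw, login_name="jsmith",
                                  first_name="John", last_name="Smith")
        print(pw, "->", "OK" if not result else "; ".join(result))
```

Running the block prints one line per candidate: the post's example passphrase reports `OK`, while the plain phrase and a typical season-plus-year password are rejected with the specific rules they break, which is the feedback a user needs to repair the choice rather than just being told "invalid".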
