Runboard.com

Lesigner Girl
Minerva
Head of Runboard staff

Registered: 11-2005
Posts: 9598
Karma: 132 (+147/-15)
Security: Password Dos and Don'ts


I've posted information on password security at the other boards I've run in the past, and an article I ran across today reminded me that I had never posted any of that information here. That said, here it is...

First let me start by saying that a good password isn't enough. Even if you have a password like k9Wk8sXpZz99823oPbWsxY87C3zcwQ68, your accounts can still be cracked via the secret question/answer feature that a lot of email providers and other companies/software/etc provide, so you have to be careful with this as well. So before we get to the Password Dos and Don'ts, here are a few secret question/answer dos and don'ts:

---

1. Don't answer these honestly. If anyone knows your favorite pet's name or your mother's maiden name, for example, they could easily retrieve your password by entering this information.

2. Don't make it something that can be found in a Google search. For instance, if your question is, "Will it be him or me?" don't make your answer, "There's one more candle left to light." It might sound like a good sneaky thing to do, but as you can see from that link, it isn't.

3. Do use full sentences and punctuation in your answer, since it has to be typed in exactly as it was first entered in order to retrieve your password. This could even be a good time to use 1337 speak (1337 = LEET, or lEET) in your answer, substituting numbers and other characters for letters. For example, you could have the question, "What do I like to do in my free time?" and the answer, "1 lik3 to si7 and drin|< tomato juic3 while watchin8 ants fl`/. Oh wha7 fun!" Well, don't pick this specific question and answer, because anyone who has read this can figure it out, and it might even come up in a Google search at some point. But at any rate...

Notice how I made the last letter of every other word in that answer into something other than a letter. You could choose the last letter of every word, every third letter in the sentence, or any other combination that you can remember and others will not figure out easily. You could even choose one letter and change every occurrence of that letter into a number or other character, like changing every o to a 0, although I think that would be a little less secure. Note: Don't use special characters in your question, especially if they follow the same format as your answer, because it would defeat the whole purpose of using them in your answer.

Notice also that the sentence is nonsensical and can't possibly be your favorite thing to do in your free time... or can it? The point here is to make it something that nobody will be able to guess, but you can easily remember.

4. Don't use the same secret question/answer for more than one account and/or file. If someone does happen to guess it for one account, they will simply try it for your other accounts and succeed in cracking them. The same goes for passwords, which will be covered in the articles that follow this post.

---

These are just a few things off the top of my head. If I think of more, or if someone else adds some good suggestions to this thread, I will edit this post and add them.

So, now on to passwords...

---
Runboard Knowledge Base
Runboard Support Forums
Find other message boards
2/18/2007, 5:03 pm
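The post above describes a rule-based way to build a secret answer (mangle the last letter of every other word, or every n-th letter) and stresses that the answer has to be typed back exactly. The following is an added example illustrating that, not code from the post: the 1337 table, the two rule functions, the sample sentence and the constant-time comparison are this example's own choices.

```python
"""Turn a plain sentence into a secret answer using a rule you can remember.

Added example, not code from the post above. The 1337 table, the two rule
functions and the sample sentence are this example's own choices.
"""
import hmac
import re

# Substitutions applied to the selected letters (this example's own table).
LEET = {"a": "4", "b": "8", "e": "3", "g": "9", "i": "1", "k": "|<",
        "l": "1", "o": "0", "s": "5", "t": "7", "y": "`/"}

# Matches the last letter of a word, leaving trailing punctuation ("fly." -> "fl`/.").
_LAST_LETTER = re.compile(r"([A-Za-z])(?=[^A-Za-z]*$)")


def substitute(ch: str) -> str:
    """1337-ify one character; letters with no table entry are left alone."""
    return LEET.get(ch.lower(), ch)


def mangle_words(sentence: str, every: int = 2, offset: int = 1) -> str:
    """Rule 1: replace the last letter of every `every`-th word, starting at
    word index `offset` (defaults give "every other word", as in the post)."""
    words = sentence.split(" ")
    for i in range(offset, len(words), every):
        words[i] = _LAST_LETTER.sub(lambda m: substitute(m.group(1)), words[i], count=1)
    return " ".join(words)


def mangle_letters(sentence: str, every: int = 3) -> str:
    """Rule 2: replace every `every`-th letter of the sentence, counting
    letters only so spaces and punctuation do not shift the pattern."""
    out, seen = [], 0
    for ch in sentence:
        if ch.isalpha():
            seen += 1
            if seen % every == 0:
                ch = substitute(ch)
        out.append(ch)
    return "".join(out)


def answers_match(stored: str, typed: str) -> bool:
    """A recovery answer must be typed exactly as first entered. The comparison
    is constant-time so a verifier does not leak how much of it was right."""
    return hmac.compare_digest(stored.encode("utf-8"), typed.encode("utf-8"))


if __name__ == "__main__":
    plain = "My cat plays chess against the toaster every night."  # constructed sample
    answer = mangle_words(plain)
    print(answer)
    print(answers_match(answer, plain))  # the plain sentence alone is not the answer
```

Pick a rule and a sentence nobody would connect with you, then regenerate the answer from them rather than storing it anywhere; a different `every`/`offset` combination gives a different answer for each account from the same sentence.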
 
Lesigner Girl Profile
Live feed
Blog
Friends
Miscellaneous info

Minerva
Head of Runboard staff

Registered: 11-2005
Posts: 9598
Karma: 132 (+147/-15)
ReplyQuote
10 Passwords You Should Never Use

If you chose an easy-to-remember password, such as your user name or even the word "password," we advise you to change it ASAP. Easily-guessed passwords can compromise your personal identity, privacy and financial accounts.

Researchers from the University of Maryland's A. James Clark School of Engineering in College Park, have quantified how frequently unsecured computers are the victims of hacker attacks.

Here's the shocking news: On average, they happen every 39 seconds. That's more than 2,000 times a day.

Those hackers have a string of common passwords and user names they use to penetrate unsecured PCs. If you thought you were being clever by using your user name as your password, note this: Fully 43 percent of all password-guessing attempts simply re-entered the user name.

The top 10 most common passwords:

   1. Your user name
   2. Your user name followed by 123
   3. 123456
   4. password
   5. 1234
   6. 12345
   7. passwd
   8. 123
   9. test
  10. 1

On TV and in film, hackers have been portrayed as people with grudges who target specific institutions and manually try to break into their computers. But in reality, study leader Michel Cukier says, "Most of these attacks employ automated scripts that indiscriminately seek out thousands of computers at a time, looking for vulnerabilities. Our data provide quantifiable evidence that attacks are happening all the time to computers with Internet connections. The computers in our study were attacked, on average, 2,244 times a day."

The team set up weak security on four Linux computers with Internet access, then recorded what happened as the individual machines were attacked. They discovered the vast majority of attacks came from relatively unsophisticated hackers using "dictionary scripts," a type of software that runs through lists of common usernames and passwords attempting to break into a computer.

The top 10 most common user names:

   1. root
   2. admin
   3. test
   4. guest
   5. info
   6. adm
   7. mysql
   8. user
   9. administrator
  10. oracle

What do hackers do once they gain access to your computer? This was the most common sequence of actions:

    * Check the accessed computer's software configuration.
    * Change the password.
    * Check the hardware and/or software configuration again.
    * Download a file.
    * Install the downloaded program.
    * Run the downloaded program.

What are the hackers trying to accomplish? "The scripts return a list of 'most likely prospect' computers to the hacker, who then attempts to access and compromise as many as possible," Cukier says. "Often they set up 'back doors'--undetected entrances into the computer that they control--so they can create 'botnets,' for profit or disreputable purposes." A botnet is a collection of compromised computers that are controlled by autonomous software robots answering to a hacker who manipulates the computers remotely. Botnets can act to perpetrate fraud or identity theft, disrupt other networks, and damage computer files, among other things.

--From the Editors at Netscape



---
2/18/2007, 5:04 pm
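The study quoted above describes "dictionary scripts" walking lists of common user names and passwords, followed by a login and a password change once one works. The following is an added example, not code from the post or from the study: it parses constructed OpenSSH auth-log lines (password failures and successes), flags a source that crosses a failure threshold inside a time window, reports which of the study's top-10 user names it tried, and alerts on any accepted login from such a source. The threshold and window defaults and the sample log are this example's own.

```python
"""Spot dictionary-script logins in sshd logs.

Added example, not code from the post or the study it quotes. The log lines are
constructed, the threshold/window values are this example's own defaults, and the
username list is the study's top 10 as quoted above.
"""
import re
from collections import defaultdict
from datetime import datetime

STUDY_USERNAMES = {"root", "admin", "test", "guest", "info", "adm",
                   "mysql", "user", "administrator", "oracle"}

# OpenSSH password-auth lines as syslog writes them (no year in the timestamp).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)

# Constructed sample: one guessing burst that ends in a success, one normal user typo.
SAMPLE_LOG = """\
Feb 18 17:03:01 host sshd[2210]: Failed password for root from 203.0.113.7 port 40122 ssh2
Feb 18 17:03:03 host sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 40123 ssh2
Feb 18 17:03:05 host sshd[2210]: Failed password for invalid user test from 203.0.113.7 port 40124 ssh2
Feb 18 17:03:08 host sshd[2210]: Failed password for invalid user guest from 203.0.113.7 port 40125 ssh2
Feb 18 17:03:10 host sshd[2210]: Failed password for root from 203.0.113.7 port 40126 ssh2
Feb 18 17:03:12 host sshd[2210]: Failed password for root from 203.0.113.7 port 40127 ssh2
Feb 18 17:03:14 host sshd[2210]: Accepted password for root from 203.0.113.7 port 40128 ssh2
Feb 18 17:04:40 host sshd[2231]: Failed password for alice from 198.51.100.5 port 51002 ssh2
Feb 18 17:04:47 host sshd[2231]: Accepted password for alice from 198.51.100.5 port 51002 ssh2
""".splitlines()


def parse(line):
    """Return a dict with ts/result/user/ip for a password-auth line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%b %d %H:%M:%S")
    return e


def analyze(lines, threshold=5, window=60):
    """Flag sources with >= `threshold` failed passwords inside `window` seconds and
    report any accepted login from a flagged source (the study's 'change the
    password' step follows right after such a login)."""
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e["ts"])
    recent = defaultdict(list)   # ip -> failure timestamps still inside the window
    tried = defaultdict(set)     # ip -> usernames attempted
    flagged = {}                 # ip -> usernames, once the threshold is crossed
    compromised = []             # (user, ip) for successes from a flagged source
    for e in events:
        ip = e["ip"]
        if e["result"] == "Failed":
            tried[ip].add(e["user"])
            recent[ip] = [t for t in recent[ip] if (e["ts"] - t).total_seconds() <= window]
            recent[ip].append(e["ts"])
            if len(recent[ip]) >= threshold:
                flagged[ip] = tried[ip]
        elif ip in flagged:
            compromised.append((e["user"], ip))
    report = {
        ip: {"usernames": sorted(users), "from_study_top10": sorted(users & STUDY_USERNAMES)}
        for ip, users in flagged.items()
    }
    return report, compromised


if __name__ == "__main__":
    report, compromised = analyze(SAMPLE_LOG)
    for ip, info in report.items():
        print(f"brute force from {ip}: tried {info['usernames']}")
    for user, ip in compromised:
        print(f"ALERT: {user} logged in from {ip} right after a guessing burst")
```

A success from a flagged source is the signal worth paging on; the burst alone is background noise on any Internet-facing host, exactly as the study's attack rate suggests.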
 
Lesigner Girl Profile
Live feed
Blog
Friends
Miscellaneous info

Minerva
Head of Runboard staff

Registered: 11-2005
Posts: 9598
Karma: 132 (+147/-15)
ReplyQuote
Password Dos and Don'ts


The following is just a partial article. Click on the link to read the rest:

Password Crackers

Creating strong passwords is an effective way to block most password-cracking attempts on data files. It's not possible to come up with a data-file encryption scheme that can't be broken with enough CPU time, but the longer and more complex the password (and the larger the encryption key), the longer it will take to crack the password. The brute-force attacks on Zip files and other relevant formats can be very time-consuming: We fed Passware's Word Key a Word document with the password 123word on a Pentium III/500 system with 256MB of RAM. Without us doing anything else, Word Key took 29 hours to find the password. (A password like 999999zzzzzzzz is especially effective, because the brute-force attacks seem to rely on a straight alphabetical approach. And by default, Passware's programs will only try passwords of up to seven characters in brute-force mode.) Simple passwords are no challenge for Passware: On the same test system, Word Key cracked the same document with the password larry in 3 seconds.

Password Dos and Don'ts

Although password-cracking software is a formidable and intimidating weapon in the wrong hands, there are several common-sense steps you can take to minimize your risk and perhaps even thwart crack attempts.

» When creating a password, don't use any part of your user name, full name, address, birthdate, and so on. This information is readily available to intruders.

» Don't use English or even foreign words; dictionary attacks try millions of word combinations per second.

» Make sure your password is at least six to eight characters long. Our experience with Passware products shows that the longer the password the better.

» Use different kinds of characters in your password. At the very least, your password should contain uppercase letters, lowercase letters, and numbers. If you're comfortable with non-alphanumeric symbols (such as #@!&) or extended ASCII characters (which you can access by holding down Alt and typing on the number pad), use them in your password. Passware software does not look for special characters unless the cracker specifies each one to look for.

» Use a password that is easy to remember and easy to type, but don't write it on a sticky note and post it on your monitor.

» Change your password every month to six weeks.

» Don't recycle old passwords or use the same one for several different applications.



Last revised by Lesigner Girl, 2/18/2007, 5:07 pm


---
2/18/2007, 5:05 pm
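The article quoted above gives a checklist (no user name or personal details, no dictionary words, 6 to 8 characters or more, mixed character classes) and notes that brute-force time grows with length and alphabet size. The following is an added example, not code from the article or from Passware: it turns the checklist into a checker and sizes the brute-force search space for a given password. The 8-character minimum (the top of the article's range), the tiny word list, the 1337 reversal table and the guess rates are this example's own assumptions.

```python
"""Check a password against the article's dos and don'ts and size the brute-force job.

Added example, not code from the article or from Passware. The 8-character minimum
(the top of the article's 6-to-8 range), the tiny word list and the guess rates are
this example's own assumptions.
"""
import re

# Alphabet sizes for the character classes the article says to mix (33 = printable ASCII punctuation).
CLASS_SIZE = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}

# Constructed stand-in for a real word list (e.g. /usr/share/dict/words).
DICTIONARY = {"password", "passwd", "larry", "word", "welcome", "letmein", "test"}

# Undo common 1337 substitutions so "p4ssw0rd" is still caught as "password".
UNLEET = str.maketrans("4301$57!@", "aeolsstla")


def char_classes(pw):
    """Set of character classes present in `pw`."""
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def _alpha_core(s):
    """Strip leading/trailing non-letters: "123word" -> "word"."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", s)


def check_password(pw, username="", personal=()):
    """Return the article's rules that `pw` breaks; an empty list means it passes."""
    problems = []
    low = pw.lower()
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if username and username.lower() in low:
        problems.append("contains the user name")
    for item in personal:  # full name, address, birthdate, ...
        if item and item.lower() in low:
            problems.append(f"contains personal information ({item})")
    if not {"lower", "upper", "digit"} <= char_classes(pw):
        problems.append("needs upper-case, lower-case and digits at minimum")
    # Dictionary check on the word with digits/punctuation trimmed, with and without 1337 undone.
    cores = {_alpha_core(low), _alpha_core(low.translate(UNLEET))}
    hits = cores & DICTIONARY
    if hits:
        problems.append(f"based on a dictionary word ({sorted(hits)[0]})")
    return problems


def keyspace(pw):
    """Number of candidates a brute-force run must cover for a password of this
    length drawn from the character classes it actually uses."""
    alphabet = sum(CLASS_SIZE[c] for c in char_classes(pw))
    return alphabet ** len(pw)


def seconds_to_exhaust(pw, guesses_per_second):
    """Worst-case time to enumerate the whole keyspace at a given guess rate."""
    return keyspace(pw) / guesses_per_second


if __name__ == "__main__":
    for pw in ["larry", "123word", "p4ssw0rd", "k9Wk8sXpZz99823oPbWsxY87C3zcwQ68"]:
        hours = seconds_to_exhaust(pw, 1_000_000) / 3600  # 1M guesses/s is an assumed rate
        print(f"{pw}: {check_password(pw) or 'OK'}; {hours:.1e} h to exhaust at 1M guesses/s")
```

The keyspace figure is an upper bound: a dictionary attack does not walk the keyspace at all, which is why `larry` fails in seconds in the article regardless of the alphabet size, and why the word-list check matters more than the length check for short passwords.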
This board's time is GMT.