Choosing a Good Password

What makes a password a "Good Password"?

First of all, you need to be able to remember it. Being able to type it is also nice, though less important than being able to remember it.

Second, it must not be easily guessable. A password that is related to your login name or your real name in an obvious way can be easily guessed and therefore is not a "Good Password".

Third, it needs to be a reasonably large number of characters. Three-letter passwords can be easily guessed by an obvious "brute force" method -- just try them all. (How many times have you had to "crack" that 3-dial lock on your suitcase? I do this about once a year, usually the night before my wife is leaving town.) A "Good Password" has 7 or 8 characters in it. (Note: longer passwords are even better, but the password checking routines on many Unix systems silently discard any characters after the eighth one.)

Fourth, it needs to have more than just letters in it. You should include letters (upper- and lower-case), digits, and punctuation marks. Control characters are nice in theory, but some Macintosh and PC software doesn't like them, so you should probably avoid control characters if you work in an environment with Macs or PCs.

Fifth, it should not contain any sequence of 4 or more letters (regardless of how you capitalize them) that can be found in a dictionary. Reversing the order of the letters doesn't do any good either. A standard way of cracking a password is to try all the words in a dictionary, in all possible upper-/lower-case combinations, both forward and backward. Prepending and/or appending a digit or punctuation character to a dictionary word doesn't help either; on a modern computer, it doesn't take long to try all those possible combinations, and programs exist (and are easy to get) to do exactly that.
About "dictionaries" and password "cracking"...

In addition to the standard American or English dictionaries that we're all familiar with, there are also "crackers' dictionaries." These are collections of common computer terms and phrases, names, slang and jargon, easily typed key sequences (like "qwerty"), and scatological phrases that one might be tempted to use for a password. These crackers' dictionaries are frequently updated and shared; programs to crack passwords are distributed with copies of these dictionaries.

A frequently used method for cracking passwords is to get a copy of the password file for a system, thus obtaining a list of all the encrypted passwords on the system. The would-be cracker then uses his/her own computer to attempt to crack the encrypted passwords; this activity is undetectable by the system administrator since it is happening on the cracker's computer. If even a single password can be cracked, the cracker can log in to the system and begin probing, as a user of the system, for security holes. There are other programs, also easily gotten, that are designed to quickly and easily probe and exploit all known security holes. (It used to require some intelligence and sophistication to be a successful cracker; this is no longer true.)
Don't do this...

Here are some examples of "Really Bad Passwords"; you should avoid passwords like these:

lindahl7 - based on the username
7lindahl - based on the username
l3nd1hl - based on the username, with an obvious transformation
k3n - based on the username, with an obvious transformation
kkeenn - based on the user's name
elizabeth - daughter's name (in a dictionary, and easily guessed as well)
htebazile - ditto, backwards
PORSCHE911 - it's in a dictionary
12345678 - it's in a dictionary (& people can watch you type it easily)
qwertyui - ...ditto...
abcxyz - ...ditto...
0ooooooo - ...ditto...
Computer - just because it's capitalised doesn't make it safe
wombat6 - ditto for appending some random character
c0rky1 - corrupted version of a dictionary word
6wombat - ditto for prepending some random character
merde3 - even for French words...
mr.spock - it's in a sci-fi dictionary
zeolite - it's in a geological dictionary
ze0lite - corrupted version of a word in a geological dictionary
ze0l1te - ...ditto...
Z30L1T3 - ...ditto...

So, how do you choose a "Good Password"?

Pick a phrase that has some meaning or significance to you, but not to anyone else. Then transform it in some manner so that the final result is consistent with the guidelines above. When transforming, try to transform entire syllables into a single character; do not use an obvious letter-into-digit transformation more than once or twice.

Here are some passwords that I consider to be reasonably "Good Passwords". (However, now that I have listed them here, they are "Really Bad Passwords" and must not be used.)

u2canB0 - "you too can be null"
Iput0xU - "I put a hex on you"
b1b1mbab - Korean cuisine, vowels replaced by digits
ne4lE2g0 - "nefeli, to go" (easy to type, too!)
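As an added example (not code from the original page or its authors), here is a checker that applies guidelines two through five above and rejects the "Really Bad Passwords" listed while accepting the "Good Passwords". The word list, the login/real names the caller passes in (here "lindahl" and "ken", taken from the examples), and the numeric thresholds are constructed assumptions for the demonstration.

```python
import re

# Constructed mini word list (dictionary plus "crackers' dictionary"); real use loads full lists.
DICTIONARY = {"elizabeth", "porsche", "wombat", "corky", "computer", "zeolite",
              "merde", "spock", "qwerty", "abcxyz", "12345678", "oooooooo"}
LEET = str.maketrans("013457$@", "oieastsa")  # common digit/symbol-for-letter swaps
MIN_LENGTH, MIN_RUN, MIN_CLASSES = 7, 4, 2    # thresholds are assumptions, not the page's

def variants(pw):
    """Forms a cracker tries: as typed, substitutions undone ('1' as 'i' or 'l'), each also reversed."""
    undone = pw.lower().translate(LEET)
    forms = {pw.lower(), undone, undone.replace("i", "l")}
    return forms | {f[::-1] for f in forms}

def contains_dictionary_word(pw, words=DICTIONARY):
    """Rule 5: some run, any case, either direction, substitutions undone, holds a 4+ letter dictionary word."""
    long_words = [w for w in words if len(w) >= MIN_RUN]
    for form in variants(pw):
        for run in re.findall(r"[a-z0-9]+", form):
            if any(w in run for w in long_words):
                return True
    return False

def derived_from_name(pw, names):
    """Rule 2: name still visible after reversing, doubled letters (kkeenn) or digit-for-vowel swaps (l3nd1hl)."""
    letters = lambda s: re.sub(r"[^a-z]", "", s.lower())
    skeleton = lambda s: re.sub(r"[aeiou]", "", letters(s))   # consonants only
    for form in variants(pw):
        collapsed = re.sub(r"(.)\1+", r"\1", letters(form))   # kkeenn -> ken
        for name in (n.lower() for n in names):
            if name in letters(form) or name in collapsed:
                return True
            if len(skeleton(name)) >= 2 and skeleton(form) == skeleton(name):
                return True
    return False

def check_password(pw, names=(), words=DICTIONARY):
    """Return the list of guidelines pw violates; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("fewer than %d characters" % MIN_LENGTH)
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    if sum(bool(re.search(p, pw)) for p in classes) < MIN_CLASSES:
        problems.append("mix upper/lower-case letters, digits and punctuation")
    if derived_from_name(pw, names):
        problems.append("derived from the login or real name")
    if contains_dictionary_word(pw, words):
        problems.append("contains a dictionary word (forward, backward or disguised)")
    return problems
```

Calling check_password("Z30L1T3") flags the dictionary word because the digit-for-letter swaps are undone before the word list is consulted, which is exactly why the corrupted-word examples above are still "Really Bad".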
Updated 22 Sept 1999, by ken lindahl and Michael Sinatra. Send comments, corrections, questions to <lindahl@ack.berkeley.edu>