SECURITY POLICY - PASSWORDS

As the power of computers increases it is becoming easier and easier to crack users' passwords.

Using an up-to-date password cracker which checks passwords against a dictionary, it is possible to crack Unix, Linux and Windows passwords in a matter of hours.

You will find below advice on how to choose a more secure password, which can be incorporated into a suitable security policy. If you follow this security policy it should make it harder to crack your password: an attacker should then need to carry out a brute-force crack of your password, which takes significantly longer than checking passwords against a dictionary or a list of common passwords.

A brute-force password crack can take several days, as opposed to a matter of hours for simpler cracking techniques.

There is evidence to suggest that using a username and password as a means of authenticating users may not be secure for too much longer. Organisations should consider building the use of smartcards with digital certificates as a means of authentication into their security policies in future.

Choosing a Secure Password

In order to make it harder for people to guess your passwords please keep in mind the following advice:

  • Don't use dictionary words - All real words are easy to guess. Avoid using any words, words in foreign languages, swear words, slang, names, nicknames, etc.
  • The names of family, friends and partners, anniversary dates, car registrations and telephone numbers are the first thing potential crackers will try when guessing your passwords.
  • Instead try to pick acronyms, mnemonics, random letters, etc., or insert non-alphabetic characters in the middle of the word, replace letters with numbers (o to zero, I to 1, E to 3), etc.
  • Use a mIxTuRe of UPPER and lower case on case sensitive systems - Windows, Unix and Linux.
  • You must include a number (0-9) somewhere in the password. Try to fit this in somewhere inside whatever letters you choose, instead of at the end or beginning of the password.
  • If possible include a symbol (£$%&^*+=) somewhere in the password.
  • When changing passwords, change more than just the number: perhaps move its position within the password, add or subtract letters, change capitalisation, etc.
  • However, choose something you can remember. This is very important; it is no good having a password like "h498cj3t34" if you have it written on a Post-It Note stuck to your monitor! If you must have a reminder or hint, use something cryptic that only you can understand.
  • Never tell anyone else your password or allow them to log in as you. Avoid telling anyone your password on the telephone; hackers often ring up pretending to be from the Information Technology Department and ask for your password. If it is necessary to provide your password to someone else to allow a fault to be fixed, ensure that they are genuine members of the Information Technology Department first.
  • Try to avoid letting other people watch you key your password in. Avoid choosing something that is easy to pick up just by watching, such as "qwerty12345".
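
The rules above can be enforced automatically at password-change time. The checker below is an added example written for this page, not part of the original policy document: it flags dictionary words (including ones disguised with the o/0, I/1, E/3 swaps the policy mentions, which crackers undo), missing case mix, a number that only sits at the start or end, a missing symbol from the policy's own list, and a "change" that altered nothing but the number. The wordlist is a constructed sample standing in for a real dictionary.

```python
import re
import string

# Constructed sample wordlist; a real check would load a cracker-style dictionary.
DICTIONARY = {"password", "welcome", "summer", "letmein", "qwerty", "monkey"}

# The policy suggests swapping letters for numbers (o to 0, I to 1, E to 3).
# A dictionary cracker simply undoes such swaps, so the checker undoes them too.
LEET_UNDO = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                           "$": "s", "@": "a"})

# The symbol set is the one the policy itself lists.
SYMBOLS = set("£$%&^*+=")


def core_words(pw: str) -> set:
    """The bare lower-case letter strings a dictionary cracker would test:
    the letters as typed, and the letters after undoing digit/symbol swaps."""
    def letters_only(s):
        return "".join(c for c in s if c in string.ascii_lowercase)
    lowered = pw.lower()
    return {letters_only(lowered), letters_only(lowered.translate(LEET_UNDO))}


def check_password(pw: str, dictionary=DICTIONARY) -> list:
    """Return the policy rules the password breaks; an empty list means it complies."""
    problems = []
    if core_words(pw) & dictionary:
        problems.append("based on a dictionary word")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("no mix of upper and lower case")
    if not any(c.isdigit() for c in pw):
        problems.append("no number")
    elif not any(c.isdigit() for c in pw.strip(string.digits)):
        # With leading and trailing digits stripped, no digit is left: the
        # number only sits at the start or end, which the policy warns against.
        problems.append("number only at the start or end")
    if not SYMBOLS & set(pw):
        problems.append("no symbol from the policy's list")
    return problems


def only_number_changed(old: str, new: str) -> bool:
    """True if a password change altered nothing but the digits themselves; moving
    the number, or changing letters or capitalisation, counts as a real change."""
    def shape(s):
        return re.sub(r"\d+", "#", s)
    return shape(old) == shape(new)
```

A password such as "Summer2024" fails three of the rules at once, while "Pa$$w0rd" is still caught as the dictionary word it disguises.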

A security policy containing this advice can be downloaded below. This security policy dates from the 1990s.