SECURITY POLICY - PASSWORDS
the power of computers increases it is becoming easier and easier to crack
Using an up to date password cracker which checks passwords
against a dictionary it is possible to crack Unix, Linux and Windows passwords
in a matter of hours.
You will find below advice which can be incorporated in to a suitable security policy
on how to choose a more secure password. If you follow this security policy it should make
it harder to crack your password. It should be necessary to carry out a brute force crack of your
password which takes significantly longer than checking passwords against a dictionary or list of common
A brute force password crack can take several days
as opposed to a matter of hours for simpler cracking techniques.
There is evidence to suggest that using a username
and password as a means of authenticating users may not be secure for
too much longer. Organisations should consider building the use of smartcards
with digital certificates as a means of authentication in future in to
their security policies.
Choosing a Secure Password
In order to make it harder for people to guess
your passwords please keep in mind the following advice:-
- Don't use dictionary words
- All real words are easy to guess. Avoid using any words, words
in foreign languages, swear words, slang, names, nicknames, etc.
- The names of family, friends and partners, anniversary
dates, car registrations and telephone numbers are the first thing potential
crackers will try when guessing your passwords.
- Instead try to pick acronyms,
mnemonics, random letters, etc, or insert non-alphabetic
characters in the middle of the word, replace
letters with numbers (o to zero, I to 1, E to 3), etc.
- Use a mIxTuRe of UPPER and lower case on case sensitive
systems - Windows, Unix and Linux.
- You must include a number
(0-9) somewhere in the password. Try to fit this in somewhere inside
whatever letters you choose, instead of at the end or beginning of the
- If possible include a symbol (£$%&^*+=) somewhere in the
- When changing passwords, change
more than just the number: perhaps move its position within the
password, add or subtract letters, change capitalisation, etc.
- However, choose something
you can remember. This is very important; it is no good having a
password like "h498cj3t34" if you have it written on a Post-It
Note stuck to your monitor! If you must have a reminder or hint, use
something cryptic that only you can understand.
- Never tell anyone else your
password or allow them to log in as you. Avoid telling anyone your
password on the telephone, hackers often ring up pretending to be from
the Information Technology Department and ask for your password. If
it is necessary to provide your password to someone else to allow a
fault to be fixed, ensure that they are genuine members of Information
Technology Department first.
- Try to avoid letting other people watch you key
your password in. Choose something that is not easy to guess from watching,
A security policy containg this advice can be download below.