RE: Password creating Theories

From: Adrian Floarea (adrian.floarea_at_uti.ro)
Date: 11/15/05

    To: "'Jennifer Fountain'" <jfountain@rbinc.com>
    Date: Tue, 15 Nov 2005 22:59:38 +0200

    Selecting Good Passwords
    Rationale

    The object when choosing a password is to make it as difficult as possible
    for a cracker to make educated guesses about what you've chosen. This leaves
    him no alternative but a brute-force search, trying every possible
    combination of letters, numbers, and punctuation. A search of this sort,
    even conducted on a machine that could try one million passwords per second
    (most machines can try less than one hundred per second), would require, on
    the average, over one hundred years to complete.

    What Not to Use

        * Don't use your login name in any form (as-is, reversed, capitalized,
    doubled, etc.).

        * Don't use your first or last name in any form.

        * Don't use your spouse's or child's name.

        * Don't use other information easily obtained about you. This includes
    license plate numbers, telephone numbers, social security numbers, the brand
    of your automobile, the name of the street you live on, etc.

        * Don't use a password of all digits, or all the same letter. This
    significantly decreases the search time for a cracker.

        * Don't use a word contained in (English or foreign language)
    dictionaries, spelling lists, or other lists of words.

        * Don't use a password shorter than six characters.

    What to Use

        * Do use a password with mixed-case alphabetic characters.

        * Do use a password with nonalphabetic characters, e.g., digits or
    punctuation.

        * Do use a password that is easy to remember, so you don't have to write
    it down.

        * Do use a password that you can type quickly, without having to look at
    the keyboard. This makes it harder for someone to steal your password by
    watching over your shoulder.

    Method to Choose Secure and Easy to Remember Passwords

        * Choose a line or two from a song or poem, and use the first letter of
    each word. For example, "In Xanadu did Kubla Khan a stately pleasure dome
    decree" becomes "IXdKKaspdd."

        * Alternate between one consonant and one or two vowels, up to eight
    characters. This provides nonsense words that are usually pronounceable, and
    thus easily remembered. Examples include "routboo," "quadpop," and so
    on.

        * Choose two short words and concatenate them together with a
    punctuation character between them. For example: "dog;rain," "book+mug,"
    "kid?goat."

    Source : http://www.alw.nih.gov/Security/Docs/passwd.html

    On 11/11/05, Jennifer Fountain <jfountain@rbinc.com> wrote:
    > I am currently coming up with a new policy to create root/admin
    > passwords for windows and linux boxes and would like to know your
    > thoughts on the methods you use to create them. Thanks for any input!

    Regards,

    Adrian Floarea, CISA
    Information Security Department
    IT&C Division, UTI Systems SA
    Bucharest, Romania
    Email: adrian.floarea@uti.ro

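As an added illustration (not part of the message above or of the NIH document it quotes), the following Python turns the "What Not to Use" and "What to Use" rules into a policy check that a password-setting script could call, derives a password from a phrase with the first-letter-of-each-word method, and reproduces the rationale's brute-force estimate for an alphabet size, length and guess rate. The tiny word list is a constructed stand-in for a real dictionary, and the rule set, function names and sample inputs are assumptions made for this demo.

```python
"""Added example: password policy check, phrase-derived password, and
brute-force time estimate following the rules quoted above.
The word list and all function names are constructed for this demo."""
import string

# Constructed stand-in for a real dictionary / spelling list (assumption).
DICTIONARY = {"password", "dragon", "monkey", "welcome", "letmein", "sunshine"}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def login_name_variants(login: str) -> set:
    """Forms of the login name the guidance rejects. Comparison is
    case-insensitive, so 'capitalized' is covered by the as-is form;
    reversed and doubled are added explicitly."""
    login = login.lower()
    return {login, login[::-1], login * 2}


def check_password(candidate: str, login: str = "", personal: tuple = ()) -> list:
    """Return the list of rule violations; an empty list means the candidate
    passes. `personal` holds strings easily obtained about the user
    (names, plate numbers, phone numbers, street name, ...)."""
    problems = []
    lowered = candidate.lower()

    # --- What Not to Use ---
    if len(candidate) < 6:
        problems.append("shorter than six characters")
    if candidate.isdigit():
        problems.append("all digits")
    if len(set(candidate)) == 1:
        problems.append("all the same character")
    if login and any(v in lowered for v in login_name_variants(login)):
        problems.append("contains login name in some form")
    for item in personal:
        if item and item.lower() in lowered:
            problems.append(f"contains personal information ({item})")
    if lowered in DICTIONARY:
        problems.append("dictionary word")

    # --- What to Use ---
    has_lower = any(c.islower() for c in candidate)
    has_upper = any(c.isupper() for c in candidate)
    if not (has_lower and has_upper):
        problems.append("no mixed case")
    if not any(c in string.digits + string.punctuation for c in candidate):
        problems.append("no digit or punctuation")
    return problems


def first_letters(phrase: str) -> str:
    """The song/poem method: keep the first letter of each word, case intact.
    'In Xanadu did Kubla Khan a stately pleasure dome decree' -> 'IXdKKaspdd'."""
    return "".join(word[0] for word in phrase.split() if word[0].isalpha())


def brute_force_years(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Average time for an exhaustive search: on average half the keyspace
    must be tried before the password is found."""
    keyspace = alphabet_size ** length
    return (keyspace / 2) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed sample inputs (not real accounts).
    phrase = "In Xanadu did Kubla Khan a stately pleasure dome decree"
    derived = first_letters(phrase)
    print(derived, check_password(derived, login="jfountain"))
    print(check_password("Book+Mug7", login="jfountain",
                         personal=("Jennifer", "Fountain")))
    # 95 printable ASCII characters, length 8, one million guesses per second
    print(f"{brute_force_years(95, 8, 1e6):.0f} years")
```

Note that the NIH example "IXdKKaspdd" itself trips the "no digit or punctuation" rule, which is why a checker like this is useful: the two halves of the guidance have to be applied together, and the brute-force figure of "over one hundred years" only holds for an eight-character password drawn from the full printable alphabet at the quoted one million guesses per second.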
