Choosing secure passwords - Feedback solicited
From: Richard Anderson (Richard.Anderson@seaslug.org)
Date: 30 Mar 2002 13:43:59 -0800
I recently added a page to the company website on choosing good
passwords, so I thought I'd pass it along - you may know someone that
could benefit from this info. The document below is also at
http://www.raycosoft.com/rayco/support/good_password.html
Critical comments on the technical issues are welcome.
How to Choose Good Passwords / PINs
Choosing secure passwords is the most important thing you can do to
secure your accounts and avoid the headaches of a security breach. I've
worked as a software engineer and occasional Unix systems engineer
since 1971, and I still feel pain when I hear about security breaches
caused by someone using "password" as a password. Consumer computer
fraud is booming (an estimated $5.2 million in 2001, up 58% from 2000)
and corporate losses from computer security breaches were estimated at
$13.2 billion in 2001 (an average annual growth rate of 49% since
1996).
O.K., so it's a jungle out there. What can you do to protect yourself?
Read on.
Choosing good passwords
There are two extreme positions on password security: (1) "I'll use the
same simple word for all my passwords" and (2) "You must use passwords
consisting of random sequences of mixed-case letters, numbers and
special characters and use a different password for each account". A
rational approach lies somewhere between these extremes. This section
and the section titled "Managing multiple accounts" describe a system
that is a good compromise between ease of use and security.
1. Choose an obscure phrase of five to ten words that you can easily
remember. This might be a line from a song, movie, book, joke, whatever
you can remember. Lyrics from songs by the Beatles and the names of
your five children are not as obscure as lyrics from songs by They
Might Be Giants, your big line from the high school play or Jimmy
Cagney's last line from the 1949 movie White Heat.
2. Create a nonsense word by extracting the first character from each
word in the phrase.
3. Read the nonsense word forwards and backwards to verify it is not a
sequence of one or more words. If it is, go back to step one. Foreign
words and proper nouns (e.g., names, places) count as words.
4. If you want to make your password easier to remember at the cost of
some security, skip ahead to step 7. (But I encourage you to do steps 5
and 6.)
5. Add a digit to the nonsense word, but not at the beginning. The result can
be easier to remember if you replace one of the letters with a digit
that sounds like the letter's phrase word. Examples: "won / one" => 1,
"none" => n1, "to / too / true / two" => 2, "tree / tea / three" => 3,
"for / floor / four" => 4, "before" => b4, "fever" => 5r, "sick / sex /
sticks / six" => 6, "heaven / seven" => 7, "ate / eight" => 8, "late"
=> l8, "benign" => b9, "oh / owe" => 0, "no" => n0. (You can use a
special character instead of a digit. However, some poorly designed
systems reject passwords that contain special characters, so this makes
your password less portable.)
6. Make one of the letters upper case, the rest lower case. The
password will be easier to remember if you upper-case the first or last
letter or the letter right after a comma in the phrase.
7. Think of a keyword that will help you remember the password, but
doesn't give it away. If you want to record the account information on
paper or in a file, use this keyword instead of the password. Never
write your password down or store it in an unencrypted file.
Example: Take this lyric from one of Nancy Griffith's songs: "Love's on
sale tonight in this five and dime". Take the first letter from each
word to make "lostitfad". Oops! This is the concatenation of the words
"lost", "it" and "fad", so it is no good. (I wonder what this song
sounds like played backwards?) Let's try again with another one of
Nancy's lyrics: "I need more than a whisper". The extracted word
"inmtaw" can't be decomposed into complete words, so it is O.K. Insert
the number four to make "inm4taw". (More rhymes with four, which
should help us remember the digit.) Upper case one letter to make
"inm4taW". The keyword we can use to remember this password is "Nancy".
Please don't use this example as your password. Now that it has been
published, crackers will add it to their password-guessing
dictionaries. In fact, don't use lyrics from any songs by Nancy
Griffith, the Beatles or They Might Be Giants and don't use Jimmy
Cagney lines either.
Choosing good PINs
The method described above can be adapted to choosing 4-digit PINs
(personal identification numbers). Choose a four-word phrase you can
remember, extract the first letter of each word and convert it to
numbers using the letter-number association on telephone keypads. (In
the United States, this is ABC => 2, DEF => 3, GHI => 4, JKL => 5, MNO
=> 6, PRS => 7, TUV => 8, WXY => 9. If one of your letters is Q or Z,
pick a different phrase.) Think of a keyword associated with the phrase
that will help you remember the PIN. If you need to record the PIN on
paper or in a file, record this keyword instead of the PIN.
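The password procedure (steps 2 to 6) and the keypad PIN variant above, as an added example that is not part of the original post. The word list is a small constructed sample standing in for a real dictionary file; the step-3 check is done with a word-break search so that "lostitfad" is rejected and "inmtaw" is accepted exactly as in the text.

```python
import string

# Constructed sample dictionary; a real check would load a full word list.
WORDS = {"lost", "it", "fad", "in", "a", "an", "at", "taw", "i", "fit",
         "lo", "ad", "tin"}

# US telephone keypad letter groups as given in the text (no Q or Z).
KEYPAD = {"abc": "2", "def": "3", "ghi": "4", "jkl": "5", "mno": "6",
          "prs": "7", "tuv": "8", "wxy": "9"}


def initials(phrase):
    """Step 2: first letter of each word, lower-cased, punctuation dropped."""
    words = phrase.translate(str.maketrans("", "", string.punctuation)).split()
    return "".join(w[0].lower() for w in words)


def segments_into_words(s, dictionary):
    """True if s is a concatenation of one or more dictionary words
    (word-break dynamic programme over prefix positions)."""
    reachable = [True] + [False] * len(s)
    for end in range(1, len(s) + 1):
        reachable[end] = any(reachable[start] and s[start:end] in dictionary
                             for start in range(end))
    return reachable[len(s)]


def passes_step3(nonsense, dictionary=WORDS):
    """Step 3: reject if the word reads as words forwards or backwards."""
    return not (segments_into_words(nonsense, dictionary)
                or segments_into_words(nonsense[::-1], dictionary))


def derive_password(phrase, digit, after_index, upper_index, dictionary=WORDS):
    """Steps 2 to 6: returns the password, or None if step 3 fails.
    `digit` goes after position `after_index` (never at the front) and
    the character at `upper_index` of the result is upper-cased."""
    base = initials(phrase)
    if after_index < 0 or not passes_step3(base, dictionary):
        return None
    with_digit = base[:after_index + 1] + digit + base[after_index + 1:]
    return (with_digit[:upper_index] + with_digit[upper_index].upper()
            + with_digit[upper_index + 1:])


def keypad_pin(phrase):
    """PIN variant: initials mapped through the keypad; None if a letter
    (Q or Z) has no key, which the text says calls for a new phrase."""
    digits = []
    for letter in initials(phrase):
        group = next((g for g in KEYPAD if letter in g), None)
        if group is None:
            return None
        digits.append(KEYPAD[group])
    return "".join(digits)
```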
Managing multiple accounts
It is not practical to have a different password for every account, nor
is it desirable from a security standpoint. The more passwords you
have, the more likely it is that you will have to write them down,
which is insecure. On the other hand, it is not a good idea to use the
same password for all accounts. If you do and your password is cracked
on one system, all your accounts are exposed. A chain is only as strong
as its weakest link.
A good solution is to separate your accounts into two to four groups
based on the consequences of someone misusing the account. Like firewalls
and watertight hatches on ships, this method limits the damage from each
incident. For example:
1. Level 1 accounts (highest consequences). These are accounts that, if
compromised, could cause you to lose a lot of money, lose your job or
suffer major inconveniences. This might include your company accounts,
online stock trading accounts and online bank accounts (e.g., PayPal).
If you work in a sensitive position, you should probably use a separate
level for your company accounts.
2. Level 2 accounts (medium consequences). These are accounts that, if
compromised, could cause you to lose small amounts of money or suffer
minor inconveniences. This might include online auction accounts (e.g.,
Ebay), accounts that contain your credit card number (e.g., Amazon),
and your mail account (e.g., Hotmail).
3. Level 3 accounts (lowest consequences). These are accounts that, if
compromised, would have little or no consequences for you. This might
include accounts for web sites such as job search sites (e.g.,
HotJobs), web sites for periodicals (e.g., New York Times, Forbes), and
web sites for gaming (e.g., bridge, fantasy football).
Now construct a password for each of these levels using the method
described in the "Choosing good passwords" section above. Change all
accounts in each level to use the same password. The same grouping
method can be applied to your PINs: use one PIN for your bank accounts
and another PIN for your telephone calling card, frequent flyer
accounts and library cards.
It may seem risky to use the same password for your company and
personal accounts, and if you work in a sensitive position, you probably
shouldn't do it. However, computers encrypt your password so that even
the system administrators can't get it, although they can get access to
your account.
The second management issue with multiple accounts is remembering the
userids (login names) for all your accounts and which password is
associated with each account. You may start with a few computer
accounts, but if you use web sites the number quickly grows into the
dozens. (I have about seventy.) Ideally you would have the same userid
for all accounts, but sometimes you are not allowed to choose the
userid. Unfortunately, this situation can only be managed by recording
some information about the accounts in a file (but not passwords!).
On your home computer system (not work), create a file in a
subdirectory that contains a lot of other files. Give it an innocuous
name like "data", "junk" or one of the existing files with _save
appended. (Don't use a name of tmp or a suffix of .tmp - the file might
be inadvertently deleted by disk cleanup utilities.) Disable the file's
read and write permissions for other users. Edit the file and, for all
accounts (except perhaps level one accounts), record (1) the system or
web site associated with it, (2) the userid (login name) associated
with it and (3) the keyword (not password) for the account that you
chose in step seven above.
The number of level one accounts is probably small, so it is best to
not put them in this file. Do not put words like "account", "login",
"userid" or "password" anywhere in the file - crackers scan for files
with words like these. If you back up the file to a floppy, give the
floppy an innocuous label like "Misc files", not "Account info". Again,
do not put passwords in this file, any other unencrypted file or on
paper.
Congratulations! Your passwords are now more secure than 99.9% of all
the passwords in the world. However, crackers have some ingenious
tricks for getting your passwords. Read on.
Lock your lips
Security experts and crackers can easily penetrate a company's or
individual's security using simple tools such as a phone, the mail or
just walking in the door. This works because (1) most people are
inherently trusting, (2) most people don't see computer security as
being their concern, and (3) it only takes one mistake to create a
major security breach. If you think computer security is primarily the
concern of IT departments and Internet Services Providers, consider
that if someone uses your account to launch a security attack it may be
difficult to prove your innocence.
Never give out a password or PIN for any account to anyone, no matter
who he is or claims to be. No customer service representative, systems
administrator or corporate security officer should ever ask you for
your password or PIN. Such a request almost certainly violates the
company's security policy and, if someone is authorized to access your
account, they do not need your password to get access. If someone
requests your password, report the incident to the company security
officer immediately. Most security violations come from inside a
company or family.
Do not respond to offers of free technical support for your new
computer: this is probably a trick to establish a relationship and get
unauthorized access to your system. Do not send passwords via e-mail:
e-mail travels unencrypted across networks and lingers on disks, so
there are numerous opportunities for crackers to get access to e-mail.
Recording a password on voice-mail is not as bad, but should be
avoided. When you are entering your password or PIN in the presence of
someone else, block their vision of the keyboard with your body. If
necessary, ask them to turn their back to the ATM or computer. (This
will impress them with your computer smarts as well as protect you from
"shoulder surfing".)
Lock your screen
It only takes a minute for someone to install a mole on your system or
use your system to send an unfortunate e-mail to the vice-president.
Fortunately you can use the procedures below to automatically lock your
screen when there is no keyboard or mouse activity for some period.
Also, you can and should activate the screen lock when you leave at the
end of the day or when you leave a system with sensitive information on
the screen.
Windows NT / 2000 / XP: To configure the automatic screen lock, select
Start / Control Panel / Display / Screen Saver. Select a screen saver
and click the checkbox labeled "Password protect". Select a wait period
between 10 and 45 minutes and select "OK". To activate the screen lock
on demand, press the Windows key and L simultaneously (Windows XP) or
press Control-Alt-Delete and select "Lock Workstation" (Windows NT /
2000).
Windows 95 / 98: To configure the automatic screen lock, select Start /
Control Panel / Display / Screen Saver. Select a screen saver and click
the checkbox labeled "Password protected". Select the "Change" button
and enter a screensaver password. (Make it the same as your login
password, but remember that changing one of these passwords will not
affect the other.) Select a wait period between 10 and 45 minutes and
select "OK".
To activate the screen lock on demand, get a large axe and smash your
computer. Just kidding, here's a procedure to put a screen lock icon on
your desktop: Select Start / Find / Files or Folders to activate the
Windows file search utility. Search the C: drive for files containing
".scr" (make sure "include subfolders" is checked). When you see the
file that matches the name of your screensaver, right click on it and
select "Create Shortcut". When it asks you if you want to place the
shortcut on the desktop, select "Yes". You will see a new shortcut on
your desktop. (You may have to minimize some windows to see it.) Double
clicking this icon will activate the screen lock.
To configure a key sequence that will activate the screen lock, right
click on the new screensaver icon and select "Properties". Select the
"Shortcut" tab at the top of the box and click in the "Shortcut key"
box where it says "none". Type a letter and the box will display "Ctrl
+ Alt + (your letter)". Select "OK". To activate the screen lock, press
the Ctrl, Alt and letter keys simultaneously.
Linux / Unix: The procedures for configuring the automatic screen lock
vary depending on what window manager you have and what version of
Linux or Unix you have. If you are running KDE on Caldera Linux, select
Settings / Desktop / Screen Saver, enter a wait period between 10 and
45 minutes in the "Wait for" field, select the "Require password"
checkbox and select "OK". To activate the screen lock on demand, select
the small padlock icon on the toolbar at the bottom of your screen.
These procedures will be different for other window managers and
Linux/Unix versions.
If you are not using a GUI (windows interface), you may be able to
activate a screen lock on demand by typing "lock" on the Linux/Unix
command line. I do not know of an automatic screen lock facility for
non-GUI Linux/Unix systems.
You're still not safe
The methods described above will make your accounts more secure than
over 99.99% of all the accounts in the world, and most crackers will
pass you by to attack less secure accounts. However, if someone really
wants to break in to your account, they can always do it with enough
work, money and patience. Here are some additional suggestions that you
may or may not want to use:
a. If you use Windows, do not open mail attachments from people you
don't know and do not open suspicious attachments from anyone. If you
do, you could find yourself with a trashed-out computer or a computer
that is open to unwanted visitors. Common tricks to get users to open
attachments are subject lines like "I love you", "Here's a joke",
"Check this out" or RE: followed by the subject line of a message you
recently sent.
b. At work, keep all important files on network shares (also called
"shared folders", "Samba shares", "NFS mounts"). Most IT departments
make regular backups of network shares, but do not back up desktop
systems. (Call your help desk to verify this.) You can encrypt files on
network shares so that only you and possibly the systems administrator
can read them. Another good thing to do is to regularly back up
critical directories to a directory on another disk. Our company offers
a program named diskback that does this; diskback can be downloaded for
free.
c. Periodically back up your home system to removable media. The best
way (and sometimes the only way) to recover from a break-in is to
reinstall the entire system and fix the security holes the attacker
exploited. You may also have to reinstall to recover from software
errors or your own mistakes - it happens to the best of us. CD-RW
burners are a convenient way to back up critical data.
d. Do not install any software on your company system that is not
explicitly authorized by the IT department. Do not install any software
on your home system that is from a company you are not familiar with.
e. If a security expert, cracker or clever teenager gets physical
access to your computer, he can penetrate its security. The best
defense against this is to lock your computer in a small room or
closet. Or you could remove the floppy and CD-ROM drives from your
computer, but this may only slow them down a bit.
f. Periodically check the back of your computer for a dongle (small
cylinder) inserted between the keyboard plug and the computer. This is
probably a keylogger that records your keystrokes for subsequent
playback. There are probably other kinds of keyloggers that are
virtually undetectable.
g. Install anti-spyware on your home system to detect software that
records system activity and sends it to a snooper. This is weak
protection, but is better than nothing.
O.K., now you know enough to protect yourself without becoming a
security fanatic. (Although if you read this far, you are definitely a
candidate. :-] )
Appendix: Principles of password security
a. Insecure passwords are one of the top five computer security
threats. Password insecurity can be created by creating accounts with
no passwords, using weak passwords, writing passwords down, storing
unencrypted passwords in files, using the same password on secure and
insecure systems, sending unencrypted passwords via e-mail and other
protocols, and giving out passwords over the phone.
b. Passwords that are difficult to commit to memory are insecure.
Users will write them down on paper or save them in a file. Crackers,
coworkers and family members know that people do this and know where to
look.
c. Passwords issued by the administrator or automated system that
created the account are insecure. These passwords are sometimes the
same for all new accounts.
d. Passwords that are repeated letters like "aaaaa" or patterns like
"aBcDeFg" or "a1b2c3d4" are insecure.
e. Passwords that are shorter than about 4 or 5 characters are
insecure. (Many systems reject passwords longer than about 10 to 15
characters or ignore the extra characters, so 5 to 10 characters is a
good length.)
f. Passwords based on words that are in English or foreign language
dictionaries are insecure. Crackers have programs that use online
dictionaries to try these words in sequence until one of them works.
Proper nouns like George, London, Everest, etc. are subject to the same
kind of attack. Using backwards words or combining two or more words is
still insecure.
g. Passwords that use only lower case letters are less secure than
passwords that use a mix of upper and lower case letters, numbers and
special characters (e.g., *%!?;+#-). However, some poorly designed web
sites reject passwords with special characters, so your password will
be more portable if you avoid special characters. Also, many systems
require the first character to be a letter.
h. Passwords that are based on personal information are insecure.
Examples include your name, birthday, spouse's / pet's / mother's
maiden name, Social Security number, phone number, address, etc. It is
shockingly easy for complete strangers to get this kind of information.
i. Passwords that are based on information related to the account
context are insecure. If you are a purchasing agent with a userid of
buyuser on a computer named fsys1 at Megacorp, Inc. in Memphis, the
following passwords are insecure: buyuser, fsys1, buyer, purchase,
megacorp, memphis, elvis, graceland, etc.
j. Using the same password for multiple accounts can be insecure if the
different systems have different levels of security. For example, using
your bank PIN for your Ebay password is insecure: Ebay is a fine
company, but prominent web sites like Ebay are frequent targets for
crackers and companies like Ebay have weaker security than banks.
Ideally, you would use a different password for every account, but this
is usually not practical.