HOW TO CHOOSE A BAD PASSWORD!
Now that you have an account on a computer you will have to choose a password for that account. Your password protects your work on the computer just as your access (PIN) code protects your money in the cash machine. There are good passwords and bad passwords. A bad password can allow someone else to get into your account and read your files, or even alter or delete your work. I'm assuming that you don't want someone else to do that, but if in fact you do, then here is how you can make it easier for them by choosing a bad password:
- Make it really easy and use your computer userid, or your name as your password. That's what all good computer crackers try first.
- If you don't like that, use your nickname, your middle name, your student ID number, your phone number, your birthday, or other information about you that anyone can get from the student directory.
- Use the name of your girlfriend/boyfriend, spouse, pet, or child. [If you have seen the film War Games you may remember that the password to the supercomputer was the name of Professor Falken's son, Joshua.]
- Use words or names from Sci-Fi or fantasy books or movies. Computer nerds love these so they are easy to guess. If you use names from literature or ancient mythology you will keep the geeks out and let in only the well-read crackers.
- If you want to make them work only a little bit harder, use a dictionary word. Now that there are on-line spelling dictionaries it is easy for someone to write a program to try all of these until they get the right one. It's slow, but it works eventually. In most cases the cracker doesn't care which password he cracks, as long as he gets one of them, so the weakest password will let him into the machine. It could be yours!
- You can make it easy for someone standing near you (a "shoulder surfer") to guess your password by choosing a sequence of keys which are really obvious when typed, such as "12345".
If you don't like the idea of someone getting into your account and reading your e-mail or deleting your files, then here are some guidelines for choosing a good password: HOW TO CHOOSE A GOOD PASSWORD!
- The best password is a mixture of letters, numbers, punctuation and special characters. The more complex and random it is the harder it will be for someone else to crack. Of course it may also be hard for you to remember, so you should try to choose a complicated password which is also relatively easy for you to remember, but hard for someone else to guess.
- Use at least 6 characters in the password. Shorter passwords are easier for computer programs to guess. Newer versions of Unix require that you use at least 6 characters in a password, and that at least one of them not be a letter. But remember that most Unix passwords are only 8 characters long - any extra characters are simply ignored. That seems to be true on AOL too.
- Just adding a number or punctuation mark to a word can make a password a bit more secure, but if it's a dictionary word then this will probably not enough. One well known cracking program easily caught the password "offbeat1". A better combination would be "off1beat".
- Use fragments of words mixed in unusual ways that would not be found in a dictionary, or take a compound word and swap the pieces in an unusual way. The password just suggested above is even better if you swap the first and last parts.
- Obscene words are generally not good passwords, even though they may not not be in on-line dictionaries, because many cracking programs check for these separately.
- Take a word and substitute a symbol or number for one or more letters. But be unusual. Many cracking programs already know enough to try a "$" in place of an "S", or a "1" in place of an "I" or "L". It's better to just insert punctuation, numbers, or special characters at random in the middle of a word.
- One way to make a good password is to take the first letters of a phrase you can remember. Use a poem you like, a song lyric, or a quotation you can remember - the more obscure the better. A phrase that only means something to you is even better. This produces a sequence of letters which you can remember, but which nobody else can easily construct, nor remember if they see it. The password will be even better if you insert or substitute punctuation and numbers, as in the previous rule.
- Another way to make a good password is to interleave two words, or a word and a number. For example, mixing "July" and "1776" gives "J1u7l7y6". (But that's a bad example, because it's a well known date - use something more obscure.)
- OLD car license numbers (or aircraft "N" numbers) make good passwords, but the license number of the car you are driving now could be easy for someone else to guess. "NCC-1701" is not a good password - too many crackers watch Star Trek.
- Words from other languages are better than English dictionary words, but can still be cracked if the cracker has an on-line dictionary in that language (many are easily available). Applying some of the tricks mentioned above to foreign words can lead to a good password, as long as you can still remember it.
- Another way to generate a password which someone else can't guess is to use input from a physical object in your possesion. For example, the serial number on the bottom of my answering machine is "93-195M", and that is a good password which cannot be guessed by a dictionary program. But be careful with this method. If someone in my department knows I pick passwords this way, then one of the first things they will do is look at the bottom of my answering machine. Of course they have to get into my office to do so, which excludes a large number of people, but not everybody.
- Along the same lines, the serial number of a dollar bill, or some subsequence derived from it, can be used as either a password or as a good reminder of a password. Keep the bill in a safe place - don't spend it. You can even share the password with someone else by tearing the bill in half. This kind of shared secret only costs $1.
- Fortune cookies, which you can get at just about any Chinese restaurant, can be used to construct a password using words or numbers taken from the fortune. You can even carry the fortune in your wallet as a reminder, as long as you don't mark on it, which would give away the secret if it fell into a stranger's hands.
Here are some guidelines to help make your passwords more secure: SOME PASSWORD TIPS
- Change your password often. Even if someone cracks the system password file, the password they obtain is not likely to last long. It can be hard to remember to do this, so use something else to remind yourself. If you change your password once a month, do it at the beginning of the month when you pay your bills, or change it every time you have a math test. Change it at least once every semester. Some computers have "password aging" which forces you to change your password often. This is good as long as it's not often enough to be annoying.
- Never give your password to anybody. The computer center staff don't need to know it, and in fact they can't find out what your password is (without running a cracking program themselves!). If you get e-mail from someone asking for your password so that they can trap a cracker, then they are probably a cracker themselves. Report it to the computer center.
- If you think someone might have seen you type in your password ("shoulder surfing"), then change it as soon as possible. On any Unix computer the command to change your password is `passwd` (though you should check for local variations).
- If you can avoid it, don't write your password down. If you do have to write it down, don't label it. If someone sees "xyzzy" in your notebook they may not know what it means, but if they see "my password is xyzzy" they will. [And by the way, "xyzzy" is a magic word from a computer game, so it's not a good password.]
- If you work on more than one computer and they don't share a common password system, then you should use different passwords on different machines. Then if someone breaks into one computer they still can't get into the other.
- Use private information known only to you when you construct your passwords, not public information which other people are able to find (no matter how unlikely you may think it would be that they would find it - if it is publicly available don't use it).
- Never send a password through e-mail! Electronic mail is not as secure as you might think. If you have to send someone a password, use regular mail or fax, or encrypt your e-mail with PGP.
Finally, if you want to read a good (and true!) story about computer crackers, foreign spies, and even a famous security bug in emacs (now long fixed), then get The Cuckoo's Egg by Clifford Stoll.
Eric Myers <myers@spy-hill.net>
Last revised: 15 September 2000
Copyright © 2011 by Spy Hill Research http://www.Spy-Hill.net/~myers/help/Passwords.html (served by Islay.spy-hill.com) Last modified: 10 July 2011