Password security is a balance (like most things in life). The balance is
between having a strong password that is hard to break and having a password
that can remembered without writing it down.
It is astounding how many people write their passwords down and have them
easily accessible when they have serious things to hide. This is fairly
easily avoided.
For most applications (like email with friends) a simple password that no one
knows will do. But this assumes that no one is really interested in what you
are trying to protect and what you are protecting will, if exposed, have a
small impact. After all, if "email is like a postcard" guideline, who
really cares if you are having fun at the beach.
All that changes, however, when there is compromising information either in
storage or in messages, posts, cache files, etc. Then the risk of exposure
is high and often the effort to expose will be done by people trained in
detecting passwords either physically or virtually. In other words, they
know where and how to look to gain access to your files.
In that case I think it is good to have a method of generating strong
passwords that you don't have written down anywhere and that only you know
about. Moreover the passwords have to be strong. Strong here is defined to
mean difficult and time-consuming to detect.
A brute force attack will eventually reveal any password. The statistical
reality is that the detection could take a long time or a short time. There
is no way to know since it's based on luck. I lot of times people are fooled
by claims that it takes hours and hours to break the password. That's not
really true. It takes hours and hours to exhaust possibilities. In reality
your password could be revealed on the 10th try just by luck alone.
I did some research and came up with the following which makes sense to me.
Of course comments are welcome and if there are oversights and other
considerations so that this knowledge can be upgraded that would be
particularly useful.
The following is from www.securitystats.com they also have a meter that
'tests' password strength. DO NOT put any password you actually use into
that meter. I have no idea who these people are and whether or not they are
legit. I thought their advice was sound although have edited some it.
Some passwords do and don'ts:
Many intruders enter systems simply by guessing passwords and even the best
passwords can eventually be defeated mathematically, given enough time. The
use of strong passwords acts as a firm deterrent against password guessing
doubled as a password).
first letter, but add uppercase letters throughout the password.
names, license plate numbers, telephone numbers, identification numbers, the
brand of your automobile, the name of the street you live on, and so on. Such
passwords are very easily guessed by someone who knows the user.
keyboard. This makes it harder for someone to steal your password by looking
at your keyboard (also known as "shoulder surfing").
integrity (such as root on a Unix host or Administrator on Windows NT), the
more frequently the password should be changed. This change stops someone who
has already compromised an account from continued access.
|
|