It’s common sense for most people on the hacking side of computer security as we know how easy it is to break a password when it’s only a few characters long or it uses a dictionary word (even if it is postfixed with a couple of digits, a hybrid dictionary attack breaks it pretty fast).
Even more so if you are utilising some decent Rainbow Tables and the RainbowCrack method (time/memory trade-off).
The basics of creating a secure password:
- Include punctuation marks (,.;), special characters (!#$%^) and numbers.
- Mix capital (uppercase), lowercase and space characters.
- Create a unique acronym.
- Short passwords should be 8 chars at least.
Some potential weaknesses to avoid:
- Don’t use a password that is listed as an example or public.
- Don’t use the same password you have been using for years.
- Don’t use a password someone else has seen you type.
- Don’t use a password that contains personal information (names, birthdays or dates that are easily related to you)
- Don’t use words or acronyms that can be found in a dictionary.
- Don’t use keyboard patterns (qwerty) or sequential numbers (12345).
Once you have a good password it’s equally important to keep your password secure:
- Never tell anyone your password or use it where someone can observe it.
- Never send your password by email or say it where others may hear.
- Occasionally verify your current password and change it to a new one.
- Avoid writing your password down. (Keep it with you in a purse or wallet if you have to write down the password until you remember it.)
And never label that scrap of paper in any way, write it down on an the back of an old businesscard or something that doesn’t indicate it’s a password.
Don’t give anyone who finds (or gains access to) your purse/wallet any clue of what the password means or what it is related to.
128 bit entropy in a password requires a long randomized passphrase, which wouldn’t be very usable, there has to be a trade somewhere between security and usability.
You can also use online password generators such as http://makemeapassword.com/, the problem with these however, is that they do create strong passwords but they aren’t easy to remember, which kind of defeats the purpose.
Another thing you can do is use something like a password safe to keep all the hard to remember passwords in one place, the one I would recommend is from Bruce Schneier and is actually called “Password Safe”.
Password Safe is an Open Source (free) tool that allows you to have a different password for all the different programs and websites that you deal with, without actually having to remember all those usernames and passwords. Password Safe runs on PCs under Windows (95/98/NT/2000/XP).
You can find it here:
Any other inputs?
- WAF-FLE – Graphical ModSecurity Console Dashboard
- LOKI – Indicators Of Compromise Scanner
- Integrit – File Verification System
- Using Cloud Computing To Crack Passwords – Amazon’s EC2
- lm2ntcrack – Microsoft Windows NT Hash Cracker (MD4 -LM)
- yahoo password grabber
Most Read in Countermeasures:
- AJAX: Is your application secure enough? - 119,823 views
- Password Hasher Firefox Extension - 117,571 views
- NDR or Backscatter Spam – How Non Delivery Reports Become a Nuisance - 57,653 views