Secure Computing Series Computer Password Safety

Secure Computing Series

Computer Password Safety

Course Author: Lynne Presley

Course Data: George Floyd, Information Technology; Lynne Presley, Training & Staff Development (other data sources cited in text)

Course Issued: May 30, 2007

Course Credit: 30 minutes

Oracle course code: COMPI06048

Course Information

After completing this course, students will:

- understand the function of passwords
- know what password-cracking software is
- understand the difference between weak and strong passwords
- know how to use a phrase to remember a password
- identify steps to protect passwords

Course Objectives

Just what is a password? It's a secret used for authentication that controls access to a resource. Passwords are not new technology – they have been used throughout history.

Introduction

Hail Caesar! You may not enter the coliseum without the correct password . . .

Historical Password Use

Did you know that the U.S. Marine Corps used a special code for some passwords in WWII? They recruited native Navajo speakers, who enlisted and were trained to use unrelated and truncated Navajo verbs and nouns to communicate and authenticate information among Marine units. The coded messages and passwords baffled the enemy and helped to win the war. These courageous and patriotic Marines were called "Code Talkers."

PFC Carl Gorman, Navajo Code Talker from Arizona, in action on Saipan during WWII.

Why does our agency care about passwords? It's simple – they protect the integrity of our computers and network. Any network is only as strong as the weakest link – and passwords are our agency's first defense against unauthorized access.

Network Protection

The integrity of our network depends on strong passwords. If someone gains unauthorized access, we risk losing our entire network to contamination of data, vandalism, theft, and other negative acts.

Intrusion can also affect users on a personal level - see the chart on the next slide for examples of what can happen to you if your password is stolen.

Dangers of Intrusion

Intruder tries to log onto computer:
- No password set
- Guesses password
- Uses password-cracking software
- Finds written password
- Tricks user into divulging password

Password discovered, then the intruder:
- Snoops
- Blackmails
- Steals data, identity, and ideas
- Vandalizes & destroys

Anatomy of an Intrusion

Our agency is working to strengthen passwords throughout the network. Users are expected to create strong, secure passwords. As network systems and servers are upgraded, strong password creation will be enforced, and access to the network may be denied if a password is weak. If you follow the suggestions in this course, you'll be ready to create strong passwords.

Access to Network

It helps to "think like a thief" to foil intrusion attempts. Thieves use software programs that attempt to "crack" passwords. These programs usually include multi-language alphabets and dictionaries.

Step I: Create a Strong Password

The programs methodically try all words in the dictionaries and combinations of words, as well as commonly used abbreviations and acronyms. The programs will also check dates (days, years, and months). You'll have to take precautions to make your password strong enough to withstand "cracking."

Additionally, thieves may try to use personal knowledge of you to guess your password. Do not choose easy and obvious passwords, such as your name, address, nickname, car model, license plate number, the name of your pet, or any other words, numbers or dates easily identifiable with you.

Step I: Create a Strong Password

TIP: Reversing common words in a password will not make the password stronger. The password "mary" is weak and easily guessed. Reversing the password to "yram" (mary spelled backwards) does not make the password stronger – cracking software will try reversed spelling of all common words.

Use a minimum of 8 random characters

Step I: Create a Strong Password

Keeping all this in mind, when it's time to create a password, remember to include the following:

Example: J'OIz#1@cor

These characters are random and cannot be looked up in any dictionary.

Step I: Create a Strong Password

Why is it preferable to create passwords with at least 8 random characters?

The more characters there are, the longer it takes to crack.

Examine the chart on the next slide to see how fast an average personal computer can crack passwords that are created using mixed upper and lower case letters, numbers and symbols. (Chart data provided by lockdown.com.uk). As you can see, if your password contains at least 8 characters including letters, numbers, mixed cases, and symbols, the average thief will most likely go away and try to steal another, weaker password!

Length of password   Possible combinations   Time to crack
2                    9,216                   Instant
3                    884,736                 88 ½ seconds
4                    85 million              2 ¼ hours
5                    8 billion               9 ½ days
6                    782 billion             2 ½ years
7                    75 trillion             238 years
8                    7.2 quadrillion         22,875 years

The chart assumes that the password was created using mixed upper and lower case letters, numbers and symbols.
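An added example, not part of the course materials: the chart's own model worked through in Python. It assumes the chart's 96-symbol alphabet (26 upper, 26 lower, 10 digits, 34 symbols) and a rate of 10,000 guesses per second, which is inferred from the chart's rows (884,736 guesses in 88½ seconds) rather than stated by the course; the rate is a parameter so a current figure can be substituted, and a lowercase-only row is included to show what mixing character classes buys.

```python
# Character set the chart implies: 26 upper + 26 lower + 10 digits + 34 symbols.
ALPHABET_SIZE = 96
# Guess rate inferred from the chart rows (884,736 guesses in 88.5 seconds);
# the course does not state this figure itself, so treat it as an assumption.
CHART_GUESSES_PER_SECOND = 10_000
YEAR_SECONDS = 365 * 86400  # the chart's year figures match 365-day years


def keyspace(length, alphabet_size=ALPHABET_SIZE):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def seconds_to_crack(length, guesses_per_second=CHART_GUESSES_PER_SECOND,
                     alphabet_size=ALPHABET_SIZE):
    """Worst case: time to try every password of this length at the given rate."""
    return keyspace(length, alphabet_size) / guesses_per_second


def human_duration(seconds):
    """Render a duration the way the chart does (instant, seconds, hours, days, years)."""
    if seconds < 1:
        return "instant"
    for unit, size in (("years", YEAR_SECONDS), ("days", 86400), ("hours", 3600)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def crack_chart(lengths=range(2, 9), guesses_per_second=CHART_GUESSES_PER_SECOND,
                alphabet_size=ALPHABET_SIZE):
    """Rows of (length, combinations, time to crack) like the course's chart."""
    return [(n, keyspace(n, alphabet_size),
             human_duration(seconds_to_crack(n, guesses_per_second, alphabet_size)))
            for n in lengths]


if __name__ == "__main__":
    print(f"{'Length':>6} {'Combinations':>22}  Time to crack (mixed case, digits, symbols)")
    for n, combos, when in crack_chart():
        print(f"{n:>6} {combos:>22,}  {when}")
    # Same length, lowercase letters only: a much smaller keyspace to search.
    n, combos, when = crack_chart(lengths=[8], alphabet_size=26)[0]
    print(f"{n:>6} {combos:>22,}  {when} (lowercase only)")
```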

Use at least one case change

Step I: Create a Strong Password

Example

The letters J, O and I are in uppercase, as opposed to the other lowercase letters.

J'OIz#1@cor

Include at least one number

Step I: Create a Strong Password

Example

The number 1 is used, in combination with the other letters, punctuation and symbols.

J'OIz#1@cor

Include punctuation and special characters

Step I: Create a Strong Password

Example

The apostrophe punctuation mark is used, as well as two different characters (# and @).

J'OIz#1@cor

Do not choose a password that's the same or similar to your user name

Step I: Create a Strong Password

Example

Password: J'OIz#1@cor

User Name: fred.brown

If the thief does not know your user name, certain systems require that the user name be cracked, too. Making sure your password is different from your user name makes the theft more difficult. The example shown above meets this criterion, since it does not contain the user's name.

Step I: Create a Strong Password

Example

TIP: You can create a strong password that's easy to remember but hard to crack by using the first letters of words in a phrase, song, or book that's familiar to you, mixed with symbols. For instance, "J'me Overstreet is number one at corrections" produced the password we've been using as an example below. (There is a detailed breakdown of how the password was produced on the next slide.)

J'OIz#1@cor

Step I: Create a Strong Password

Phrase: "J'me Overstreet is number one at corrections"

Password breakdown: J'OIz#1@cor

J'O (stands for J'me Overstreet)

Iz (capital I and z stand for is)

#1 (stands for number one)

@cor (stands for at corrections)

Step I: Test Your Knowledge

Is this password strong or weak?

Example: aaaBBB111!!!

The password is weak. It contains only two letters in alphabetical sequence, and only one (repeated) number and punctuation mark. It wouldn't take long to crack this password, because it's not random. A truly random password means each letter, number, and symbol has an equal probability of appearing. Creating truly random sequences is difficult, but is something we should strive for. Think of it as exercise for your brain!

Step I: Test Your Knowledge

Can you guess the number one mistake many people make when creating a password?

Answer: They choose the word "password" for a password. This mistake is so prevalent that it's the first word thieves will try when trying to crack a password. Other commonly used and cracked passwords are "admin", "123", "temp", and "letmein".
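An added example, my own rather than the course's: a checker that applies the Step I checklist above (at least 8 characters, a case change, a number, punctuation or a special character, nothing from the user name, and none of the commonly tried words just listed or their reverse). The final repeated-run / distinct-character test is a heuristic of mine, not a course rule, added because "aaaBBB111!!!" satisfies every item on the checklist and is still weak for the reason the course gives: it is not random.

```python
import re
import string

# Words the course says thieves try first, lower-cased.
COMMON_PASSWORDS = {"password", "admin", "123", "temp", "letmein"}


def check_password(password, user_name=""):
    """Return the list of course rules the password fails (empty list = passes)."""
    problems = []
    if len(password) < 8:
        problems.append("fewer than 8 characters")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("no case change")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in string.punctuation for c in password):
        problems.append("no punctuation or special character")
    lowered = password.lower()
    if user_name:
        # Compare against the whole user name and its parts, e.g. "fred" and "brown".
        parts = [user_name.lower()] + re.split(r"[.\-_ ]", user_name.lower())
        if any(p and p in lowered for p in parts):
            problems.append("contains the user name")
    # Reversing a common word does not help: the checker, like cracking
    # software, looks at the reversed spelling too.
    if lowered in COMMON_PASSWORDS or lowered[::-1] in COMMON_PASSWORDS:
        problems.append("a commonly tried password (or its reverse)")
    # Heuristic of mine, not a course rule: a character repeated three times in a
    # row, or very few distinct characters, means the password is far from random.
    if re.search(r"(.)\1\1", password) or len(set(password)) < len(password) // 2:
        problems.append("not random: repeated runs or few distinct characters")
    return problems


def is_strong(password, user_name=""):
    """True when the password fails none of the checks above."""
    return not check_password(password, user_name)


if __name__ == "__main__":
    for candidate, user in [("J'OIz#1@cor", "fred.brown"), ("aaaBBB111!!!", ""),
                            ("mary", ""), ("yram", ""), ("password", "")]:
        verdict = check_password(candidate, user) or ["strong"]
        print(f"{candidate:<14} {', '.join(verdict)}")
```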

Step I: Practice Creating Passwords

The PC Tools Password Generator allows you to create random passwords that are strong and difficult to crack. If your computer has Internet access, click on the link below to try this free tool. (If you receive a pop-up "Security Alert" window, click "OK" to continue.)

https://www.pctools.com/guides/password/

Step II: Protect Your Password

Creating a strong password is only the first step. Now you must protect it.

Don't put it on a yellow sticky note on your monitor or anywhere around your computer, keyboard or desk. Don't write it on your desk blotter or calendar, either. Memorize it!

Step II: Protect Your Password

Don't tell anyone else your password. When you do this, you are giving your identity and network authorization away.

From the "Believe it or Not" department:

During a poll at Waterloo Station in London conducted during the Info Security 2003 Europe conference, 90% of polled office workers divulged their passwords to the poll-taker in exchange for a cheap pen.

Step II: Protect Your Password

Be wary of people standing around your computer. Do not allow them to shoulder surf (to look over your shoulder and watch while you type in your password).

Step II: Protect Your Password

Change your password every 90 days.

Without fail.

Do it!

Step II: Protect Your Password

Never e-mail your password to anyone, and never store your password or list of passwords in a file on your computer. To do so increases the risk of having them intercepted and stolen.

Conclusion

Remember that cyber thieves don't follow the rules. They will go to great lengths to break into our computers, because they only have to find one opening to exploit our entire network. Therefore, everyone in our agency who uses a computer has an obligation to create strong, secure passwords.