The CERT/CC (Computer Emergency Response Team / Coordination Center) estimates that 80% of all network security problems are caused by bad passwords. Given enough time, every password can be broken using automated cracking tools, but the time taken to break a password can be significantly extended by adopting a few simple rules.
| Do's | Don'ts |
|---|---|
| DO use a password with mixed-case letters. Do not just capitalize the first letter, but add uppercase letters throughout the password. | DO NOT use a network login ID in any form (reversed, capitalized, or doubled) as a password. |
| DO use a password that contains alphanumeric characters and include punctuation, where supported by the operating system. | DO NOT use your first, middle or last name, or anyone else's, in any form. Do not use your initials or any nicknames you or anyone else may have. |
| DO use at least six characters, eight characters for Windows NT. | DO NOT use a word contained in English or foreign dictionaries, spelling lists, or other word lists and abbreviations. |
| DO use a seemingly random selection of letters and numbers. | DO NOT use other information easily obtained about you. This includes pet names, license plate numbers, telephone numbers, identification numbers, the brand of your automobile, the name of the street you live on, and so on. Such passwords are very easily guessed by someone who knows the user. |
| DO use a password that can be typed quickly, without having to look at the keyboard. This makes it harder for someone to steal your password by watching your keyboard (also known as "shoulder surfing"). | DO NOT use a password of all numbers, or a password composed only of alphabet characters. Mix numbers and letters. |
| DO change passwords regularly. The more critical an account is to network integrity (such as root on a Unix host or Administrator on Windows NT), the more frequently the password should be changed. This change stops someone who has already compromised an account from continued access. | DO NOT use dates, e.g., September, SEPT1999 or any combination thereof. |
| | DO NOT use keyboard sequences, e.g., qwerty. |
| | DO NOT use a sample password, no matter how good, that you've gotten from a book that discusses information and computer security. |
| | DO NOT use any of the above things spelled backwards, in caps, or otherwise disguised. |
| | DO NOT write a password on sticky notes, desk blotters, calendars, or store it online where it can be accessed by others. |
| | DO NOT reveal a password to anyone. |
A password must be easy to remember. Creating a super-strong password and then sticking it to the side of the monitor is surprisingly common, but a complete waste of time and energy. Here are some simple ideas for creating random-looking passwords that are easy to remember.
- Use the first letter of each word from a line in a book, song, or poem. For example, "Shut your eyes and sing to me" might produce "sye&s2me".
- Use two or three words connected by random punctuation, e.g., t!me%4^bed.
- Use punctuation and numbers to replace letters in a password, e.g., th|$isgr8.
Feel free to check the security of your passwords using this free password checker. Remember that you should never reveal your passwords to anyone, so please do not enter your real passwords in this form; use a similar one instead.
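One way to turn the Do's and Don'ts table above into an automated check, as an added example (this is not the page's own password checker, nor CERT/CC code): the script below tests a candidate against the table's rules, including length, mixed case, a mix of letters and digits, a login ID or personal details in any form (reversed, doubled, disguised with symbol substitutions), a whole dictionary word in any of those forms, dates, and keyboard sequences. The word list, the personal profile and the candidate passwords are constructed for the example; a real deployment would load a proper dictionary or cracking word list. The three mnemonic passwords from the list above are included so you can see which rules they do and do not satisfy.

```python
import re

# Constructed stand-in for a real word list (a real check would load /usr/share/dict/words
# or a cracking wordlist); kept tiny so the example runs offline.
SAMPLE_WORDLIST = {"password", "secret", "welcome", "dragon", "letmein", "monkey"}

KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
MONTHS = ("jan", "feb", "mar", "apr", "may", "jun", "jul", "aug", "sep", "oct", "nov", "dec")

# Undo the usual letter-for-symbol substitutions so a "disguised" word is still recognised.
UNDISGUISE = str.maketrans("0134578@$|!", "oleastbasii")


def normalise(text):
    """Lower-case and undo symbol substitutions: 'P@$$w0rd' -> 'password'."""
    return text.lower().translate(UNDISGUISE)


def forms(word):
    """'In any form': the word itself, reversed and doubled (case is handled by normalise)."""
    w = normalise(word)
    return {w, w[::-1], w * 2}


def letters_only(text):
    return re.sub(r"[^a-z]", "", text)


def contains_personal(pw, personal):
    """Login ID, names, pet names, plates and similar must not appear in any form."""
    haystacks = (pw.lower(), normalise(pw))
    for item in personal:
        if len(item) < 3:
            continue  # initials are too short for a meaningful substring test
        if any(f in h for f in forms(item) for h in haystacks):
            return True
    return False


def is_dictionary_word(pw, wordlist):
    """True when the whole password, with digits/punctuation stripped, is a list word forwards,
    backwards or doubled. Deliberately a whole-word test: the page recommends joining several
    words with punctuation, so a substring test would reject its own advice."""
    cores = {letters_only(pw.lower()), letters_only(normalise(pw))} - {""}
    return any(core in forms(w) for core in cores for w in wordlist)


def is_keyboard_sequence(pw, run=4):
    """Any run of `run` adjacent keys along a keyboard row, in either direction."""
    p = pw.lower()
    return any(
        any(p[i:i + run] in row or p[i:i + run] in row[::-1] for row in KEYBOARD_ROWS)
        for i in range(len(p) - run + 1)
    )


def is_date_like(pw):
    """Month names or abbreviations, or a four-digit year such as 1999 / 2024."""
    p = pw.lower()
    return any(m in p for m in MONTHS) or re.search(r"(19|20)\d\d", p) is not None


def check_password(pw, personal=(), wordlist=SAMPLE_WORDLIST, min_len=8):
    """Return the list of table rules that `pw` breaks; an empty list means it passes them all.
    min_len defaults to the eight characters the page asks for on Windows NT."""
    has_lower = any(c.islower() for c in pw)
    has_upper = any(c.isupper() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    findings = []
    if len(pw) < min_len:
        findings.append("too_short")
    if not (has_lower and has_upper):
        findings.append("no_mixed_case")
    if not (has_digit and (has_lower or has_upper)):
        findings.append("single_char_class")  # all numbers, or all letters
    if contains_personal(pw, personal):
        findings.append("personal_info")
    if is_dictionary_word(pw, wordlist):
        findings.append("dictionary_word")
    if is_date_like(pw):
        findings.append("date")
    if is_keyboard_sequence(pw):
        findings.append("keyboard_sequence")
    return findings


if __name__ == "__main__":
    # Constructed profile and candidates: the three mnemonic examples from the page plus
    # passwords that each break a specific rule.
    profile = ("jsmith", "John", "Smith", "Rex")  # login ID, names, pet name (made up)
    for candidate in ("sye&s2me", "t!me%4^bed", "th|$isgr8", "qwerty",
                      "SEPT1999", "P@$$w0rd", "Jsmith99!", "Br!ght7moon"):
        print(f"{candidate:12s} -> {check_password(candidate, profile) or 'OK'}")
```

Run as a script it prints one line per candidate. The three mnemonic passwords from the list above satisfy every rule except the mixed-case one, which is why the checker reports every finding rather than a single pass/fail: a user can then see exactly which row of the table still applies. The dictionary test deliberately checks the whole password rather than substrings, because the page's own advice is to join two or three words with punctuation.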
Remember that this is only a guide, since only you know whether you have used words that are obviously related to you. Following the guidelines above and using a little common sense will keep your passwords secure against all but the most determined hackers.