- I have noticed in my readings lately that more and more systems are being compromised as a result of poor, or misused passwords. So I’ve decided to offer a basic Password primer.Let’s start with 10 tips for creating and using strong passwords:1-The best passwords use a combination of words, numbers, symbols, and both upper- and lower-case letters.Example time-“1wnuSTn@pE!” is a great password; but how do I remember it? Yes how do I, I'll tell you later.2-Never use your username as your password.Time for a true story-I once cracked a friend's laptop because his logon was his first name and his password was the first letter of his first name. Hacking really is just that stupid easy sometimes!3-Never use easily guessed passwords, such as “password”, “secret”, “Jehovah” or “user.”Time for a question-Do you think “ncc1701D” is a good password? Why or why not?4-Never use passwords that use information that probably isn’t as secure as you’d think, such as your birth date, your Social Security or phone number, or names of family members.Food for thought-Who uses their initials and pieces of their SSN as a password? Is this a good idea?5-Never use words that can be found in the dictionary. Password-cracking tools freely available online come with dictionary lists that will try thousands of common names and passwords. If you must use dictionary words, try adding a numerals to them, as well as punctuation at the beginning or end of the word (or both!).Example time-I love the Iliad; I once used “Diomedes” as a password; he’s a character from the Iliad. I was smart though and used “D10medes” as the password substituting the “1” and “0” for the” i” and “o”.Do you think this is a good password?Could I have done anything to make it better?6-Never use simple adjacent keyboard combinations: For example, “qwerty” and “asdzxc” and “123456″ these are horrible passwords that are so easy to crack.Question-Do you think that “@3edcvfr4%” is a good password? Why or why not?7 -Use passwords that are at least eight characters long, longer is better. Each character you add to a password makes it much harder to attack with a password cracking tool.True Story-I used a password cracking tool to crack the password “D10medes” in under 6 hours. I changed the password to “D10m3d3s&!” and the same tool was not able to crack it.Extra Credit-Can you guess what word this password really is and where I got it?8-If you have trouble remembering your passwords, try replacing certain letters in the word with look-alike numbers. For example, the password “Mississippi” is more secure when typed as “M1551551pp1.” Another useful and better way of remembering and creating strong passwords is to use the first letter of each word in a phrase from a favorite book or song.Example time-“I will never use Star Trek names as passwords; Ever!” could be written as“1wnuSTn@pE!”.Is this a good password?Is it relatively easy to remember?Oh and “ncc1701D” is the hull number of the Star Ship Enterprise, a bad password.9-It’s just a bad idea to use the same password at multiple Web sites; and never use the password you’ve picked for any work place account at any online site. If you do, and one of them gets compromised then you risk having every account you own being compromised.True Story- A file storing/sharing web business, recently admitted that their corporate website was attacked successfully and compromised. The compromise occurred because an employee’s password was cracked on a social network site. This employee uses the same password for everything so the workers account was compromised. This allowed the attackers to take customer passwords and accounts which were then used to attack personal email and bank accounts.All because these users used duplicate accounts and passwords for multiple sites and functions.10-All of this probably just seems so overwhelming, different passwords and accounts, and they all need to be difficult to guess; what can you do?Do what we, the security experts, do!Use a personal password vault or manager. There are numerous freeware password vaults available. The great thing about using a password vault is that you really only need to remember one password. That password can be a really difficult pass phrase that is easy to remember but very hard to crack or guess.Example time-I also like the Lord of the Rings; you could have guessed that. So how about this for a password; “One Password to read them all and in the Vault to hide them”Applying what we have learned this becomes; “1P2rta&itV2ht” which is nigh impossible to crack.A FREE shopping list:KeePass Password ManageriPassMan Password ManagerMyPadLockMobileWitch Pass SafeThere you have it. Ten tips that will help you create and remember passwords extremely difficult if not impossible to crack. “10ttwhUc&rpedini2c”
Renegade_Code
Welcome 7F 00 00 01. This is my NetSec blog and rant platform. I've always wanted a place to publish my opinions; read if you want or don't. They are after all just my observations and opinions.
Tuesday, September 25, 2012
10 Great Password Tips
Friday, August 5, 2011
First Nugget
BlackHat is occurring right now; it's a convention for hackers and security folks--yes we talk to each other get over it! Anyway the big joke is apparently that there is no such thing as cyber security. That's right it doesn't exist.
I have a joke I'm fond of telling to describe cyber security; you may have already heard it.
It goes like this:
Two guys are hiking in the woods and one notices that his buddy has a pair of running shoes instead of boots.
He says to his friend; "What's with the tennis shoes; you'd be more comfortable in boots."
His friend replies; "Yeah, but what if we see a bear that decides to attack us?"
The first guy starts laughing and says; "Man, you can't outrun a bear!"
His friend says; "I know, I just have to outrun you!"
So the point is this.
If they want you they'll get you!
I have a joke I'm fond of telling to describe cyber security; you may have already heard it.
It goes like this:
Two guys are hiking in the woods and one notices that his buddy has a pair of running shoes instead of boots.
He says to his friend; "What's with the tennis shoes; you'd be more comfortable in boots."
His friend replies; "Yeah, but what if we see a bear that decides to attack us?"
The first guy starts laughing and says; "Man, you can't outrun a bear!"
His friend says; "I know, I just have to outrun you!"
So the point is this.
If they want you they'll get you!
If you're specifically the target you've got trouble.
If you are only a target of opportunity though, you need to make it as difficult as possible because you've got a chance. There are so many cyber-users we are like the gazelles on the plain in Africa. There are lots of us and it's always the weak/slow gazelles that get eaten; just like the slower hiker. LOL!
So are you a weak/slow gazelle?
This is a pretty good article that says effectively the same thing:
http://money.cnn.com/2011/08/05/technology/cybersecurity_myth/index.htm?source=cnn_bin
Stay tuned in and I'll offer you some tricks and tips to be a strong fast gazelle and therefore less appetizing to the predators.
So are you a weak/slow gazelle?
This is a pretty good article that says effectively the same thing:
http://money.cnn.com/2011/08/05/technology/cybersecurity_myth/index.htm?source=cnn_bin
Stay tuned in and I'll offer you some tricks and tips to be a strong fast gazelle and therefore less appetizing to the predators.
Me and This
I work in Network Security.
I have for over 10 years.
I have made a number of predictions that have sadly come true. Time to start airing them publicly I think.
This blog will be my observations about Network and Computer Security as well as my opinions regarding the same.
First and foremost I'm a Geek! I've always been a Geek, although in the the 70's I wasn't as vocal about it. I played soccer in high school in the 70's when almost everyone else played one of the other big 3 sports. I have always been interested in Military History and as a result I play War-games. In fact like most young boys I started by throwing rocks at plastic army-men. Most boys stop and move on to other interests; I found a book in a public library by Donald Featherstone that moved my interest to a completely new level. Yes; I did play DnD (Whitebox) in the early 70's also. I don't RPG anymore; I prefer the heft and a game of little toy soldiers.
I was playing with computers in the middle 70's. The first computer I worked with had a magnetic drum memory and the program was loaded via fan-fold paper through an optical reader. It was true DTL (diode, transistor logic), coded in hexadecimal and integrated velocity meter outputs from a stable element to update latitude and longitude. It was a real beauty.
Anyway time passes, we have established my Geek_Cred, and now we are here.
When I started specifically in Network Security the threat, not counting phreaking, was primarily teenage kids with computers and too much unsupervised time on the internet. There were true elite hackers out and about although they were rare folk. Computer attacks were "mostly" about prestige and notoriety in hacker circles. Everything has changed! The threat today comes from organized crime syndicates and nation state espionage and we're all targets. Sure the groups of elite freedom fighting hackers are still out there (nods to hactivism) but they aren't the true enemy. The true threat is trying to get our information, our money, our accounts, our infrastructure and our national economy through the undetected control of our computers and networks.
Ladies and gentlemen they are winning.
Why?
Because we aren't doing what we need to as users. Because security is a nuisance for the user and the Big Tech companies. Because we aren't publicly identifying them for who they are. Because we aren't blocking them on the backbone routers in the name of prosperity and everybody just getting along.
OK; I'm getting off the pulpit. Let's get started; or not if you aren't inclined. Hanging around might save you a few dollars though.
I have for over 10 years.
I have made a number of predictions that have sadly come true. Time to start airing them publicly I think.
This blog will be my observations about Network and Computer Security as well as my opinions regarding the same.
First and foremost I'm a Geek! I've always been a Geek, although in the the 70's I wasn't as vocal about it. I played soccer in high school in the 70's when almost everyone else played one of the other big 3 sports. I have always been interested in Military History and as a result I play War-games. In fact like most young boys I started by throwing rocks at plastic army-men. Most boys stop and move on to other interests; I found a book in a public library by Donald Featherstone that moved my interest to a completely new level. Yes; I did play DnD (Whitebox) in the early 70's also. I don't RPG anymore; I prefer the heft and a game of little toy soldiers.
I was playing with computers in the middle 70's. The first computer I worked with had a magnetic drum memory and the program was loaded via fan-fold paper through an optical reader. It was true DTL (diode, transistor logic), coded in hexadecimal and integrated velocity meter outputs from a stable element to update latitude and longitude. It was a real beauty.
Anyway time passes, we have established my Geek_Cred, and now we are here.
When I started specifically in Network Security the threat, not counting phreaking, was primarily teenage kids with computers and too much unsupervised time on the internet. There were true elite hackers out and about although they were rare folk. Computer attacks were "mostly" about prestige and notoriety in hacker circles. Everything has changed! The threat today comes from organized crime syndicates and nation state espionage and we're all targets. Sure the groups of elite freedom fighting hackers are still out there (nods to hactivism) but they aren't the true enemy. The true threat is trying to get our information, our money, our accounts, our infrastructure and our national economy through the undetected control of our computers and networks.
Ladies and gentlemen they are winning.
Why?
Because we aren't doing what we need to as users. Because security is a nuisance for the user and the Big Tech companies. Because we aren't publicly identifying them for who they are. Because we aren't blocking them on the backbone routers in the name of prosperity and everybody just getting along.
OK; I'm getting off the pulpit. Let's get started; or not if you aren't inclined. Hanging around might save you a few dollars though.
Subscribe to:
Posts (Atom)