Friday, December 23, 2005

Good Password Tips and Password Management

These days a single computer user may have dozens of passwords. If you use computers at your job you may need to access secured databases, local workstations and numerous accounts online and each is supposed to have its own unique password. Though many people don't require a logon for their home PC, they will definitely have one for email or websites that they manage. Here is a guide to assist you in strengthening your passwords and password techniques.

After reading this article you will know the following:

-How to make good passwords
-Good password practices
-Techniques to manage all of your passwords

How to Make Good Passwords

Choose a password with the following criteria:

-At least 8 characters in length
-At least 1 number
-At least 1 special character
-Upper and lowercase.

Passwords with difficult combinations make it harder for tools like L0phtcrack, Brutus, John the Ripper, Cain and Able and other password crackers to decipher your password.

When creating a password, don't use personal information such as birthdays, children names, or first and last names. Avoid using words or phrases that can be easily guess or cracked with a "dictionary attack." Do not use the same password on the different systems. If you work in a classified environment, passwords should be treated at the same level of classification as the systems they protect.

Good password practices

Never share your password with ANYONE including your Administrators, Help Desk personnel or System Administrators. IT professionals at your job or Internet Service Provider (ISP) will not normally ask you for your password. If they do need it then you should give it to them in person and ensure you change it as soon as they are done with their task. A common "Social Engineering" tactic used by malicious hackers consists of calling up unsuspecting users and pretending to be from the computer support staff. Another tactic is to have trusting users email the password or type it into what looks like a legitimate site; this is known as "phishing."

Be aware of your surrounding when you are typing your password. Watch for "shoulder Surfing" or people watching what you type as you are entering your password. If you use the web to access critical information (such as online banking, or medical information) ensure that the site uses some type of secured method of encryption. You will know this if the site's URL begins with an "https." SSL and Secure HTTP are sometimes indicated by a tiny lock in a corner of the page. If there is no encryption then it maybe possible for unauthorized users to view and/or capture the data you enter and later access the account using a "sniffer." A sniffer is a tool that captures all "clear text" or unencrypted data. SSL and Secure HTTP encrypts data so that it looks like gibberish to tools like sniffers.

Techniques to manage all of your passwords

It is best to memorize your passwords however if you have literally scores of passwords from work, home, online business ventures and the bank and you do not have a photographic memory, you may want to write them down and put it in your wallet. This simple and practical task is what author of Beyond Fear, and system security phenomenon, Bruce Schneier, recommends as does Senior Programmer for Security Policy at Microsoft, Jesper Johannson.

Using Password Management applications such as Password Safe, a free Microsoft application for storing passwords, and Password Vault (also free) can help you to effectively manage your passwords.

Another management technique is to allow Windows (and other Operating Systems) to automatically fill in the data. This is great for trusted SECURE environments such as home systems in which you don not need to hide any account information from anyone, but not such a good idea for the work environment. It should also be noted that systems without a high level of Internet security (protected with firewalls, updated patches, NAT enabled, etc) should not use the auto fill features as the passwords are many times stored on the system in clear text making it easy for malicious code such as spyware, trojans and worms to steal your passwords and account information.

The greatest thing you can do to protect your password is to be aware that at every moment someone somewhere would love to access some or all of your accounts. It is not always cyber criminals looking for you banking information, sometimes it is just curious people who happen upon your username & password. It may even be someone you know. Be aware.