[RC] Picking passwords - David LeBlanc

Ed & Wendy Hauser wrote:

> and user-chosen passwords tend to be very weak. There's a serious risk here even if your system isn't compromised. Could you give us some advice as to how to choose passwords that are hard to guess?

Sure - one thing that makes the problem more complicated is that it depends on the system the password is used on. For example, on modern Windows systems (Windows 2000, Windows XP, Windows 2003), very long passwords are supported. On older Windows systems, the limit is 14 characters. On other systems, like some web sites, password length might be restricted to a relatively small number of characters (6-8).

The difficulty of guessing a password depends on how complex it is, how long it is, and whether it occurs in a dictionary. One thing to always avoid is using your name, or the name of a family member or one of your animals. If I can run through a dictionary of only 50,000 words and get your password, that's actually an easy attack unless there's something to limit me to a few passwords at a time.

I'll spare you the math of figuring out just how many passwords exist for a given character set and length, but longer passwords are in general better than short but complicated passwords. For example, "C@mpl3x!" is in many respects a great password - it uses upper and lower case letters, numbers, and symbols. I think most people would find it hard to remember. What's actually a lot stronger is "INeedToCleanMySaddleAndGoRide!", and I think it is easy to remember.

> I have heard that while: "horsesandmules" would be weak because all the words are in a dictionary

It actually isn't all that bad. The whole thing isn't in a dictionary. You couldn't use it some places because it isn't complex - it only contains one character set. If possible, I'd go longer, like "WeHave7HorsesAndMules", or even "WeHave7Horses&Mules".

> "selumdnasesroh" would be better and "selumdna7sesroh" even better

Those are both harder to guess, but also harder to remember and type. It may even be easy to remember if you owned 7 horses and mules.

One other issue is using the same password in more than one place. Ideally, people should have different passwords everywhere they have an account. In reality, most people can only remember 2-3 passwords and more places than that ask for one. The thing to remember here is to a) try not to do it - resort to pieces of paper in your wallet if you have to, b) if you do reuse passwords, use the same passwords on places that have the same assets - for example, I have a couple of passwords that aren't all that good that I use for miscellaneous web pages. If you guessed it, you couldn't steal anything important.

In an ideal world, we'd all have smart cards and never have to pick passwords, but that's a longer story.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Ridecamp is a service of Endurance Net, http://www.endurance.net.
Information, Policy, Disclaimer: http://www.endurance.net/Ridecamp
Subscribe/Unsubscribe http://www.endurance.net/ridecamp/logon.asp
Ride Long and Ride Safe!!
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
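The math the reply skips, carried through as an added example that is not part of the original post: how many candidates a brute-force attacker faces for a given character set and length, versus how few a word-list attacker faces when the password is just dictionary words strung together. The character-class sizes and the 1e9 guesses/second rate are assumptions; the 50,000-word dictionary is the figure from the post.

```python
import math

# Alphabet size per character class, assumed for a US keyboard (assumptions):
# 26 lower, 26 upper, 10 digits, 32 printable symbols.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}
# Word-list size from the post: an attacker with a 50,000-word dictionary.
DICTIONARY_WORDS = 50_000

def classes_used(password):
    """Character classes that actually appear in the password."""
    used = set()
    for ch in password:
        if ch.islower():
            used.add("lower")
        elif ch.isupper():
            used.add("upper")
        elif ch.isdigit():
            used.add("digit")
        else:
            used.add("symbol")
    return used

def keyspace_bits(password):
    """Brute-force search space, log2(alphabet ** length): the attacker knows
    only the character classes in play and tries every string of that length."""
    alphabet = sum(CLASS_SIZES[c] for c in classes_used(password))
    return len(password) * math.log2(alphabet)

def dictionary_bits(words, dictionary_size=DICTIONARY_WORDS):
    """Search space if the attacker guesses a sequence of whole dictionary
    words rather than individual characters."""
    return len(words) * math.log2(dictionary_size)

def effective_bits(password, words=None):
    """Conservative estimate: the smaller of the two models. `words` lists the
    dictionary words the password is built from, if any (simplification:
    digits/symbols between the words are ignored, slightly under-counting)."""
    bits = keyspace_bits(password)
    return min(bits, dictionary_bits(words)) if words else bits

def years_to_exhaust(bits, guesses_per_second=1e9):
    """Years to try the whole space at an assumed offline guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":  # constructed samples: the passwords from the post
    samples = [("C@mpl3x!", None), ("horsesandmules", ["horses", "and", "mules"]),
               ("INeedToCleanMySaddleAndGoRide!",
                ["i", "need", "to", "clean", "my", "saddle", "and", "go", "ride"])]
    for pw, words in samples:
        bits = effective_bits(pw, words)
        print(f"{pw:32} {bits:6.1f} bits  ~{years_to_exhaust(bits):.1e} years")
```

Run as a script it shows the point of the post in numbers: the 8-character "C@mpl3x!" sits near 52 bits, three lowercase dictionary words near 47 bits under the word-list model, and the long phrase well above 100 bits even when the attacker guesses whole words.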