Weak Passwords

Your password is the key to your computer -- a key much sought-after by hackers as a means of getting a foothold into your system. A weak password may give a hacker access not only to your computer, but to the entire network to which your computer is connected. Treat your password like the key to your home. Would you leave your home or office unlocked in a high crime area?

Experiences described in Case 1 and Case 2 demonstrate the importance of passwords and how hackers learn them and exploit them.

Too many passwords are easily guessed, especially if the intruder knows something about their target’s background. It's not unusual, for example, for office workers to use the word "password" to enter their office networks. Other commonly used passwords are the computer user's first, last or child's name, Secret, names of sports teams or sports terms, and repeated characters such as AAAAAA or bbbbbb.

  Your computer password is the foundation of your computer security, and it needs to stand up against the tools that hackers have for cracking it. There are 308 million possible letter combinations for a six letter password using all upper case or all lower case letters. A readily available password cracker can check all of them in only 2 minutes 40 seconds.

Here are some simple guidelines for strong passwords.

  • It should contain at least eight characters.
  • It should contain a mix of four different types of characters -- upper case letters, lower case letters, numbers, and special characters such as !@#$%^&*,;" If there is only one letter or special character, it should not be either the first or last character in the password.
  • It should not be a name, a slang word, or any word in the dictionary. It should not include any part of your name or your e-mail address.
  • You should be able to type it quickly, so that someone looking over your shoulder cannot readily see what you have typed.
  • It should be changed at least every 90 days to keep undetected intruders from continuing to use it.

Almost all computer operating system software programs on the market today that store passwords in encrypted format store the last character in the clear. All password cracking programs know this, so that means one less character for them to crack. This is one of several reasons why numbers and special characters should be toward the middle of your password, not at the beginning or end.

You can check how well your password will hold up against a hacker by going to the web site of software developer Symantec. This site has a program that tells the maximum number of possible combinations a computer might have to guess in order to break your password, and how long it would take your computer to check all these possible combinations.

As noted above, a six-letter password using all upper case letters or all lower case letters has 308 million possible letter combinations. This is easily broken within a couple minutes by automated password cracking programs that hackers can download from the Internet.

With some combination of both upper and lower case letters, a six letter password has 19 billion possible combinations. If you increase the password to eight letters and use both upper and lower case letters, there are 53 trillion possible combinations. Substitute a number for one of the letters, and there are 218 trillion possible combinations.

Substitute one of the special characters for another one of the letters, and you have the recommended type of password -- at least eight characters, including at least one upper case letter, lower case letter, number, and special character or punctuation. This has 6,095 trillion possible combinations -- still theoretically crackable, but requiring a more sophisticated program, a far more powerful computer, and far more time. The Internet address for the Symantec site where you can check your password is www.symantec.com/avcenter/security/passwords/passwordcheck.html

The password used for logging on to your office computer should be different from the password you use to log in to a web site on the Internet. The password used to log in to a web site is far more exposed to potential compromise. Any time you log in over an external network, your password is vulnerable to being stolen unless it is encrypted. Using a separate and unique password for your office computer helps protect the security of the office network.

Once you have selected an effective password, protect it. Resist the temptation to write your password down. If you do, keep it with you until you remember it, then shred it! NEVER leave a password taped onto a terminal or written on a whiteboard. You wouldn't write your PIN code on your automated teller machine (ATM) card, would you? You should have different passwords for different accounts, but not so many passwords that you can't remember them. Do not allow anyone to observe your password as you enter it during the logon process.

Do not disclose your password to anyone, not even to your systems administrator or maintenance technician. They have no need to know it. They have their own password with system privileges that will allow them to work on your account without the need for you to reveal your password. If a system administrator or maintenance technician asks you for your password, be suspicious (for reasons discussed under "Social Engineering" and in Case 2).

Use a password-locked screensaver to make certain no one can perform any activity under your User ID while you are away from your desk. These can be set up so that they activate after the computer has been idle for a while. Strange as it may seem, someone coming around to erase or sabotage your work is not uncommon. Or imagine the trouble you could have if nasty e-mail messages were sent to your boss or anyone else from your computer, or your account were used to transfer illegal pornography.

Owing to the important of user identification and the many problems with passwords, considerable research is now focused on the development of biometric identification systems. In the future, password access to networks containing sensitive information will probably be replaced by some form of biometric identification such as a fingerprint scanner.1

1. "Fingerprints May Soon Replace Passwords," National Security Institute Advisory, December 1998, p. 5.