Go4Expert, Ethical hacking forum: http://www.go4expert.com/forums/choosing-secure-password-t533/

pradeep 17Dec2005 14:25

Choosing A Secure Password
 
Have you ever signed up for an online service and entered your favourite password, the one you always use for everything, only to be told that you're using a dictionary word and you need to change it? Or that you don't have any numbers in it? Or it's too short, too long, there are two letters the same, no mix between uppercase and lowercase, or even that there's more than one occurrence of the same letter! Annoying, huh? Some websites go further than others. However, all these "rules" (or password techniques), as annoying as they may be, are designed to make your password more secure. After all, you don't want your account hacked, do you?

The idea of passwords probably appeared many centuries ago. Remember the phrase "Open Sesame"? According to the book "Authentication: From Passwords to Public Keys" by Richard E. Smith, centuries ago in Ali Baba and the Forty Thieves, "Open Sesame" was devised as a password to move a stone out of the way, thus opening up a cave filled with treasure. Smith goes on to say how the guards of that time used "passwords" to allow people entry into the cities. But the cave didn't require a guard, because it had an automatic password entry facility. It was magical, and impossible to explain (for those days, anyway) but it was automatic and required no guard to be present.

Likewise is the idea of using passwords today. The Internet is known as the "Information Superhighway", but if there was a policeman at every highway exit (or every password entry form), how tedious would that be? How long would it take if you were logging in to your Hotmail account, for instance? That's why automatic and machine-powered password verification is quite helpful.

But, even more so you need to have a secure password. It's probably much easier for a hacker to trick a machine than it would be to trick a human being. Simply put, machines are stupid - they have no idea who you really are, without your password. But these machines are also very useful.

So, how to create and keep a secure password? The number one rule is don't tell anyone your password. I don't know the stats here, but I'd hazard a guess that there are more security breaches by people who know the password than those who use highly complex hacking tools to "guess" the password. Also, don't make the mistake of writing your password down. Remember it instead! No one can take it out of your mind (at least not yet, anyway... you never know where technology will go these days), but anyone can read it on a piece of paper.

There should not normally be any reason why you should give your password to someone else, but if you absolutely have to, ensure that it is someone you would trust with your life! And if you absolutely have to write it down, try as hard as you can to disguise it. And, don't leave it near your computer - carry it with you in your wallet. But, just remember that the safest way to keep a record of your password is always in your mind.

The next rule is to make it long, but not too long. You need it long enough so that it takes longer (thereby making it harder) for a hacker to guess it, and you need it short enough so you remember it! Ideally, passwords should be at least eight characters long, but not more than twenty.

Next, make sure your password isn't easy for anyone to guess. If your password is "fido", and everyone who knows you knows that you have a dog called Fido, then anyone who knows you can guess your password! Make sure you don't use anything that anyone else would know, and it's also a good idea to keep away from dictionary words - as there are hacking utilities that run through a dictionary and check each word against the password.

There's no reason why you can't use "fido" as your password as long as you combine it with something else. Remember that eight characters is a good minimum length to stick to, so let's add on to our dog's name. To make a password even more secure, it's a good idea to include numbers and a mix of uppercase and lowercase letters. If we changed our password to "Fido10Dog", we'd be more secure. At ten characters long, we've mentioned our dog's name, that our dog is in fact a dog, and how old our dog is. Even to someone who knows you have a dog called Fido that is ten years old, this password is hard to guess.

Another good rule to stick to is to change your password frequently. You never know if there's someone who tries daily to hack into your account by trying combination after combination, with the thought that they'll get it eventually. And they'd be right - eventually, they will get there. But if you change your password often, then the work they've done so far would be a waste - so they'd just have to start all over again. Try to aim at changing your password every two months. Of course, you'd be even more secure if you changed it every two weeks, but only do this if you have a good memory! Also, make sure that you don't use the same password that you have used in, say, the last year. Just another little step to making it all as secure as possible.
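The rules the post lays out (at least eight and at most twenty characters, not a dictionary word, digits plus mixed case, and no reuse of a recent password) are easy to turn into a small policy checker of the kind a signup form or an account system runs on a candidate password. This is an added example, not code from the original post or from Go4Expert; the word list and the password history are constructed sample data standing in for a real dictionary file and a real per-user history.

```python
"""Password-policy checker built from the rules in the post above.

Added example, not part of the original post. SAMPLE_DICTIONARY and
SAMPLE_HISTORY are constructed stand-ins for a real word list and a real
per-user history of passwords used in the last year.
"""
import re

# Constructed sample data (not a real dictionary, not a real user's history).
SAMPLE_DICTIONARY = {"fido", "password", "sesame", "welcome", "dragon", "iforgot"}
SAMPLE_HISTORY = ["Summer2009!", "Winter2009!"]

MIN_LENGTH = 8   # "at least eight characters long"
MAX_LENGTH = 20  # "but not more than twenty"


def check_password(candidate, dictionary=SAMPLE_DICTIONARY, history=SAMPLE_HISTORY):
    """Return the list of rule violations; an empty list means the password passes.

    Rules, in the order the post gives them:
      1. length between MIN_LENGTH and MAX_LENGTH
      2. not a plain dictionary word (compared case-insensitively)
      3. contains at least one digit
      4. contains both uppercase and lowercase letters
      5. not identical to any password in the recent history
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"too short: need at least {MIN_LENGTH} characters")
    if len(candidate) > MAX_LENGTH:
        problems.append(f"too long: keep it to {MAX_LENGTH} characters or fewer")
    if candidate.lower() in dictionary:
        problems.append("is a dictionary word")
    if not re.search(r"\d", candidate):
        problems.append("has no digits")
    if not (re.search(r"[a-z]", candidate) and re.search(r"[A-Z]", candidate)):
        problems.append("needs a mix of uppercase and lowercase letters")
    if candidate in history:
        problems.append("was used recently; pick something new")
    return problems


def is_acceptable(candidate, **kwargs):
    """True when check_password() reports no violations."""
    return not check_password(candidate, **kwargs)


if __name__ == "__main__":
    # "fido" fails several rules; "Fido10Dog" (the post's example) passes;
    # "iforgot" (the joke password) is short, in the word list and has no digits.
    for pw in ["fido", "Fido10Dog", "iforgot", "Summer2009!"]:
        verdict = check_password(pw)
        print(f"{pw!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

The check returns every violated rule rather than stopping at the first one, so a form can tell the user everything wrong with the candidate at once. The dictionary check here only catches a bare word; a real deployment would load a full word list and also reject common word-plus-digit patterns, which the tiny sample set above is not meant to cover.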

To sidetrack for a bit, and for a small laugh, I once heard a story about a system administrator who got a call from a user every Monday morning. The user would forget her password over the weekend, and every weekend, so would call up on Monday and say she couldn't log in. The administrator would ask her what her password is, and get the reply "I forgot". After a few weeks of this same routine, the administrator had a bright idea, and changed her password to "iforgot". When she called up the next Monday: "What's your password?" "I forgot". And the problem was solved!

By the way, I need to make this clear for those who didn't pick it: the password used in that small joke wasn't very secure.

That joke also brings forward another point that is worth noting. Technical support personnel should never ask for your password over the phone, or at all for that matter. If they do, you should refuse to tell them. For two main reasons: anyone else could be listening on your side or their side (or even in between), and especially if they called you: how do you know that you really are talking to a technical support officer from the company they say they are representing?

Hopefully now you have been equipped with a few techniques on choosing a great and secure password. You've also learnt a bit about passwords and their history.

jhunkenpachi 13Sep2010 18:05

Re: Choosing A Secure Password
 
how to hack password by using MD5

pradeep 13Sep2010 23:21

Re: Choosing A Secure Password
 
Kindly read this MD5 tutorial first to understand what it is!

