frustrate-password-crackers.html

SECURITY ALERT BLOG

MORE ON PASSWORD SELECTION

It has been a few years since we posted this, and it seems like things just don't change very quickly when trying to avoid the sophosticated malware flooding the internet today, so, I believe it wise to remind everyone just how serious it is.

If you are like so many of us everyday Internet users, you probably have had to create or change your password to access important web services like bank accounts, email accounts, various news service subscriptions, etc.

Mike Delaney wrote this article a couple of years ago. With the increasing spread of on-line threats to our personal privacy, it's still a valuable guide to help us avoid potential financial loss and Identity Theft.

... Richard

How to Frustrate Password Crackers

8 Tips by Mike Delaney

"Some time ago, I was one of the most prolific contributors to one of the most popular newsgroups on Usenet. The newsgroup's purpose was to provide fraudulently-obtained, but valid, passwords for websites.

The process there is fairly straightforward: someone posts the web site address of a site that they want (free and illegal) access to. Several group members with colorful nicknames then "run" the site. If a valid username/password is found, it is emailed to the requestor, who in turn publicly heaps praise on the grantor, thus inflating his or her ego. My colorful nickname was "PassBandit".

Here are some tips to ensure that your account is not the weak account that the other "PassBandit"s of the world compromise:

1. The password is more important than the username. Do not assume that because you have an unusual username (including e-mail addresses), you can choose a simple password.

2. Make your reminder question tough and unique -- something such as "What was my first pet's name?".

3. Do not use your username as the password. Similarly, do not use a password that "fits" with the username. The may be cute, clever, and easy to remember, but username:password combinations such as intel:inside, moody:blues, hewlett:packard, or foghorn:leghorn will be compromised very quickly.

4. Make every password AT LEAST 6 (preferably more) characters long.

5. Use a mix of upper- and lowercase letters, and numbers -- and, if allowed, include symbols, i.e., "Hammer*shreW" or "booKbuicK-720". The more variety your password contains, the less likely that it will be guessed.

6. Do not use a single word as your entire password. At several hundred guesses per second, my software could (and often did) go through entire unabridged dictionary files, many megabytes in size, and in several languages in no time. Combine two unrelated words, such as bookbuick or hammershrew.

7. Change your password frequently if the site gives you that option.

8. Do not use the same username/password combination at multiple sites.

I've grown out of "PassBandit", and it no longer holds a thrill for me. Instead, I've hopped the fence and teach loss prevention topics. But there are thousands of "PassBandit"s out there looking to get into your website stash. Don't make it easy for them."
-----------------------------------------------------------
About the Author
Mike Delaney is a shoplifting prevention trainer with over 20 years experience as an expert shoplifter, and almost 10 years stopping them. He is the author of "How to Beat Shoplifters and Increase Profits", offered by Bison Creek Author Services, http://bisoncreek.com