The Joomla!® Community Magazine

Team EaSE Article: Passwords - Don't walk in front of a Bus!

Written by Team EaSE | Saturday, 01 January 2011 00:00 | Published in 2011 January
Team EaSE discuss passwords in general and stress how important password construction and safety are to the overall security of your website and backups.

Team EaSE Podcast - Hils & Bo discuss passwords and their importance

Some warnings - buses that we have inadvertently stood in front of!

Creating a strong password

Common guidelines for choosing good passwords are designed to make passwords less easily discovered by intelligent guessing:

  • Password length should be around 12 to 14 characters if permitted, and longer still if possible while remaining memorable
  • Use randomly generated passwords where feasible
  • Avoid any password based on repetition, dictionary words, letter or number sequences, usernames, relative or pet names, romantic links (current or past), or biographical information (e.g., dates, ID numbers, ancestors' names or dates).
  • Include numbers and symbols in passwords if allowed by the system
  • If the system recognizes case as significant, use capital and lower-case letters
  • Avoid using the same password for multiple sites or purposes
  • If you write your passwords down, keep the list in a safe place, such as a wallet or safe, not attached to a monitor or in an unlocked desk drawer

[Extract from: http://en.wikipedia.org/wiki/Password_strength ]

Guessing & Sarah Palin

Passwords can sometimes be guessed by humans with knowledge of the user's personal information. Examples of guessable passwords include:

  • blank (none)
  • the words "password", "passcode", "admin" and their derivatives
  • a row of letters from the qwerty keyboard -- qwerty itself, asdf, or qwertyuiop
  • the user's name or login name
  • the name of a significant other, a friend, relative or pet
  • their birthplace or date of birth, or a friend's, or a relative's
  • their automobile license plate number, or a friend's, or a relative's
  • their office number, residence number or most commonly, their mobile number.
  • a name of a celebrity they like
  • a simple modification of one of the preceding, such as suffixing a digit, particularly 1, or reversing the order of the letters.
  • a swear or curse word

Personal data about individuals are now available from various sources, many on-line. Attackers who know the user may have information as well. For example, if a user chooses the password "YaleLaw78" because he graduated from Yale Law School in 1978, a disgruntled business partner might be able to guess the password.

Guessing is particularly effective with systems that employ self-service password reset. For example, in September 2008, the Yahoo e-mail account of Governor of Alaska and Vice President of the United States nominee Sarah Palin was accessed without authorisation by someone who was able to research answers to two of her security questions, her zip code and date of birth, and was able to guess the third, where she met her husband.

[Extract from: http://en.wikipedia.org/wiki/Password_cracking ]
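The guessable patterns listed above can be checked at the moment a password is chosen. The following is an added example, not part of the original article or the Wikipedia extract; it covers a subset of the list (blank, common words, keyboard rows, personal information, and the "simple modifications" of each), and the word lists, function names and the 12-character minimum taken from the guidelines earlier on the page are illustrative assumptions.

```python
import re

# Constructed sample deny lists; a real deployment would load larger ones.
COMMON_WORDS = {"password", "passcode", "admin"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
MIN_LENGTH = 12  # lower bound of the 12 to 14 character guideline


def _candidate_forms(password):
    """Undo the 'simple modifications': case changes, digits or symbols
    added at either end, and reversing the order of the letters."""
    base = password.lower()
    stripped = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", base)
    return {base, stripped, base[::-1], stripped[::-1]}


def guessable_reasons(password, personal_facts=()):
    """Return the reasons a password is guessable (empty list if none found).

    personal_facts holds strings an acquaintance could know or research:
    login name, pet or partner names, birthplace, dates, phone numbers.
    """
    if password == "":
        return ["blank password"]
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    forms = _candidate_forms(password)
    if any(word in form for form in forms for word in COMMON_WORDS):
        reasons.append("based on a common word")
    if any(len(form) >= 4 and form in row
           for form in forms for row in KEYBOARD_ROWS):
        reasons.append("keyboard row sequence")
    # Split each fact into words so "Yale Law School" also catches "YaleLaw78".
    tokens = {tok for fact in personal_facts
              for tok in re.findall(r"[a-z0-9]+", fact.lower()) if len(tok) >= 3}
    if any(tok in form for form in forms for tok in tokens):
        reasons.append("contains personal information")
    return reasons


if __name__ == "__main__":
    for pw, facts in [("Password1", ()), ("ytrewq", ()),
                      ("YaleLaw78", ("Yale Law School", "1978"))]:
        print(repr(pw), "->", guessable_reasons(pw, facts))
```

An empty result only means none of these patterns matched; it does not show that the password is strong.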

In short...

  • Make a strong password preferably with 13 characters or more - uppercase, lowercase, numbers & special characters
  • Keep it as safe as you can
  • Never send it to anyone without splitting it into several parts
  • Change it frequently
  • Passwords do not completely secure your data - they are only a part of it. And finally:
  • Try not to walk in front of a bus!
Tagged under Extensions and Services Evaluations

Comments (2)

  • Don Cranford

    Using KeePassX for Mac (http://www.keepassx.org/) or KeePass for PC (keepass.info) is a great tool to generate and store random passwords.

  • Bo Astrup

    While I agree it's a great idea to use a program to store your passwords, we still have to consider that most of us today are using our passwords across multiple devices and we might have to share log in info - not only passwords - when collaborating with others. We have to look at passwords and security from a "360 degree angle".


Contribute Your Ideas

Each month, the Extensions & Services Evaluation Team will be assessing and comparing a selection of Extensions & Services. We do not offer opinion, but we do give you the facts for you to make your own evaluation.

Team EaSE is a group of volunteers from the Joomla! Community who want to give back - could you do the same? Visit the Author Resources area.
