Spectrum - Volume 18 Issue 19 February 1, 1996 - Keeping Your Passwords Safe

A non-profit publication of the Office of the University Relations of Virginia Tech,
including The Conductor , a special section of the Spectrum printed 4 times a year

Keeping Your Passwords Safe

By Information Systems Staff

Spectrum Volume 18 Issue 19 - February 1, 1996

Imagine the keys to your house falling into the wrong hands. All your belongings-your computer, stereo, personal possessions-are there for taking or destruction. Once they have your keys, your house is wide open; they can do anything they want.

Like the key to your house, your password is the key to your online home and allows access to anyone who has a copy. With the growth of networking, attempts to guess passwords and misuse accounts have become increasingly common.

We often don't stop to consider either the value or vulnerability of our accounts. Perhaps we feel that our accounts are uninteresting to others, that a hacker won't bother with them. Unfortunately, in addition to your account, your password may provide a hacker with access to various other systems and services in your name. For example, they might:

* read and delete your e-mail, and prevent you from getting it;

* engage in illegal activities, and make it look like you did it;

* change your account, files, or WWW home page to whatever they want;

* lock you out of your own account so you can't fix these problems.

There are two basic guidelines for keeping your password secure: keep it secret, and make it hard-to-guess/easy-to-remember.

First, keep your password secret. Like sharing the key to your house, you might occasionally give a friend your password. However, make this a rare occurrence, and make sure your friend understands the need for secrecy. Also, avoid writing down your passwords. Written passwords provide one of the easiest sources for hackers. Better to find ways of remembering your password (discussed below).

Second, make your password hard-to-guess/easy-to-remember. The most common method of cracking an account is guessing. Hackers first try using the account name as the password, then variations on the account name (backwards, uppercase). They might try the names of your spouse, children, or pets, if they know them or can find them out. Finally, more sophisticated hackers run a special program that tries every word in a large dictionary. In his recent article "Foiling the Cracker," Daniel V. Klein summarizes the results of a test on real-world passwords. A password-cracking program was able to guess 25 percent of the passwords, 2.7 percent in the first 15 minutes alone.

Here are some guidelines for choosing a password:

1. Avoid using easily guessed words such as your name, userid, PID, or any variation thereof (backwards, changing case, etc.).

2. Avoid words referring to anything noticeable about you: the name of your spouse, child, pet, your favorite football team, or literary character.

3. Use words longer than six letters; hackers try short words first.

4. Use different passwords on each account you have.

5. It is safer not to use any word that appears in a dictionary. (Daniel V. Klein said "...if they exist in some dictionary, they are susceptible to directed cracking.")

Try some of these techniques to produce nonsense words:

1. Use two words that normally don't go together, separated by a punctuation mark or number. For example, "star6tan" would be hard for any system to guess.

2. Use the first letters of a phrase you can remember: "I sure do love my spouse" becomes the difficult to crack "Isdlms."

3. Use some phrase that you are reminded of when typing your password. For checking your e-mail, you might use "Oh boy notes from my friends" which becomes "Obnfmf."

The weakest link in any security system is usually the people who use it. As more and more business moves online, we need to be increasingly concerned about security. By being protective of and careful with your passwords, you can greatly decrease the odds that anyone will break into and misuse your computer accounts.