People Still Not Grasping Password Security
Scott Mcintyre Contributing Writer
2006-06-14
After all these years you would think basic password security would be drilled into everyone who uses the Internet, yet time and time again I come across people who still have not learned the basics.
Really, what is so hard about remembering a password that is not made up of letters only? One simple `odd` character in the word makes it a reasonably secure password. Yet people still do not get the message that adding just one character really makes a difference.
When I see people who get compromised because of their passwords it just makes me cringe. I have yet to understand why they do not learn until someone takes advantage of their weak password. It happens so often now that I even have an example ready for weak passwords.
"You can still have a secure password which is easy to remember; it does not have to be full of random characters, just one or two really does make a difference.
Take my name, for example: Scott Mcintyre. That's 13 characters long and easy to remember; all you have to do now is throw a few odd characters in there, such as
Sc0tt`Mcintyr?e
which is easy to remember, includes capitals, has a number, and is more than 10 characters."
Do you test your passwords?
This brought me on to the question of whether anyone actually tests their passwords against dictionaries. Both users and system administrators should test them regularly, and the reaction I get when I guess someone's password is quite strange, as if it had never happened before.
System Administrators
I personally only work with *NIX and test passwords at least once a week on every single server with user accounts that I manage. In one run the success rate for more than 100 passwords is generally 1-10%; however, today I got a 58% success rate, which sparked this entry.
As a *NIX administrator I feel it's my job to ensure people's passwords are up to date too, and I often use tools like John The Ripper against the /etc/shadow file to achieve this. You may view my guide at http://www.hostgeekz.com/guides/Security/67/Password_Security.htm if you are unsure how to do this.
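The audit the author describes, running a wordlist against the system's password hashes and flagging the accounts that fall to it, can be reproduced in a few lines. The script below is an added example, not the author's guide or John The Ripper. It uses a constructed password file: since Python's `crypt` module is no longer in the standard library, the entries use a stand-in `$pbkdf2-sha256$...` format verified with `hashlib.pbkdf2_hmac` rather than the real `$6$` SHA-512 crypt lines found in /etc/shadow; the sample accounts, their passwords and the wordlist are constructed here. The mangling rules (capitalisation, a handful of letter-to-digit substitutions, an appended digit) are the cheapest ones any cracker tries first, and the script also reports accounts on the same host that share a cracked password, which is the reuse problem the article returns to later.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed stand-in for crypt(3) hashes: "$pbkdf2-sha256$<iters>$<salt hex>$<hash hex>".
# A real /etc/shadow line would carry "$6$salt$hash"; the audit logic is the same.
ITERATIONS = 1000  # deliberately low so the sample audit finishes in a moment


def hash_password(password, salt=None):
    """Produce one constructed-format hash with a random 8-byte salt."""
    salt = salt or secrets.token_bytes(8)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"$pbkdf2-sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password, stored):
    """Check a candidate against a stored hash using a constant-time compare."""
    _, scheme, iters, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2-sha256":
        raise ValueError(f"unsupported scheme {scheme!r}")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


# Cheap substitutions: a dictionary word with these applied is still a dictionary word.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0"})


def candidates(word):
    """Yield the word plus the first mangling rules an auditor would apply."""
    seen = set()
    for base in (word.lower(), word.capitalize(), word.upper()):
        for form in (base, base.translate(LEET)):
            for suffix in ("", *"0123456789"):
                cand = form + suffix
                if cand not in seen:
                    seen.add(cand)
                    yield cand


def audit(shadow_lines, wordlist):
    """Return {user: plaintext} for every account whose hash falls to the wordlist."""
    cracked = {}
    for line in shadow_lines:
        user, stored = line.split(":", 1)
        for word in wordlist:
            hit = next((c for c in candidates(word) if verify(c, stored)), None)
            if hit is not None:
                cracked[user] = hit
                break
    return cracked


def find_reuse(cracked):
    """Group cracked accounts that share one plaintext (password reuse on one host)."""
    by_password = defaultdict(list)
    for user, password in cracked.items():
        by_password[password].append(user)
    return {pw: sorted(users) for pw, users in by_password.items() if len(users) > 1}


# Constructed sample accounts; "bob" uses the article's own example password.
SAMPLE_SHADOW = [
    "alice:" + hash_password("password1"),
    "bob:" + hash_password("Sc0tt`Mcintyr?e"),
    "carol:" + hash_password("P@ssw0rd"),
    "dave:" + hash_password("password1"),  # same password as alice, different salt
]
WORDLIST = ["password", "scott", "mcintyre", "welcome", "letmein"]


if __name__ == "__main__":
    hits = audit(SAMPLE_SHADOW, WORDLIST)
    for user, password in hits.items():
        print(f"{user}: weak password {password!r}")
    for password, users in find_reuse(hits).items():
        print(f"password {password!r} is shared by {', '.join(users)}")
```

Run as-is, it reports alice, carol and dave as weak (two of them via the appended digit and one via the letter-for-digit substitution) and lists alice and dave as sharing a password, while bob's mid-word odd characters survive these rules. Against a real shadow file you would swap `verify` for a crypt(3)-compatible implementation and the wordlist for a full dictionary; the reporting logic stays the same.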
End Users
Personally I feel end users should not have to test their passwords and should be using a password that gives them 100% reassurance. Ultimately, if you feel the need to check your password against dictionaries, then your password is not good enough.
Multiple Locations
Do you use your password in multiple locations? If so, why? While it might be easy to remember, it always leads to problems if, by the off chance, your password is ever compromised. I feel this form of basic password security is the one that is taken least seriously. I used to do it myself, but have since realised it was bad because of the number of people I have seen bad things happen to. There are methods of keeping the same password principle yet not using the same password. Take our above example,
Sc0tt`Mcintyr?e
You could change the position of the question mark for each location: for example, your instant messenger password could be S?c0tt`Mcintyre and your email password could be Sc?0tt`Mcintyre. These are just different variations, yet it keeps your password simple to remember.
Changing passwords
Do you change your password after a certain period? This is generally a good idea if you use the same password in multiple locations. Personally I change my passwords around once every 3-4 months, and I do it so I can remember them more easily: newer passwords stay fresh in the mind, whilst older passwords can be forgotten and confused with others.
Conclusion
It seems I have joined the list of thousands, possibly millions, of other articles/rants about password security, but I think it has to be said that it's quite shocking how many people totally ignore the basic concept.
About the Author:
Scott Mcintyre is a system administrator and webmaster from the United Kingdom. His blog can be found at Scott Mcintyre :: cPanel Tutorials.