Here’s some interesting information on passwords: what makes a good one, what makes a bad one, and how your passwords can get cracked. I’ve been a unix administrator since 1996 and a Linux administrator since 1996. I’ve worked a lot with passwords and secure technologies and I am very familiar with password cracking technologies.
Security is one of those things that is very easy to understand at a basic level and also one of those things that too many people cut corners on. It’s simple: the more secure something is, the less convenient it is. So, if your intent is to have something as convenient as possible, you can also bet it won’t be very secure. You’ll see what I mean when you read the password guidelines below (all the things that make a password easy to remember ALSO make it easy to crack). Passwords are an old technology that is prone to being cracked. But there are a few things you can do to keep 99.99% of the bad guys from cracking your password(s).
- Don’t use the same password for everything
- Don’t use dictionary words as your password
- Don’t just replace some letters with a 1 or a 0 (“l33t” substitutions); it’s predictable and crackers try those substitutions first
- Don’t use just a string of numbers for your password
- Don’t write it down on anything and/or carry it with you in written form
Following is a list of OK things, but each one is still kind of weak on its own; it’s better if you do them all. In fact, if you follow all these rules, most hackers/crackers won’t be able to crack your password.
- Prepend AND append numbers to your standard, non-dictionary word, password (don’t use the year or a phone number, use 2 or more numbers you like)
- Use camel case in the letters (thIsIsCaMeLcaSe)
- Use special characters like @ or ! or &
- Make sure the password is 9 or more characters in length. EX: 42Sq@m7!Flf
- Change them around from time to time
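To make the guidelines above concrete, here is a small checker (added here as an example; it is not code from the original post) that tests a candidate password against each rule: minimum length, not all digits, not a dictionary word, not a dictionary word with the usual 1/0/@/$ substitutions, mixed case, a special character, and a digit at the start or end. The dictionary is a constructed six-word stand-in for a real wordlist, and the prepend/append rule is relaxed to "a digit at the start or the end" so that the post’s own example password passes.

```python
import re
import string

# Constructed stand-in for a real wordlist (assumption: a real checker would
# load a full dictionary file, and the "same password everywhere" rule can
# only be enforced by a password manager, not by a checker like this).
DICTIONARY = {"password", "welcome", "dragon", "monkey", "letmein", "summer"}

# Undo the "replace some letters with digits/symbols" trick the post warns
# about, so "P@ssw0rd" is recognised as the dictionary word "password".
LEET_MAP = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def check_password(pw):
    """Return a dict of rule name -> True/False for the post's guidelines."""
    letters = [c for c in pw if c.isalpha()]
    # The "standard word" with any prepended/appended digits removed.
    core = pw.strip(string.digits).lower()
    # Lower-case, leet-reversed, letters only: what a cracker's rule set sees.
    normalized = re.sub(r"[^a-z]", "", pw.lower().translate(LEET_MAP))
    return {
        "length_9_or_more": len(pw) >= 9,
        "not_all_digits": not pw.isdigit(),
        "not_dictionary_word": core not in DICTIONARY,
        "not_simple_substitution": normalized not in DICTIONARY,
        "mixed_case": (any(c.islower() for c in letters)
                       and any(c.isupper() for c in letters)),
        "has_special_char": any(c in string.punctuation for c in pw),
        # Relaxed from "prepend AND append" so the post's example passes.
        "digit_at_start_or_end": pw[:1].isdigit() or pw[-1:].isdigit(),
    }


def is_acceptable(pw):
    """True only when every rule in check_password() is satisfied."""
    return all(check_password(pw).values())


def failed_rules(pw):
    """Names of the rules a password breaks, for feedback to the user."""
    return [name for name, ok in check_password(pw).items() if not ok]


if __name__ == "__main__":
    for candidate in ["42Sq@m7!Flf", "P@ssw0rd", "12345678901", "Dragon99"]:
        print(candidate, "OK" if is_acceptable(candidate) else failed_rules(candidate))
```

The leet-reversal step is the interesting part: it is the same normalisation a cracking rule set applies, which is why substituting digits for letters buys so little. Running the block prints which rules each sample password breaks; the post’s example 42Sq@m7!Flf passes all of them.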
Operating System Password Handling
Windows uses a predictable password hash (still) to store passwords in. Sure, it’s encrypted, but it has to be unencrypted for the system to validate the password you enter against the stored one = vulnerability. The biggest issue I have with this is that a person can (and I have done this to prove this very point) create what’s called a hash table that has all of the possible passwords, given certain parameters (use A-Z, 0-9, special characters, case sensitive, 13 or fewer characters in length, etc.), matched with each password’s encrypted hash form. This sounds technical, but it takes the vast majority of the work out of cracking a password. EX: A hacker installs a virus on your Windows desktop. The next time you log in, that virus grabs your password hash and sends it to the hacker the next time you are on the internet. The hacker gets a copy of your password hash (looks kinda like this: JN47SF&YS:S&SFCHFD:JFF??&%) and then looks up this exact hash in his table. Right next to it in the table is your password in plain text. You’ve been hacked.
Linux adds a random ‘salt’ to every password so that the same password never has the same encrypted hash entry. The hash table no longer works and the hackers are back to brute force cracking … which is too time consuming, so they give up (generally). This would be a very easy thing for other operating systems to implement, but they don’t for some reason. For example, HP’s unix variant, HP-UX, still only allows 8 character passwords (LAME). But even with a nice long password with letters, numbers, camel case, and special characters, passwords are still archaic and really should go away as a primary authentication mechanism. What would replace it? Public/private key technology like PGP and GPG. How can operating systems use this, you ask? OpenSSL is the package, and Linux has been using it for a long time. Web servers that use SSL certificates give you the little lock icon that lets you know you’re secure; that’s good stuff too. Most unix variants support and even provide an SSL package, so that’s very cool. Microsoft does not (losers).
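The two paragraphs above describe the difference between a predictable (unsalted) hash, which a precomputed table can look up directly, and a salted hash, which defeats the table because the same password no longer produces the same stored value. The block below is an added example, not code from the original post or from any operating system: it builds a lookup table over a constructed six-entry candidate list, shows that it recovers an unsalted digest but misses a salted one, and shows the verification side, where the stored salt is reused to check a login. SHA-256 stands in for whatever hash the OS uses; the salted form uses PBKDF2-HMAC-SHA256 from Python’s standard library, a slow key-derivation function that also makes per-guess brute force more expensive.

```python
import hashlib
import hmac
import os

# Constructed, tiny candidate list standing in for a precomputed table
# (assumption: a real table holds billions of entries; the mechanism is the same).
CANDIDATES = ["letmein", "summer2009", "hunter2", "qwerty", "Passw0rd!", "42Sq@m7!Flf"]


def unsalted_hash(password):
    """Deterministic hash: the same password always yields the same digest,
    which is exactly what makes a precomputed lookup table possible."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(candidates):
    """digest -> plaintext, computed once and reused against any stolen hash."""
    return {unsalted_hash(p): p for p in candidates}


def recover_from_table(table, stored_digest):
    """One dictionary lookup: returns the plaintext, or None if not tabulated."""
    return table.get(stored_digest)


def salted_hash(password, salt=None, iterations=200_000):
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256).
    Returns (salt, digest); both are stored, the salt in the clear."""
    if salt is None:
        salt = os.urandom(16)  # 128-bit random salt, fresh for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_salted(password, salt, stored_digest):
    """Login check: recompute with the stored salt, compare in constant time."""
    _, digest = salted_hash(password, salt)
    return hmac.compare_digest(digest, stored_digest)


def demo():
    """Walk through both cases; returns the recovered plaintext for the
    unsalted case and the table result (None) for the salted case."""
    table = build_lookup_table(CANDIDATES)
    stolen_unsalted = unsalted_hash("letmein")
    recovered = recover_from_table(table, stolen_unsalted)

    salt_a, digest_a = salted_hash("letmein")
    salt_b, digest_b = salted_hash("letmein")
    # Same password, two different stored values: the table cannot contain both.
    assert digest_a != digest_b
    from_table = recover_from_table(table, digest_a.hex())
    return recovered, from_table


if __name__ == "__main__":
    recovered, from_table = demo()
    print("unsalted: table lookup recovered", recovered)
    print("salted:   table lookup returned", from_table)
```

Two design points matter for the verification side: the salt is stored next to the digest and is not secret, since its job is only to make each stored value unique, and the comparison uses hmac.compare_digest so that a mismatch takes the same time regardless of where the first differing byte is.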
The idea is to encrypt ALL the traffic so no one can even get at the password hashes to begin with. With just password authentication there is a time, while authenticating the password, where the data is not encrypted. Even if the data is fully encrypted afterwards, it doesn’t really matter that much. Public/private keys allow the entire connection to be encrypted, and then you can perform a second layer of security authentication with your password, but safely inside the encrypted “tunnel”. Good stuff.
Here are the rules I follow when it comes to the internet, electronic data, and my security.
- For sites I don’t care about, I will use the same lame password. Like sites that just want me to register so I can read the news or something, i.e. no personal data.
- For sites that have some personal data but nothing approaching identity theft type stuff, I will use several passwords that I commonly use but strung together.
- For sites that require very personal information that would constitute identity theft if someone got it and used it, I use long and unique passwords (banks, social security administration, etc.)
- On sites like facebook, myspace, twitter and the like, just remember this one rule: if you don’t want everyone in the world to read it or know it about you, then just don’t post it at all.
- I have a GPG key that I use to encrypt emails and documents, and I have the public keys of friends with whom I like to communicate securely. My GPG pass phrase changes from time to time and it is a difficult one.
- I use OpenSSL technologies on my own servers and I look for secure technologies in everything I do – watch for the lock icon on your web browser and URLs with https://
Here are some good technologies you can use to make your data and data storage more secure:
- TrueCrypt: free and open-source encryption software, cross platform
- GPG (GnuPrivacyGuard): Thunderbird has an OpenPGP plugin!!
- Roboform: secure web browser password manager (Windows)
- SplashID: secure information manager for blackberry/desktop/android/etc.
- KeePass: another password safe, cross platform, even a port for blackberry
- Atomic Helix: GPG/PGP integration for the blackberry
- Windows can get SSL (ssh, scp, etc.) in several ways: Cygwin, OpenSSL, etc.
- RealVNC: remote desktop with SSL built in
- If you have ssh installed, you can tunnel a non-encrypted VNC or remote desktop session through an ssh tunnel for the same effect.
- WinSCP: a client for FTP, SFTP and SCP; a good tool to have on any Windows desktop or server.
- PuTTY: good stuff for Windows; ssh, sftp, etc.