What All A Password Should Never Be

Posted on July 27, 2007. Filed under: Videos |

I. Passwords should never be:

  • Any word in any dictionary, in any language
  • Any formal name or nickname, including spouse's, children's, and pet's
  • Any mythological or fictional character or race
  • Any name of a place (city, country, crossroads, forest, or place of natural beauty), real or fictional
  • Fictional terms
  • Titles of movies, books, compositions
  • The name of any author, composer, musician, actor
  • Any special number
  • Acronyms
  • Phrases
  • Fables or legendary characters or places
  • Combinations of letters or patterns on the keyboard
  • Clever license plates you've seen (one2nv, 3vom, ibuy4u) or neat word/letter combinations (aTdHvAaNnKcSe)
  • Religious figures, places, or events
  • Anything you can imagine being collected into a list

Examples of bad passwords include: characters and races from Star Trek, the appendices from The Lord of the Rings, pi, e, and the golden ratio, zip codes, THX1138, names of asteroids, names of bacteria, names of viruses, names of algae, names of fungi, names of beers, words transliterated from Hindi, Chinese, Russian, Yiddish, or any other language or alphabet, cartoon characters, and a few specifics: letmein, youreok, zorkmid, zorro, wonderbread, upchuck, unixsuck, qwerty, zaq1234, lmnop, klingon, justforthe, hosannah, hesdeadjim, beammeup.

If a password fits in a list, you can presume someone has made up that list.

II. Passwords should never be a simple algorithm applied against something in category I, such as:

  • The "word" backwards
  • Substituting digits for vowels: r1ch2rd for richard
  • Common substitutions for letters: 3 for e, as in mov3
  • Appending or prefixing digits: apple639 or 123apple
  • Appending or prefixing special characters: apple@ or $klingon

III. Passwords should not contain information that can be automatically gathered by knowing your user name:

  • Your user name
  • Your user index/number (on Unix, the UID and GID)
  • Account owner information (on Unix, the gecos field), which commonly contains your full name
  • Anything derivable from the above, such as your initials

This category is similar to the first. However, whereas category I is static (one list serves against every account), category III depends on your account information and so varies from account to account, yet it is still derivable automatically by anyone who can read the account database.

IV. Passwords should not contain personal information about you that can be gathered if you are targeted:

  • Your social security number
  • Your student ID number
  • Your phone number, your mother's phone number, your mother's maiden name
  • Your passport number
  • Your street address, the address where you were born
  • Your license plate number
  • Serial number from your camera, computer, stereo

In summary, a good password must be something that cannot be derived in a semi-automatic manner. Categories I-III cover known information, or information easily derived from it, that a computer can apply exhaustively against every password on a machine. Category IV covers information that would be applied to break your account specifically, as opposed to any account on the machine. While this may seem a remote possibility, if you are ever personally targeted it is potentially far more damaging to you.

Two final tips on password selection. First, find out how many characters the system actually uses for a password: a good 15-character password becomes a terrible one if the system keeps only the first 8 characters (traditional Unix crypt(3) did exactly that). Second, check your password against the categories above even when it came from a personal generation scheme that is usually good: a good scheme can still produce a bad password when its output happens to coincide with something in a list. For example, mxvhall might be a reasonable password for most people, but it is a bad one if your name is Mary Xavier Virginia Hall.
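As an added example, not part of the original post or of the Wayne State page it quotes, the following Python checker applies categories I-IV and the two closing tips mechanically. The word list, the Unix-style account record (username, UID, GID and gecos name) and the personal data are constructed sample inputs; a real deployment would load a full dictionary and the actual passwd entry. The substitution table for category II, the keyboard-row list and the way account tokens are derived are this example's own choices, not the page's.

```python
import re

# Constructed sample inputs (stand-ins for a real dictionary and a real
# /etc/passwd entry; not data from the original page).
WORDLIST = {"apple", "richard", "klingon", "letmein", "qwerty", "zorro", "move", "hall"}
ACCOUNT = {"username": "mhall", "uid": 1042, "gid": 100,
           "gecos": "Mary Xavier Virginia Hall"}       # category III data
PERSONAL = {"phone": "313-555-1234", "plate": "ABC 1234", "zip": "48202"}  # category IV data

KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

# Category II: a letter may appear as itself, as a common substitute, or
# (for vowels) as any digit, so one pattern covers richard/r1ch2rd/mov3/3vom.
SUBST = {"a": r"[a4@\d]", "e": r"[e3\d]", "i": r"[i1!\d]", "o": r"[o0\d]",
         "u": r"[u\d]", "s": r"[s5$]", "t": r"[t7]", "l": r"[l1]"}


def word_pattern(word):
    """Regex matching `word` with the category II substitutions applied."""
    return "".join(SUBST.get(ch, re.escape(ch)) for ch in word)


def mutation_patterns(words):
    """Forward and reversed (the 'word backwards') patterns per base word."""
    pats = []
    for w in words:
        pats.append(re.compile(word_pattern(w)))
        pats.append(re.compile(word_pattern(w[::-1])))
    return pats


def account_tokens(account, personal=None):
    """Strings derivable from the account record (category III) and from
    targeted personal data (category IV): username, UID, GID, each name in
    the gecos field, initials, and initials-plus-surname ("mxvhall")."""
    names = account["gecos"].lower().split()
    initials = "".join(n[0] for n in names)
    tokens = {account["username"].lower(), str(account["uid"]),
              str(account["gid"]), initials, *names}
    if names:
        tokens.add(initials[:-1] + names[-1])
        tokens.add(names[0] + names[-1])
    for value in (personal or {}).values():
        tokens.add(re.sub(r"[^a-z0-9]", "", value.lower()))
    return {t for t in tokens if len(t) >= 3}


def keyboard_run(s, minlen=4):
    """Return a run of `minlen` keys taken in order along a keyboard row."""
    rows = KEYBOARD_ROWS + [r[::-1] for r in KEYBOARD_ROWS]
    for i in range(len(s) - minlen + 1):
        chunk = s[i:i + minlen]
        if any(chunk in row for row in rows):
            return chunk
    return None


def weak_reasons(password, account=ACCOUNT, personal=PERSONAL,
                 wordlist=WORDLIST, truncate_to=None):
    """Return why `password` is weak; an empty list means it passed.

    truncate_to models a system that silently keeps only the first N
    characters (traditional crypt(3) keeps 8): only that prefix is judged,
    because only that prefix is ever compared.
    """
    if truncate_to is not None and len(password) > truncate_to:
        prefix = password[:truncate_to]
        return [f"system uses only the first {truncate_to} chars ('{prefix}'): {r}"
                for r in weak_reasons(prefix, account, personal, wordlist)]
    pw = password.lower()
    # Undo category II affixes ("apple639", "$klingon") to expose the core.
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw)
    reasons = []
    pats = mutation_patterns(wordlist)
    for cand in {pw, core} - {""}:
        where = "" if cand == pw else " (after stripping affixed digits/specials)"
        if cand in wordlist:
            reasons.append(f"'{cand}' is a dictionary word{where} (category I)")
        elif any(p.fullmatch(cand) for p in pats):
            reasons.append(f"'{cand}' is a simple mutation of a dictionary word{where} (category II)")
    for tok in sorted(account_tokens(account, personal)):
        if tok in pw:
            reasons.append(f"contains account/personal data '{tok}' (categories III/IV)")
    run = keyboard_run(pw)
    if run:
        reasons.append(f"contains keyboard pattern '{run}' (category I)")
    return reasons


if __name__ == "__main__":
    for pw in ["r1ch2rd", "apple639", "3vom", "zaq1234", "1042", "mxvhall",
               "klingon!9f$Lm2qZ", "w9Qz#vLk2"]:
        print(f"{pw:18} {weak_reasons(pw) or ['ok']}")
    # The same 16-char password judged by a system that keeps 8 characters:
    print(weak_reasons("klingon!9f$Lm2qZ", truncate_to=8))
```

The per-word regex approach is fine for a demonstration but compiles one pattern per dictionary entry; a production checker would instead normalise the candidate (strip affixes, un-leet, try the reverse) and look the results up in a hashed word list. The last line shows the first tip in action: klingon!9f$Lm2qZ passes every check, yet on a system that keeps eight characters the stored password is effectively klingon!, whose core is a dictionary word.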

source: http://computing.wayne.edu/accessid/badpwd.php
