Internet & Network Security


  
  1. Overview
  2. Do and Don't of Managing Your Password
  3. Techniques for Generating "Good" Passwords





Overview
     
"Cyberspace, in its present condition, has a lot in common with the 19th Century West. It is vast, unmapped, culturally and legally ambiguous, verbally terse (unless you happen to be a court stenographer), hard to get around in, and up for grabs. Large institutions already claim to own the place, but most of the actual natives are solitary and independent, sometimes to the point of sociopathy. It is, of course, a perfect breeding ground for both outlaws and new ideas about liberty."
- John Perry Barlow, Crime and Puzzlement

I would love to tell you that the Internet is a safe place and that there is no reason for you to protect your password. Unfortunately, there are a LOT of people out there who would LOVE to break into your account and use your account as a base for operations. How prevalent is this? According to Mike Godwin, Chief Legal Counsel for the Electronic Frontier Foundation, it's "fairly common."

The main defense against people who want to break into your account - a.k.a. "hackers/crackers" - is your password. Keep your password secure, and you should never have anything to worry about. Give your password to others, or write your password down and put it near your computer, and ... well, you get the picture.





Do and Don't of Managing Your Password
     
There are some key points you need to remember to protect yourself and your account. If you take a close look at the following "dos and don'ts," they are basically flat-out good common sense. (However, we're living in an era when "good" common sense has become a rare commodity.)

Remember, "security" means preventive proactiveness, and you should never confuse it with "scooping aftermath."

NEVER give your password to *ANYONE*

The whole purpose of having a password in the first place is to ensure that *NO ONE* other than you can use your account.

NEVER write your password down

Especially never write your password anywhere near your computer.

NEVER let anyone look over your shoulder when you enter your password

"Shoulder surfing" is the most common way that accounts are hacked. Here's some common-sense password etiquette you may want to take a look at.

NEVER e-mail your password to anyone

This sounds obvious; however, you'd be really surprised to find out how many people completely disregard security when e-mailing. Remember, your e-mail is by nature an unencrypted text file that anyone can read if they can get hold of it.

DO change your password on a regular basis

There is no better way to thwart a would-be hacker/cracker than to change your password as often as possible. Your system administrator should be able to tell you your system's recommendation on how often you should change your password, but a good rule of thumb is to change it at least every three to six months. (I do agree with you that this is such a hassle, however.)

DON'T pick a password that is found in the dictionary

When you set your password, it is encrypted and stored in a file. It is really easy for a "hacker/cracker" to find your password by encrypting every word in the dictionary, and then looking for a match between the words in his encrypted dictionary and your encrypted password. If he finds a match, he has your password and can start using your account at will.

NEVER use your user id as your password

This is the easiest password to crack. Unbelievable as it sounds, quite a number of users are still doing it. If you're one of them, change your password right now!

DON'T choose a password that relates to you personally or that can easily be tied to you

Some good examples of BAD passwords are: your name, your wife/husband/sons/daughters' names, your relatives' names, your dogs/cats/pets' names, nicknames, birthdates, license plate numbers, social security numbers, work ID numbers, and telephone numbers. No, this is neither about dealing with an espionage case nor about getting "eternally" paranoid. It is just good common sense!

DON'T use passwords that are foreign words

The hacker can get a foreign dictionary, and ...

DO use a password that is at least . . .

eight characters long and that has a mix of letters and numbers. A password should never be shorter than six characters.

NEVER use the same password on different systems or accounts

Another common mistake that we all make. Think about why you're using a password in the first place.

ALWAYS be especially careful when you telnet or rlogin . . .

to access another computer over the Net. When you telnet or rlogin, your system sends your password in plain text over the Net. Some crackers have planted programs ("snoopers") on Internet gateways for the purpose of finding and stealing these passwords. If you have to telnet frequently, change your password just as frequently. If you only telnet occasionally, say, for a conference trip out of state or overseas, set up a new password (or even a new account) just for the trip. When you return, change that password (or close out that account).
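
The password-choice rules above (length, mix of letters and numbers, user id, dictionary and foreign words, personal details) can be checked mechanically when a password is set. The following is an added example, not part of the original page; the wordlist, the user "jsmith" and the personal details are constructed samples, and treating digits stuck on the end of a word as still being that word goes one step beyond what the page states.

```python
import re

# Constructed sample wordlist; a real check would load full English and
# foreign-language dictionaries from files.
SAMPLE_WORDS = {"password", "dragon", "sunshine", "bonjour", "schatz"}

MIN_LENGTH = 6          # the page's absolute minimum
RECOMMENDED_LENGTH = 8  # the page's recommended length


def _alnum(text):
    """Lower-case the text and drop everything except letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def check_password(password, user_id, personal_items=(), words=SAMPLE_WORDS):
    """Return the list of rules the password breaks (empty list = passes)."""
    problems = []
    lowered = password.lower()
    # Assumption beyond the page: digits or punctuation stuck on either end
    # ("dragon1") do not rescue a dictionary word or a user id.
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)

    if len(password) < MIN_LENGTH:
        problems.append("shorter than six characters")
    elif len(password) < RECOMMENDED_LENGTH:
        problems.append("shorter than the recommended eight characters")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"[0-9]", password)):
        problems.append("no mix of letters and numbers")
    if user_id.lower() in (lowered, core):
        problems.append("same as user id")
    if lowered in words or core in words:
        problems.append("dictionary word")
    # Names, birthdates, phone numbers: compare with separators removed.
    for item in personal_items:
        detail = _alnum(item)
        if len(detail) >= 3 and detail in _alnum(password):
            problems.append("contains a personal detail")
            break
    return problems


if __name__ == "__main__":
    # Constructed sample user: id "jsmith", pet "Rex", phone "555-0142".
    for candidate in ("jsmith", "Bonjour", "dragon1", "Rex5550142", "abfPwh9w"):
        print(candidate, check_password(candidate, "jsmith", ["Rex", "555-0142"]))
```
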

Techniques for Generating "Good" Passwords
     
Never trust anybody who says "Trust me." Except just this once, of course.
- John Varley

The best passwords - the ones that are the easiest for you to remember, and the ones that are the hardest for crackers to crack - are passwords that are like those fake words you used to create when you would cram for a test.

For example, to remember that "the Law of Demand is the inverse relationship between price and quantity demanded," I created the word tLoDitirbp&qd. No one could hack that as a password. Best of all, it is EASY to remember (well, it's easy for an Economist to remember).

Here are some examples of generating good passwords:

Sentence                                    Possible password
a big fat Pig would have 9 wings            abfPwh9w
In 1995 we had SNOW in Norfolk              I95whSiN
he got 12,000 dollars from lottery, NOT!    hg12KflN!

Sentences are easy to remember, and they make passwords that are nearly impossible to break (and please do NOT use these sample passwords as your own password).

If you notice weird things happening with your account:

  1. Change your password IMMEDIATELY!
  2. Let your system administrator know about it.

It is very common for someone whose account has been hacked to dismiss the signs as technical problems with the system.

If your account has been hacked AND you don't take any measures immediately, not only will the intruders have access to your personal files (they can delete all your files, modify important data, read your private correspondence, and send mail out in your name), but it very often puts the security of the entire system at risk.