Advanced Password Services (APS) Guide › About Password Security

About Password Security

Passwords are the earliest and most common security measure. Password cracking is the earliest and most common security hazard. The careless use and maintenance of passwords represents the greatest threat to the security of a network. Thus, it is very important that your users choose a password that is difficult for another user to determine.

This section contains the following topics:

Cracking Passwords

Keeping Passwords Safe

Cracking Passwords

A password is stored on the system in encrypted form. It has been run through an encryption algorithm. There should be no algorithm that will take a password in encrypted form and give back the original password, so that crackers can't find out a password just by asking the system. Instead, they use a program like "Crack" to breach password security. The Crack program works by taking strings of characters and encrypting them, then comparing the encrypted text against the password in encrypted form. If the two encrypted versions are the same, then the string of characters is the password.

It would take too long to simply try every possible combination of letters you could have as your password -- over 100,000 years on a reasonably fast machine. So Crack tries the most likely combinations. It starts with everything it can find out about you on the system, like your login name, your full name, your address, your social security number, etc. Trying all of these takes a few seconds.

Then it moves on to a huge dictionary containing words from all languages, place names, people names, names of characters in books, jargon, slang, and acronyms. It tries all of them as your password. This takes several minutes. After Crack is done with that, it tries variations on those words, such as:

• any word, written backwards
• any word, with a punctuation character at the end
• any word, with a punctuation character at the beginning
• any word, with a punctuation character in the 3rd character place
• any word, replacing all e's with 3's
• any word, capitalized
• any two words, put together with a number between them

It tries nearly every combination, and often successfully completes the task.

Keeping Passwords Safe

There are tricks to creating a good password that can't be easily determined yet can be remembered. System Administrators often set up strict password guidelines for their users. Here are some common DOs and DON'Ts:

DOs

• Use a password that contains non-alphabetic characters, e.g., digits or punctuation.
• Use a password that is easy to remember so that you do not have to write it down.
• Use a password that you can type quickly, without having to look at the keyboard. This makes it harder for someone to steal your password by looking over your shoulder.
• Change your password periodically.
• Change your password if you suspect that your account has been compromised.

DON'Ts

• Use your userid in any form (reversed, capitalized, doubled, and so on)
• Use your first, middle or last name in any form. Do not use your initials or any nicknames you may have.
• Use your spouse, significant other's, or child's name.
• Use a word contained in English, or foreign language dictionary.
• Use other information easily obtained about you. Examples include your telephone number, identification number, brand of your automobile, etc.
• Use a password of all numbers, or a password composed of the same character.
• Use a password shorter than seven characters.
• Write your password on desk blotters, calendars, or store it on-line.
• Reveal your password to anyone.

As a security precaution, many companies analyze their employees' passwords using the very same tools that attackers use. This is a good practice, but in most cases, the only way to ensure that password guidelines are followed is to have users change passwords through software that enforces the rules.