

About Password Security

Passwords are the earliest and most common security measure. Password cracking is the earliest and most common security hazard. The careless use and maintenance of passwords represents the greatest threat to the security of a network. Thus, it is very important that your users choose a password that is difficult for another user to determine.

This section contains the following topics:

Cracking Passwords

Keeping Passwords Safe

Cracking Passwords

A password is stored on the system in encrypted form: it has been run through a one-way encryption algorithm. There should be no algorithm that takes a password in encrypted form and gives back the original, so crackers cannot learn a password simply by asking the system. Instead, they use a program such as "Crack" to breach password security. Crack works by taking strings of characters and encrypting them, then comparing the result against the stored encrypted password. If the two encrypted versions match, that string of characters is the password.

It would take too long to simply try every possible combination of letters you could have as your password -- over 100,000 years on a reasonably fast machine. So Crack tries the most likely combinations first. It starts with everything it can find out about you on the system: your login name, your full name, your address, your social security number, and so on. Trying all of these takes a few seconds.

Then it moves on to a huge dictionary containing words from all languages, place names, people's names, names of characters in books, jargon, slang, and acronyms. It tries each of them as your password. This takes several minutes. After Crack is done with that, it tries variations on those words, such as:

It tries nearly every such combination, and it often succeeds.

Keeping Passwords Safe

There are techniques for creating a good password: one that cannot be easily determined yet can still be remembered. System Administrators often set up strict password guidelines for their users. Here are some common DOs and DON'Ts:

DOs

DON'Ts

As a security precaution, many companies analyze their employees' passwords using the very same tools that attackers use. This is a good practice, but in most cases, the only way to ensure that password guidelines are followed is to have users change passwords through software that enforces the rules.
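The following is an added example, not part of the original page or of any product it describes. It illustrates the self-audit described above using the same method as Crack described under "Cracking Passwords": each candidate string is run through the one-way algorithm and compared with the stored value, starting with account details and then a wordlist with variations. The hash format (salted SHA-256), the user records, and the wordlist are constructed assumptions for the demonstration, not a real system's data.

```python
import hashlib


def hash_password(password: str, salt: str) -> str:
    """One-way transform of a password. Assumed format for this example only."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed sample accounts: what a password file plus account records might hold.
USERS = {
    "jsmith": {"salt": "x7", "full_name": "John Smith", "hash": hash_password("Smith1", "x7")},
    "alee": {"salt": "q2", "full_name": "Anna Lee", "hash": hash_password("Tr0ub4dor&3", "q2")},
}

# Constructed stand-in for Crack's dictionary of common words.
WORDLIST = ["password", "welcome", "dragon", "sunshine"]


def variations(word: str):
    """The kinds of variation the text describes: case changes, reversal, digit suffix."""
    yield word
    yield word.lower()
    yield word.capitalize()
    yield word[::-1]
    for digit in "0123456789":
        yield word + digit


def candidates(login: str, user: dict):
    """Yield (category, guess) pairs, personal details first, then the wordlist."""
    for word in [login] + user["full_name"].split():
        for guess in variations(word):
            yield "personal-info", guess
    for word in WORDLIST:
        for guess in variations(word):
            yield "dictionary", guess


def audit(users: dict) -> dict:
    """Return {login: category} for accounts whose password a Crack-style pass would find.

    Only the category is reported, so the audit result itself does not leak passwords.
    """
    weak = {}
    for login, user in users.items():
        for category, guess in candidates(login, user):
            if hash_password(guess, user["salt"]) == user["hash"]:
                weak[login] = category
                break
    return weak
```

Accounts flagged as "personal-info" fall in the first few seconds of such a run, which is why guidelines forbid names and login-derived passwords before anything else.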