MyPa55w0rd
— Thomas Ng
Passwords... can't live with them, can't live without them. Many of us have many passwords, PINs, or secret phrases to secure our logins, online banking accounts or research documents from unauthorized access. That explains why we sometimes like to use short, simple, easily guessable passwords for ease of remembering them ☺
Be warned that there are many ways to get your passwords, and hackers out there love cracking them!
One age-old method is simply to guess personal information about the person: for example, his/her nickname, pet's name, birthday or car license plate number. This is normally done by repeatedly typing the user's information at the login prompt.
A more effective method is to deploy a dictionary attack, where a utility tool — at speeds ranging from tens to thousands of attempts per second — automatically tries every word from a list until a match is found. The list and tool are both easily downloadable from the Internet and require minimal configuration from the attacker.
What makes it worse is that Internet worms, such as the Gaobot worm, which has more than a thousand variants, use a limited dictionary list as one of their attack vectors.
What does this mean to you? Simple! Avoid using dictionary words, and don't simply append or prepend numbers to them, e.g. “password123”, “Ann2009”, “carno2853” or “Bday310860”, as these still closely resemble a meaningful word. That’s how a dictionary list is built: from combinations of possible words. A good password cracking tool also gives the attacker the option to tweak each word a little, creating more combinations to test for a match. That’s how wicked it can be!
So, what is considered a good and strong password? Must it be a long string of garbage? Not really. Look at the text “MyPa55w0rd.Edu”. It is 14 characters long, which is sufficiently long but not so long that it breaks your standard application. It has a mix of upper- and lower-case letters, digits and special characters, and it doesn’t really look very cryptic. Some would probably remember it before they finish reading this article, but some would dread using this format for sure. Don’t want to be sorry later? The choice is yours.
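As an added example (not part of the original article), the advice above written up as a small Python policy checker: it applies the length and character-mix rules, then undoes the cheap disguises that a cracking tool's "tweak each word" rules reverse (case, leading/trailing digits, a few leet substitutions) before comparing against a constructed mini wordlist. The wordlist, the 12-character minimum and the substitution table are assumptions for illustration.

```python
import re
import string
from typing import List

# Constructed mini wordlist standing in for a downloadable dictionary file (assumption).
WORDLIST = {"password", "ann", "carno", "bday", "welcome", "letmein"}

# A few of the substitutions cracking tools typically try per word (assumed set).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

MIN_LENGTH = 12  # assumed threshold; the article calls 14 characters "sufficiently long"


def dictionary_core(password: str) -> str:
    """Strip the cheap disguises and return the word a cracker would actually match on."""
    core = password.lower()
    core = re.sub(r"^\d+|\d+$", "", core)           # "password123" -> "password"
    core = core.translate(LEET)                      # "pa55w0rd"    -> "password"
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", core)   # "password!"   -> "password"


def check_password(password: str) -> List[str]:
    """Return the list of policy failures; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "upper-case letter": any(c.isupper() for c in password),
        "lower-case letter": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special character": any(c in string.punctuation for c in password),
    }
    for name, present in classes.items():
        if not present:
            problems.append(f"no {name}")
    core = dictionary_core(password)
    if core in WORDLIST:
        problems.append(f"dictionary word '{core}' with trivial changes")
    return problems


if __name__ == "__main__":
    # The article's bad examples are all rejected; its good example passes.
    for candidate in ["password123", "Ann2009", "carno2853", "Bday310860", "MyPa55w0rd.Edu"]:
        verdict = check_password(candidate)
        print(f"{candidate:16} -> {'OK' if not verdict else '; '.join(verdict)}")
```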
For System Administrators and the like, you may Google for 'password audit tools' to get some free tools to test against accounts on your systems. Whatever tools you chance upon, beware that they may be malware in disguise themselves. Finally, do use this knowledge responsibly.
I hope this article has given you an idea of the dangers of using weak passwords. Within the next few months, Computer Centre will be implementing a Stronger Password Policy which requires the use of upper- or lower-case letters, alphanumeric and special characters in the password. We will broadcast the details once it is ready.