SlideShare a Scribd company logo

PASSWORD BEST PRACTICES

Razorpoint Security
Razorpoint Security

The document provides guidelines for creating strong passwords to protect networks and data. It recommends passwords be at least 8 characters long, using a mix of uppercase and lowercase letters, numbers, and punctuation. Passwords should not use personal information, common words, or be written down where others can see. The guidelines emphasize changing passwords regularly to reduce the risk of hacking.

Technology
1 of 4
Download to read offline
Author: Razorpoint Security Team Version: 1.5 Date of current version: 2006-05/01 Date of original version: 2001-04/04 Copyright © 2001-2006 Razorpoint Security Technologies, Inc. All Rights Reserved. Password Best Practices ™ [ WHITE PAPER ]
Password Best Practices One of the most overlooked areas of network security is the use of “good” passwords. Extreme care should be taken in choosing your password. If your password is easy to guess, someone may be able to access or steal your data, your money, or your identity. To protect your data, your network, and yourself to some degree, you must select good passwords and secure them carefully. Users are responsible for assisting in the protection of the systems they use. As an Internet security measure, computer and network passwords should be changed regularly. Additionally, the use of different passwords for different systems is recommended so that if an intruder cracks one password and gets into one computer, that same password won’t automatically allow access to other systems. Choosing good passwords can be thought of as more art than science. Criminal hackers (a.k.a. Crackers) have tools that can break any password (or modified facsimile) found in a dictionary. Password guessing and dictionary attacks (cracking) are common ways of gaining unauthorized entry into networks, and even the best passwords can eventually be defeated mathematically, given enough time. The use of good passwords acts as a deterrent against password guessing and cracking attacks, and can make “brute force” attacks (see The Razorpoint Security Glossary) less successful. The following guidelines outline best practices when choosing, maintaining, and protecting your passwords: DO make sure your password is at least 8 characters long. DO use a password with mixed-case letters, numeric characters and punctuation (where supported by the operating system). Do not just capitalize the first letter, or add a number at the end. The more complex a password, the longer it will take to crack. DO use a password that can be typed quickly, without having to look at the keyboard. This makes it harder for someone to steal your password by looking at your fingers while you type. This is known as “shoulder surfing.” (see The Razorpoint Security Glossary) DO change passwords regularly. The more critical an account to network integrity (such as root on a Unix host or Administrator on Windows), the more frequently the password should be changed. This makes your password a “moving target” and makes cracking and brute force attacks less effective. Regular password changes can also stop continued access of an already compromised account. Change passwords at least every six months. DO try one of the following methods for password selection: Option 1: Explore using two words separated by a number or punctuation, like “Pro%F0otball” or “l|0n&dog” Option 2: Take a word and change the case on some of the letters. Then, either insert a letter or punctuation, or replace some letters with numbers or punctuation (but avoid common substitutions like a->4, I->1). Even better, use a combination of insert/replace: (Example: bomber -> b0mBer -> b0m&Ber -> %0m&Ber) Option 3: This may be the best option for creating a complex password without having to remember it. Start by choosing an area of the keyboard to use for your password. Next, decide on a pattern for the password. For example, take the upper-left quadrant of the keyboard and create two lines using 2ws3ed3e or, better yet, combine that sequence which shift characters to get 2ws#ED3e. With this method, you don’t have to memorize any passwords, you simply have to remember where the pattern starts on a keyboard. (note: It is a bad idea to use these exact examples as your password). ;^) DO NOT use the word “password” as your password, in any form (reversed, capitalized, or doubled). This is not a joke, people actually do this. DO NOT use a network login ID in any form (reversed, capitalized, or doubled) as a password. DO NOT use common names of people or places as a password. DO NOT use keys in a natural progression, like “QWERTY”, or “1234”, or “abcabc”, or “........” ™ May 1, 2006 Password Best Practices v1.5 Page 1 of 3 31 east 32nd street, sixth floor | new york city, new york 10016-5509 usa | tel: 212.744.6900 | fax: 212.744.6344 | www.razorpointsecurity.com | security@razorpointsecurity.com Copyright © 2001-2006 Razorpoint Security Technologies, Inc. All Rights Reserved.
DO NOT use a word (forward or reversed) contained in English or foreign dictionaries, spelling lists, or other word lists. These types of passwords are among the easiest to crack. On a moderately fast computer, it is possible to crack a dictionary word-based password in seconds. It is important to remember that generally a computer is doing the guessing, not a human. A computer can be programmed to search through any list of words and try any algorithmic variation. The ways in which users choose passwords are well known to the authors of password cracking programs. DO NOT use words that are acronyms, technology terms, geographical locations or product names (dictionaries for these exist, too). DO NOT use a password of all numbers or alphabetic characters. Mix numbers, letters and punctuation (where supported by the operating system). DO NOT use a password that is simply a word either preceded or followed (or both) by a non-alphabetical character. DO NOT use passwords that match a dictionary word with common “number-for-letter” substitutions. (Examples: a->2, a->4, b->8, e->3, h->4, I->1, l->1, o->0, s->$, s->2, s->5, z->5, etc. as in: airplane -> 4irpl4ne -> 41rpl4ne -> 41rpl4n3) DO NOT use passwords that are words with vowels deleted, or are made lowercase then reflected. (Example: mechanic -> mchnc, or Super -> superrepus). DO NOT use information easily obtained about you. This includes your first, middle or last name in any form, your initials or any nicknames you may have, spouse or children’s names or birth dates, pet names, license plate numbers, telephone numbers, ID numbers, the brand of your automobile (or the one you wish you had), the name of the street you live on, and so on. Such passwords are very easily guessed by someone who knows the user. DO NOT – repeat – DO NOT write passwords on sticky notes, desk blotters, calendars, or store it under your keyboard, under your phone, or online where it can be accessed by others. This is one of the most frequent ways unscrupulous users gain unauthorized access to computer systems. DO NOT use passwords that are so complicated they have to be written down. See above. DO NOT use passwords that you have used in the past. DO NOT share passwords except in true emergency circumstances or when there is an overriding operational necessity. Be sure to change your password immediately after sharing. In an emergency situation, be absolutely certain to whom you are giving your password, and how it will be used. Getting someone to reveal a password by deceit or lying is called “Social Engineering” (see The Razorpoint Security Glossary) and can be very effective in gaining unauthorized access to computer systems. Under normal circumstances a password should never be shared, but if it is, change it immediately after usage. Password Examples Bad Passwords Description Good Passwords Description mypassword Two dictionary words together. T*x4$M8n 8 characters, uses numbers, punctuation, and upper and lower case letters. 1234567 Repeating sequence. j@T”Pl4Ne Two words, separated by punctuation, using upper and lower case letters, and numeric substitution. abcabc Repeating sequence. M0ca5V@ca8 Two nonsense words, upper and lowercase letters, and punctuation. h311o Less than 8 characters, and based on a dictionary word with common letter/number substitutions. 5tg^YH%TG Simple pattern that doesn’t require memorization. Not based on a dictionary work, uses upper and lower case letters, and punctuation. test1234 Very common test or default password. *RUF8ruf Another pattern with appropriate characters. admin Very common default password. gandalf1 Based on the name of a popular character. john4 Based on the user’s name, too short, no upper case or punctuation. ydnic Still a proper name (even though it’s backwards), too short, no upper case, numbers, or punctuation. PORSCHE911 Proper name, in the dictionary, no lower case, or punctuation. Pepsi21 Product name with numbers at the end. May 1, 2006 Password Best Practices v1.5 Page 2 of 3 31 east 32nd street, sixth floor | new york city, new york 10016-5509 usa | tel: 212.744.6900 | fax: 212.744.6344 | www.razorpointsecurity.com | security@razorpointsecurity.com Copyright © 2001-2006 Razorpoint Security Technologies, Inc. All Rights Reserved.
Other Password Factoids: It is important to tailor your password to your system: • Most UNIX systems will only use the first eight characters of a password. Check your particular operating system. • Oracle applications such as LETS only allow $, _, and # as special characters. • UNIX passwords are case sensitive, so “password” is not the same as “PASSWORD”. Conversely, VMS passwords are not case sensitive, so “password” and “PASSWORD” are the same. • Use Secure Shell (SSH) (see: www.openssh.org) to avoid sending your password over a network as clear text. SSH encrypts username and password information before sending it over a network. Anytime you type your password to log in to another computer using telnet, ftp, rlogin, etc., your password can be stolen. Crackers can break into networks and steal your password using tools that “listen” for passwords. • If you suspect your password has been stolen, cracked or compromised in any way, change it immediately. For more information on appropriate password use and Internet security, please contact Razorpoint Security Technologies, Inc. at (www.razorpointsecurity.com). May 1, 2006 Password Best Practices v1.5 Page 3 of 3 31 east 32nd street, sixth floor | new york city, new york 10016-5509 usa | tel: 212.744.6900 | fax: 212.744.6344 | www.razorpointsecurity.com | security@razorpointsecurity.com Copyright © 2001-2006 Razorpoint Security Technologies, Inc. All Rights Reserved.

Recommended

ETHICAL HACKING
ETHICAL HACKINGETHICAL HACKING
ETHICAL HACKING
NAWAZ KHAN
 
Password hacking
Password hackingPassword hacking
Password hacking
Mr. FM
 
Password hacking
Password hackingPassword hacking
Password hacking
Abhay pal
 
Password cracking and brute force tools
Password cracking and brute force toolsPassword cracking and brute force tools
Password cracking and brute force tools
zeus7856
 
Password management for you
Password management for youPassword management for you
Password management for you
Chit Ko Ko Win
 
Linguistic Passphrase Cracking
Linguistic Passphrase CrackingLinguistic Passphrase Cracking
Linguistic Passphrase Cracking
Priyanka Aash
 
10 KEYS TO EFFECTIVE NETWORK SECURITY
10 KEYS TO EFFECTIVE NETWORK SECURITY10 KEYS TO EFFECTIVE NETWORK SECURITY
10 KEYS TO EFFECTIVE NETWORK SECURITY
Razorpoint Security
 
Password Strength Policy Query
Password Strength Policy QueryPassword Strength Policy Query
Password Strength Policy Query
Gloria Stoilova
 

Recommended

ETHICAL HACKING
ETHICAL HACKINGETHICAL HACKING
ETHICAL HACKING
NAWAZ KHAN
 
Password hacking
Password hackingPassword hacking
Password hacking
Mr. FM
 
Password hacking
Password hackingPassword hacking
Password hacking
Abhay pal
 
Password cracking and brute force tools
Password cracking and brute force toolsPassword cracking and brute force tools
Password cracking and brute force tools
zeus7856
 
Password management for you
Password management for youPassword management for you
Password management for you
Chit Ko Ko Win
 
Linguistic Passphrase Cracking
Linguistic Passphrase CrackingLinguistic Passphrase Cracking
Linguistic Passphrase Cracking
Priyanka Aash
 
10 KEYS TO EFFECTIVE NETWORK SECURITY
10 KEYS TO EFFECTIVE NETWORK SECURITY10 KEYS TO EFFECTIVE NETWORK SECURITY
10 KEYS TO EFFECTIVE NETWORK SECURITY
Razorpoint Security
 
Password Strength Policy Query
Password Strength Policy QueryPassword Strength Policy Query
Password Strength Policy Query
Gloria Stoilova
 
Improving Password Based Security
Improving Password Based SecurityImproving Password Based Security
Improving Password Based Security
Rare Input
 
Password Cracking
Password CrackingPassword Cracking
Password Cracking
Hajer alriyami
 
How to choose a password that’s hard to crack
How to choose a password that’s hard to crackHow to choose a password that’s hard to crack
How to choose a password that’s hard to crack
Klaus Drosch
 
8 passwordsecurity
8 passwordsecurity8 passwordsecurity
8 passwordsecurity
richarddxd
 
The strategies of password
The strategies of passwordThe strategies of password
The strategies of password
Alimasmali3
 
Password management
Password managementPassword management
Password management
Wilmington University
 
Computer Privacy:Passwords-Mike B.
Computer Privacy:Passwords-Mike B.Computer Privacy:Passwords-Mike B.
Computer Privacy:Passwords-Mike B.
Mike Barker
 
Password craking techniques
Password craking techniques Password craking techniques
Password craking techniques
أحلام انصارى
 
Level 3 lsr tech solutions password
Level 3 lsr tech solutions passwordLevel 3 lsr tech solutions password
Level 3 lsr tech solutions password
joeblow1234
 
5 tips for an unbreakable password
5 tips for an unbreakable password5 tips for an unbreakable password
5 tips for an unbreakable password
SafeSpaceOnline
 
Staying Safe and Secure with Passwords
Staying Safe and Secure with PasswordsStaying Safe and Secure with Passwords
Staying Safe and Secure with Passwords
ahyaimie
 
Why is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewWhy is password protection a fallacy a point of view
Why is password protection a fallacy a point of view
STO STRATEGY
 
Password cracking and brute force
Password cracking and brute forcePassword cracking and brute force
Password cracking and brute force
vishalgohel12195
 
Password management
Password managementPassword management
Password management
Karen F
 
Securing password
Securing passwordSecuring password
Securing password
splendorcollege
 
The strategies of password
The strategies of passwordThe strategies of password
The strategies of password
MohammedAlhamoodi
 
1636
16361636
1636
cvq
 
Protect Your Business With Web Security
Protect Your Business With Web SecurityProtect Your Business With Web Security
Protect Your Business With Web Security
Harrison Kenyon Marketing
 
Why is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewWhy is password protection a fallacy a point of view
Why is password protection a fallacy a point of view
Yury Chemerkin
 
Password Storage Explained
Password Storage ExplainedPassword Storage Explained
Password Storage Explained
jeetendra mandal
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
UiPathCommunity
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 

More Related Content

Similar to PASSWORD BEST PRACTICES

8 passwordsecurity
8 passwordsecurity8 passwordsecurity
8 passwordsecurity
richarddxd
 
Level 3 lsr tech solutions password
Level 3 lsr tech solutions passwordLevel 3 lsr tech solutions password
Level 3 lsr tech solutions password
joeblow1234
 
Why is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewWhy is password protection a fallacy a point of view
Why is password protection a fallacy a point of view
STO STRATEGY
 

Similar to PASSWORD BEST PRACTICES (20)

Improving Password Based Security
Improving Password Based SecurityImproving Password Based Security
Improving Password Based Security
 
Password Cracking
Password CrackingPassword Cracking
Password Cracking
 
How to choose a password that’s hard to crack
How to choose a password that’s hard to crackHow to choose a password that’s hard to crack
How to choose a password that’s hard to crack
 
8 passwordsecurity
8 passwordsecurity8 passwordsecurity
8 passwordsecurity
 
The strategies of password
The strategies of passwordThe strategies of password
The strategies of password
 
Password management
Password managementPassword management
Password management
 
Computer Privacy:Passwords-Mike B.
Computer Privacy:Passwords-Mike B.Computer Privacy:Passwords-Mike B.
Computer Privacy:Passwords-Mike B.
 
Password craking techniques
Password craking techniques Password craking techniques
Password craking techniques
 
Level 3 lsr tech solutions password
Level 3 lsr tech solutions passwordLevel 3 lsr tech solutions password
Level 3 lsr tech solutions password
 
5 tips for an unbreakable password
5 tips for an unbreakable password5 tips for an unbreakable password
5 tips for an unbreakable password
 
Staying Safe and Secure with Passwords
Staying Safe and Secure with PasswordsStaying Safe and Secure with Passwords
Staying Safe and Secure with Passwords
 
Why is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewWhy is password protection a fallacy a point of view
Why is password protection a fallacy a point of view
 
Password cracking and brute force
Password cracking and brute forcePassword cracking and brute force
Password cracking and brute force
 
Password management
Password managementPassword management
Password management
 
Securing password
Securing passwordSecuring password
Securing password
 
The strategies of password
The strategies of passwordThe strategies of password
The strategies of password
 
1636
16361636
1636
 
Protect Your Business With Web Security
Protect Your Business With Web SecurityProtect Your Business With Web Security
Protect Your Business With Web Security
 
Why is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewWhy is password protection a fallacy a point of view
Why is password protection a fallacy a point of view
 
Password Storage Explained
Password Storage ExplainedPassword Storage Explained
Password Storage Explained
 

Recently uploaded

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
UiPathCommunity
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Orbitshub
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Angeliki Cooney
 

Recently uploaded (20)

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 

PASSWORD BEST PRACTICES

  • 1. Author: Razorpoint Security Team Version: 1.5 Date of current version: 2006-05/01 Date of original version: 2001-04/04 Copyright © 2001-2006 Razorpoint Security Technologies, Inc. All Rights Reserved. Password Best Practices ™ [ WHITE PAPER ]
  • 2. Password Best Practices One of the most overlooked areas of network security is the use of “good” passwords. Extreme care should be taken in choosing your password. If your password is easy to guess, someone may be able to access or steal your data, your money, or your identity. To protect your data, your network, and yourself to some degree, you must select good passwords and secure them carefully. Users are responsible for assisting in the protection of the systems they use. As an Internet security measure, computer and network passwords should be changed regularly. Additionally, the use of different passwords for different systems is recommended so that if an intruder cracks one password and gets into one computer, that same password won’t automatically allow access to other systems. Choosing good passwords can be thought of as more art than science. Criminal hackers (a.k.a. Crackers) have tools that can break any password (or modified facsimile) found in a dictionary. Password guessing and dictionary attacks (cracking) are common ways of gaining unauthorized entry into networks, and even the best passwords can eventually be defeated mathematically, given enough time. The use of good passwords acts as a deterrent against password guessing and cracking attacks, and can make “brute force” attacks (see The Razorpoint Security Glossary) less successful. The following guidelines outline best practices when choosing, maintaining, and protecting your passwords: DO make sure your password is at least 8 characters long. DO use a password with mixed-case letters, numeric characters and punctuation (where supported by the operating system). Do not just capitalize the first letter, or add a number at the end. The more complex a password, the longer it will take to crack. DO use a password that can be typed quickly, without having to look at the keyboard. This makes it harder for someone to steal your password by looking at your fingers while you type. This is known as “shoulder surfing.” (see The Razorpoint Security Glossary) DO change passwords regularly. The more critical an account to network integrity (such as root on a Unix host or Administrator on Windows), the more frequently the password should be changed. This makes your password a “moving target” and makes cracking and brute force attacks less effective. Regular password changes can also stop continued access of an already compromised account. Change passwords at least every six months. DO try one of the following methods for password selection: Option 1: Explore using two words separated by a number or punctuation, like “Pro%F0otball” or “l|0n&dog” Option 2: Take a word and change the case on some of the letters. Then, either insert a letter or punctuation, or replace some letters with numbers or punctuation (but avoid common substitutions like a->4, I->1). Even better, use a combination of insert/replace: (Example: bomber -> b0mBer -> b0m&Ber -> %0m&Ber) Option 3: This may be the best option for creating a complex password without having to remember it. Start by choosing an area of the keyboard to use for your password. Next, decide on a pattern for the password. For example, take the upper-left quadrant of the keyboard and create two lines using 2ws3ed3e or, better yet, combine that sequence which shift characters to get 2ws#ED3e. With this method, you don’t have to memorize any passwords, you simply have to remember where the pattern starts on a keyboard. (note: It is a bad idea to use these exact examples as your password). ;^) DO NOT use the word “password” as your password, in any form (reversed, capitalized, or doubled). This is not a joke, people actually do this. DO NOT use a network login ID in any form (reversed, capitalized, or doubled) as a password. DO NOT use common names of people or places as a password. DO NOT use keys in a natural progression, like “QWERTY”, or “1234”, or “abcabc”, or “........” ™ May 1, 2006 Password Best Practices v1.5 Page 1 of 3 31 east 32nd street, sixth floor | new york city, new york 10016-5509 usa | tel: 212.744.6900 | fax: 212.744.6344 | www.razorpointsecurity.com | security@razorpointsecurity.com Copyright © 2001-2006 Razorpoint Security Technologies, Inc. All Rights Reserved.
  • 3. DO NOT use a word (forward or reversed) contained in English or foreign dictionaries, spelling lists, or other word lists. These types of passwords are among the easiest to crack. On a moderately fast computer, it is possible to crack a dictionary word-based password in seconds. It is important to remember that generally a computer is doing the guessing, not a human. A computer can be programmed to search through any list of words and try any algorithmic variation. The ways in which users choose passwords are well known to the authors of password cracking programs. DO NOT use words that are acronyms, technology terms, geographical locations or product names (dictionaries for these exist, too). DO NOT use a password of all numbers or alphabetic characters. Mix numbers, letters and punctuation (where supported by the operating system). DO NOT use a password that is simply a word either preceded or followed (or both) by a non-alphabetical character. DO NOT use passwords that match a dictionary word with common “number-for-letter” substitutions. (Examples: a->2, a->4, b->8, e->3, h->4, I->1, l->1, o->0, s->$, s->2, s->5, z->5, etc. as in: airplane -> 4irpl4ne -> 41rpl4ne -> 41rpl4n3) DO NOT use passwords that are words with vowels deleted, or are made lowercase then reflected. (Example: mechanic -> mchnc, or Super -> superrepus). DO NOT use information easily obtained about you. This includes your first, middle or last name in any form, your initials or any nicknames you may have, spouse or children’s names or birth dates, pet names, license plate numbers, telephone numbers, ID numbers, the brand of your automobile (or the one you wish you had), the name of the street you live on, and so on. Such passwords are very easily guessed by someone who knows the user. DO NOT – repeat – DO NOT write passwords on sticky notes, desk blotters, calendars, or store it under your keyboard, under your phone, or online where it can be accessed by others. This is one of the most frequent ways unscrupulous users gain unauthorized access to computer systems. DO NOT use passwords that are so complicated they have to be written down. See above. DO NOT use passwords that you have used in the past. DO NOT share passwords except in true emergency circumstances or when there is an overriding operational necessity. Be sure to change your password immediately after sharing. In an emergency situation, be absolutely certain to whom you are giving your password, and how it will be used. Getting someone to reveal a password by deceit or lying is called “Social Engineering” (see The Razorpoint Security Glossary) and can be very effective in gaining unauthorized access to computer systems. Under normal circumstances a password should never be shared, but if it is, change it immediately after usage. Password Examples Bad Passwords Description Good Passwords Description mypassword Two dictionary words together. T*x4$M8n 8 characters, uses numbers, punctuation, and upper and lower case letters. 1234567 Repeating sequence. j@T”Pl4Ne Two words, separated by punctuation, using upper and lower case letters, and numeric substitution. abcabc Repeating sequence. M0ca5V@ca8 Two nonsense words, upper and lowercase letters, and punctuation. h311o Less than 8 characters, and based on a dictionary word with common letter/number substitutions. 5tg^YH%TG Simple pattern that doesn’t require memorization. Not based on a dictionary work, uses upper and lower case letters, and punctuation. test1234 Very common test or default password. *RUF8ruf Another pattern with appropriate characters. admin Very common default password. gandalf1 Based on the name of a popular character. john4 Based on the user’s name, too short, no upper case or punctuation. ydnic Still a proper name (even though it’s backwards), too short, no upper case, numbers, or punctuation. PORSCHE911 Proper name, in the dictionary, no lower case, or punctuation. Pepsi21 Product name with numbers at the end. May 1, 2006 Password Best Practices v1.5 Page 2 of 3 31 east 32nd street, sixth floor | new york city, new york 10016-5509 usa | tel: 212.744.6900 | fax: 212.744.6344 | www.razorpointsecurity.com | security@razorpointsecurity.com Copyright © 2001-2006 Razorpoint Security Technologies, Inc. All Rights Reserved.
  • 4. Other Password Factoids: It is important to tailor your password to your system: • Most UNIX systems will only use the first eight characters of a password. Check your particular operating system. • Oracle applications such as LETS only allow $, _, and # as special characters. • UNIX passwords are case sensitive, so “password” is not the same as “PASSWORD”. Conversely, VMS passwords are not case sensitive, so “password” and “PASSWORD” are the same. • Use Secure Shell (SSH) (see: www.openssh.org) to avoid sending your password over a network as clear text. SSH encrypts username and password information before sending it over a network. Anytime you type your password to log in to another computer using telnet, ftp, rlogin, etc., your password can be stolen. Crackers can break into networks and steal your password using tools that “listen” for passwords. • If you suspect your password has been stolen, cracked or compromised in any way, change it immediately. For more information on appropriate password use and Internet security, please contact Razorpoint Security Technologies, Inc. at (www.razorpointsecurity.com). May 1, 2006 Password Best Practices v1.5 Page 3 of 3 31 east 32nd street, sixth floor | new york city, new york 10016-5509 usa | tel: 212.744.6900 | fax: 212.744.6344 | www.razorpointsecurity.com | security@razorpointsecurity.com Copyright © 2001-2006 Razorpoint Security Technologies, Inc. All Rights Reserved.