August 29, 2007

Is Your Information Safe From Intruders? The Do’s and Don’ts of Password Security

It might feel like a pain to change a password you have memorized; however, that inconvenience is small compared with the cost of a compromised system, and systems get compromised by unsophisticated password attacks as well as by sophisticated ones.

Although most people are not fond of being accountable for system security, every user of information resources is responsible for helping to protect the systems they use.

Many intruders enter systems simply by guessing passwords. Even the best passwords can eventually be defeated mathematically, given enough time. The use of strong passwords acts as a firm deterrent against password guessing and buys additional time against other attacks.

DO use a password with mixed-case letters. Do not just capitalize the first letter; add uppercase letters throughout the password.
DO use a password that contains both letters and numbers, and include punctuation where the operating system supports it.
DO use at least six characters, or eight characters on Windows NT.
DO use a seemingly random selection of letters and numbers.
DO use a password that can be typed quickly, without having to look at the keyboard. This makes it harder for someone to steal your password by watching you type (also known as "shoulder surfing").
DO change passwords regularly. The more critical an account is to network integrity (such as root on a Unix host or Administrator on Windows NT), the more frequently its password should be changed. Changing the password cuts off continued access for someone who has already compromised the account.

DO NOT use your network login ID in any form (reversed, capitalized, or doubled) as a password.
DO NOT use your first, middle or last name, or anyone else’s, in any form. Do not use your initials or any nicknames, yours or anyone else’s.
DO NOT use a word contained in English or foreign dictionaries, spelling lists, or other word lists and abbreviations.
DO NOT use other information easily obtained about you, such as pet names, license plate numbers, telephone numbers, identification numbers, or the name of the street you live on. Anyone who knows you can guess such passwords easily.
DO NOT use a password made up entirely of numbers or entirely of letters; mix numbers and letters.
DO NOT use dates, e.g., September, SEPT1999, or any combination thereof.
DO NOT use keyboard sequences, e.g., qwerty.
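The rules above can be enforced at password-change time rather than left to memory. The checker below is an added example, not code from the original article; it implements the article's rules (length, mixed case, letters plus digits, login ID in plain or reversed form, dictionary words, months and years, personal information, keyboard sequences) and uses a small constructed word list in place of the full dictionaries the article refers to.

```python
import re

# Constructed stand-ins for the dictionaries and word lists the article names;
# a real deployment would load complete word lists here.
DICTIONARY = {"password", "welcome", "summer", "dragon", "letmein", "monkey"}
MONTHS = {"january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december",
          "jan", "feb", "mar", "apr", "jun", "jul", "aug", "sep", "sept",
          "oct", "nov", "dec"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def has_keyboard_sequence(pw, length=4):
    """True if pw contains `length` adjacent keys from one keyboard row, in either direction."""
    p = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - length + 1):
            seg = row[i:i + length]
            if seg in p or seg[::-1] in p:
                return True
    return False


def check_password(pw, login, personal_info=(), min_length=8):
    """Return the list of article rules that pw breaks; an empty list means it passes.

    min_length defaults to the eight characters the article asks for on Windows NT;
    pass 6 for the general minimum it states.
    """
    problems = []
    low = pw.lower()
    letters = re.sub(r"[^a-z]", "", low)  # alphabetic core, so "Dragon99" still hits the dictionary
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("not mixed case")
    if not (any(c.isdigit() for c in pw) and any(c.isalpha() for c in pw)):
        problems.append("does not mix letters and digits")
    if login and (login.lower() in low or login.lower()[::-1] in low):
        problems.append("contains login ID (plain, reversed, capitalized or doubled)")
    if letters in DICTIONARY:
        problems.append("dictionary word")
    if letters in MONTHS or re.search(r"(19|20)\d\d", pw):
        problems.append("month or year")
    for item in personal_info:
        if item and item.lower() in low:
            problems.append(f"contains personal information ({item})")
    if has_keyboard_sequence(pw):
        problems.append("keyboard sequence")
    return problems
```

Run it against a candidate password with the user's login ID and any known personal details (pet names, street, plate number) and refuse the change if the returned list is non-empty.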