A Guide to Passwords and Password Security
What is a password, exactly?
A password is a string of characters you give to verify that you're you when you log in to a computer system. On most systems, a password is between 6 and 8 characters long. You can use upper-case and lower-case letters, numbers, and symbols in your password. One caveat: don't use the at sign (@) or the hash sign (#) in your password. These two characters have special meanings on some UNIX systems.
What is password security?
Password security mainly consists of 5 things:
- Don't tell anyone your password.
- Don't write your password down anywhere.
- When you decide on a password, make sure it can't be guessed.
- If you think there's even a chance someone else might know your password, change it.
- Make sure no one is standing near you when you enter your password.
Why is password security important?
There are people out there (henceforth known as Evil Crackers) who will attempt to find out, or crack, your password. Once they get your password, they can do awful things to any information stored in your account. Even worse, they may be able to do awful things to the accounts of other people on the system, or even break into systems across the world from ours. So the argument, "I don't need a good password, I don't have anything in my account, anyway" doesn't work. System security is everyone's responsibility.
Why can't I tell anyone my password?
Because you don't know where the information will go after it leaves your lips. Even if you only tell one other person, they could tell one other person, and so on, until your password is in the hands of an Evil Cracker. Besides, why do you want to tell someone your password, anyway? On most UNIX systems you're not supposed to share your account with someone else. So there would be no legitimate reason for them to use your password.
Why can't I write down my password?
Again, because you don't know where the information will go after it leaves your brain. A password written on a piece of paper is simply too easy to lose. And someone might be watching the next time you take out that piece of paper to log in. Better to just remember it.
How can I tell if my password can be guessed?
First, you have to know how Evil Crackers guess passwords.
Your password is stored on the system in encrypted form: it has been run through a one-way mathematical algorithm. There is no algorithm that will take a password in encrypted form and give back the original password, so not even the sysadmin knows your password, and Evil Crackers can't find out your password just by asking the system.
Instead, they use a program called Crack to breach password security. The Crack program works by taking strings of characters and encrypting them, then comparing the encrypted text against your password in encrypted form. If the two encrypted versions are the same, then the string of characters is your password.
It would take way too long to simply try every combination of letters you could have as your password -- over 100,000 years on a reasonably fast machine. So Crack tries the most likely combinations. First, it starts with everything it can find out about you on the system, like your login name, your full name, your address, your social security number, etc. Trying all of these takes a few seconds.
Then it moves on to a huge "dictionary" containing words from all languages, place names, people's names, names of characters in books, jargon, slang, and acronyms. It tries all of them as your password. This takes several minutes. After Crack is done with that, it tries variations on those words, such as:
- any word, written backwards
- any word, with a punctuation character at the end
- any word, with a punctuation character at the beginning
- any word, with a punctuation character in the 3rd character place
- any word, replacing all t's with 3's
- any word, capitalized
- any two words, put together with a number between them
and so on. It tries every combination you can imagine. So since you don't want Evil Crackers to crack your password, never use any password based on a word.
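To make the guessing strategy above concrete, here is an added example (not the Crack program, and not code from the original guide) of a proactive checker you can run against a password you are thinking of choosing. It follows the same two stages the text describes: first everything known about the account, then dictionary words and the listed variations, each guess being encrypted and compared against the stored encrypted form. SHA-256 stands in for the system's own password encryption scheme, and the wordlist and account details are constructed sample data; both are assumptions for demonstration only.

```python
"""Proactive password checker modelled on the guessing stages described above.
Added example, not the Crack program. SHA-256 is an assumed stand-in for the
system's one-way password encryption."""
import hashlib
import string

# Constructed sample data. A real dictionary has hundreds of thousands of entries;
# a real audit would pull the account details from the system itself.
SAMPLE_WORDLIST = ["mice", "blind", "secret", "dragon", "three"]
SAMPLE_USER_INFO = {"login": "jdoe", "full_name": "Jane Doe", "phone": "5551234"}

PUNCTUATION = "!.,;:?-_"


def encrypt(password: str) -> str:
    # One-way: the stored value can only be checked by re-encrypting a guess
    # and comparing, never by turning the stored value back into the password.
    return hashlib.sha256(password.encode()).hexdigest()


def personal_guesses(info):
    # Stage one: everything the system knows about the user.
    for value in info.values():
        yield value
        yield value.lower()
        for part in value.split():
            yield part
            yield part.lower()


def word_variations(word):
    # Stage two: a dictionary word plus the variations listed above.
    yield word
    yield word[::-1]                        # written backwards
    for p in PUNCTUATION:
        yield word + p                      # punctuation at the end
        yield p + word                      # punctuation at the beginning
        if len(word) >= 3:
            yield word[:2] + p + word[2:]   # punctuation in the 3rd character place
    yield word.replace("t", "3")            # all t's replaced with 3's
    yield word.capitalize()                 # capitalized


def candidate_guesses(wordlist, info):
    yield from personal_guesses(info)
    for word in wordlist:
        yield from word_variations(word)
    for a in wordlist:                      # two words with a number between them
        for b in wordlist:
            for digit in string.digits:
                yield f"{a}{digit}{b}"


def find_match(stored: str, wordlist, info):
    """Return the guess whose encrypted form equals `stored`, or None."""
    for guess in candidate_guesses(wordlist, info):
        if encrypt(guess) == stored:
            return guess
    return None


def is_guessable(password: str, wordlist=SAMPLE_WORDLIST, info=SAMPLE_USER_INFO) -> bool:
    """True if the password would fall to the guessing stages modelled here."""
    return find_match(encrypt(password), wordlist, info) is not None


if __name__ == "__main__":
    for candidate in ["Jane", "ecim", "3hree", "mice7blind", "x7Qz!p"]:
        print(f"{candidate!r}: guessable = {is_guessable(candidate)}")
```

Note that the checker never needs the password in clear text once it has been encrypted: it only ever compares encrypted forms, exactly as Crack does. The converse is the point of the article: a password that any of these generators can reach is only as strong as the few seconds or minutes the stages take.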
First you tell me I can't write passwords down. Now you tell me I can't use passwords based on words. How am I ever going to make a password that I can remember?
There are tricks to creating a good password that can't be guessed, yet can be remembered. Here's one of the tricks: take a phrase you like and will remember. Now use the first letter of each word. Add any appropriate capitalizations, punctuation, and other character manipulations. For example:
three blind mice, see how they run
would end up as
But don't use this one now that I've given it as an example.
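The trick described above, as an added example (not code from the original guide): one function takes the first character of each word of a phrase, keeping the original capitalization and any punctuation attached to a word, and a second checks the result against the rules stated earlier in the guide (6 to 8 characters, no @ or #). The requirement that the result mixes at least two kinds of character is an added assumption that reflects the advice to add capitalization and punctuation. The phrase used below is a constructed one, chosen so as not to reproduce the article's own example.

```python
"""Derive a password from a memorable phrase and check it against the guide's rules.
Added example; the two-character-class rule is an assumption, not from the guide."""
import string


def phrase_to_password(phrase: str) -> str:
    """First character of each word, keeping case and trailing punctuation."""
    parts = []
    for token in phrase.split():
        letters = [c for c in token if c.isalnum()]
        if not letters:
            parts.append(token)        # a stand-alone symbol such as "&" is kept as-is
            continue
        trailing = token[len(token.rstrip(string.punctuation)):]
        parts.append(letters[0] + trailing)
    return "".join(parts)


def guidance_problems(password: str) -> list:
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    if not 6 <= len(password) <= 8:
        problems.append("length must be between 6 and 8 characters")
    if "@" in password or "#" in password:
        problems.append("avoid @ and #, which have special meaning on some UNIX systems")
    classes = (
        any(c.islower() for c in password)
        + any(c.isupper() for c in password)
        + any(c.isdigit() for c in password)
        + any(c in string.punctuation for c in password)
    )
    if classes < 2:   # assumed rule: mix at least two kinds of character
        problems.append("mix letter case, digits and punctuation")
    return problems


if __name__ == "__main__":
    phrase = "Jack and Jill went up the hill!"   # constructed phrase, not the article's
    pw = phrase_to_password(phrase)
    print(pw, guidance_problems(pw) or "passes the guide's rules")
```

The phrase itself is what you remember; the derived string is what you type. Because it is not a word in any language, none of the word-based variations described earlier will reach it, and the guide's caveat about @ and # is enforced by the checker rather than left to memory.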