Password Security: The Main Vein

Monday, July 02, 2012

Ahmed Saleh


What are Passwords

Passwords are unique strings of characters that users provide, together with a User ID, to gain access to an information resource. Passwords are critical to the privacy and security of the computers you use every day, whether at home or at work.

People use passwords to access various resources, including but not limited to personal computers, applications, networks and Internet services such as Hotmail, Gmail and Facebook. User IDs and passwords are used to authenticate users to a particular resource, and sometimes to track user activity while that resource is in use.

Your passwords should be treated as highly sensitive information, and you are responsible for taking the appropriate steps to select and secure them.

General Password Guidelines

Information system users should be aware of the characteristics of weak and strong passwords in order to ensure adequate protection of their information. If someone obtains your User ID and password, that individual can impersonate you, and the system will not detect any anomaly.

Identity theft, credit card compromise, loss or inappropriate use of your webmail or your social networking account could happen as a result of poor password management.

Poor passwords have any of the following characteristics:

  • Fewer than eight characters.
  • A word found in a dictionary.
  • Matches or includes your username.
  • A common-usage word such as:
    • Names of family members, friends, co-workers, sports teams or movies.
    • Computer terms and names: sites, companies, hardware, software.
    • Word, number or keyboard patterns like "aaabbb", "qwerty", "123321".
  • Consists of repetitive patterns such as "ahmahm" or "passpass".
  • Any of the above preceded or followed by digits (e.g. "qwerty123", "111aaabbb").
  • Consists entirely of the same character or digit, or of another commonly used or easily guessed format.

Strong passwords have at least three of the following characteristics:

  • 8 or more characters long (I personally recommend 10 characters).
  • Contain both upper- and lower-case letters.
  • Include digits and special characters as well as letters (special characters: ()*&$#@ ).
  • Are not a word in any language.
  • Are not based on personal information: names of family members, hobbies, etc.

One of the best practices in creating a password is to use the first letter of each word of a well-remembered sentence. For example, from "I spend more than seven hours online per day" the password would be i5Mt7H0pD (notice the 5 instead of the s and the 0 instead of the o).
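As an added example (not code from the article), the weak-password list, the strong-password list and the sentence technique above written as checks; the word list, keyboard rows and number-word map are constructed stand-ins, and the sentence routine is one deterministic reading of the recipe (number words and leading s/o become digits, the remaining letters alternate case) that reproduces the article's i5Mt7H0pD:

```python
import re
import string

# Constructed stand-ins (assumptions): tiny word list, keyboard rows, the article's specials.
DICTIONARY = {"password", "welcome", "dragon", "monkey", "letmein"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
SPECIALS = set("()*&$#@")
NUMBER_WORDS = dict(zip("one two three four five six seven eight nine zero".split(), "1234567890"))

def weaknesses(password, username=""):
    """Weak-password characteristics from the guidelines that `password` exhibits."""
    pw = password.lower()
    core = pw.strip(string.digits) or pw  # "qwerty123" -> "qwerty", "111aaabbb" -> "aaabbb"
    found = []
    if len(password) < 8:
        found.append("less than eight characters")
    if core in DICTIONARY:
        found.append("dictionary word")
    if username and username.lower() in pw:
        found.append("matches or includes username")
    rows = KEYBOARD_ROWS + tuple(r[::-1] for r in KEYBOARD_ROWS)
    if len(core) >= 3 and any(core in r for r in rows):
        found.append("keyboard pattern")
    repeated = any(core == core[:d] * (len(core) // d)  # "passpass", "ahmahm", "aaaaaa"
                   for d in range(1, len(core) // 2 + 1) if len(core) % d == 0)
    if repeated or re.search(r"(.)\1\1", core) or (len(core) >= 4 and core == core[::-1]):
        found.append("repetitive pattern")  # also "aaabbb" (runs) and "123321" (mirrored)
    return found

def strength_score(password, personal=()):
    """How many of the article's five strong-password traits hold (three or more = strong)."""
    pw = password.lower()
    return sum([len(password) >= 8,
                any(c.islower() for c in password) and any(c.isupper() for c in password),
                any(c.isdigit() for c in password) and any(c in SPECIALS for c in password),
                (pw.strip(string.digits) or pw) not in DICTIONARY,  # "not a word" (approximated)
                not any(w.lower() in pw for w in personal)])

def sentence_to_password(sentence):
    """First letter of each word; number words and s/o become digits, other letters alternate case."""
    out, letters = [], 0
    for word in re.findall(r"[a-z]+", sentence.lower()):
        if word in NUMBER_WORDS:
            out.append(NUMBER_WORDS[word])
        elif word[0] in "so":
            out.append("5" if word[0] == "s" else "0")
        else:
            out.append(word[0].upper() if letters % 2 else word[0])
            letters += 1
    return "".join(out)
```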

Security Tip: refrain from writing down the password. Instead, create passwords that you can remember. A good password is easy to remember yet hard to guess.

Password Protection

Handle your username and password with as much care as your credit card. Do not use the same password for all your online services and activities, i.e. Facebook password ≠ Twitter password ≠ Hotmail password ≠ Gmail password ≠ online banking password, especially if these services depend on each other for password recovery (forgotten or stolen passwords).

The following is a list of rules you should abide by to protect your password:

  1. Don't reveal your password to anyone (not even individuals who claim to be from support).
  2. Don't reveal your password in an email message.
  3. Don't talk about your password in front of others.
  4. Don't hint at the format of a password (e.g. "my family name").
  5. Don't reveal your password on questionnaires or security forms.
  6. Don't share your password with family members.
  7. Don't reveal your password to your friends.
  8. Don't leave your written password anywhere accessible to other people.
  9. Use a well-known, updated antivirus to ensure that your system is not infected by any password-capturing malicious application (virus, worm, keylogger, etc.).
  10. Although systems and applications hide the password characters you type from the screen, you are responsible for ensuring that no one is watching while you type that password on your keyboard.

Changing Passwords

Passwords should be changed on a regular basis. Some systems remind users that they should change their password; other systems expire the password and force you to change it.

Keep in mind, when changing your current password, that you should not reuse a previously used password, even if it has the characteristics of a strong password.

If a password has been compromised or forgotten, the user may obtain a new password or have their password reset by using the "forgot password" option. This option is usually found within the login area of web pages. The process sends reset instructions to a preset recovery email address, or to a mobile phone via SMS message.

Finally: If at any time, you suspect that your password has been compromised, change it immediately. Better safe than sorry!!

Cross-posted from Information Security Illustrated

Maureen Robinson: Very valuable and practical tips for a very frequent problem. In addition to what you said, here is an article which explains how passwords are encrypted and what the mechanics of a good password are: