Go to INFN Milano Homepage Istituto Nazionale di Fisica Nucleare - Sezione di Milano
About us Research
Services Utilities
Boards Events

Some notes about passwords

From experience, a significant number of computer breakins (perhaps the majority) can be traced back to a poorly-chosen password. In most of the cases, passwords are the first weakness tried by an attacker.

The password is the most vital part of account security. If an attacker can discover a user's password, he or she can then log in to the system and operate with all the capabilities of that user. Such an attack is usually hard to detect and can last for months.

Why should I care?

The answer is easy.

You should care because if someone uses your account to do bad things you might have no means to prove that it was not you. It's like letting anyone drive your car, you would then be responsible for all the fines...

What is a good password?

A good password is:

  • private: it is used and known by one person only
  • secret: it does not appear in clear text in any file or program or on a piece of paper pinned to the terminal
  • easily remembered: so there is no need to write it down
  • not guessable by any program in a reasonable time, for instance less than one week.

Although this seems quite restrictive, it's easy to pick good passwords.

How can I choose a good password?

The programs that try to guess passwords (or the attacker of a machine) do not try all existing passwords, they only try a large number of "frequently used" passwords. So if you stay out of this search space you are safe; to do so you can follow the following guidelines:

First, here is what you should not do:

  • don't use your login name in any form (as-is, reversed, capitalised, doubled, with a prefix, with a suffix...).
  • don't use in any form your first or last name and, more generally, any information easily obtained about you. This includes car license plate numbers, telephone numbers, social security numbers, the brand of your car, the name of the street you live on, the name of your spouse or of your children...
  • don't use a word contained in any dictionary of any language, spelling lists, or other lists of words (acronyms, sequences of letters like 'abcdef' or 'qwerty', place names, car names, cartoon heroes...).
  • don't use a password shorter than six characters or with only alphabetic characters or only digits.

Then, here is what you should do:

  • do use a password with mixed-case alphabetics, digits, punctuation.
  • do use long passwords (with more than 6 characters).

Finally, here are some methods of making passwords:

  • Choose a line or two from a song or poem, and use the first letter of each word. For example, `In Xanadu did Kubla Kahn a stately pleasure dome decree' becomes `IXdKKaspdd'.
  • Alternate between one consonant and one or two vowels, up to eight characters, do use mixed-case. This provides nonsense words that are usually pronounceable, and thus easily remembered (ex: `roUtboo', `quADpop', and so on.).
  • Choose two short words (or a big one that you split) and concatenate them together with one or more punctuation characters between them (or digits if you can only use alphanumeric characters). For example: `dog+F18' or `comP77UTer'. Note that `dog', `F18' or `computer' are in dictionaries but as the passwords use punctuation or digit, mixed-case characters, they are really hard to guess.

Please note that if you use mixed-case characters, do not use the following methods (they are tried by most cracking programs):

  • only the first or the last character in uppercase
  • only vowels in uppercase
  • only consonants in uppercase.

Also, don't append or prepend a character to a word from a dictionary (for instance `7tables' or `secret!') or use simple substitutions like o==>0 or s==>$ (for instance `sn00py' or even `$n00py'), most cracking programs will also try these...

Why should I change my "good" password?

Even if you choose a good password, it can still be discovered: someone may see you typing it, he may capture it by snooping the network... One can also setup a fake machine or terminal and record all the passwords it sees. Another commonly used source of passwords is the "invalid login" file, some people do not pay attention and type the password instead of the user name, the log file then contains lines like:

joe      ttyp9        Wed Apr 28 09:37
XSecret! pty/ttys0    Fri Feb 26 15:15 - 15:16  (00:00)
fred     pty/ttys0    Fri Feb 26 15:16 - 14:27 (87+22:11)

For all these reasons it is wise to change your passwords from time to time, a minimum frequency is twice a year.

Can I use the same "good" password for all my accounts?

This is delicate to answer. The underlying problem is that if someone finds your password for one account (see previous section) he then may be able to use other accounts on other machines with the same password.

One thing is clear: you should not use trivial rules to generate your passwords. For instance if you've got several accounts on the machines hplhc01, hplhc06... and the passwords are `seXret01', `seXret06'..., this is clearly inefficient. An attacker can easily deduce the passwords you used and the length of the fixed part of the password (in this example `seXret') is reduced, this implies that you will have less choices to find new passwords.

On the other hand, if an attacker broke into one of your accounts, he has several possibilities to break into other accounts: he can use the autologin facilities (`.rhosts' on UNIX), he can ruin your X security and then grab the passwords you type (see next chapter), he can install a fake telnet program to capture your passwords the next time you use it...

So, in our opinion, the best thing is to have different passwords for all your accounts with no obvious similarities. If you can't (for instance because you have too many accounts), it's acceptable to have the same password if it's a really good one and if you change it often (for instance once per month).

This page is a slightly modified version of Lionel Cons's security handbook at CERN. Duplication was authorized by the author.

Last update: Thursday February 07, 2002 (12:24)
Home | Search | Privacy | Site map | Disclaimer