How to Frustrate Password Crackers: 8 Tips
Some time ago, I was one of the most prolific contributors to
one of the most popular newsgroups on Usenet. The newsgroup's
purpose was to provide fraudulently-obtained, but valid,
passwords for websites.
The process there is fairly straightforward: someone posts the
web site address of a site that they want (free and illegal)
access to. Several group members with colorful nicknames then
"run" the site. If a valid username/password is found, it is
emailed to the requestor, who in turn publicly heaps praise on
the grantor, thus inflating his or her ego. My colorful nickname
was "PassBandit".
Here are some tips to ensure that your account is not the weak
account that the other "PassBandit"s of the world compromise:
1. The password is more important than the username. Do not
assume that because you have an unusual username (including
e-mail addresses), you can choose a simple password.
2. Make your reminder question tough and unique -- something
such as "What was my first pet's name?".
3. Do not use your username as the password. Similarly, do not
use a password that "fits" with the username. They may be cute,
clever, and easy to remember, but username:password combinations
such as intel:inside, moody:blues, hewlett:packard, or
foghorn:leghorn will be compromised very quickly.
4. Make every password AT LEAST 6 characters long.
5. Use a mix of upper- and lowercase letters, and numbers --
and, if allowed, include symbols, e.g., "Hammer*shreW" or
"booKbuicK-720". The more variety your password contains, the
less likely that it will be guessed.
6. Do not use a single word as your entire password. At several
hundred guesses per second, my software could (and often did) go
through entire unabridged dictionary files, many megabytes in
size, and in several languages in no time. Combine two unrelated
words, such as bookbuick or hammershrew.
7. Change your password frequently if the site gives you that
option.
8. Do not use the same username/password combination at multiple
sites.
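A password-policy check that encodes tips 3 through 6 above, written as an added example (it is not the author's software). The word list and the username:password pairs are a small constructed sample; a real deployment would load a full dictionary file of the kind the author describes.

```python
"""Reject passwords that the article's tips 3-6 would flag (added example)."""
import re

# Constructed sample word list standing in for a real dictionary file.
SAMPLE_DICTIONARY = {"inside", "blues", "packard", "leghorn", "hammer", "shrew",
                     "book", "buick", "password", "secret", "intel", "moody"}

# Constructed username:password "fits" taken from tip 3.
KNOWN_PAIRS = {("intel", "inside"), ("moody", "blues"),
               ("hewlett", "packard"), ("foghorn", "leghorn")}

MIN_LENGTH = 6  # tip 4


def check_password(username: str, password: str, dictionary=SAMPLE_DICTIONARY):
    """Return the list of violated tips; an empty list means the password passes."""
    problems = []
    user = username.lower()
    pw = password.lower()

    # Tip 3: the password must not equal, contain or "fit" the username.
    if pw == user or (user and user in pw) or (user, pw) in KNOWN_PAIRS:
        problems.append("tip 3: password matches or fits the username")

    # Tip 4: minimum length.
    if len(password) < MIN_LENGTH:
        problems.append("tip 4: shorter than %d characters" % MIN_LENGTH)

    # Tip 5: require at least three of lower, upper, digit, symbol.
    patterns = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    classes = sum(bool(re.search(p, password)) for p in patterns)
    if classes < 3:
        problems.append("tip 5: fewer than three character classes")

    # Tip 6: one dictionary word, even with trailing digits, falls to a wordlist run.
    core = re.sub(r"\d+$", "", pw)
    if core in dictionary:
        problems.append("tip 6: single dictionary word")

    return problems


if __name__ == "__main__":
    for u, p in (("intel", "inside"), ("carol", "Password1"), ("alice", "Hammer*shreW")):
        print(u, p, check_password(u, p) or "OK")
```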
I've grown out of "PassBandit", and it no longer holds a thrill
for me. Instead, I've hopped the fence and teach loss prevention
topics. But there are thousands of "PassBandit"s out there
looking to get into your website stash. Don't make it easy
for them.