Difference between revisions of "Runsafe:Safeguard Passwords"

From WolfTech
Revision as of 11:39, 17 March 2006

Safeguard Passwords

Safeguard your identity and password.

Some services and data we access through our computer are private or sensitive. Nobody but us should access our email, class schedules, budget, research data, or grades. Access to those services is authorized based on our identity, and our password is proof of our identity.

Choose a Strong Password

Passwords are the combination locks used to protect our computer accounts. It goes without saying that giving out our combination or leaving the lock unlatched (i.e. walking away from a logged-on computer) compromises our security. However, technology provides ways for people to obtain our combination even if we aren't careless. To thwart such misuse, we must choose complex combinations. There are three elements to a complex combination:

  1. It can't be obvious. That is, it can't exist in an attack dictionary.
    • Every word in an English language dictionary can be tried in minutes. Attack dictionaries also include names, common misspellings, words with numbers, and other commonly used passwords. You also don't want the password to have any personal significance to you (your dog's name, for example). Using a dictionary word for a password is like using a locker number for a combination.
  2. It can't be short.
    • A combination lock with a two-number combination wouldn't protect very well. Anything less than an eight-character password is like having such a combination. It simply won't hold up for long.
  3. It can't be made up of just a few kinds of characters.
    • A combination lock with only ten numbers on the dial isn't as effective as one with fifty. Using just lower case letters is like limiting a combination lock to ten numbers. On systems that support them, passwords should contain at least one of each of the following characters:
      • Uppercase letters ( A-Z )
      • Lowercase letters ( a-z )
      • Numbers ( 0-9 )
      • Punctuation marks ( !@#$%^&*()_+=- ) etc.

Different systems have different capabilities. Some will not let you use all the strength features mentioned here. When you get an account or change your password on a system, you should be given instructions on any limitations.
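The three rules above can be checked mechanically. What follows is an added example, not code from the WolfTech page: it assumes a tiny constructed attack dictionary (real cracking lists run to millions of entries) and a minimum length of eight, and it also reports the search space in bits, the size of the "dial" raised to the length of the combination, so you can see how each rule changes the number of combinations an attacker has to try. The dictionary entries, the helper names and the eight-character minimum are all assumptions.

```python
import math
import string

# Constructed stand-in for an attack dictionary: plain words, pet names,
# common misspellings and "word + number" entries, as the page describes.
# Real lists run to millions of entries; this one only illustrates the check.
ATTACK_DICTIONARY = {
    "password", "letmein", "welcome", "qwerty", "monkey",
    "rover", "fido",                # pet names
    "passwrod", "pasword",          # common misspellings
    "password1", "welcome123",      # words with numbers appended
}

MIN_LENGTH = 8   # assumed minimum, per the page's "less than eight" rule

# The four classes the page lists; their union is the "dial" an exhaustive
# search has to turn through.
CHARACTER_CLASSES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "digits": set(string.digits),
    "punctuation": set(string.punctuation),
}


def in_attack_dictionary(password: str) -> bool:
    """Rule 1: the password must not be a dictionary entry.

    The lookup is case-insensitive and also tries the password with any
    trailing digits removed, so 'Rover' and 'rover7' both count as the
    dictionary word 'rover'."""
    candidate = password.lower()
    return (candidate in ATTACK_DICTIONARY
            or candidate.rstrip(string.digits) in ATTACK_DICTIONARY)


def classes_present(password: str) -> set:
    """Rule 3: the character classes the password actually draws on."""
    return {name for name, chars in CHARACTER_CLASSES.items()
            if any(c in chars for c in password)}


def keyspace_bits(password: str) -> float:
    """Search space an exhaustive attack must cover, as log2(alphabet ** length).

    The alphabet is the union of the classes used: an all-lowercase password
    gives an attacker a 26-character dial, all four classes a 94-character one."""
    alphabet = sum(len(CHARACTER_CLASSES[name]) for name in classes_present(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def check_password(password: str) -> dict:
    """Apply the three rules; returns which ones fail and the search-space size."""
    failures = []
    if in_attack_dictionary(password):
        failures.append("obvious: found in the attack dictionary")
    if len(password) < MIN_LENGTH:
        failures.append(f"short: fewer than {MIN_LENGTH} characters")
    missing = set(CHARACTER_CLASSES) - classes_present(password)
    if missing:
        failures.append("narrow: missing " + ", ".join(sorted(missing)))
    return {"ok": not failures, "failures": failures,
            "bits": round(keyspace_bits(password), 1)}


if __name__ == "__main__":
    # The page's own mnemonic-derived passwords pass; the weak ones do not.
    for pw in ("imcmit2s,Ibl", "oBGcat$7t", "rover7", "Password1", "abcdefgh"):
        print(pw, check_password(pw))
```

The bit count makes the combination-lock analogy concrete: "rover7" draws on a 36-character dial and six positions, about 31 bits, while the page's "imcmit2s,Ibl" uses all four classes over twelve positions, about 79 bits, so each added class or character multiplies the attacker's work rather than adding to it.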

How, you may ask, am I ever going to remember such a complicated password?

  • Pick a sentence that reminds you of the password. For example:
    • if my car makes it through 2 semesters, I'll be lucky (imcmit2s,Ibl)
    • only Bill Gates could afford this $70.00 textbook (oBGcat$7t)
    • What time is my accounting class in Showker 240? (WtimaciS2?)
  • If you absolutely have to, record it in a secure location. It's probably safer to store a strong password in a place where someone would have to physically break in than to expose a weak password to 600 million people on the Internet.

Accounts that are not accessible from the network, or that can be disabled if too many unsuccessful attempts are detected, are not as susceptible to high-speed guessing attacks. However, some systems have network accessible accounts you may not know about. Passwords for Windows NT, 2000, and XP Professional Administrator accounts and accounts included in the Administrator, Backup Operator, and Server Operator groups must be as strong as possible as these accounts have full, remote access to the entire file system through hidden shares.
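The paragraph above separates accounts that can be disabled after too many failed attempts from those that allow unlimited guessing. The following is an added example, not code from the page: a lockout guard replayed over a constructed authentication log, under an assumed policy of five failures within five minutes. The account names, timestamps, log format and policy values are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Assumed policy (not from the page): disable the account after this many
# failed logins inside the window.
MAX_FAILURES = 5
WINDOW_SECONDS = 300

# Constructed authentication log, one line per attempt. alice's eighth
# attempt is the correct password; bob mistypes twice and then gets in.
LOG_LINES = """\
2006-03-17T11:39:01 user=alice result=FAIL
2006-03-17T11:39:02 user=alice result=FAIL
2006-03-17T11:39:03 user=alice result=FAIL
2006-03-17T11:39:04 user=alice result=FAIL
2006-03-17T11:39:05 user=alice result=FAIL
2006-03-17T11:39:06 user=alice result=FAIL
2006-03-17T11:39:07 user=alice result=FAIL
2006-03-17T11:39:08 user=alice result=OK
2006-03-17T11:40:10 user=bob result=FAIL
2006-03-17T11:40:11 user=bob result=FAIL
2006-03-17T11:40:12 user=bob result=OK
""".splitlines()


def parse_line(line: str):
    """Split a constructed log line into (epoch seconds, account, succeeded)."""
    ts, user, result = line.split()
    when = datetime.fromisoformat(ts).timestamp()
    return when, user.split("=", 1)[1], result.split("=", 1)[1] == "OK"


class LoginGuard:
    """Tracks failed attempts per account and disables the account once the
    threshold is reached; further attempts, even correct ones, are refused
    until an administrator re-enables it."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.recent_failures = defaultdict(list)   # account -> failure times
        self.disabled = set()

    def attempt(self, account: str, when: float, success: bool) -> str:
        if account in self.disabled:
            return "disabled"
        if success:
            self.recent_failures[account].clear()
            return "ok"
        # Keep only failures inside the window, then add this one.
        recent = [t for t in self.recent_failures[account] if when - t <= self.window]
        recent.append(when)
        self.recent_failures[account] = recent
        if len(recent) >= self.max_failures:
            self.disabled.add(account)
            return "disabled"
        return "failed"


def replay(lines, guard=None) -> dict:
    """Feed a log through the guard; returns each account's outcomes and
    whether it ended up disabled."""
    if guard is None:
        guard = LoginGuard()
    outcomes = defaultdict(list)
    for line in lines:
        when, account, success = parse_line(line)
        outcomes[account].append(guard.attempt(account, when, success))
    return {acct: {"outcomes": seq, "disabled": acct in guard.disabled}
            for acct, seq in outcomes.items()}


if __name__ == "__main__":
    print("with lockout:   ", replay(LOG_LINES))
    print("without lockout:", replay(LOG_LINES, LoginGuard(max_failures=float("inf"))))
```

Run with the lockout switched off (`LoginGuard(max_failures=float("inf"))`, the unlimited-guessing situation the page later describes for Windows 9x shares) and alice's eighth guess succeeds; with the policy in place the account is disabled at the fifth failure and the correct password is refused, which is exactly the property that makes such accounts less exposed to high-speed guessing.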

Safeguard Your Strong Password

  • Do not type your password into untrusted, unknown, or public computers. Does the computer have anti-virus protection enabled? Is the owner trustworthy or are they perhaps running a keyboard logger recording your keystrokes? (it has happened) Who was the last person to use it and what did they run on it?
  • Be careful about typing your password into a strange program, web site, or server. Why do they need it? Are they authorized to ask for it? A web site on the other side of the country should definitely not be asking for your JMU username and password. When you type your password into a web or file server, the administrator of that server has access to it. Who do you trust with your password? Is this an official NCSU resource asking for your NCSU password? In particular, third party web email providers are not authorized to ask for your NCSU email password.
  • Use software that encrypts your password when it is sent over the network whenever possible.
    • Replace telnet use with SSH.
    • Select strong encryption options in other clients that support it.
    • Make sure any web site requiring a password is protected by SSL. Look for the lock icon on the browser and the address to start with https:
  • Do not use the same password for a risky or casual service that you use for a more secure or critical service.
    • Do not use the same passwords on your Windows 95/98 shares that you use to protect more critical services. There is no limit on password guessing and no delays between retries on Windows 9x shares. This could jeopardize your more critical service if the passwords are synchronized.
    • Do not use the same password on an unofficial, entertainment, off-campus, OR uncritical service that you use for more critical services.
  • Be careful not to type your password into the wrong field, for example the username field. Doing so will generally result in your clear-text password being recorded in a system log.
  • Pay attention to warnings from your browser or SSH client about problems with certificates or host keys.
  • Follow wireless usage and setup best practices.

Replace Your Strong Password When It Wears Out

One of the most unpopular security recommendations, after choosing hard to remember passwords, is the one that asks us to throw away those passwords after we finally get to the point where we can remember them.

If our ATM card gets stolen we know it. If our keys get stolen, we'll probably miss them before someone manages to copy and return them. Unlike keys or ATM cards, passwords don't have to be physically taken to be copied or used, and it is unlikely we'll know they've been compromised. Once they're compromised, they can be transferred all over the world in the blink of an eye. Until someone uses the password, we won't know it. Most of us won't know it even when it is used, unless some fairly drastic action is taken with our account(s).

While our passwords are usually protected with cryptography and are often inaccessible, there are circumstances, sometimes beyond our control, when they are available either over the network or on a system.

Even when protected with cryptography, we're gambling somewhat if the password is accessible. While it may take 100,000 years to do an exhaustive search through all the possible combinations using the latest encryption scheme, there are some practical points to remember:

  • If we don't follow the rules about strong passwords, modern tools and methods will likely crack it in very little time. Passwords that exist in dictionaries used for attack lookups are often cracked in hours and sometimes in as little as seconds. The tools are programmed to try the things that experience has shown people pick for their passwords.
  • Even if we choose a strong password forcing the tool to do an exhaustive search of all possible combinations, perhaps even 10^100 of them, it is not impossible that a random guess will get it right on the first try, or in the first hour, or the first day.
  • Computers don't get tired of trying. If someone has our encrypted password in hand, or if they can continually try logging in to our system without locking the account, they can sleep while their computer continues to chug along making guess after guess.
  • People make mistakes. They sometimes type their password on the wrong computer, the wrong screen, or the wrong program. Administrators make mistakes. Security folks make mistakes. Everybody makes mistakes. All it takes is once.
  • Software is not perfect. Some programs don't use the latest cryptographic protection. Some use none at all.
  • Networks are not perfect. Some systems are more secure than others. Passwords get reused and/or passed around.

Lots of things can result in the compromise of a password. If that password protects a lot of things or if it protects things that are important, isn't it worth the trouble to rejuvenate it once in a while by changing it?
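The arithmetic behind the "gambling" point above, as an added example that is not from the page. It assumes an offline rate of a billion guesses a second (a copy of the protected password taken off a system and fed to a fast cracker) and an online rate bounded by a lockout policy of five tries per five minutes (the kind of account the page calls less susceptible to high-speed guessing), and compares a dictionary lookup with exhaustive searches over the page's character classes. The 200,000-entry dictionary size, both rates and the lockout policy are assumptions, not figures from the page.

```python
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed guessing rates (not from the page). Offline: the attacker holds a
# copy of the protected password and runs a fast cracker. Online: every guess
# is a login attempt against a service that locks the account after 5 failures
# in 5 minutes, so the attacker averages one guess a minute at best.
OFFLINE_GUESSES_PER_SECOND = 1e9
ONLINE_GUESSES_PER_SECOND = 5 / 300


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of combinations on a dial of alphabet_size symbols, length positions."""
    return alphabet_size ** length


def expected_seconds(space: int, guesses_per_second: float) -> float:
    """On average the right combination turns up halfway through the search."""
    return space / (2 * guesses_per_second)


def probability_within(space: int, guesses_per_second: float, seconds: float) -> float:
    """Chance that a search in random order hits within `seconds`: the page's
    point that a lucky first-hour guess is unlikely but not impossible."""
    return min(1.0, guesses_per_second * seconds / space)


# Scenarios drawn from the page's rules: a dictionary word, short or
# single-class passwords, and passwords using all four classes (94 symbols).
SCENARIOS = {
    "dictionary word (200,000 entries)": 200_000,   # assumed list size
    "6 lowercase letters": keyspace(26, 6),
    "8 lowercase letters": keyspace(26, 8),
    "8 characters, four classes": keyspace(94, 8),
    "12 characters, four classes": keyspace(94, 12),
}


def compare(guesses_per_second: float) -> dict:
    """Expected years to crack and chance of success in the first hour, per scenario."""
    return {
        name: {
            "expected_years": expected_seconds(space, guesses_per_second) / SECONDS_PER_YEAR,
            "p_first_hour": probability_within(space, guesses_per_second, 3600),
        }
        for name, space in SCENARIOS.items()
    }


if __name__ == "__main__":
    for label, rate in (("offline", OFFLINE_GUESSES_PER_SECOND),
                        ("online, with lockout", ONLINE_GUESSES_PER_SECOND)):
        print(f"== {label}: {rate:g} guesses/s ==")
        for name, r in compare(rate).items():
            print(f"{name:36} expected {r['expected_years']:10.3g} years, "
                  f"first-hour chance {r['p_first_hour']:.2g}")
```

Two things stand out in the output. Offline, a dictionary word or eight lowercase letters falls in seconds or minutes, an eight-character four-class password in weeks, and only the twelve-character one reaches the "many thousands of years" range, which is why the page treats a password as something that wears out. Online against a lockout, even eight lowercase letters would take the attacker far longer than a lifetime, which is the difference the earlier section draws between accounts that can be disabled after repeated failures and those that cannot.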