Basic security with passwords

The password. It really gives you power doesn’t it? You’re the only one that has the “key” to the workstation or something else that has to be kept away from prying eyes. If you’re using a password than there must be something worth protecting, so why not make this protection a good one?

Choosing a good password

There are two ways to choose a password. You can either use a password generation utility or you can make a password by yourself. If you’re going to do it by yourself than there are several things you have to keep in mind.

Some of the things you should not use include: your name (as well as names of family members, friends, etc.), phone number, address, nickname, computer name, words from a dictionary, name of the company you work for, etc. The idea is to basically not use any kind of information that may be linked with you directly.

A good password includes the following: upper-case and lower-case letters mixed together with special characters, and is at least six characters long. Also, never repeat the same character within a password. Example of a good password: y_R6t*n!b

Using a password generator and safekeeping

A random password generator utility is a wise choice when making hard-to-crack passwords. Also, when you generate a good password, it will be pretty hard to remember so a password manager is a good thing to use. There are many software titles that do this job and two of them are presented below – one for Linux and one for Windows.

Figaro’s Password Manager[ Download ]

Figaro’s Password Manager is a GNOME application that allows you to securely store your passwords which are encrypted with the blowfish algorithm. If the password is for a website, FPM can keep track of the URLs of your login screens and can automatically launch your browser. In this capacity, FPM acts as a kind of bookmark manager. The program is extremely easy to use and is open source free software.

Included with the program comes a nifty password generator, here’s how it looks:

myPasswords Professional[ Download ]

myPasswords Professional is a password manager for Windows that uses Blowfish encryption to ensure your information is safe. It can export your databases to Microsoft Excel worksheets, HTML, text, and CSV files. It can import your existing Critical Mass and myPasswords databases and your sensitive information can be masked. The program is very configurable and it’s interface is simple which makes accessing information fast and easy. After a swift installation I doubt you’ll have any problems getting around the program, if you do – there’s a good help file to learn from.

Also included with the program comes a random password generator that makes your password creation extremely easy.

Password restrictions

To make users create strong passwords, and in that way improve the security of a system, it’s a good idea to define the type of password that can be created. There are several ways to do this:

  • make them use a password generator
  • setup some guidelines like how much the password has to be long, what characters have to be used, etc.
  • check the integrity of existing passwords with a cracking program and alert users with a weak password.

There are various cracking programs that you can use, some of them are:

It’s wise to change the password frequently as well as avoiding having people look at you when you type your password. There’s never enough paranoia when it comes to protecting your data.

Default passwords

Many applications, that need identification in order to be used, have a default password. Although this password may be easy to remember, you should change it as soon as possible. Lists of default passwords can be found all over the net and that’s probably one of the first things an attacker is going to try using. The same thing applies for any situation when a password is assigned to you, login and change it, right away.

An example of a list of default passwords can be found here.

For much more information on passwords and other methods of authentication, I recommend reading the excellent Authentication: From Passwords to Public Keys by Richard Smith.

As it says on the Addison-Wesley book page:

“[This book] gives readers a clear understanding of what an organization needs to reliably identify its users and how different techniques for verifying identity are executed.”

And, to close this article, here are two interesting articles you might be interested in: