Avoiding password theft » Computer internet security  
Avoiding password theft



Friday, June 8, 2007, 22:17
Posted in the Passwords category.

To access an online computer service or Internet service provider (ISP) one needs both a user name and password. ISPs typically select a user name that is the same as the last name of the subscriber. This means that user names are easy to guess, therefore one must be especially careful with the password.

Select a good password:
Make the length of your password at least five characters. It is too easy for automatic programs to sequentially try all combinations of characters in a password of only 1, 2, 3, or 4 characters.

In short passwords, use at least one upper-case letter, at least one lower-case letter, and at least one digit, for example, c5U3rN.
A five-character password composed of only random lower-case letters has about 8×10⁶ possible combinations, but a five-character password composed of both upper- and lower-case letters and the ten digits, all chosen randomly, has about 776×10⁶ possible combinations, i.e., it is about one hundred times harder to guess.

To make a long password, use a concatenation of two words, each with at least five characters, perhaps separated by one digit (e.g., airplane5style). By having a longer password, it is no longer as desirable to include a mix of upper- and lower-case letters and digits.

Avoid obvious passwords, e.g.:
your name,
anyone’s first name (especially bad are your spouse’s first name, your child’s first name, your dog’s or cat’s name),
your nickname (e.g., “Flash” or “Buzz”),
your home telephone number,
your date of birth,
your astrological sign,
your mother’s maiden name,
your wife’s maiden name,
the license plate number of your car,
exact sequences of letters on a keyboard (e.g., QWERTY or ASDFGH),
sequences from the alphabet (e.g., ABCDEFG or ABCABC),
or any other publicly available information.
Also avoid any of the above spelled backwards, and any of the above either preceded or followed by a single digit.
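The rules above (minimum length, mixed character classes for short passwords, no dictionary word or personal fact even when reversed or padded with one digit, no keyboard or alphabet runs) can be turned into a checker a site could run before accepting a new password. The following is an added example, not code from the original post; its word list and personal-data set are tiny constructed stand-ins, and the cut-off of ten characters for what counts as a "long" password is an assumption.

```python
import re

# Constructed stand-in for a spelling-checker word list (the post assumes ~0.15e6 entries).
WORDS = {"airplane", "style", "flash", "buzz", "password", "smith"}
# Personal facts the post says to avoid; a real checker would take these from the user's profile.
PERSONAL = {"smith", "rex", "5551234", "19700101", "leo"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def _has_sequence(pw: str, n: int = 4) -> bool:
    """True if pw contains n or more consecutive keys of a keyboard row or of the alphabet."""
    low = pw.lower()
    for seq in KEYBOARD_ROWS + (ALPHABET,):
        if any(seq[i:i + n] in low for i in range(len(seq) - n + 1)):
            return True
    return False


def _is_listed(pw: str) -> bool:
    """Word-list or personal-data hit, also when spelled backwards or with one digit before/after."""
    core = pw.lower()
    variants = {core}
    if len(core) > 1 and core[0].isdigit():
        variants.add(core[1:])
    if len(core) > 1 and core[-1].isdigit():
        variants.add(core[:-1])
    variants |= {v[::-1] for v in variants}  # the reversed spellings the post warns about
    return any(v in WORDS or v in PERSONAL for v in variants)


def check_password(pw: str) -> list[str]:
    """Return the post's rules that pw violates; an empty list means it passes them all."""
    problems = []
    if len(pw) < 5:
        problems.append("shorter than five characters")
    mixed = re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw) and re.search(r"\d", pw)
    if len(pw) < 10 and not mixed:  # assumption: 10+ characters is "long" in the post's sense
        problems.append("short password without upper-case, lower-case and digit")
    if _is_listed(pw):
        problems.append("dictionary word or personal data (possibly reversed or with one digit)")
    if _has_sequence(pw):
        problems.append("keyboard or alphabet sequence")
    if re.fullmatch(r"(.+?)\1+", pw.lower()):  # catches ABCABC-style repetition
        problems.append("repeated fragment such as ABCABC")
    return problems


if __name__ == "__main__":
    for candidate in ("c5U3rN", "airplane5style", "garkle6snerkle", "hsalF5", "QWERTY1", "Rex7"):
        print(candidate, "->", check_password(candidate) or "ok")
```

Note that airplane5style passes without any upper-case letter, matching the post's point that a long two-word password does not need a character mix, while hsalF5 (a reversed dictionary word plus one digit) is rejected.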

There are about 8×10⁶ possible combinations of a string of five lower-case letters that are chosen randomly. In comparison, there are only about 0.15×10⁶ entries in an English dictionary for college students’ desks. Therefore, it would make sense for a hacker to use a word list from a spelling checker, instead of generating permutations of characters. In response, you should make the hacker work harder by choosing a password that is not in the dictionary of your local language.

For a given number of characters, the strongest password is a random sequence of lower- and upper-case letters and digits. However, such a password can be difficult to remember. My suggestion is to choose an unusual foreign word that does not appear in the dictionary of your local language. If you are tempted to use foreign characters (e.g., ö, é) in the password on a computer in the USA, first ask the system operator if those characters are allowed in a valid password on the system, as most operating systems in the USA are limited to using only the first 128 characters in the ASCII set (i.e., no foreign characters).

Of course, you don’t need to limit yourself to official languages. You can invent your own words, e.g., garkle6snerkle. Such words are much easier to remember than unpronounceable clusters of characters, e.g., c5U3rN.

Having chosen a good password, do not write it down, and do not tell anyone what it is. (Get a separate account for your spouse, each of your children, each of your co-workers, … so that no one shares passwords.) This rule can create a problem if you die or are incapacitated, so perhaps you should write it down once: on a sheet of paper that you keep in a bank’s safe deposit box (for your personal account) or in a safe in the corporate office (for the company’s computer).

When you get a new computer account, it will come with an initial password, which was probably chosen at random. Follow the instructions from the system administrator for choosing your own password, and change the password. The initial password may have been seen by someone who gave or mailed it to you.

Use a different password at each website, service provider, or computer account.

Changing your password every few weeks is standard advice from computer security experts. However, changing your password every few weeks also makes it easier for you to forget your password. You need to decide if it is worth the bother of changing passwords every few weeks. If you do forget your password, you will need to contact a system administrator, prove that you really are the official user, and get a new initial password assigned.

Many users store their user name and password in a logon script on their hard disk in various programs: e-mail (e.g., Eudora), web browser (e.g., Netscape), terminal emulator (e.g., Procomm), and modem control programs (e.g., Trumpet Winsock). This storage of user name and password is convenient, as it automates the logon process. However, if you store your user name and passwords in logon script(s), then:
You should definitely enable the password setting in the BIOS of your computer, so that a password is required every time the machine is switched on. You might also enable a password setting in Windows 98 or another operating system, to give an additional layer of protection against unauthorized use of your computer.

If other people have access to your computer when your machine is running and you are away from your desk, you should install screen saver software that requires a password to return to the operating system or applications software.

If your computer is stolen, it is possible for the thief to logon to all of your accounts. Therefore, it is essential that you logon to each of your online accounts and change the password for each account immediately after the theft of the computer is discovered.

This remediation includes changing your passwords at online stores (e.g., amazon.com). The information stored on your computer in the cookies.txt file that your web browser accesses identifies you to each online store, and could make it possible for a thief to impersonate you and to charge items to your credit card.

Nearly everyone has private data (e.g., medical and financial data on a home computer; business secrets on a computer in the office) on their machine. The same suggestions about a password in BIOS and a password in a screen saver apply if you have confidential or proprietary information on your computer. However, unlike changing online account passwords, there is no easy way to destroy the value of confidential data in files on a stolen computer. Users with very sensitive data (e.g., military secrets, major trade secrets) should encrypt all of their data files.
