Why do we need to have a "strong" password?
Currently, passwords are our only protection for the confidentiality of data, since they are the only part of a username/password combination that truly remains secret. This protection extends from your company data, in the case of information that is protected by your Windows logon, to your own personal data.
Current viruses and worms come pre-programmed with a large list of weak or common passwords, allowing them to access your machine effortlessly if one of these passwords matches the one on your account. [Note that some viruses have now started to target accounts in applications such as Microsoft SQL or MSDE that have weak passwords. It is important to choose strong passwords for applications as well as for login accounts.]
What are some things to avoid when selecting a password?
Never use the name of a pet, spouse, or child as a password, as these are obvious choices to anyone wishing to attempt to access your account.
Telephone numbers, birthdates and other personally identifiable information are also poor choices, as they are easily guessed.
Words that are in the dictionary of any language are also poor choices. Many programs designed to guess passwords are programmed to try these words first.
Simple substitution (i.e. changing '1' for 'I' or '2' for 'Z') is not a good strategy, as many password guessing programs take these sorts of substitutions into account.
What are some good strategies for selecting a good password?
The paradox of password security is that for a password to be strong it needs to be hard to guess, but for it to be useful to the person who needs it, it needs to be easy to remember. Whatever is hard to guess is usually not easy to remember. The trick is to make the password something that is meaningful only to yourself.
For example, you could take the phrase "I like to eat Apple on Sundays."
(Assuming that you do like to eat kiwis on Tuesdays.)
- This can be abbreviated as ILTEAOS.
- By inserting some special characters into the phrase, this can be expanded to IL&TE$AOS.
- By adjusting the case of some of the letters, you can make this even more difficult to guess: Il&tE$aOs.
Therefore, you have your own personalized password that is easy for you to remember, but very difficult for someone else to guess.
Of course, keep in mind that this example, and any others that you may read on-line, would be bad choices for passwords, as people with bad intentions can read them just as easily as you can.
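To show how the rules in this FAQ can be applied mechanically, here is an added Python example (not a tool from the original page) that screens a candidate password against the avoid-list above and builds the first-letter abbreviation of a phrase. The word lists, the substitution table and the sample passwords are constructed for illustration; a real screening tool would load a full common-password list.

```python
"""Screen candidate passwords against the FAQ's rules (added example).

All lists below are constructed stand-ins; a real deployment would use the
large common-password lists that worms and guessing programs carry.
"""
import itertools
import re

# Constructed: weak or common passwords that guessing programs try first.
COMMON_PASSWORDS = {"password", "letmein", "qwerty", "welcome", "admin",
                    "123456", "iloveyou"}
# Constructed: dictionary words from any language are poor choices.
DICTIONARY_WORDS = {"apple", "sunday", "kiwi", "dragon", "monkey", "summer",
                    "computer", "passwort", "bonjour"}
# Constructed: examples published on-line (including this FAQ's own) must be
# rejected, since anyone can read them.
PUBLISHED_EXAMPLES = {"ILTEAOS", "IL&TE$AOS", "Il&tE$aOs"}
# Assumed substitution table: the "simple substitutions" guessing programs undo.
# A value with several letters means the symbol is tried as each of them.
SUBSTITUTIONS = {"1": "il", "2": "z", "0": "o", "3": "e", "4": "a",
                 "5": "s", "7": "t", "$": "s", "@": "a", "!": "i"}


def undo_substitutions(pw):
    """Return every plain-letter reading of pw once the substitutions above
    are reversed, e.g. 'Pa$$w0rd' -> {'password'}; '1' is read as 'i' and 'l'."""
    choices = [SUBSTITUTIONS.get(ch, ch) for ch in pw.lower()]
    return {"".join(combo) for combo in itertools.product(*choices)}


def abbreviate_phrase(phrase):
    """First letter of each word, upper-cased, as in the FAQ's ILTEAOS step."""
    return "".join(word[0].upper() for word in re.findall(r"[A-Za-z]+", phrase))


def weaknesses(pw, personal_info=()):
    """List the FAQ rules a password violates; an empty list means none found.

    personal_info: names, phone numbers, dates etc. that the user would be
    tempted to reuse (constructed per user; assumed to be supplied by caller).
    """
    reasons = []
    if len(pw) < 8:
        reasons.append("too short")
    if pw.isdigit():
        reasons.append("digits only (looks like a phone number or date)")
    lowered = pw.lower()
    if lowered in COMMON_PASSWORDS:
        reasons.append("on the common-password list")
    # Reverse simple substitutions, drop leftover digits/punctuation, and check
    # the word lists the way a guessing program would.
    for reading in undo_substitutions(pw):
        letters = re.sub(r"[^a-z]", "", reading)
        if letters in DICTIONARY_WORDS or letters in COMMON_PASSWORDS:
            reasons.append("dictionary or common word once substitutions are undone")
            break
    if pw in PUBLISHED_EXAMPLES:
        reasons.append("published example password")
    for item in personal_info:
        if item and item.lower() in lowered:
            reasons.append(f"contains personal information: {item}")
    return reasons


if __name__ == "__main__":
    # Constructed candidates: the FAQ's own example, a substituted dictionary
    # word, a phone-number-like string, a pet name, and a fresh phrase acronym.
    samples = ["Il&tE$aOs", "Pa$$w0rd", "5551234", "Fluffy2019",
               abbreviate_phrase("My old cat chased two red balloons yesterday")]
    for candidate in samples:
        print(candidate, "->", weaknesses(candidate, personal_info=("Fluffy",)) or "no rule violated")
```

The substitution reversal is what makes "Pa$$w0rd" fail: after undoing `$`→s and `0`→o it is just "password", which is exactly how the guessing programs the FAQ mentions treat it. The acronym of a phrase only you know passes every listed rule, while the FAQ's published example fails only because it has been published.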
What are some good strategies to protect my password, now that I have chosen a strong one?
Never write your password down on a post-it note, or try to hide it somewhere around your workspace. There truly are not very many original hiding places, and anyone who has access to your office would have an opportunity to find this valuable secret.
Never provide anyone with your password. No one needs to know your password but
you. If you forget your password, support personnel have the ability to reset
your password, but you should never be asked to reveal your password.
There is mention of "strong" passwords, but not "secure" passwords. Why is this?
This is intentional. Passwords are generally not considered secure, since it is only a matter of time before a password cracking program will be able to decipher them, or guess them through brute force. This is one of the reasons that you are required to change your password regularly, currently every 3 months. As computers become more powerful, cracking passwords becomes faster, and the need to change to a new password more frequently becomes even more important.
Until then, you can always follow the advice of Clifford Stoll, and treat your password like a toothbrush:
o Get a good one
o Use it every day
o Change it regularly
o Never share it with anyone.