Fundamentals and nuances of selecting a password


Password protection is traditionally used in many systems for many purposes. With this method, access is limited by what the user knows (a password). However, this principle is often violated in practice, for example when users are forced to write down (on paper or in a file) passwords that are too difficult to remember. As a result, access to the system is in fact based on what the user has (a note or a file with the password), which in many cases significantly reduces the security of the system.

The question of choosing an optimal password is very important. It is impractical, for example, to use a password of 50 random alphanumeric characters for an ordinary e-mail account whose messages contain nothing of critical importance and are transmitted in clear text. An attacker will find it much easier to exploit some other weakness than to guess such a password.

Of crucial importance is the object that the password protects. Let us divide objects by importance into two classes: low and high. This is quite conditional and not a classification in the strict sense. One can say that objects of high importance require more reliable, and more costly, protection. However, the classification is not fixed. Suppose that the control room of a nuclear power plant has two control panels (physically they may be far apart and not connected logically). One of them controls the reactor process directly; the other controls external systems: the fire alarm, protection of the premises, door locks, etc. Access to the first panel is critical, because it can lead directly to an accident. However, access to the second panel may allow an attacker to get inside the building and obtain physical access to the first panel. In this sense the second panel is also critical and must be assigned to the objects of high importance.

Thus, if through a given system one can reach an object of higher importance, that system can no longer be regarded as being of low importance.

Try to assess the importance of your data. If you are considering strengthening its protection, this can and should be done. Even if your object belongs to the low-importance category, the password must still be strong, so that it does not "fall" when someone searches for weak links. For example, when an attacker has obtained access to a set of accounts and looks for those with primitive passwords, they are easily found by means of a "dictionary attack". This type of attack is very widespread, and protecting against it greatly improves your security.

Your secret information should stay secret over time. I proceed from the position that, within one's real possibilities, one should aim for the maximum level of security.

Often the need for a password arises when time is short, and the person chooses a password that is easy to remember, for example:

111, 11111, 666, 123, 1234, 12345, 122333, 489t, aaa, bbbb, xxx, qwerty, psw, password, key, psswrd, Jenny555, JohnM, user2, a masterpiece, I am beautiful, against!War.

The only difference is that the last few are several orders of magnitude harder to guess than the rest. And even such a password should be the worst one you ever use. It is not suitable if you want strong protection: it may save you from the pranks of low-level computer vandals, but nothing more. However, this does not mean that a good password must be difficult to remember and use.

Most people create a password so that it is easy to remember and easy to type. But this is a bad habit. In fact, passwords that significantly increase resistance to guessing can be quite easy to use. You need to develop the habit of using secure passwords; keeping them in mind is even easier than remembering "1237712".

Traditionally, a password is considered the more reliable, the larger the sets of characters from which it is formed. The sets usually considered are:

{ 0 - 9 } - digits
{ a - z } - lowercase letters of the Latin alphabet
{ A - Z } - capital letters of the Latin alphabet
{ а - я } - lowercase letters of the national (in Russia - Russian) alphabet
{ А - Я } - capital letters of the national alphabet
{ ~!@#$%^&*()_+,. ... } - punctuation marks and special characters
{ characters entered using a special keyboard or by entering their character codes }

As well as combinations of these sets. In real life the first sets are used much more often than the last ones. Moreover, an attacker often uses frequency analysis. For example, the "favourite" digits are 0, 1, 3, 7, and the favourite combinations 123, 111, 222, etc. Among letters: a, aaa, xx and others. The preferred punctuation marks are !.,?@#+. There is apparently a psychological rationale for this.

This means that a password should use lowercase and capital letters, digits and special characters all at once. But remember that the password aA1! is still not reliable, despite containing all four classes.

In principle, a password can contain any character that has a code, for example in some version of Unicode (which is a huge set of characters), if the program in which the password is entered supports that encoding. It may also contain non-printable characters entered by their character codes.

Length and meaningfulness of a password. The ideal password is a sequence of random characters of the maximum length (although in some systems increasing the length does not increase, or even decreases (!), its reliability). However, passwords that do not satisfy this condition can also be reliable enough for many applications.

Thus, when choosing a password you need to decide whether you will keep it in your memory or whether it will have to be stored on some medium. Below we give recommendations for both cases. For the first case, you can create sufficiently strong passwords that are easy to remember. In the second case, make the passwords from random characters and store them in a safe place. To generate passwords you can use generators, and to store them, password manager programs. Some programs combine both functions.

In English, the word "password" literally means "the word for passing". I emphasize: the word. Here again psychology comes into play; perhaps this is called mentality. It seems to me that this alone can explain why cat, table, John are used as passwords, by people who naively believe: "Isn't it a passWORD?".

I strongly recommend NOT using such "words" as a password!

Fortunately, the English-language literature increasingly uses the term "passphrase", which current reality demands. And it is much closer to what I want to tell you.

Say that a "password" (i.e. a primitive password) may be one of a thousand common words (which, although optimistic, is close to reality). If you use a random set of two words, there are a million options. With three words, a billion. With five, a million billions!

Of course, if the words are related in meaning (which is effectively what happens when a two-word password forms a sentence), the number of options is reduced. But given that you are free to vary the case, choose punctuation, etc., the order of complexity remains.

Thus, I recommend using a passphrase of four or more words, and the number of characters should be large. Your passphrase must not be the first sentence of the book lying next to you, especially when everyone knows it is your favourite. The best phrase is one invented by you and known only to you; the less logical sense it makes, the better. For example:

acacia pleased with its beauty

Consider the drawbacks: "acacia pleased", "pleases her", "pleases with beauty", "its beauty" are common phrases. Let's try to fix that:

acacia out! stylus over beauty

Here we use a feature of our brain: it remembers unusual things. Such a password may be even easier to remember. To create such illogical phrases it is easier not to think; then they appear by themselves. And it is much more difficult to "hack"/predict these random bursts of the unconscious.

This is already quite a suitable option, but we will transform it a bit further:

acacia-OUT!/stylus/Above/Beauty

Moreover, this transformation (the first phrase is simpler, this one is more complicated) helps in the following way: if you did write the password down, you can allow yourself to write down only the first version of the password. First, it is less recognisable as a password, and second, even if someone guessed it, it has been changed, and only you know how (but do not forget :)).
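The word counting from the "thousand common words" paragraph and the case/punctuation transformation applied to the acacia phrase, as an added Python example (not code from the article). The word list is a constructed stand-in for a real dictionary of a few thousand words, the separator set is an assumption, and random choices come from the `secrets` module rather than from a person's head, since the article notes that human "random" choices are what frequency analysis exploits:

```python
import math
import secrets

# Constructed mini word list standing in for a real dictionary (assumption);
# a real generator would load a list of a few thousand words.
WORDS = ("acacia", "stylus", "beauty", "over", "pleased", "out", "glass",
         "river", "lantern", "velvet", "anchor", "pepper", "above", "comet",
         "marble", "thistle")

# Per-word case styles used by the article's own example (lower / UPPER / Capitalized).
CASE_STYLES = (str.lower, str.upper, str.capitalize)


def passphrase_bits(dictionary_size, word_count):
    """log2 of the number of word sequences: D ** n possibilities.
    1000 words x 2 -> ~20 bits ("a million"), x 5 -> ~50 bits ("a million billions")."""
    return word_count * math.log2(dictionary_size)


def transform(words, case_choices, separators):
    """Rebuild a phrase with a case style per word and a separator per gap,
    i.e. the manual trick the article applies to 'acacia out! stylus over beauty'."""
    if len(case_choices) != len(words) or len(separators) != len(words) - 1:
        raise ValueError("need one case choice per word and one separator per gap")
    out = []
    for i, word in enumerate(words):
        out.append(CASE_STYLES[case_choices[i]](word))
        if i < len(separators):
            out.append(separators[i])
    return "".join(out)


def transform_bits(word_count, separator_choices):
    """Extra bits gained when case and separators are chosen uniformly at random."""
    return (word_count * math.log2(len(CASE_STYLES))
            + (word_count - 1) * math.log2(len(separator_choices)))


def random_passphrase(word_count, words=WORDS, separator_choices=("-", "!/", "/", "_")):
    """Pick words, case styles and separators with the OS CSPRNG.
    Returns (phrase, estimated bits of entropy)."""
    chosen = [secrets.choice(words) for _ in range(word_count)]
    cases = [secrets.randbelow(len(CASE_STYLES)) for _ in chosen]
    seps = [secrets.choice(separator_choices) for _ in range(word_count - 1)]
    bits = (passphrase_bits(len(words), word_count)
            + transform_bits(word_count, separator_choices))
    return transform(chosen, cases, seps), bits


if __name__ == "__main__":
    # Reproduces the article's own transformed phrase from its word sequence.
    print(transform(["acacia", "out", "stylus", "above", "beauty"],
                    [0, 1, 0, 2, 2], ["-", "!/", "/", "/"]))
    phrase, bits = random_passphrase(4)
    print(phrase, f"~{bits:.1f} bits")
```

The entropy figures only hold when the words really are drawn uniformly; a phrase the user invents is harder to quantify, which is why the article's advice to avoid common collocations matters.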

One example of why not to use the space character in a password. On most keyboards, pressing the space bar is accompanied by a characteristic "click", a louder sound than other keys. That is, by listening one can identify the number of spaces in the password (hence the number of words) and the approximate number of letters between them (the length of the words).

An attacker often does not attack your account directly. He can analyse a database of accounts and crack those whose passwords are weaker. Yours may be among them. So take steps to avoid this.

OK. Now you are using a really good password. But just in case you decided to write it down, so as not to forget it. You decided to create a file on your computer and save the password in it? Maybe the file is called "password.txt" and lies on your desktop? It is better to use a special program, a password manager. The basic principle of these programs: you memorise only one password, for entering the program, and all other passwords are stored by the program (usually encrypted).

You do not trust these technologies? And decided to keep the password on a slip of paper, something like:

Password for the mailbox mymail@bestmail.ru
mysecurepass_utfj8g5Wp8s5453

Preferably do not write down what the password is for. Do not write the login, do not write the server/service. You most likely know these anyway. This is done only in extreme cases (too many accounts, etc.).
The point is that if you lose the slip, the person who finds it would be able to use this data. If the slip contains only the password, this seriously hampers unauthorised use, especially if you use a special kind of password to protect yourself from such cases. Consider an example of how to create such a password.

It is good when a password does not look like a password: the person who finds your slip does not guess what it is and throws it away. That mysecurepass is a password, many will guess; utfj8g5wp8s5453 is also likely a password, some of them will say. But if the slip reads:

8-495-390-11-03 Margarita

, many will think it is a phone number (the main thing here is not to forget yourself what it actually is). If this is a real Margarita's number (preferably one you have no connection to, for example a number taken at random from a public directory), you will probably be saved even from those who decide to call it.

This text merely demonstrates the approach: you need to pay more attention to security, security in the digital/virtual world. In the real world, people who fear for their safety and property put locks and alarms on their premises. In the world of computers they just as often leave the door open.

To summarise, read the following list of recommendations:

1. Take the creation of any password seriously; be cautious. Develop the good habit of using secure passwords.

2. If you need to remember a password, use the principles for creating reliable and easy-to-remember passwords:

- the password must be sufficiently long (at least 8 characters);
- the password must include lowercase letters, UPPERCASE letters, digits and special characters; if possible, use additional characters;
- the password should contain as little logical meaning and as few recognisable patterns as possible;
- a complex password is more secure, but it may be inconvenient to use: look for a compromise.

3. Even if you had to create a password in a hurry and used a primitive one (for example, because there was no way to write down or remember a better one), do not delay: change it to a more reliable one in the very near future. We are constantly in a hurry, but a compromised password can cost a lot of time and other resources.

4. If you store or write down passwords, use programs for generating and encrypting passwords.

5. Keep a backup copy of your passwords in a secure place.

6. Use other tricks and invent your own; this is interesting ;)
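An added Python checker (not code from the article) that applies the checklist in point 2 together with the character-set and frequency-analysis discussion earlier on the page. The class sizes follow the article's list (the national alphabet is represented by Russian, as in the article), the list of common fragments is constructed from the ones the article names, and the size assumed for characters outside the listed classes is an assumption. It also computes the log2 of the search space, which shows why aA1! is weak despite touching all four classes:

```python
import math
import re
import string

# Character classes from the article's list; the "national alphabet" is Russian here.
CYR_LOWER = "абвгдеёжзийклмнопрстуфхцчшщъыьэюя"
CLASSES = {
    "digits": string.digits,              # 10
    "lower": string.ascii_lowercase,      # 26
    "upper": string.ascii_uppercase,      # 26
    "cyrillic_lower": CYR_LOWER,          # 33
    "cyrillic_upper": CYR_LOWER.upper(),  # 33
    "special": string.punctuation,        # 32
}
# Assumption: effective size credited for characters outside the listed classes
# (Unicode symbols, characters entered by code).
OTHER_CLASS_SIZE = 100

# Constructed list of the "favourite" fragments the article says attackers try first.
COMMON_FRAGMENTS = ("123", "111", "222", "aaa", "xx", "qwerty", "password", "psw")


def classes_used(password):
    """Return the set of class names the password draws characters from."""
    used = set()
    for ch in password:
        for name, alphabet in CLASSES.items():
            if ch in alphabet:
                used.add(name)
                break
        else:
            used.add("other")
    return used


def keyspace_bits(password):
    """Upper bound on the search space: log2(N ** length), where N is the combined
    size of the classes actually used. A short password stays weak however many
    classes it touches, which is the article's point about aA1!."""
    size = sum(OTHER_CLASS_SIZE if n == "other" else len(CLASSES[n])
               for n in classes_used(password))
    return len(password) * math.log2(size) if size else 0.0


def check_password(password, min_length=8):
    """Apply the article's checklist; return (keyspace bits, list of problems)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    used = classes_used(password)
    if not used & {"lower", "cyrillic_lower"}:
        problems.append("no lowercase letters")
    if not used & {"upper", "cyrillic_upper"}:
        problems.append("no uppercase letters")
    if "digits" not in used:
        problems.append("no digits")
    if not used & {"special", "other"}:
        problems.append("no special characters")
    lowered = password.lower()
    for frag in COMMON_FRAGMENTS:
        if frag in lowered:
            problems.append(f"contains common fragment '{frag}'")
    run = re.search(r"(.)\1\1", password)  # three identical characters in a row
    if run:
        problems.append(f"repeated character run '{run.group(0)}'")
    return keyspace_bits(password), problems


if __name__ == "__main__":
    for candidate in ("aA1!", "Jenny555", "acacia-OUT!/stylus/Above/Beauty"):
        bits, problems = check_password(candidate)
        print(f"{candidate!r}: ~{bits:.1f} bits, problems: {problems or 'none'}")
```

Run on the article's own passphrase, the checker reports only "no digits", which is the compromise between strictness and convenience that point 2 asks you to weigh.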

admin

Published (eng. ver.): 26.04.2009

Last modified: 26.04.2009