Stump the Crackers
by Mary Powell, VP Strategic Sales and Marketing, A1 Teletronics

There has been a lot written about creating secure passwords, but still passwords are guessed and systems compromised every day. It is helpful to understand how the password-guessing programs work if you want to beat them.

Offline password-guessing programs are getting faster and smarter. AccessData sells a product called Password Recovery Toolkit (PRTK). Depending on the software whose password store it is attacking, it can test up to hundreds of thousands of passwords per second.

The first attack it performs is to test a dictionary of about 1,000 common passwords: letmein, pswd1, 0000, 1234 and the like. Then it retries each of those with about 100 common appendages. Most passwords consist of a root and an appendage; about 90% of appendages are suffixes and the remaining 10% are prefixes. Some of the most common appendages are abc, 123, 4U and 1.

After this step PRTK looks through an increasingly complex series of root dictionaries: a common-word dictionary, a names dictionary, a comprehensive dictionary, then a phonetic dictionary. It also runs an exhaustive search of all four-character strings. It runs each dictionary in all lowercase (the most common pattern), initial uppercase (second most common), all uppercase and final uppercase. It also runs each dictionary with common character substitutions such as "@" for a, "$" for s, "1" for l, "3" for e and so on.

When it gets to appendages, the program tries:
· All two-digit combinations.
· All dates from 1900 to 2007.
· All three-digit combinations.
· All single symbols.
· All single digits, plus single symbols.
· All two-symbol combinations.

Research indicates that it is much more common for someone to choose a hard-to-guess root than an unusual appendage.

To create a difficult or impossible-to-guess password, use these tips:
· Choose something not on any of the root or appendage lists.
· Mix upper and lower case in the middle of the root.
· Try two roots with an appendage in the middle.
· Use the first letter of each word in a sentence from a song or poem.
· Add numbers and/or symbols in the center of words, e.g. Ch8oc6olat5.
· Remove vowels from several short words, e.g. bmVlntn (be my valentine).

Another technique is using passphrases instead of passwords. Use words that ordinarily would not be together, the longer the better, and include numbers and symbols inside the words rather than only at the end. A few examples might be Diction%arydog5clEAred, pudd7ingwhist1e, gregar8io4usSne2kErS. Each of these is two or more roots with digits, symbols and case changes in the middle, which is exactly what the root-plus-appendage stages described above do not cover.
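To make the attack model above concrete, here is an added example (not code from the article, from AccessData or from PRTK) that builds a toy version of the root-plus-appendage search the article describes and then asks, for a handful of passwords including the article's own suggestions, which stage would recover them. The root list, the appendage list and the guess rate are constructed assumptions: real tools use dictionaries of thousands of words, and the "single digit plus single symbol" class is read here as a digit followed by a symbol.

```python
"""Toy model of a root + appendage password search.

Constructed for illustration; the dictionaries below are tiny stand-ins
for the thousand-word common-password list and the larger root dictionaries
a real offline cracker carries.
"""
import string

# Constructed miniature root dictionary (the article's examples plus a few words).
ROOTS = ["letmein", "pswd1", "0000", "1234", "password", "chocolate", "dog", "summer"]
# Constructed sample of the ~100 common appendages.
COMMON_APPENDAGES = ["abc", "123", "4U", "1"]
# The substitutions listed in the article.
SUBSTITUTIONS = {"a": "@", "s": "$", "l": "1", "e": "3"}
SYMBOLS = string.punctuation          # 32 printable ASCII symbols
GUESS_RATE = 200_000                  # assumed guesses/second ("hundreds of thousands")


def case_variants(root):
    """The four case patterns the article lists, most common first, deduplicated."""
    seen = set()
    for v in (root.lower(), root.capitalize(), root.upper(),
              root[:-1].lower() + root[-1].upper()):
        if v not in seen:
            seen.add(v)
            yield v


def substitution_variants(word):
    """The word as-is, plus the word with every listed substitution applied."""
    yield word
    swapped = "".join(SUBSTITUTIONS.get(c, c) for c in word)
    if swapped != word:
        yield swapped


def appendages():
    """Every appendage class the article enumerates."""
    yield ""                                                    # bare root
    yield from COMMON_APPENDAGES
    yield from (f"{n:02d}" for n in range(100))                 # two digits
    yield from (str(y) for y in range(1900, 2008))              # dates 1900-2007
    yield from (f"{n:03d}" for n in range(1000))                # three digits
    yield from SYMBOLS                                          # single symbol
    yield from (d + s for d in string.digits for s in SYMBOLS)  # digit + symbol
    yield from (a + b for a in SYMBOLS for b in SYMBOLS)        # two symbols


def candidates():
    """Root variants combined with each appendage as a suffix and as a prefix."""
    for root in ROOTS:
        for cased in case_variants(root):
            for word in substitution_variants(cased):
                for app in appendages():
                    yield word + app          # suffix (90% of real appendages)
                    if app:
                        yield app + word      # prefix (the remaining 10%)


CANDIDATES = set(candidates())


def why_guessable(password):
    """Name the search stage that would recover the password, or None if none would."""
    if len(password) <= 4 and all(c in string.printable for c in password):
        return "exhaustive four-character search"
    if password in CANDIDATES:
        return "root dictionary + appendage"
    return None


def seconds_to_exhaust(rate=GUESS_RATE):
    """Time to try every candidate in this toy search space at the assumed rate."""
    return len(CANDIDATES) / rate


if __name__ == "__main__":
    samples = ["letmein", "Chocolate1990", "p@$$word", "99dog", "abcd",
               "Ch8oc6olat5", "bmVlntn", "Diction%arydog5clEAred"]
    for pw in samples:
        print(f"{pw:24} -> {why_guessable(pw) or 'survives this search'}")
    print(f"{len(CANDIDATES)} candidates; exhausted in {seconds_to_exhaust():.1f} s")
```

Scaling the root list from eight words to a real dictionary multiplies the candidate count linearly, but the ordering stays the same: a dictionary word with a trailing year or a leading "99" is found in the first seconds, while the article's Ch8oc6olat5 and bmVlntn never appear in the candidate set because their digits and case changes sit inside the root.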

You can have some fun creating unique and hard-to-guess passwords. Use phrases you will remember, but change them often. There are several password management programs that will help you keep track of your passwords. Check out Password Safe, a free, open-source program downloadable from passwordsafe.sourceforge.net.

Reach Mary at mpowell@a1teletronics.com.

© 2007 Telecom Reseller. All Rights Reserved.