Weak Passwords

Your password is the key to your computer -- a key much sought-after by hackers as a means of getting a foothold into your system. A weak password may give a hacker access not only to your computer, but to the entire network to which your computer is connected. Treat your password like the key to your home. Would you leave your home or office unlocked in a high crime area?

Experiences described in Case 1 and Case 2 demonstrate the importance of passwords and how hackers learn them and exploit them.

Too many passwords are easily guessed, especially if the intruder knows something about the target's background. It is not unusual, for example, for office workers to use the word "password" to enter their office networks. Other commonly used passwords are the user's own first or last name, a child's name, "secret", names of sports teams or sports terms, and repeated characters such as AAAAAA or bbbbbb.

Your computer password is the foundation of your computer security, and it needs to stand up against the tools that hackers have for cracking it. There are about 308 million (26 to the sixth power) possible six-letter passwords drawn from a single case, all upper or all lower. Password crackers that are readily available on the Internet at no cost can check all of them in about 2 minutes.

Draw from both upper and lower case letters (52 symbols) and a six-letter password has about 19.8 billion (52 to the sixth power) possible combinations. Increase the length to eight letters, still mixing cases, and there are about 53 trillion (52 to the eighth power). Allow digits as well (62 symbols) and there are about 218 trillion (62 to the eighth power).

Draw from all 94 printable characters, so that an eight-character password can include upper case letters, lower case letters, numbers, and special characters or punctuation, and there are about 6,095 trillion (94 to the eighth power) possible combinations. Requiring at least one character of every class actually removes the strings that lack one, so the space an attacker who knows the policy has to search is somewhat smaller than that figure, though still enormous. This is still crackable, but requires a more sophisticated program, a far more powerful computer, and far more time.1 Adding more characters makes it harder still: each extra character multiplies the number of possibilities by the size of the alphabet. Note that the cracking times quoted here come from a tool of the period (see note 1); modern hardware tests guesses many orders of magnitude faster, so the lengths recommended below should be treated as a floor, not a target.
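The arithmetic behind the figures above, worked through as an added example that is not part of the original article. It reproduces the keyspace sizes the article quotes, back-derives the guess rate the article's "2 minutes" claim implies, and also counts the smaller space an attacker faces when the policy guarantees one character from every class. The "modern GPU" rate is an illustrative assumption, not a measurement.

```python
"""Keyspace arithmetic behind the password figures quoted in the article.

Added example, not part of the original article.  ARTICLE_RATE is derived
from the article's own claim (26**6 candidates in about 2 minutes);
GPU_RATE is an assumed order of magnitude, not a measured figure.
"""
from itertools import combinations

LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 32   # 94 printable ASCII characters in total


def keyspace(length, alphabet_size):
    """Number of strings of `length` over `alphabet_size` symbols: the
    quantity the article quotes (26**6, 52**6, 52**8, 62**8, 94**8)."""
    return alphabet_size ** length


def keyspace_requiring_all(length, class_sizes):
    """Strings of `length` containing at least one character from *every*
    class in `class_sizes`, counted by inclusion-exclusion.

    This is the space an attacker who knows the policy actually has to
    search; it is smaller than the plain keyspace because candidates that
    lack a required class can be skipped outright.
    """
    n = len(class_sizes)
    total = 0
    for k in range(n + 1):
        for dropped in combinations(range(n), k):
            remaining = sum(s for i, s in enumerate(class_sizes) if i not in dropped)
            total += (-1) ** k * remaining ** length
    return total


def seconds_to_exhaust(space, guesses_per_second):
    """Worst-case time to try every candidate at a fixed guess rate."""
    return space / guesses_per_second


# Guess rate implied by the article: all 26**6 single-case candidates in ~120 s.
ARTICLE_RATE = keyspace(6, LOWER) / 120          # about 2.6 million guesses/s
# Assumption: a single modern GPU against a fast, unsalted hash (NTLM, MD5)
# manages on the order of tens of billions of guesses per second.
GPU_RATE = 5e10


def summary():
    """(label, keyspace, seconds at ARTICLE_RATE, seconds at GPU_RATE) for
    each configuration the article discusses, plus the 10-character case."""
    cases = [
        ("6 letters, one case", keyspace(6, LOWER)),
        ("6 letters, mixed case", keyspace(6, LOWER + UPPER)),
        ("8 letters, mixed case", keyspace(8, LOWER + UPPER)),
        ("8 chars, letters + digits", keyspace(8, LOWER + UPPER + DIGITS)),
        ("8 chars, all 94 printable", keyspace(8, LOWER + UPPER + DIGITS + SYMBOLS)),
        ("8 chars, one of each class required",
         keyspace_requiring_all(8, [LOWER, UPPER, DIGITS, SYMBOLS])),
        ("10 chars, all 94 printable", keyspace(10, LOWER + UPPER + DIGITS + SYMBOLS)),
    ]
    return [(label, n, seconds_to_exhaust(n, ARTICLE_RATE), seconds_to_exhaust(n, GPU_RATE))
            for label, n in cases]


if __name__ == "__main__":
    for label, n, t_old, t_gpu in summary():
        print(f"{label:38s} {n:>22,d}  {t_old / 86400 / 365:12.1f} y  {t_gpu / 86400:10.2f} d")
```

Running the summary shows why the "one of each class" rule buys less than its headline number suggests (it roughly halves the 94**8 space rather than adding to it) and why length, which multiplies the space by the whole alphabet per character, matters more than any single class.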

Here are some simple guidelines for selecting a strong computer password.

  • It should contain at least 10 characters.
  • It should contain a mix of the four different types of characters -- upper case letters, lower case letters, numbers, and special characters such as !@#$%^&*.  Do not use a forward slash, backward slash, or period.
  • It should not be a name, a slang word, or any word in the dictionary. It should not include any part of your name or your e-mail address. Do not use any known set of numbers such as a social security number, date of birth, license plate, or phone number.
  • You should be able to type it quickly, so that someone looking over your shoulder cannot readily see what you have typed.
  • And it should be easy to remember so that you don't need to write it down. If you do write the password down, it must be locked in a secure container approved for the same level of classified or other protected information as your computer.

There are several tricks to developing a password that meets these requirements but is still easy to remember.

  • Replace vowels with numbers or symbols that represent the letter (for example, @ for a or 3 for e).
  • Spell a word phonetically (for example "microphone" becomes "mycrowfone").
  • Pick a familiar phrase and use the first letter of each word (for example, "To boldly go where no man has gone before" becomes "tbgwnmhgb"). On its own this gives nine lower case letters, short of the guidelines above; combine it with capitals and the substitutions above, or include a number and a symbol in the phrase, to reach the required length and mix of characters.

The password used for logging on to your office computer should be different from the password you use to log in to a web site on the Internet. A web site password is far more exposed to compromise: any time you log in over an external network, your password can be captured in transit unless the connection is encrypted. Using a separate and unique password for your office computer keeps a compromised web site password from also opening the office network.

Once you have selected an effective password, protect it. Resist the temptation to write your password down. If you do, keep it with you until you remember it, then shred it! NEVER leave a password taped onto a terminal or written on a whiteboard. You wouldn't write your PIN code on your automated teller machine (ATM) card, would you? You should have different passwords for different accounts, but not so many passwords that you can't remember them. Do not allow anyone to observe your password as you enter it during the logon process.

Do not disclose your password to anyone, not even to your systems administrator or maintenance technician. They have no need to know it. They have their own password with system privileges that will allow them to work on your account without the need for you to reveal your password. If a system administrator or maintenance technician asks you for your password, be suspicious (for reasons discussed under "Social Engineering" and in Case 2).

Use a password-locked screensaver to make certain no one can perform any activity under your User ID while you are away from your desk. These can be set up so that they activate after the computer has been idle for a while. Strange as it may seem, someone coming around to erase or sabotage your work is not uncommon. Or imagine the trouble you could have if nasty e-mail messages were sent to your boss or anyone else from your computer, or your account were used to transfer illegal pornography.

Owing to the importance of user identification and the many problems with passwords, considerable research is now focused on the development of biometric identification systems. In the future, password access to networks containing sensitive information will probably be replaced by some form of biometric identification such as a fingerprint scanner.2

1. Numbers and times are from a password checker that was available at www.symantec.com. This password checker is no longer available at the Symantec site. 
2. "Fingerprints May Soon Replace Passwords," National Security Institute Advisory, December 1998, p. 5.