
Passwords
Why use passwords ?
When should I use passwords ?
How should a password be created ?
What are the reasons to use a password ? well, there is not so much, but at least an important one : to protect your datas and your privacy. Nowadays, there is so many ways for anyone to collect such things, especially if there are lying on a disk connected to the internet :-), that you cannot expect to be the one at whom "That will never happen...". If you believe that, it's probably too late for you.....
Even if you are working in a non-networked environnement, there is still many risks : anyone who have a physical access to your computer. Even at home, you are not safe. Who will came and have a look when you are not behind their backs ?
When a password should be used ? each time you have the ability to set one. In many products you can protect a document with a password. Notice that the fact that there is way to password protect your document didn't mean that your document are protected. A lot of software are using a password to internaly access the document, but data are written in clear text on the file, viewable by any other software, or the pasword itself lie somewhere in clear. Which basically mean : no protection.
A *good* (well, relatively at least..) software use the password to encrypt the content of the document, and the password didn't show itself anywhere on your computer. Again, notice that many of them are using very WEAK encryption scheme. Which mean LOW protection. But at least, with those one, you can protect your datas from users which have no or little knowledge on encryption.
But, you can render everything useless if you don't take care of the way you'll build your password. Because actually, passwords could not be as simple as a word, a name, a date... With the power of actuals Personnal Computer, anyone can run a dictionnary attack or even a brute-force attack with success on a short range of time. Even if dictionnary attacks are the most common type of attacks you'll find for many softwares.
A password should not be limitted to the use of letters only. And certainly not all lower or uppercase. There is various way of creating a brute force attack, but all basics ones will works on several blocks of letters to reduce the time needed to crack a password, for example :
Set 1 : abc....xyzABC....XYZ
Set 2 : abc....xyzABC....XYZ01..9
Set 2 : abc....xyzABC....XYZ01..9+-_?....\/&
Using Set 1 considerably reduce the time of the attack, so the most obvious set to use in a password is the lattest one....
Second consideration to take in account, there is others quick ways to crack a password list with results, dictionnary attack are based on lists of words that could be used as passwords. If a user protect is datas with a common word that may be on a wordlist, then you're not safe. So another consideration come here : DO NOT USE COMMON WORDS AS PASSWORDS.
A good password should be a phrase, or even better, PARTS of a phrase where you will modify few letters changing them by symbols (eg. replace the o by 0, the i or the l by 1, change each a by -, etc..)
Let say you have a brown dog wich is always barking. You get an easy reminder for that, so you can use a phrase like 'i own a brown barking dog'. Then, you will replace some letters, making few single scheme of your own, to finally get something like 'I_0wnabR0wnbarkIng_d0g'. Bet that will be harder to crack than the use of the name of the dog in question.. :->
But you should carefully consider the use of a too complex scheme. There is two thing to remember when assigning password to a document :
1 - ALL passwords are crackable. Is only a matter of time and money. So you've got a good password for one information when the money spent to crack the password will be greater than the value of the information.
2 - You should NOT use always the same password. If you do that, once a document is unprotected, access to the whole world (your world) is granted. So you should often change yours passwords, use differents ones for each kind of datas.
(C)opyRight 2001 - KLF
All Rights Reserved.