Passwords are the primary way various systems, networks and applications verify that the user logging into the system is who he claims to be. This is why password security is enormously important for protection of the computer user, the workstation, and the network.
We all know that we should use secure passwords. However, it has been tried and proven that the majority of computer users use some of the simplest passwords to log into them home, business computers or to carry out online transactions. For their part organisations do their best to educate users to use stronger passwords but time after time the computer users fail to comply with any of the password security requirements or sometimes they complain that password policies and restrictions are making computer use too complex.
One of the problems with passwords is that users forget them. In an effort to not forget them, they use simple things like their dog’s name, their son’s first name, celebrity names, and birth date, the name of the current month – anything that will give them a clue to remember what their password is.
I have to confess that passwords are annoying. In the present age, almost everybody needs some kind of password or PIN everywhere. We have so many that we can’t keep track of them all. We forget to update them; and when we do, it’s difficult to come up with effective ones that we can still remember, so we procrastinate changing them for months, even years. We all know this is bad, but the alternative – the painful, irritating password creation and memorisation process – is most times more than we can tolerate.
How do I know your password?
While passwords are a vital component of system security, they can be cracked or broken relatively easily. Password cracking is the process of figuring out or breaking passwords in order to gain unauthorised entrance to a system or account. It is much easier than most users would think.
There are many ways out there that can be used to crack or obtain passwords. These include, Dictionary attacks, Brute force attacks, Social engineering, Password sniffing, Key logging and others
There are also a plethora of tools readily available that can be used by any dedicated person to exploit and crack passwords on any system or network. With enough time, motive and resources any password can be cracked and hence users and organisations should not depend on any false sense of security but should take proactive measures to implement layered security on top of just using passwords. Examples are 2 or 3 factor authentication mechanisms and encryption
Good Password Security Guidelines
Now that we know that someone somewhere out there in a bunker or enjoying some sun on a nice remote beach can grab or steal your password, users should by all means try to create secure passwords.
When creating passwords, it is advisable to follow some of the following guidelines:
- Avoid using default passwords
- Avoid using the easily guessable and common passwords
- Do not use known words in local vernaculars like Shona and Ndebele — Password cracking programs often check against word lists that encompass dictionaries of many languages. Relying on foreign languages for secure passwords is of little use.
- Do not use hacker terminology
- Do not use personal information — Steer clear of personal information. If the attacker knows who you are, they will have an easier time figuring out your password
- Do not invert recognizable words — good password checkers always reverse common words, so inverting a bad password does not make it any more secure.
- Do not write down your password — never store your password on paper. It is much safer to memorize it.
- Do not use the same password for all machines and applications — It is important that you make separate passwords for each machine, application or sites. This way if one system is compromised, all of your machines will not be immediately at risk.
- Do not share your password with anyone, even your sweetheart…ooops)
Change your passwords regularly and you should also not re-use a password for at least a year.
- Use different passwords. You should use different username and password for each login or application you are trying to protect. That way if one gets compromised the others are still safe.
- Use a pass phrase. Rather than trying to remember a password created using various character types which is also not a word from the dictionary, you can use a pass phrase…..these are easy to remember e.g. 1nHr3@mb^re-mu5iKa = in Harare at mbare musika.
- Make the password at least eight characters long — The longer the password is, the better.
- Organisations should create password enforcement policies and strong awareness programs
- Build a password with at least the following character sets, uppercase letters lowercase letters, numerals (1, 2, 3); special characters ($, ?, &, ^); and alt characters ( µ, £, Æ.)
Finally, passwords are just one piece of the puzzle. Other pieces are general user education, good physical security, plugging and patching network holes, and installing strong firewalls. These provide much more global and in-depth protection from the perils of the hackers.