Knowledgebase

 

Creating Easy-to-remember & Strong Passwords

Listed below are the most mentioned points of consensus among security experts on what a strong should be:

• It should be at least eight (8) characters long.
• It does not contain your username, real name, company name, or the name of someone close to you (e.g. spouse, children, pet).
• It does not contain a complete word, contained in any dictionary.
• It is significantly different from your previous passwords.
• It includes a combination of upper and lowercase alphanumeric characters and symbols.

Instead of thinking “password,” think “passphrase.” Stringing a unique or nonsensical phrase together to form a password will help you remember it better. See the examples below:

Example 1

Source phrase: Ann’s birthday is April 13.

Password created: aNNbi/04-13!

Example 2

Source phrase: Crazy monkey likes cotton candy

Password created: CraZM0nk3y <3 c0tc4nD

• You can substitute letters with numbers and symbols.
• Some websites also allow using spaces in your password.

Password Security Dos & Don’ts

 

Alternative to Passwords: Public Key Authentication

Public key authentication is a more secure and flexible way to identify yourself to a login server. It is, however, more difficult to set up. In this verification process, you first need to generate a key pair consisting of a public key and a private key. The private key is used to generate signatures. You then copy the public key to the server under a certain name. When the server asks you to prove who you are, you can generate a signature using your private key. The server then verifies that signature and allows you to log in. Thus, if that server gets compromised, the attacker does not gain your private key or password; they only gain one signature and signatures cannot be re-used, so they get nothing.

There are several public-key algorithms available. The most common of which is the RSAand the DSA (also known as DSS), the US’ federal Digital Signature Standard.

Access these links for more information on public key authentication:

• https://help.ubuntu.com/community/SSH/OpenSSH/Keys
• http://the.earth.li/~sgtatham/putty/0.55/htmldoc/Chapter8.html
• http://winscp.net/eng/docs/public_key

 

Password Storage For Developers

Never store passwords in plain text as this makes it very easy for just about anyone to pick the passwords off that list. Encrypting passwords is also not an entirely secure option as anyone with admin privileges can decrypt them. 

The best way is to store a cryptographic hash of the password. The most popular password scramblers are MD5, SHA-1, SHA-2 (a family of hash functions: SHA-256, SHA-384, SHA-512, and more), and SHA-3 (another family of hash functions). Note however that it is best not to use MD5 as its original author declared its end-of-life as it is no longer safe to use on commercial website. The same goes for SHA-1, which had several published theoretical attacks done to it.

 

Password Threats

Real-world Social Engineering. These threats include actions done in the real world or those used to manipulate an into steal information. An example can be nabbing a password written on a post-it lying about after luring a user away from her computer. Another way is to impersonate an IT engineer and ask another employee to give the password over the phone. One more example is when a malicious user tries to guess a target’s password by learning some information about that person and using these gathered bits to piece together the password.

Keyloggers. This type of surveillance spyware can either be a software or hardware that records every keystroke you make on your keyboard. In malware attacks, these components send the information they gather to the cybercriminal.

Sniffers. They look at raw data transmitted across a network and decipher these before packaging and sending them over to the perpetrator. It sniffs and reads every keystroke you send out from your machine, including passwords.

Brute-force Attacks. These attacks can be done physically or by using malicious bots and worms. They are exhaustive key search that systematically checks all possible words or keys until the right one is found.