
SANS ISC: InfoSec Handlers Diary Blog



Tip of the Day: Strong Passwords

Published: 2006-08-01
Last Updated: 2006-08-01 10:59:49 UTC
by Johannes Ullrich (Version: 1)
This is the first in our "Security tip of the day" series. Guess since I mentioned strong passwords, I got a lot of tips about how to pick them. So let's get that out of the way with our tip #1:

Probably the easiest way to pick a better password is to move to passphrases. Instead of a word, a passphrase is a sentence. For example: "This is a good password" vs. "password". Obviously, passphrases are much harder to brute force. They can still be guessed. But "My favorite pet's name is Fluffy" is much harder to guess than just "Fluffy".

You may still play the usual tricks and substitute certain letters with "leet speak". "My f@vorit3 pet's name is Fluffy".

In some cases the size of your password may be limited by the system. In these cases, you can use just the first letter of each word in your passphrase.
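The comparison above, worked through in Python as an added example that is not part of the original diary. It estimates the exhaustive-search keyspace of the article's sample passwords and of the first-letter shortening. The character-class alphabet model and the 7776-word list size are assumptions made for this sketch.

```python
import math
import string

# Assumed attacker model: the alphabet is the union of every character
# class that appears in the secret (space is counted with punctuation).
CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation + " "]

def charset_size(secret):
    """Size of the class-based alphabet needed to cover every character."""
    return sum(len(c) for c in CLASSES if any(ch in c for ch in secret))

def brute_force_bits(secret):
    """log2 of the keyspace for exhaustive search at this length and alphabet."""
    return len(secret) * math.log2(charset_size(secret))

def word_guess_bits(secret, wordlist_size=7776):
    """Ceiling if the attacker guesses whole words instead of characters.
    wordlist_size is an assumed figure; a natural sentence scores lower."""
    return len(secret.split()) * math.log2(wordlist_size)

def first_letters(phrase):
    """Shorten a passphrase for length-limited systems: first character of each word."""
    return "".join(word[0] for word in phrase.split())

def report(secrets):
    """Return (secret, length, alphabet size, brute-force bits) per secret."""
    return [(s, len(s), charset_size(s), round(brute_force_bits(s), 1))
            for s in secrets]

if __name__ == "__main__":
    phrase = "My favorite pet's name is Fluffy"
    samples = ["password", "Fluffy", "This is a good password", phrase,
               "My f@vorit3 pet's name is Fluffy", first_letters(phrase)]
    for s, n, cs, bits in report(samples):
        print(f"{s!r:36} len={n:2} alphabet={cs:2} brute-force bits={bits}")
    print("word-level ceiling for the phrase:",
          round(word_guess_bits(phrase), 1), "bits")
```

Under this model the six-character first-letter form "MfpniF" has a smaller exhaustive-search keyspace than the eight-character "password", so a shortened passphrase should start from a sentence with as many words as the length limit allows.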

Not everybody agrees with it, but I do recommend using a set of passwords for different uses. Use a throwaway password for all the random web sites you have to register with (e.g. your favorite newspaper and such). A second password for things like online forums you contribute to (a bit more tricky, as if someone gets that password, they could damage your reputation by posting in your name). Lastly: Be careful what you allow the web site to store. You may not care if anybody knows your order history for an online store. If so, you could choose one of your commodity passwords. But it's different if you allow the site to keep your credit card number.

How to store passwords: There are a number of "password safe" applications that are usually pretty good. I am not too concerned about how well they protect your password once a person has broken into your system (either physically or remotely). If they do, then it's usually "game over" anyway, as they will now get the info they need via keyloggers and means like that. Same for writing down passwords. You probably don't want to use Post-It notes at work. Too many people usually have easy access to your desk. But at home: Write your passwords down and keep the sheet close to the PC. Maybe obfuscate them a bit by writing them down backwards. But if a burglar breaks into your house, a lost online banking password is probably not a huge deal compared to the other damage and easily changed.

For your awareness program: A couple of universities came out with nice "Passwords are like Underwear" posters (a Google search will reveal others if you don't like this particular version).

Fellow handler Don Smith also noted that in the Denver area a number of car break-ins have been linked back to identity theft.

With that: No more tips on strong passwords! I want tips on how to avoid using passwords ;-). Or if you've got another security tip, please let us know via the contact form. After all: August is security tip month!

I would like to thank the following for contributions to this tip:
Micha Pekrul, Frank Hieber, Dan Kirk, Christopher Vera and my fellow handlers.
Keywords: ToD