The Georgetown College ITS department has multiple layers of defense against computer-based threats. Anti-malware and anti-virus software, firewalls, proxy servers… All of these help protect you from the myriad of threats that pop up with alarming regularity each day. However, none of these countermeasures are effective without good
password management. Below are some tips for crafting and retaining a quality password, but before we begin, let’s look at the specifics on why we need strong passwords.
How passwords are compromised
Lack of physical security
Passwords are frequently compromised without any sort of high-tech assistance; the
hacker simply finds your password written down somewhere conspicuous. Sticky notes on the monitor, the back of a business card in the drawer of your desk… those are the first places that hackers look. Don’t make it easy for them!
A technical but straightforward method of password discovery. The hacker has a piece of software that contains a gigantic list of common passwords, and the software attempts to validate them one-by-one. The lists can contain hundreds of thousands (if not millions) of passwords, all of which can be cranked through in seconds with high-end computer equipment. Simple passwords like “password” and “computer” can be compromised in fractions of a second.
The most sophisticated attack. Specialized software attempt to determine the length of the password, and then “guess” the password one character at a time by trying all possible combinations. This is the method you most often see portrayed in TV and movies, although they often exaggerate the effectiveness of this method as brute-force attacks usually take inordinate amounts of time.
What you can do
Fortunately, the risk of exposure from these attacks can be mitigated by just a few simple actions. Here are some of them:
Store your password in a secure place
Committing your password to memory is the most secure, but if you’re afraid of forgetting it, store your written password in a locked drawer or other higher-security location. Just don’t forget where you put it!
Do not reveal your password to anyone
Your password is yours alone; never share it. Although there are rare occasions when ITS may request your password, it will be either in-person or over the phone. ITS will NEVER ask for your password directly through e-mail!
Effective Password Length
A good password should be AT LEAST 8 characters. For every character you add, that’s hundreds or thousands of words that a dictionary attack would have to search through, and one more character that a brute-force attack would have to guess-away at aimlessly.
Use mixed-case characters
For most password purposes, the characters “A” and “a” are as different as night and day. Throwing a well-placed capital letter in here-and-there helps your password become less vulnerable. As an added measure, use capitals in places OTHER than just the first letter. Dictionary attacks are smart enough to look for “Password”, but they might miss something like “pasSwoRd”.
Use special characters
Incorporating special characters (#,@,%,&,!) into your passwords can make them even more secure. The further away you get from everyday language, the harder it is for a password to be guessed.
This is a very effective way to arrive at a password that is easy for you to remember but is extremely difficult to compromise. Substitute numbers and special characters for common letters. For example, “monkey” can become “m0nk3y”. The zero and the three visually resemble an O and an E so the password still reasonably looks like “monkey”… but to a computer it’s quite different.
Do not reuse passwords
Re-used passwords or reused portions of passwords increase the likelihood that a dictionary attack will be successful. Turning “yourfirstname1” into “yourfirstname2” doesn’t really change the overall password signature that much; both would be equally susceptible to a dictionary attack.
Combine all of these for maximum effectiveness
Incorporating all of these elements will give you a password that is secure from snooping and immune to all but the most exhaustive dictionary attacks. It should be noted that brute-force attacks can theoretically crack ANY password, but the time and computational effort involved usually outweighs the benefit and most hackers simply move on to the next target.
Most importantly, change your password frequently
Stale passwords make easy targets. In the event a hacker DOES attempt a brute-force attack on your password, a long password life increases the likelihood the attack will be successful. For this reason, passwords should be changed periodically. Once a year should be considered an absolute minimum; every 90 days is much better.
Password Management Software
There are several effective and widely available tools to help you manage your passwords. Software such as KeePass (http://www.keepass.info) allows you to keep a database of usernames and passwords that you can create randomly and copy/paste into password fields as needed. For more information on password management software, feel free to contact the ITS helpdesk.
If you follow these simple tips, you can sleep better at night knowing you’ve done your part to protect your account (and the college) from easily-preventable security breaches.