next up previous contents
Next: Password Sniffing Up: Passwords Previous: Passwords

Password Guessing

As you may know, your password is the secret string you type when you log in to the computer. Everybody knows your "username"; after all, it's your email address. But nobody is supposed to know your password. The HSEAS computer use policy explicitly prohibits sharing your account with others; in practice, that means not letting anyone else know your password.

If an attacker can find out your password, they have obtained complete access to your account. That's why hackers will expend a tremendous amount of effort to get your password.

The most common way a hacker will try to get your password is a "dictionary attack". In a dictionary attack, the attacker takes a dictionary of words and names and tries each one to see whether it's your password. They do this with programs that can guess hundreds or thousands of words per second, which makes it easy for them to try lots of variations as well: the word backwards, different capitalization, a digit added to the end, and so on.

In addition, the hacker community (and the system administration community) has built large dictionaries designed specifically to "crack" passwords. Using words from foreign languages, or the names of things, people or towns, is no protection against current password crackers.

Hackers will also scan your files, looking for words to guess as your password. Using a chemical formula is no good if you're a chemical engineer, since a hacker may find that formula somewhere in your files (in fact, many hacker dictionaries include some chemical formulas). Hackers routinely read your .plan file (the file shown to anyone who runs finger on your account) for hints about your password. Famous dates are in most hacker dictionaries.

A good password is easy to remember but hard to guess. The best way to make a password "un-crackable" is to make it appear random. Remember that you can always include digits and punctuation in a password. Our favorite way to come up with passwords that appear random but are easy to remember is to:

  1. Take a phrase, or a line from a poem or a song. It needs to be at least 8 words long.
  2. Take the first letter from each word, and use it as a character in your password.
  3. Take advantage of punctuation.
  4. If you can't think of one that's long enough, you can use a shorter one and pad it at the beginning and end with digits.

For example, the phrase "One for all, and all for one" yields the relatively un-crackable password "Ofa,&af1".


Del Armstrong
Fri Oct 25 16:31:41 EDT 1996