Passwords: “Long, Strong, but Memorable”


1. Read Background
2. Complete lab assignment
3. Complete Security Checklist
4. Answer Discussion Questions

Background


Summary:

Confidentiality is one of the three pillars of computer security; the other two are integrity and availability. Enforcing confidentiality depends on authentication: a system must know who is asking before it can decide what to reveal. The most popular form of authentication in use today is the password, but passwords have a well-known problem: “People can’t remember strong passwords, and the passwords they can remember are easy to guess.”

Description:

A password is an authentication mechanism used to verify that a user is the legitimate owner of a user ID. Attackers can guess passwords with brute-force attacks (trying every possible combination, relying purely on trial and error) and dictionary attacks (trying each entry in a list of dictionary words and other likely candidates), and then use the account to commit illegal or undesirable acts in your name.

Risk – How can it happen?

When you use an easily guessed password, such as your user ID, any name, or a word from the dictionary, it becomes an easy target for brute-force and dictionary attacks. When you use a strong password but write it down and stick it to your monitor, place it under your mouse pad or in your drawer, or write it in a book, your password can simply be stolen.

Example of occurrence:

On Sunday, January 4th, 2009, a hacker known only as GMZ used a tool he developed to launch a dictionary attack against the account of a Twitter user named Crystal. The program ran for several hours overnight, automatically trying different English words. When “he checked the results Monday morning at around 11:00 a.m. E.T., he found he was in Crystal’s account.” GMZ soon realized that Crystal was actually a Twitter staffer with administrative privileges. He was able to compromise several high-profile accounts by resetting their passwords and making them available to fellow hackers. These included the accounts of President-elect Barack Obama, Britney Spears, CBS News and Fox News.

Weak Password Brings ‘Happiness’ to Twitter Hacker http://blog.wired.com/27bstroke6/2009/01/professed-twitt.html

How do you determine the strength of your password?

The following is a partial list of checks you can perform to decide whether your password is good:

  • Memorability: you should be able to remember the password
  • Length: the password should be at least eight characters long; generally, the longer the password, the stronger it will be (Windows XP allows up to 127 characters)
  • Alphanumeric characters: the password should include both letters and numbers
  • Upper- and lower-case: the password should include both upper and lowercase letters
  • Punctuation and non-alphanumeric characters: it should include one or more characters, such as #, $, !, @ and punctuation marks, such as the period and comma.

One method for constructing a good password has three steps: (1) make up a sentence you can easily remember; (2) take the first letter of every word in the sentence and keep the punctuation; (3) for variety, throw in extra punctuation or write numbers as digits. Here are some examples:

Password      How to remember it
Mrci7yo!      My rusty car is 7 years old!
2emBp,1ib     2 elephants make bad pets, 1 is better
ItMc?Gib.     Is that MY coat? Give it back.

Laboratory/Homework Assignment


Complete the (printed) security checklist for each (password, password hint) pair below. Also list any problems with the password, or improvements you suggest, in the space provided. The first question is completed for you as an example.

    1. Password: Ihtk:JaJ.          Password hint: I have two kids: Jack and Jill.


Security Checklist – Answer for Question 1

Vulnerability: Weak password    Course: Computer Literacy
Task – For each password, decide whether the following criteria are met:    Yes/No    N/A
1. Is the password at least 8 characters long?    Yes
2. Is the password memorable?    Yes
3. Does the password contain both letters and numbers?    No
4. Does the password include both upper- and lowercase characters?    Yes
5. Does the password include punctuation and/or other non-alphanumeric characters?    Yes
If you answered no to any of the above questions, then your password is weak.

Problems: The password could be made stronger by including a number.

    2. Password: Mlmc,&mlmiw!       Password hint: Me luv me cookie, and me luv me ice water!
    3. Password: Ychf,L.Gyttds.     Password hint: You cannot hide forever, Luke. Give yourself to the dark side.
    4. Password: IlteD&Aic.         Password hint: I like to eat Dave & Andy’s ice cream.
    5. Password: N,tcoWiC!          Password hint: No, the capital of Wisconsin isn’t Cheeseopolis!

Security Checklist

Vulnerability: Weak password    Course: Computer Literacy
Task – For each password, decide whether the following criteria are met:    Yes/No    N/A
1. Is the password at least 8 characters long?
2. Is the password memorable?
3. Does the password contain both letters and numbers?
4. Does the password include both uppercase and lowercase characters?
5. Does the password include punctuation and/or other non-alphanumeric characters?
If you answered no to any of the above questions, then your password is weak.

Problems:


Discussion Questions

  1. If a longer password is more secure, why not just use the entire sentence instead of picking the first letter of each word?
  2. Exercise: use Password Checker to verify whether your passwords are strong enough. Password Checker is a Microsoft tool and is available at:

http://www.microsoft.com/protect/fraud/passwords/checker.aspx

  3. Watch the video on "passwords to avoid and other safety tips".

Copyright © Towson University