Tycoon Talk
How to break ANY encryption scheme
Old 09-26-2007, 07:22 PM How to break ANY encryption scheme
Learning Newbie's Avatar
Name: John Alexander
  1. Write the password on a sticky and tape this to the server
  2. Don't use it - a client of the company I work for got hacked, and even though all of their main systems were encrypted, the attacker got access to the network file system, and downloaded pre-encrypted data. The good news is they've been using encryption since 2000 or 2001, so all the credit cards the hacker got were expired. Still, whodathunkit? Backup files on a NAS server being high value data.
  3. Use a name or word. If it's in some kind of dictionary, it's out of the question. The whole goal of encryption software is that the weakest link should be the humans and their passwords, and we generally got there. Attackers know they'll gain access faster by going through a bunch of words than throwing letters together at random. Never ever ever use the name of a loved one!
  4. If you have to use a real word or acronym, misspell it. Replace some letters with numbers - anyone who ever got a spam email knows how to do this. Just think of p0rn and making your ***** bigger. That's not just for spam, let's put that technology to good use and have stronger passw0rds. Spelling something rong is even better, because how long will it take to add 0 for o and 1 for i to the script kiddies' plan of attack?
  5. Don't allow for a range of password lengths. If an attacker knows all passwords are 8 characters, that's a lot less work than knowing they're 4 to 16 chars. You'd have to check every possible 4 digit combo, then move on to every 5 digit, then every 6, etc. If the public can create accounts, if they type hi for a password, just say it's not acceptable, don't say "Your password must be 7 characters long."
The backup one really threw me. And then that got me thinking. So I wanted to share these ideas. Surely people can come along and give more wisdom - this is a group endeavour.
Old 09-26-2007, 07:41 PM Re: How to break ANY encryption scheme
Learning Newbie's Avatar
Abraham Lincoln reportedly said that, given eight hours to chop down a tree, he'd spend six sharpening his axe.


-- TidBITS 654, quoted by Derek K. Miller, via Art Evans
Old 09-26-2007, 08:16 PM Re: How to break ANY encryption scheme
DaveMo~'s Avatar
I agree with LN that it's better to misspell words and to add the elite talk to it. However, it seems now that some hackers/crackers are catching on to adding the l33t to their attempts. Making a sentence in l33t is not the best, but better than just outright spelling it.

For example:
okay, but not good = meforbanking
better, but not great = me4banking
better yet, but still = me4bank1n

Yeah, that helped me to remember that I'm an accountant at a large banking firm and no one will ever get that. Maybe.

So what's a good one? Hopefully that accountant will let a password generator make one, like Qk2NxpPb. Yes, he'll have to memorize it or put it on a paper in his wallet and hope no one finds it. Gee, encrypt it on the paper by writing the actual password between other random letters so that his password on the paper might look like aQzkf2lNxxwpaPob.

If you have control over what is acceptable for the encryption, don't just make all letters the same (like A = a) and use numbers (0 - 9); add in special characters and make a difference between caps and lower case.

[/rant]

Dave
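
The point above, that guessers already try l33t substitutions, can be checked when a password is chosen. This is an added example, not part of the thread: it undoes common substitutions, measures how much of a candidate is made of dictionary words, and compares that with the naive character-set estimate. The word list, substitution table, thresholds and function names are constructed assumptions.

```python
import itertools
import math
import string

# Constructed mini word list (assumption); a real check would use a large
# dictionary plus a breached-password list.
WORDS = {"me", "for", "bank", "banking", "password"}

# Substitutions a guesser would also try, mapped back to what they stand for.
LEET = {"0": ["o"], "1": ["i", "l"], "2": ["to"], "3": ["e"],
        "4": ["for", "a"], "5": ["s"], "@": ["a"], "$": ["s"]}

def deleet_variants(pw):
    """Yield every lowercase reading of pw with substitutions undone."""
    options = [LEET.get(c, []) + [c] for c in pw.lower()]
    for combo in itertools.product(*options):
        yield "".join(combo)

def covered(text):
    """Max number of characters of text that dictionary words can cover."""
    best = [0] * (len(text) + 1)
    for end in range(1, len(text) + 1):
        best[end] = best[end - 1]  # leave this character uncovered
        for w in WORDS:
            if text.endswith(w, 0, end):
                best[end] = max(best[end], best[end - len(w)] + len(w))
    return best[-1]

def dictionary_ratio(pw):
    """Share of the password explained by words, over de-leeted readings."""
    variants = itertools.islice(deleet_variants(pw), 10000)  # bound the work
    return max(covered(v) / max(len(v), 1) for v in variants)

def charset_bits(pw):
    """Upper bound on search space in bits if every character were random."""
    pool = sum(len(s) for s, used in [
        (string.ascii_lowercase, any(c.islower() for c in pw)),
        (string.ascii_uppercase, any(c.isupper() for c in pw)),
        (string.digits, any(c.isdigit() for c in pw)),
        (string.punctuation, any(c in string.punctuation for c in pw)),
    ] if used)
    return len(pw) * math.log2(pool) if pool else 0.0

def acceptable(pw, max_ratio=0.5, min_bits=40):
    # Thresholds are illustrative assumptions, not a standard.
    return dictionary_ratio(pw) <= max_ratio and charset_bits(pw) >= min_bits
```

On the thread's own samples, `me4bank1n` scores about 46 bits by character set alone yet is roughly 82% dictionary words once de-leeted, so it is rejected, while the generated `Qk2NxpPb` passes.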