SlideShare a Scribd company logo

PASSWORD BEST PRACTICES

Razorpoint Security
Razorpoint Security

The document provides guidelines for creating strong passwords to protect networks and data. It recommends passwords be at least 8 characters long, using a mix of uppercase and lowercase letters, numbers, and punctuation. Passwords should not use personal information, common words, or be written down where others can see. The guidelines emphasize changing passwords regularly to reduce the risk of hacking.

Technology
1 of 4
Download to read offline
Author: Razorpoint Security Team Version: 1.5 Date of current version: 2006-05/01 Date of original version: 2001-04/04 Copyright © 2001-2006 Razorpoint Security Technologies, Inc. All Rights Reserved. Password Best Practices ™ [ WHITE PAPER ]
Password Best Practices One of the most overlooked areas of network security is the use of “good” passwords. Extreme care should be taken in choosing your password. If your password is easy to guess, someone may be able to access or steal your data, your money, or your identity. To protect your data, your network, and yourself to some degree, you must select good passwords and secure them carefully. Users are responsible for assisting in the protection of the systems they use. As an Internet security measure, computer and network passwords should be changed regularly. Additionally, the use of different passwords for different systems is recommended so that if an intruder cracks one password and gets into one computer, that same password won’t automatically allow access to other systems. Choosing good passwords can be thought of as more art than science. Criminal hackers (a.k.a. Crackers) have tools that can break any password (or modified facsimile) found in a dictionary. Password guessing and dictionary attacks (cracking) are common ways of gaining unauthorized entry into networks, and even the best passwords can eventually be defeated mathematically, given enough time. The use of good passwords acts as a deterrent against password guessing and cracking attacks, and can make “brute force” attacks (see The Razorpoint Security Glossary) less successful. The following guidelines outline best practices when choosing, maintaining, and protecting your passwords: DO make sure your password is at least 8 characters long. DO use a password with mixed-case letters, numeric characters and punctuation (where supported by the operating system). Do not just capitalize the first letter, or add a number at the end. The more complex a password, the longer it will take to crack. DO use a password that can be typed quickly, without having to look at the keyboard. This makes it harder for someone to steal your password by looking at your fingers while you type. This is known as “shoulder surfing.” (see The Razorpoint Security Glossary) DO change passwords regularly. The more critical an account to network integrity (such as root on a Unix host or Administrator on Windows), the more frequently the password should be changed. This makes your password a “moving target” and makes cracking and brute force attacks less effective. Regular password changes can also stop continued access of an already compromised account. Change passwords at least every six months. DO try one of the following methods for password selection: Option 1: Explore using two words separated by a number or punctuation, like “Pro%F0otball” or “l|0n&dog” Option 2: Take a word and change the case on some of the letters. Then, either insert a letter or punctuation, or replace some letters with numbers or punctuation (but avoid common substitutions like a->4, I->1). Even better, use a combination of insert/replace: (Example: bomber -> b0mBer -> b0m&Ber -> %0m&Ber) Option 3: This may be the best option for creating a complex password without having to remember it. Start by choosing an area of the keyboard to use for your password. Next, decide on a pattern for the password. For example, take the upper-left quadrant of the keyboard and create two lines using 2ws3ed3e or, better yet, combine that sequence which shift characters to get 2ws#ED3e. With this method, you don’t have to memorize any passwords, you simply have to remember where the pattern starts on a keyboard. (note: It is a bad idea to use these exact examples as your password). ;^) DO NOT use the word “password” as your password, in any form (reversed, capitalized, or doubled). This is not a joke, people actually do this. DO NOT use a network login ID in any form (reversed, capitalized, or doubled) as a password. DO NOT use common names of people or places as a password. DO NOT use keys in a natural progression, like “QWERTY”, or “1234”, or “abcabc”, or “........” ™ May 1, 2006 Password Best Practices v1.5 Page 1 of 3 31 east 32nd street, sixth floor | new york city, new york 10016-5509 usa | tel: 212.744.6900 | fax: 212.744.6344 | www.razorpointsecurity.com | security@razorpointsecurity.com Copyright © 2001-2006 Razorpoint Security Technologies, Inc. All Rights Reserved.
DO NOT use a word (forward or reversed) contained in English or foreign dictionaries, spelling lists, or other word lists. These types of passwords are among the easiest to crack. On a moderately fast computer, it is possible to crack a dictionary word-based password in seconds. It is important to remember that generally a computer is doing the guessing, not a human. A computer can be programmed to search through any list of words and try any algorithmic variation. The ways in which users choose passwords are well known to the authors of password cracking programs. DO NOT use words that are acronyms, technology terms, geographical locations or product names (dictionaries for these exist, too). DO NOT use a password of all numbers or alphabetic characters. Mix numbers, letters and punctuation (where supported by the operating system). DO NOT use a password that is simply a word either preceded or followed (or both) by a non-alphabetical character. DO NOT use passwords that match a dictionary word with common “number-for-letter” substitutions. (Examples: a->2, a->4, b->8, e->3, h->4, I->1, l->1, o->0, s->$, s->2, s->5, z->5, etc. as in: airplane -> 4irpl4ne -> 41rpl4ne -> 41rpl4n3) DO NOT use passwords that are words with vowels deleted, or are made lowercase then reflected. (Example: mechanic -> mchnc, or Super -> superrepus). DO NOT use information easily obtained about you. This includes your first, middle or last name in any form, your initials or any nicknames you may have, spouse or children’s names or birth dates, pet names, license plate numbers, telephone numbers, ID numbers, the brand of your automobile (or the one you wish you had), the name of the street you live on, and so on. Such passwords are very easily guessed by someone who knows the user. DO NOT – repeat – DO NOT write passwords on sticky notes, desk blotters, calendars, or store it under your keyboard, under your phone, or online where it can be accessed by others. This is one of the most frequent ways unscrupulous users gain unauthorized access to computer systems. DO NOT use passwords that are so complicated they have to be written down. See above. DO NOT use passwords that you have used in the past. DO NOT share passwords except in true emergency circumstances or when there is an overriding operational necessity. Be sure to change your password immediately after sharing. In an emergency situation, be absolutely certain to whom you are giving your password, and how it will be used. Getting someone to reveal a password by deceit or lying is called “Social Engineering” (see The Razorpoint Security Glossary) and can be very effective in gaining unauthorized access to computer systems. Under normal circumstances a password should never be shared, but if it is, change it immediately after usage. Password Examples Bad Passwords Description Good Passwords Description mypassword Two dictionary words together. T*x4$M8n 8 characters, uses numbers, punctuation, and upper and lower case letters. 1234567 Repeating sequence. j@T”Pl4Ne Two words, separated by punctuation, using upper and lower case letters, and numeric substitution. abcabc Repeating sequence. M0ca5V@ca8 Two nonsense words, upper and lowercase letters, and punctuation. h311o Less than 8 characters, and based on a dictionary word with common letter/number substitutions. 5tg^YH%TG Simple pattern that doesn’t require memorization. Not based on a dictionary work, uses upper and lower case letters, and punctuation. test1234 Very common test or default password. *RUF8ruf Another pattern with appropriate characters. admin Very common default password. gandalf1 Based on the name of a popular character. john4 Based on the user’s name, too short, no upper case or punctuation. ydnic Still a proper name (even though it’s backwards), too short, no upper case, numbers, or punctuation. PORSCHE911 Proper name, in the dictionary, no lower case, or punctuation. Pepsi21 Product name with numbers at the end. May 1, 2006 Password Best Practices v1.5 Page 2 of 3 31 east 32nd street, sixth floor | new york city, new york 10016-5509 usa | tel: 212.744.6900 | fax: 212.744.6344 | www.razorpointsecurity.com | security@razorpointsecurity.com Copyright © 2001-2006 Razorpoint Security Technologies, Inc. All Rights Reserved.
Other Password Factoids: It is important to tailor your password to your system: • Most UNIX systems will only use the first eight characters of a password. Check your particular operating system. • Oracle applications such as LETS only allow $, _, and # as special characters. • UNIX passwords are case sensitive, so “password” is not the same as “PASSWORD”. Conversely, VMS passwords are not case sensitive, so “password” and “PASSWORD” are the same. • Use Secure Shell (SSH) (see: www.openssh.org) to avoid sending your password over a network as clear text. SSH encrypts username and password information before sending it over a network. Anytime you type your password to log in to another computer using telnet, ftp, rlogin, etc., your password can be stolen. Crackers can break into networks and steal your password using tools that “listen” for passwords. • If you suspect your password has been stolen, cracked or compromised in any way, change it immediately. For more information on appropriate password use and Internet security, please contact Razorpoint Security Technologies, Inc. at (www.razorpointsecurity.com). May 1, 2006 Password Best Practices v1.5 Page 3 of 3 31 east 32nd street, sixth floor | new york city, new york 10016-5509 usa | tel: 212.744.6900 | fax: 212.744.6344 | www.razorpointsecurity.com | security@razorpointsecurity.com Copyright © 2001-2006 Razorpoint Security Technologies, Inc. All Rights Reserved.

Recommended

ETHICAL HACKING
ETHICAL HACKINGETHICAL HACKING
ETHICAL HACKINGNAWAZ KHAN
 
Password hacking
Password hackingPassword hacking
Password hackingMr. FM
 
Password hacking
Password hackingPassword hacking
Password hackingAbhay pal
 
Password cracking and brute force tools
Password cracking and brute force toolsPassword cracking and brute force tools
Password cracking and brute force toolszeus7856
 
Password management for you
Password management for youPassword management for you
Password management for youChit Ko Ko Win
 
Linguistic Passphrase Cracking
Linguistic Passphrase CrackingLinguistic Passphrase Cracking
Linguistic Passphrase CrackingPriyanka Aash
 
10 KEYS TO EFFECTIVE NETWORK SECURITY
10 KEYS TO EFFECTIVE NETWORK SECURITY10 KEYS TO EFFECTIVE NETWORK SECURITY
10 KEYS TO EFFECTIVE NETWORK SECURITYRazorpoint Security
 
Password Strength Policy Query
Password Strength Policy QueryPassword Strength Policy Query
Password Strength Policy QueryGloria Stoilova
 

Recommended

ETHICAL HACKING
ETHICAL HACKINGETHICAL HACKING
ETHICAL HACKINGNAWAZ KHAN
 
Password hacking
Password hackingPassword hacking
Password hackingMr. FM
 
Password hacking
Password hackingPassword hacking
Password hackingAbhay pal
 
Password cracking and brute force tools
Password cracking and brute force toolsPassword cracking and brute force tools
Password cracking and brute force toolszeus7856
 
Password management for you
Password management for youPassword management for you
Password management for youChit Ko Ko Win
 
Linguistic Passphrase Cracking
Linguistic Passphrase CrackingLinguistic Passphrase Cracking
Linguistic Passphrase CrackingPriyanka Aash
 
10 KEYS TO EFFECTIVE NETWORK SECURITY
10 KEYS TO EFFECTIVE NETWORK SECURITY10 KEYS TO EFFECTIVE NETWORK SECURITY
10 KEYS TO EFFECTIVE NETWORK SECURITYRazorpoint Security
 
Password Strength Policy Query
Password Strength Policy QueryPassword Strength Policy Query
Password Strength Policy QueryGloria Stoilova
 
Improving Password Based Security
Improving Password Based SecurityImproving Password Based Security
Improving Password Based SecurityRare Input
 
Password Cracking
Password CrackingPassword Cracking
Password CrackingHajer alriyami
 
How to choose a password that’s hard to crack
How to choose a password that’s hard to crackHow to choose a password that’s hard to crack
How to choose a password that’s hard to crackKlaus Drosch
 
8 passwordsecurity
8 passwordsecurity8 passwordsecurity
8 passwordsecurityricharddxd
 
The strategies of password
The strategies of passwordThe strategies of password
The strategies of passwordAlimasmali3
 
Password management
Password managementPassword management
Password managementWilmington University
 
Computer Privacy:Passwords-Mike B.
Computer Privacy:Passwords-Mike B.Computer Privacy:Passwords-Mike B.
Computer Privacy:Passwords-Mike B.Mike Barker
 
Password craking techniques
Password craking techniques Password craking techniques
Password craking techniques أحلام انصارى
 
Level 3 lsr tech solutions password
Level 3 lsr tech solutions passwordLevel 3 lsr tech solutions password
Level 3 lsr tech solutions passwordjoeblow1234
 
5 tips for an unbreakable password
5 tips for an unbreakable password5 tips for an unbreakable password
5 tips for an unbreakable passwordSafeSpaceOnline
 
Staying Safe and Secure with Passwords
Staying Safe and Secure with PasswordsStaying Safe and Secure with Passwords
Staying Safe and Secure with Passwordsahyaimie
 
Why is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewWhy is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewSTO STRATEGY
 
Password cracking and brute force
Password cracking and brute forcePassword cracking and brute force
Password cracking and brute forcevishalgohel12195
 
Password management
Password managementPassword management
Password managementKaren F
 
Securing password
Securing passwordSecuring password
Securing passwordsplendorcollege
 
The strategies of password
The strategies of passwordThe strategies of password
The strategies of passwordMohammedAlhamoodi
 
1636
16361636
1636cvq
 
Protect Your Business With Web Security
Protect Your Business With Web SecurityProtect Your Business With Web Security
Protect Your Business With Web SecurityHarrison Kenyon Marketing
 
Why is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewWhy is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewYury Chemerkin
 
Password Storage Explained
Password Storage ExplainedPassword Storage Explained
Password Storage Explainedjeetendra mandal
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 

More Related Content

Similar to PASSWORD BEST PRACTICES

Improving Password Based Security
Improving Password Based SecurityImproving Password Based Security
Improving Password Based SecurityRare Input
 
How to choose a password that’s hard to crack
How to choose a password that’s hard to crackHow to choose a password that’s hard to crack
How to choose a password that’s hard to crackKlaus Drosch
 
8 passwordsecurity
8 passwordsecurity8 passwordsecurity
8 passwordsecurityricharddxd
 
The strategies of password
The strategies of passwordThe strategies of password
The strategies of passwordAlimasmali3
 
Computer Privacy:Passwords-Mike B.
Computer Privacy:Passwords-Mike B.Computer Privacy:Passwords-Mike B.
Computer Privacy:Passwords-Mike B.Mike Barker
 
Level 3 lsr tech solutions password
Level 3 lsr tech solutions passwordLevel 3 lsr tech solutions password
Level 3 lsr tech solutions passwordjoeblow1234
 
5 tips for an unbreakable password
5 tips for an unbreakable password5 tips for an unbreakable password
5 tips for an unbreakable passwordSafeSpaceOnline
 
Staying Safe and Secure with Passwords
Staying Safe and Secure with PasswordsStaying Safe and Secure with Passwords
Staying Safe and Secure with Passwordsahyaimie
 
Why is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewWhy is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewSTO STRATEGY
 
Password cracking and brute force
Password cracking and brute forcePassword cracking and brute force
Password cracking and brute forcevishalgohel12195
 
Password management
Password managementPassword management
Password managementKaren F
 
1636
16361636
1636cvq
 
Why is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewWhy is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewYury Chemerkin
 
Password Storage Explained
Password Storage ExplainedPassword Storage Explained
Password Storage Explainedjeetendra mandal
 

Similar to PASSWORD BEST PRACTICES (20)

Improving Password Based Security
Improving Password Based SecurityImproving Password Based Security
Improving Password Based Security
 
Password Cracking
Password CrackingPassword Cracking
Password Cracking
 
How to choose a password that’s hard to crack
How to choose a password that’s hard to crackHow to choose a password that’s hard to crack
How to choose a password that’s hard to crack
 
8 passwordsecurity
8 passwordsecurity8 passwordsecurity
8 passwordsecurity
 
The strategies of password
The strategies of passwordThe strategies of password
The strategies of password
 
Password management
Password managementPassword management
Password management
 
Computer Privacy:Passwords-Mike B.
Computer Privacy:Passwords-Mike B.Computer Privacy:Passwords-Mike B.
Computer Privacy:Passwords-Mike B.
 
Password craking techniques
Password craking techniques Password craking techniques
Password craking techniques
 
Level 3 lsr tech solutions password
Level 3 lsr tech solutions passwordLevel 3 lsr tech solutions password
Level 3 lsr tech solutions password
 
5 tips for an unbreakable password
5 tips for an unbreakable password5 tips for an unbreakable password
5 tips for an unbreakable password
 
Staying Safe and Secure with Passwords
Staying Safe and Secure with PasswordsStaying Safe and Secure with Passwords
Staying Safe and Secure with Passwords
 
Why is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewWhy is password protection a fallacy a point of view
Why is password protection a fallacy a point of view
 
Password cracking and brute force
Password cracking and brute forcePassword cracking and brute force
Password cracking and brute force
 
Password management
Password managementPassword management
Password management
 
Securing password
Securing passwordSecuring password
Securing password
 
The strategies of password
The strategies of passwordThe strategies of password
The strategies of password
 
1636
16361636
1636
 
Protect Your Business With Web Security
Protect Your Business With Web SecurityProtect Your Business With Web Security
Protect Your Business With Web Security
 
Why is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewWhy is password protection a fallacy a point of view
Why is password protection a fallacy a point of view
 
Password Storage Explained
Password Storage ExplainedPassword Storage Explained
Password Storage Explained
 

Recently uploaded

Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 

Recently uploaded (20)

Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 

PASSWORD BEST PRACTICES

  • 1. Author: Razorpoint Security Team Version: 1.5 Date of current version: 2006-05/01 Date of original version: 2001-04/04 Copyright © 2001-2006 Razorpoint Security Technologies, Inc. All Rights Reserved. Password Best Practices ™ [ WHITE PAPER ]
  • 2. Password Best Practices One of the most overlooked areas of network security is the use of “good” passwords. Extreme care should be taken in choosing your password. If your password is easy to guess, someone may be able to access or steal your data, your money, or your identity. To protect your data, your network, and yourself to some degree, you must select good passwords and secure them carefully. Users are responsible for assisting in the protection of the systems they use. As an Internet security measure, computer and network passwords should be changed regularly. Additionally, the use of different passwords for different systems is recommended so that if an intruder cracks one password and gets into one computer, that same password won’t automatically allow access to other systems. Choosing good passwords can be thought of as more art than science. Criminal hackers (a.k.a. Crackers) have tools that can break any password (or modified facsimile) found in a dictionary. Password guessing and dictionary attacks (cracking) are common ways of gaining unauthorized entry into networks, and even the best passwords can eventually be defeated mathematically, given enough time. The use of good passwords acts as a deterrent against password guessing and cracking attacks, and can make “brute force” attacks (see The Razorpoint Security Glossary) less successful. The following guidelines outline best practices when choosing, maintaining, and protecting your passwords: DO make sure your password is at least 8 characters long. DO use a password with mixed-case letters, numeric characters and punctuation (where supported by the operating system). Do not just capitalize the first letter, or add a number at the end. The more complex a password, the longer it will take to crack. DO use a password that can be typed quickly, without having to look at the keyboard. This makes it harder for someone to steal your password by looking at your fingers while you type. This is known as “shoulder surfing.” (see The Razorpoint Security Glossary) DO change passwords regularly. The more critical an account to network integrity (such as root on a Unix host or Administrator on Windows), the more frequently the password should be changed. This makes your password a “moving target” and makes cracking and brute force attacks less effective. Regular password changes can also stop continued access of an already compromised account. Change passwords at least every six months. DO try one of the following methods for password selection: Option 1: Explore using two words separated by a number or punctuation, like “Pro%F0otball” or “l|0n&dog” Option 2: Take a word and change the case on some of the letters. Then, either insert a letter or punctuation, or replace some letters with numbers or punctuation (but avoid common substitutions like a->4, I->1). Even better, use a combination of insert/replace: (Example: bomber -> b0mBer -> b0m&Ber -> %0m&Ber) Option 3: This may be the best option for creating a complex password without having to remember it. Start by choosing an area of the keyboard to use for your password. Next, decide on a pattern for the password. For example, take the upper-left quadrant of the keyboard and create two lines using 2ws3ed3e or, better yet, combine that sequence which shift characters to get 2ws#ED3e. With this method, you don’t have to memorize any passwords, you simply have to remember where the pattern starts on a keyboard. (note: It is a bad idea to use these exact examples as your password). ;^) DO NOT use the word “password” as your password, in any form (reversed, capitalized, or doubled). This is not a joke, people actually do this. DO NOT use a network login ID in any form (reversed, capitalized, or doubled) as a password. DO NOT use common names of people or places as a password. DO NOT use keys in a natural progression, like “QWERTY”, or “1234”, or “abcabc”, or “........” ™ May 1, 2006 Password Best Practices v1.5 Page 1 of 3 31 east 32nd street, sixth floor | new york city, new york 10016-5509 usa | tel: 212.744.6900 | fax: 212.744.6344 | www.razorpointsecurity.com | security@razorpointsecurity.com Copyright © 2001-2006 Razorpoint Security Technologies, Inc. All Rights Reserved.
  • 3. DO NOT use a word (forward or reversed) contained in English or foreign dictionaries, spelling lists, or other word lists. These types of passwords are among the easiest to crack. On a moderately fast computer, it is possible to crack a dictionary word-based password in seconds. It is important to remember that generally a computer is doing the guessing, not a human. A computer can be programmed to search through any list of words and try any algorithmic variation. The ways in which users choose passwords are well known to the authors of password cracking programs. DO NOT use words that are acronyms, technology terms, geographical locations or product names (dictionaries for these exist, too). DO NOT use a password of all numbers or alphabetic characters. Mix numbers, letters and punctuation (where supported by the operating system). DO NOT use a password that is simply a word either preceded or followed (or both) by a non-alphabetical character. DO NOT use passwords that match a dictionary word with common “number-for-letter” substitutions. (Examples: a->2, a->4, b->8, e->3, h->4, I->1, l->1, o->0, s->$, s->2, s->5, z->5, etc. as in: airplane -> 4irpl4ne -> 41rpl4ne -> 41rpl4n3) DO NOT use passwords that are words with vowels deleted, or are made lowercase then reflected. (Example: mechanic -> mchnc, or Super -> superrepus). DO NOT use information easily obtained about you. This includes your first, middle or last name in any form, your initials or any nicknames you may have, spouse or children’s names or birth dates, pet names, license plate numbers, telephone numbers, ID numbers, the brand of your automobile (or the one you wish you had), the name of the street you live on, and so on. Such passwords are very easily guessed by someone who knows the user. DO NOT – repeat – DO NOT write passwords on sticky notes, desk blotters, calendars, or store it under your keyboard, under your phone, or online where it can be accessed by others. This is one of the most frequent ways unscrupulous users gain unauthorized access to computer systems. DO NOT use passwords that are so complicated they have to be written down. See above. DO NOT use passwords that you have used in the past. DO NOT share passwords except in true emergency circumstances or when there is an overriding operational necessity. Be sure to change your password immediately after sharing. In an emergency situation, be absolutely certain to whom you are giving your password, and how it will be used. Getting someone to reveal a password by deceit or lying is called “Social Engineering” (see The Razorpoint Security Glossary) and can be very effective in gaining unauthorized access to computer systems. Under normal circumstances a password should never be shared, but if it is, change it immediately after usage. Password Examples Bad Passwords Description Good Passwords Description mypassword Two dictionary words together. T*x4$M8n 8 characters, uses numbers, punctuation, and upper and lower case letters. 1234567 Repeating sequence. j@T”Pl4Ne Two words, separated by punctuation, using upper and lower case letters, and numeric substitution. abcabc Repeating sequence. M0ca5V@ca8 Two nonsense words, upper and lowercase letters, and punctuation. h311o Less than 8 characters, and based on a dictionary word with common letter/number substitutions. 5tg^YH%TG Simple pattern that doesn’t require memorization. Not based on a dictionary work, uses upper and lower case letters, and punctuation. test1234 Very common test or default password. *RUF8ruf Another pattern with appropriate characters. admin Very common default password. gandalf1 Based on the name of a popular character. john4 Based on the user’s name, too short, no upper case or punctuation. ydnic Still a proper name (even though it’s backwards), too short, no upper case, numbers, or punctuation. PORSCHE911 Proper name, in the dictionary, no lower case, or punctuation. Pepsi21 Product name with numbers at the end. May 1, 2006 Password Best Practices v1.5 Page 2 of 3 31 east 32nd street, sixth floor | new york city, new york 10016-5509 usa | tel: 212.744.6900 | fax: 212.744.6344 | www.razorpointsecurity.com | security@razorpointsecurity.com Copyright © 2001-2006 Razorpoint Security Technologies, Inc. All Rights Reserved.
  • 4. Other Password Factoids: It is important to tailor your password to your system: • Most UNIX systems will only use the first eight characters of a password. Check your particular operating system. • Oracle applications such as LETS only allow $, _, and # as special characters. • UNIX passwords are case sensitive, so “password” is not the same as “PASSWORD”. Conversely, VMS passwords are not case sensitive, so “password” and “PASSWORD” are the same. • Use Secure Shell (SSH) (see: www.openssh.org) to avoid sending your password over a network as clear text. SSH encrypts username and password information before sending it over a network. Anytime you type your password to log in to another computer using telnet, ftp, rlogin, etc., your password can be stolen. Crackers can break into networks and steal your password using tools that “listen” for passwords. • If you suspect your password has been stolen, cracked or compromised in any way, change it immediately. For more information on appropriate password use and Internet security, please contact Razorpoint Security Technologies, Inc. at (www.razorpointsecurity.com). May 1, 2006 Password Best Practices v1.5 Page 3 of 3 31 east 32nd street, sixth floor | new york city, new york 10016-5509 usa | tel: 212.744.6900 | fax: 212.744.6344 | www.razorpointsecurity.com | security@razorpointsecurity.com Copyright © 2001-2006 Razorpoint Security Technologies, Inc. All Rights Reserved.