ONJava.com -- The Independent Source for Enterprise Java
Article:
  Simple Things to Improve Your System's Security
Subject:   Secure Passwords.
Date:   2002-11-04 18:19:19
From:   anonymous2
I'm not quite sure why people seem to skip over this tip, in my experience.


I've noticed that people tend to choose passwords like jmnd78cb4092x or sdto098243609vcan and consider this to be very secure. It's much more secure than johnnybgood, but you can easily do better.


Add one single punctuation mark to your password, like an exclamation point at the end.


Which password is more secure: "jmnd78cb4092xsdto098243609vcan" or "johhnyb!good"?


Most analysts will tell you that the first password is more secure. But this is usually not the case.


Most people choose passwords that contain only letters and numbers. Therefore, most hackers only try to brute-force (and, for that matter, use dictionary or hybrid attacks) against passwords containing only A-Z, a-z, and 0-9. To include punctuation is usually a waste of time, and greatly increases cracking time, so it's usually disabled by default.


This means that an attacker will try to attack your password with every A-Z, a-z, and 0-9 combination possible before failing (QUITE some time later). Only then will they try adding punctuation.


Of course, you can never have a password TOO secure, so long as you can remember it. My password on the systems I admin is a 35-char random jumble of symbols including A-Z, a-z, 0-9, and several types of punctuation symbols (yes, I can remember it all). You're better off going after my SSH server's 2048-bit RSA private key than my password.
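The two ways of scoring the passwords in the post can be put side by side in code. The block below is an added example written for this page, not code from the poster or from ONJava. It assumes a cracker that works through character classes in tiers (lowercase, then lowercase plus digits, then full alphanumerics, then alphanumerics plus punctuation), exhausting every length up to a cap before moving to the next tier; that tier order and the length cap are assumptions standing in for the "punctuation is disabled by default" behaviour the post describes, and the password samples are the post's own. `keyspace_bits` reports the raw search space once the attacker has the right character set and length; `guesses_before_found` reports the worst-case number of guesses under the tiered attacker model.

```python
import math
import string

# Assumed cracker configuration: character classes tried in this order, each
# exhausted for every length 1..max_len before the next class is enabled.
# The post only says "A-Z, a-z, 0-9 first, punctuation later"; the finer
# split of the alphanumeric range is an assumption for illustration.
TIERS = [
    ("lowercase", string.ascii_lowercase),
    ("lower+digits", string.ascii_lowercase + string.digits),
    ("alphanumeric", string.ascii_letters + string.digits),
    ("alnum+punct", string.ascii_letters + string.digits + string.punctuation),
]


def smallest_tier(password):
    """Return (name, charset) of the first tier able to express the password.

    Raises ValueError for characters outside every tier (e.g. non-ASCII),
    since the attacker model below cannot reach such a password at all.
    """
    for name, charset in TIERS:
        if all(c in charset for c in password):
            return name, charset
    raise ValueError("password uses characters outside every tier")


def keyspace_bits(password):
    """log2 of the keyspace once the attacker has the right charset and length."""
    _, charset = smallest_tier(password)
    return len(password) * math.log2(len(charset))


def guesses_before_found(password, max_len=30):
    """Worst-case guess count under the tiered attacker model.

    Every earlier tier is exhausted for all lengths 1..max_len; inside the
    password's own tier, all shorter lengths plus the full length are tried.
    """
    name, _ = smallest_tier(password)
    if len(password) > max_len:
        raise ValueError("password is longer than the attacker's length cap")
    total = 0
    for tier_name, tier_charset in TIERS:
        size = len(tier_charset)
        if tier_name == name:
            total += sum(size ** k for k in range(1, len(password) + 1))
            return total
        total += sum(size ** k for k in range(1, max_len + 1))
    raise AssertionError("unreachable: smallest_tier guarantees a match")


def compare(passwords, max_len=30):
    """Return {password: (tier name, keyspace bits, guesses before found)}."""
    return {
        p: (smallest_tier(p)[0], round(keyspace_bits(p), 1), guesses_before_found(p, max_len))
        for p in passwords
    }


if __name__ == "__main__":
    # Sample passwords taken from the post above.
    samples = [
        "johnnybgood",
        "jmnd78cb4092x",
        "jmnd78cb4092xsdto098243609vcan",
        "johhnyb!good",
    ]
    for pw, (tier, bits, guesses) in compare(samples).items():
        print(f"{pw:32} tier={tier:13} bits={bits:6}  worst-case guesses={guesses:.3e}")
```

Under the tiered model the short password with a single "!" is reached only after every alphanumeric string up to the length cap has been tried, which is the ordering the post relies on; the raw keyspace figures show how much that ordering matters, because without it the 30-character alphanumeric password has far more bits than the 12-character one.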