Techniques for strong passwords

Password security
While technology opens new doors for convenience and communication, it also allows for breakthroughs in hacking methods. Most people don't take password security seriously, and many are paying the price by unwittingly revealing their private information and allowing hackers to access proprietary systems.

Hackers, or "crackers" as they are also commonly referred to, target personal passwords to gain access to restricted information. They use special password-cracking software to guess passwords. Many of these programs are freely available over the Internet, and can be run remotely.

 
Who is vulnerable?
Both home and small business users are at risk. Home PC users enter passwords when accessing web sites to perform personal business transactions, such as banking and online shopping. Without proper password management, they make themselves easy targets for hackers.

Remote users and those on home and small-business networks not only allow hackers to intercept their passwords, they allow access to entire networks of private business information. Everyone must take responsibility for creating strong passwords and safeguarding them. A good password is private (known only by you), easily remembered, not easily guessed, and is not written down.

How password-cracking programs work
Password-cracking programs work by extracting passwords from a server's system registry, from an emergency repair disk, or by intercepting passwords sent over a network. When a consumer signs onto Internet sites and enters their password, it can be caught by a packet sniffer or Trojan horse program. Unlike a sign-in session, a browser sends the password every time it fetches a protected document from a server. This makes it even easier for a hacker to intercept the data. The hacker can then use the password to compromise the user's personal information or to gain access to any resources tied to that password.

Cracking techniques
When a hacker wants to gain access to a network resource, the easiest way is to figure out the password of a valid user. Hackers use specialized software to attempt to discover passwords. The most common type of attack is called a "dictionary attack." A dictionary attack uses a large list of words and tries each of them until an accepted password is found. They start with obvious or weak choices such as names and nouns, and then move on to word lists, combinations, and hybrids of the words.

Other ways hackers obtain passwords are to install software on a computer to record its keystrokes, or simply by watching as a user enters their password. Therefore, it's important to be aware of who has physical access to a PC and how openly users sign onto the computer. It's also imperative to maintain a secure computing system by installing and upgrading anti-virus and firewall software in case a password breech occurs. AT&T Internet Security Suite - powered by McAfee offers comprehensive protection.

Cracking encrypted passwords
Even encrypted passwords are vulnerable to cracking. Encryption can be done using keys or a hashing algorithm. If a password is encrypted with a key, the hacker needs to obtain the proper key in order to decrypt it. Unix and Windows passwords are instead commonly encrypted as a hash. A hash is a mathematically derived string that is an alias for the text.

To break a hash, the cracking program encrypts two strings and compares them to see if they're the same in encrypted form. With a dictionary attack on a hash-encrypted password, the program iterates through the word lists, and compares the hashes until a match is found. The difficulty in cracking the hash depends on the strength of the algorithm initially used to encrypt the password.

Small businesses are especially vulnerable to this type of attack. They must protect themselves by securing data on their servers with strong encryption, and by limiting physical access to prevent someone from installing a keyboard monitoring program or stealing registry files. It's important to keep servers patched, and to have a strong firewall protection such as the AT&T Internet Security Suite - powered by McAfee. Businesses must also warn employees and customers not to download suspicious files, which can contain a keystroke-recording worm.

How users can protect themselves
The more difficult a password is to guess, the more secure it will be. For example, if you choose a one-character password that can be any upper- or lower-case letter or a digit, there are 62 possibilities. A cracking program can guess it very quickly. Using the same possible characters, an eight-digit password has about 218 trillion possibilities. Unfortunately, people generally put the odds in the program's favor by choosing easily-guessed combinations. Therefore, security specialists recommend these guidelines:

• Use as many characters as possible (minimum six)
• Include uppercase and lowercase letters
• Include digits and punctuation marks
• Don't use personal information, such as names or birthdays
• Don't use words found in a dictionary

 Techniques for strong passwords:

• Use a vanity license plate; for example: GR8way2B
• Use several small words with punctuation marks: betty,boop$car
• Put punctuation in the middle of a word: Roos%velt
• Use an unusual way of contracting a word: ppcrnbll
• Use the first letter of each word in a phrase, with a random number:  hard to crack this password = htc5tp

 
Unfortunately, no matter how strong, a password can be figured out eventually. Therefore, never share your password, change it regularly, never use the same password twice, and do not write down passwords in an obvious place. By securing your systems, creating strong passwords, and following safeguarding techniques, you, your computer, and your identity can be much more secure.

McAfee, Inc. 3965 Freedom Circle, Santa Clara, CA 95054, 888.847.8766, www.mcafee.com

McAfee and/or additional marks herein are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners. (c) 2006 McAfee, Inc. All rights reserved.