A password for any system plays the same role as the key to a home: the key locks the house and protects personal belongings from anyone who is not authorized or welcome to enter. Today, because of globalization and the Internet, a person may own several online properties or accounts that are just as valuable as the physical property at home: e-mail, portals, website subscriptions, network servers, databases, online banking accounts, credit cards, and so on. Strong passwords give these accounts a secure, strong lock, just like the lock on a home.
Many people who are new to the online world do not know how to set up a strong password for their online accounts, and cyber criminals can easily recover such passwords. The results can be as serious as the attack on Microsoft’s Hotmail and other web-based e-mail services. A recent survey of the passwords exposed in that incident revealed that many of the accounts had easy-to-guess passwords, and the most frequently used password among them was “123456”.
Some general methods that attackers use to identify a victim’s password include:
- Guessing—The attacker repeatedly tries to log on with the user’s account, guessing probable words and phrases such as the names of the user’s children, their birth city, or local sports teams.
- Online Dictionary Attack—The attacker uses an automated program that reads a text file containing many words. On each attempt the program tries to log on to the target system with a different word from the file.
- Offline Dictionary Attack—This is similar to the online dictionary attack, except that the attacker first obtains a copy of the file in which the hashed or encrypted user accounts and passwords are stored, then runs an automated program against that copy to find the password for each account. Once the attacker has a copy of the password file, this attack can finish very quickly.
- Offline Brute Force Attack—This is a variation of the dictionary attack, designed to discover passwords that are not present in the word list used by those attacks. A brute force attack can be attempted online, but because of network bandwidth and latency it is generally run offline against a copy of the target system’s password file. The attacker’s automated program produces the hash or encrypted value of every possible password and compares each one with the values in the password file.
Microsoft suggests that the use of strong passwords can slow down, and sometimes defeat, these attack methods. This shows the importance of having a strong password.
Creating a Strong Password:
Passwords are case-sensitive and may be up to 127 characters long. A strong password:
- Should never contain the user name.
- Should be at least eight characters long.
- Should include both lower-case and upper-case letters (at least one from each group).
- Should contain at least one number (0 to 9).
- Should contain at least one symbol (e.g. *, ^, $, #).
A string with all of the above characteristics is known as a strong password. A complex password should not be something that is difficult to remember: forgetting a strong password that is hard to recall is as harmful as being attacked through a weak one.
The password should be easy for its owner to remember but difficult for anybody else to guess. It can be a favorite phrase or quotation, or a combination of two words. Substitutions for letters can also be used to satisfy the above criteria for a strong password. For example, ‘a’ in a password can be replaced with ‘@’, ‘i’ with ‘!’, and ‘o’ with ‘0’ or ‘()’.
It is good practice to change the password periodically, for example monthly or quarterly.
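The following checker, written as an added example and not part of the original article, applies the rules listed above (no user name, at least eight characters, lower- and upper-case letters, a digit, a symbol, at most 127 characters) and the letter substitutions from the previous paragraph. "Contains the user name" is read as a case-insensitive substring test, and the symbol set is assumed to be ASCII punctuation; both are assumptions, not statements from the article.

```python
import string
from typing import List

# Limits and rules from the article.
MIN_LENGTH = 8
MAX_LENGTH = 127
SYMBOLS = set(string.punctuation)  # assumed symbol set: ASCII punctuation

# The article's letter substitutions; '()' for 'o' is omitted so each
# letter maps to exactly one character.
SUBSTITUTIONS = {"a": "@", "i": "!", "o": "0"}


def check_strong_password(password: str, username: str = "") -> List[str]:
    """Return the rules the password fails; an empty list means it passes."""
    failures = []
    if len(password) > MAX_LENGTH:
        failures.append("longer than 127 characters")
    if len(password) < MIN_LENGTH:
        failures.append("shorter than 8 characters")
    # Assumption: "consist of user name" means containing it, ignoring case.
    if username and username.lower() in password.lower():
        failures.append("contains the user name")
    if not any(c.islower() for c in password):
        failures.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        failures.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in SYMBOLS for c in password):
        failures.append("no symbol")
    return failures


def is_strong(password: str, username: str = "") -> bool:
    """True when the password satisfies every rule from the article."""
    return not check_strong_password(password, username)


def apply_substitutions(phrase: str) -> str:
    """Apply the article's a->@, i->!, o->0 substitutions to a phrase."""
    return "".join(SUBSTITUTIONS.get(c, c) for c in phrase)


if __name__ == "__main__":
    # Constructed sample inputs: the survey's most common password and a phrase.
    for candidate in ["123456", apply_substitutions("Lock the front door twice")]:
        print(candidate, "->", check_strong_password(candidate) or "strong")
```

The checker measures compliance with the listed rules only, not resistance to guessing: a phrase made memorable by the substitutions passes the same checks as any other string that meets the rules.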