N-1-1-040.33 Passwords, Our Keys to the Network

by Jeffrey I. Schiller*

Perhaps one of the most useful doors that crackers are finding open on the Internet today is the passwords of others. For most users, passwords are the way they prove their identity to computers on the network, and so they are also the way crackers forge an identity in order to break in. The road to better security on the Internet starts with good password choices.

By definition a good password is one that is easy for you to remember but difficult for anyone else to guess. You want it to be easy to remember so that you don't need to resort to writing it down. It should be obvious why you don't want others to guess it!

Here are some guidelines to help you choose a good password (from the Site Security Policy Handbook, FYI 8, RFC 1244):

   DON'T use your login name in any form.
   DON'T use your first, middle, or last name in any form.
   DON'T use your spouse's or child's name.
   DON'T use other information easily obtained about you (like license plate numbers, telephone numbers, etc.).
   DON'T use a password which is all digits, or all the same letter.
   DON'T use a word found in a dictionary (of any language!).
   DO use a password with mixed-case alphabetics (if your system allows it).
   DO use a password with non-alphabetic characters (digits or punctuation).
   DO use a password that is easy to remember.
   DO use a password that you can type quickly, without having to look at the keyboard.

You should also change your password frequently. In case your password has already been compromised by an intruder, changing it will probably lock them out. If your password grants access to sensitive information, you also need to consider whether crackers are attempting computational attacks. These attacks, typically done offline using information already obtained from your system (for example, a copy of the password file), may take weeks to succeed. However, if you change your password before the offline attack completes, you have won!
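The offline attack described above, and the administrator's own "crack" run against the user community described in the next paragraph, are the same procedure: take a copy of the password file, hash every word in a dictionary (plus the mangled variants and personal names the guidelines warn against) under each account's salt, and compare. The following is an added example, not code from the article or from any particular cracking program; the password file, word list, salts and gecos fields are constructed here, and hash_password is a stand-in for the system's one-way hash (crypt(3) in 1992), chosen only so the example runs offline.

```python
"""Offline dictionary attack against a constructed password file (added example).

The hash is a stand-in for crypt(3); the accounts, salts and word list are invented.
"""
import hashlib
import itertools


def hash_password(salt, password):
    # Assumption: salted SHA-256 stands in for the system's one-way password hash.
    return hashlib.sha256((salt + password).encode()).hexdigest()


def mangle(word):
    """Variants a cracker tries for each base word (a small subset of Crack-style rules)."""
    yield word
    yield word.lower()
    yield word.capitalize()
    yield word.upper()
    yield word[::-1]                      # reversed
    for d in "0123456789":
        yield word + d                    # trailing digit
        yield d + word                    # leading digit
    yield word + "!"
    yield word + word
    # letter-for-digit substitutions that users hope will defeat a dictionary check
    yield word.replace("o", "0").replace("i", "1").replace("e", "3")


def parse_passwd(text):
    """Parse constructed 'login:salt$hash:gecos' lines into account records."""
    accounts = []
    for line in text.strip().splitlines():
        login, salted, gecos = line.split(":")
        salt, digest = salted.split("$", 1)
        accounts.append({"login": login, "salt": salt, "hash": digest, "gecos": gecos})
    return accounts


def crack(accounts, dictionary):
    """Return {login: recovered_password} for every account whose password falls."""
    found = {}
    for acct in accounts:
        # First the things the guidelines forbid (login, names from the gecos field),
        # then the word list; every base word goes through the mangling rules.
        personal = [acct["login"]] + acct["gecos"].replace(",", " ").split()
        for base in itertools.chain(personal, dictionary):
            for candidate in mangle(base):
                if hash_password(acct["salt"], candidate) == acct["hash"]:
                    found[acct["login"]] = candidate
                    break
            if acct["login"] in found:
                break
    return found


def make_entry(login, salt, password, gecos):
    """Build one constructed password-file line (the 'system' side of the example)."""
    return f"{login}:{salt}${hash_password(salt, password)}:{gecos}"


# Constructed password file: three guideline violations and one acceptable password.
PASSWD = "\n".join([
    make_entry("jsmith", "ab", "Smith1", "John Smith,Rm 101"),   # own name plus a digit
    make_entry("alice", "Qz", "dragon", "Alice Jones"),         # plain dictionary word
    make_entry("bob", "k9", "passw0rd", "Bob Lee"),             # substituted dictionary word
    make_entry("carol", "X7", "Ht4otK!n", "Carol King"),        # follows the guidelines
])

# Constructed stand-in for a real word list such as /usr/share/dict/words.
DICTIONARY = ["password", "secret", "welcome", "dragon", "letmein"]


def run():
    return crack(parse_passwd(PASSWD), DICTIONARY)


if __name__ == "__main__":
    for login, password in run().items():
        print(f"{login}: {password}")
```

Three of the four constructed accounts fall within a few hundred hash computations; the only one that survives is the password that is mixed case, contains a digit and punctuation, and is not a mangled dictionary word or name. A real run uses a far larger word list and rule set, which is why the article's advice to change passwords before such a run completes matters for accounts whose passwords are only marginally better than these.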
System Administrators may wish to check the quality of the passwords their user community is using. Several programs exist, depending on the type of computer system you have, that allow you, the System Administrator, to attempt to "crack" your users' passwords. In this fashion you can warn those who have poor passwords. Some programs can even be put in place that disallow the selection of a password which fails to meet some or all of the guidelines given above.

A good source of information on this and other security related topics is FYI 8, RFC 1244, "The Site Security Policy Handbook". This document, available free from distribution sites around the Internet, is a valuable source of information and references to other security related works.

In future issues we will discuss other Internet security issues, like protecting passwords as they traverse the network.

*MIT Network Manager, Massachusetts Institute of Technology
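A program of the kind mentioned above, one that refuses a new password which fails the FYI 8 guidelines at the moment the user chooses it, can be written directly from the DON'T/DO list. What follows is an added example, not code from the article or from any existing password-changing program; the user record, the interpretation of "in any form" (the word itself, reversed, case-insensitively) and the tiny word list are assumptions made here.

```python
"""Password-quality check implementing the FYI 8 / RFC 1244 guidelines (added example)."""
import string

# Constructed stand-in for a real dictionary file such as /usr/share/dict/words.
DICTIONARY = {"password", "secret", "welcome", "dragon", "letmein", "bonjour"}


def _forms(word):
    """'In any form' is taken here to mean the word itself and its reverse, case-folded."""
    w = word.lower()
    return {w, w[::-1]} if len(w) >= 3 else set()


def _contains_any(password, words):
    p = password.lower()
    return any(form in p for word in words for form in _forms(word))


def check_password(password, user, dictionary=DICTIONARY):
    """Return the guidelines the candidate password violates; an empty list means accept.

    `user` is a dict with keys: login, names (own first/middle/last names),
    family (spouse's and children's names) and personal (other easily obtained
    strings such as a license plate or telephone number, digits only).
    """
    problems = []
    if _contains_any(password, [user["login"]]):
        problems.append("contains login name")
    if _contains_any(password, user.get("names", [])):
        problems.append("contains user's own name")
    if _contains_any(password, user.get("family", [])):
        problems.append("contains spouse's or child's name")
    if _contains_any(password, user.get("personal", [])):
        problems.append("contains easily obtained personal information")
    if password.isdigit():
        problems.append("all digits")
    if password.isalpha() and len(set(password.lower())) == 1:
        problems.append("all the same letter")
    # A dictionary word with digits or punctuation bolted on is still a dictionary word.
    letters_only = "".join(c for c in password.lower() if c.isalpha())
    if password.lower() in dictionary or letters_only in dictionary:
        problems.append("dictionary word")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("not mixed case")
    if not any(c in string.digits + string.punctuation for c in password):
        problems.append("no digits or punctuation")
    return problems


if __name__ == "__main__":
    # Constructed user record for demonstration.
    user = {"login": "jis", "names": ["Jeffrey", "Schiller"],
            "family": ["Laura"], "personal": ["6172531000"]}
    for candidate in ["jis123", "Schiller1", "Secret!9", "1111111", "Ht4otK!n"]:
        print(candidate, "->", check_password(candidate, user) or "OK")
```

The two "DO ... easy to remember / type quickly" guidelines are not checkable by a program and are left to the user; a system that wants to enforce them can only suggest a method, such as taking the first letters of a phrase and mixing in a digit and a punctuation mark, which is how the accepted candidate above was formed.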