|
|
|
|
|
|
|
|
Internet & Network Security
|
|
"Cyberspace, in its present condition, has a lot in common
with the 19th Century West. It is vast, unmapped, culturally
and legally ambiguous, verbally terse (unless you happen to
be a court stenographer), hard to get around in, and up for
grabs. Large institutions already claim to own the place,
but most of the actual natives are solitary and independent,
sometimes to the point of sociopathy. It is, of course, a
perfect breeding ground for both outlaws and new ideas about
liberty."
- John Perry Barlow, Crime and Puzzlement
I would love to tell you that the Internet is a safe place and that
there is no reason for you to protect your password. Unfortunately,
there are a LOT of people out there who would LOVE to break into
your account and use your account as a base for operations.
How prevalent is this? According to Mike Godwin, Chief Legal Counsel
for the Electronic Frontier Foundation, it's "fairly common."
The main defense against people who want to break into your account -
a.k.a. "hackers/crackers" - is your password. Keep your password secure, and
you should never have anything to worry about. Give your password to
others, or write your password down and put it near your computer,
and ... well, you get the picture.
|
Do and Don't of Managing Your Password
|
|
There are some key points you need to remember to protect yourself and
your account. If you take a close look at following "do and don't,",
they are basically flatout a good common sense.
(However, we're living in an era when a "good" common sense
becomes a rare commodity)
Remember, "security" means preventive
proactiveness, and you should never be confused it with
"scooping aftermath."
-
NEVER give your password to *ANYONE*
|
-
The whole purpose of having a password in the first place is to ensure that
*NO ONE* other than you can use your account.
NEVER write your password down
|
-
Especially never write your password anywhere near your computer.
NEVER let anyone look over your shoulder
when you enter your password
|
-
"Shoulder surfing" is the most common way
that accounts are hacked. Here's a common sense
password etiquette you may take a look.
NEVER e-mail your password to anyone
|
-
Sounds so evident however you'd be really surprised
to find out how many people completely disregard the
security when e-mailing. Remember, your e-mail is by nature
a unencrypted, text file that anyone can read if
one can get a hold on yours.
DO change your password on a regular basis
|
-
There is no better way to thwart a would-be hacker/cracker than to
change your password as often as possible. Your system administrator
should be able to tell you your system's recommendation on how often you
should change your password, but a good rule of thumb is to change it at
least every three to six months. (I do agree with you on that this is such a
hassle, however)
DON'T pick a password that is found in the dictionary
|
-
When you set your password, it is encrypted and stored into a file.
It is really easy for a "hacker/cracker" to find your password by encrypting every word
in the dictionary, and then looking for a match between the words in
his encrypted dictionary and your encrypted password. If he finds a match,
he has your password and can start using your account at will.
NEVER use your user id as your password
|
-
This is the easiest password to crack. Yet sounds unbelievable, quite
number of users are still doing it. If you're one of them, change your
password right now!
DON'T choose a password that relates to you personally
or that can easily be tied to you
|
-
Some good examples of BAD
passwords are: your name, your wife/husband/sons/daughters' names, your
relatives' names, your dogs/cats/pets' names, nicknames, birthdates,
license plate numbers, social security numbers, work ID numbers, and
telephone numbers. No, this is about neither dealing with an espionage
case nor getting "eternally" paranoid. It is just a good common sense!
DON'T use passwords that are foreign words
|
-
The hacker can get a foreign dictionary, and ...
DO use a password that is at least . . .
|
-
eight characters long and that has a mix of letters and numbers.
The minimum length of a password should be no shorter than
six characters long.
NEVER use the same password on different systems or accounts
|
-
Another common mistake that we all make.
Think why you're using a password in the first place.
ALWAYS be especially careful when you telnet or rlogin . . .
|
-
to access another computer over the Net. When you telnet or
rlogin, your system sends your password in plain text
over the Net. Some crackers have planted programs ("snoopers")
on Internet gateways for the purpose of finding and stealing
these passwords. If you have to telnet frequently, change
your password just as frequently. If you only telnet
occasionally, say, for a conference trip out of state/oversea, set up a new
password (or even a new account) just for the trip. When
you return, change that password (or close out that account).
|
Techniques for Generating "Good" Passwords
|
|
Never trust anybody who says "Trust me." Except just this once, of course.
- John Varley
The best passwords - the ones that are the easiest for you to
remember, and the ones that are the hardest for crackers to crack -
are passwords that are like those fake words you used to create when
you would cram for a test.
For example, to remember that "the Law of Demand is the inverse
relationship between price and quantity demanded," I created the
word tLoDitirbp&qd. No one could hack that
as a password. Best of all, it is EASY to remember (well, its easy
for an Economist to remember).
Here an example for generating good passwords:
-
Sentence |
Possible password |
a big fat Pig would have 9 wings |
abfPwh9w |
In 1995 we had SNOW in Norfolk |
I95whSiN |
he got 12,000 dollars from lottery, NOT! |
hg12KflN! |
|
Sentences are easy to remember, and they make passwords that are nearly
impossible to break (and please do NOT use these sample passwords as
your own password).
If you notice weird things happening with your account:
- Change your password IMMEDIATELY!
- Let your system administrator know about it.
It is very common for someone, whose account has been hacked, to
dismiss the signs as technical problems with the system.
If your account has been hacked AND if you don't take any
measure immediately,
not only will they have access to your personal files
- delete all your files, modify important data, read your
private correspondence, and send mail out in your name -,
it very often puts the security of the entire system at risk.
|
|
|