EH-Net
Author Topic: Password Protection  (Read 3873 times)
Equix3n-
« on: February 07, 2009, 04:46:50 AM »

This guide is aimed at absolute beginners. If you are a pro then you'll not be benefiting much from it. However, that shouldn't prevent you from reading it. Perhaps you may get to learn something new.

Password security is one of the main concerns of computer users. People use passwords for everything from logging in to the computer, using e-mails, online bank accounts and accessing forums.

A simple username-password is one of the most common schemes of authentication, i.e. they help to verify your identity. It's such a simple scheme that every computer user is prone to identity theft, i.e. if someone gets hold of your password then they can easily access your accounts.

In this document I'll try to teach you some methods to make strong and secure passwords.
While teaching methods to effectively secure your passwords I'll also try to discuss some (read: not all) methods of how they are cracked/stolen.

Passwords can be of the following types:
1: All letters
2: All numbers
3: All special characters
4: Combination of letters and numbers
5: Combination of numbers and special characters
6: Combination of letters and special characters
7: Combination of letters, numbers and special characters.
8: Another category which actually is the sub-category of letters and used in this forum is using a combination of uppercase and lowercase letters along with numbers and special characters.

The most common ways in which passwords can be stolen are:
A: Dictionary attack
B: Brute force attack
C: Hybrid attack
D: Password guessing
E: Keylogging

PASSWORD GUESSING
Password guessing is simply when an attacker tries to guess your password. Most users make the mistake of using their D.O.B., their family members' names, their phone no. or other personal info as passwords. The attacker knows all of this and tries to guess your password. It seems easy but is very effective in the case of weak passwords.

DICTIONARY ATTACK

Dictionary Attack uses a dictionary. Password Crackers will try every word from the dictionary as a password. A good dictionary (also known as a word list) is more than just a dictionary, e.g. you will not find the word "qwerty" in the ordinary dictionary but it will surely be included into a good word list. Indeed, this combination of characters is commonly used as a password.
(Definition borrowed from lastbit.com)

BRUTE FORCE ATTACK

Brute Force Attack is the most widely known password cracking method. This attack simply tries to use every possible character combination as a password. To recover a one-character password it is enough to try 26 combinations (‘a’ to ‘z’).
(Definition borrowed from lastbit.com)

HYBRID ATTACK
In this case, the password cracker checks all words in the dictionary along with its variations. These can be, for example, the same words with different digits appended to them.
(Definition borrowed from lastbit.com)

KEYLOGGING
A key logger is software or hardware that records every keystroke that a user types on his keyboard.

This is a good link if you want to learn about the common password cracking methods.
http://lastbit.com/password-recovery-methods.asp

Now let's discuss some methods of securing your passwords:
A: Never use personal info like your name, D.O.B. etc. as passwords. The attacker knows all of this and password guessing is usually the first step he would perform. Furthermore, a simple name can be easily brute forced.

B: Never use common words like starwars, dexter etc. as your passwords. Dictionaries in the dictionary attack are wiser than you think.

C: A good password should be a combination of letters, no. and special characters. You can go ahead with a combination of uppercase and lowercase letters, no. and special characters. This makes it very difficult to bruteforce. To give you an idea of how much time it takes to brute force a password read this:
http://lastbit.com/rm_bruteforce.asp

D: A good password should have at least 8 characters to make it very difficult to brute force, as you read above.

E: To protect yourself from keyloggers read my guide on how to protect your computer (I'll be posting it in some days). You can go ahead and use an anti-keylogger.
ZEMANA ANTILOGGER is a good anti-keylogger.

F: Make a policy to change your passwords regularly, like every fortnight or every month. This gives the attacker less time to crack your passwords.

G: Some people often make the mistake of keeping their passwords written on random papers and leaving them on their desk etc. Never do this. Anyone can get hold of your passwords and access your accounts.

There are several tested ways to make secure passwords. I discuss some of them here.
A: Phrase alter rule
I just came up with this name to explain it to you. So you won't be hearing this rule name anywhere else, but you will be stumbling upon this method very often.
Suppose you took the first two lines of the Christmas song or any other song you want (Enrique's my favorite):

Jingle Bell Jingle Bell Jingle All The Way

Take the first letter of each word and write it in capitals:

JBJBJATW


Now alter every second letter to small letters.

JbJbJaTw

Now use 6 for every b and @ for every a.

Therefore your new password is:

J6J6@Tw


Simple isn't it?

B: Phrase alter plus rule
This is just my modified version of phrase alter rule.
Instead of using songs I use a common word and the application name for which I want to use my password.
So suppose I want to make a password for Linux. I would use my username (Xen in this case) and Linux and come up with a string:

XEN_LINUX


This string already has a special character ( _ ) but that's not enough. I'll again alter every second letter to lowercase.

XeN_lInUx

Now every vowel is changed to @ and any one of the letters converted to a number (in this case I change l to 1).
Therefore the new password is:

XeN_1@n@x


This is nothing but an example to give you an idea how you can change the Phrase Alter Rule to suit your own needs.

C: Long phrase rule

It's the easiest rule. No special characters or numbers required. All you have to do is use a very long phrase as your password.
So I choose:
When in rome do as the romans do

The length of the string makes it very difficult to crack and it's very easy to remember.
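Added example by the editor, not part of the original post: the "phrase alter rule" walked through above, applied mechanically as a function, together with a brute-force keyspace estimate so the three password styles in the post (a short altered initialism, a dictionary word, a long phrase) can be compared on the same scale. The function names, the character-class table and the 1e9 guesses/second rate are my own assumptions, chosen for illustration.

```python
"""Added example, not from the original EH-Net post: the post's "phrase alter"
rule implemented step by step, plus a worst-case brute-force keyspace estimate.
Function names, the substitution table and the guess rate are assumptions."""
import string


def phrase_alter(phrase: str, substitutions: dict) -> str:
    """Step 1: first letter of each word, upper-cased.
    Step 2: every second letter (positions 1, 3, 5, ...) lower-cased.
    Step 3: character substitutions, e.g. {"b": "6", "a": "@"}."""
    initials = "".join(word[0].upper() for word in phrase.split())
    alternated = "".join(
        ch.lower() if i % 2 == 1 else ch for i, ch in enumerate(initials)
    )
    return "".join(substitutions.get(ch, ch) for ch in alternated)


# Character classes matching the post's list of password types, plus the
# space character because the long-phrase rule uses it.
CLASSES = (
    string.ascii_lowercase,   # 26
    string.ascii_uppercase,   # 26
    string.digits,            # 10
    string.punctuation,       # 32
    " ",                      # 1
)


def charset_size(password: str) -> int:
    """Size of the smallest union of the classes above that covers every
    character of the password: what an exhaustive search must enumerate."""
    return sum(len(cls) for cls in CLASSES if any(ch in cls for ch in password))


def keyspace(password: str) -> int:
    """Worst-case number of candidates for a brute force that knows the
    length and the character classes: charset_size ** length."""
    return charset_size(password) ** len(password)


def brute_force_seconds(password: str, guesses_per_second: float = 1e9) -> float:
    """Worst-case time to exhaust the keyspace. The default rate is an assumed,
    illustrative figure; real rates depend on the hash and the hardware."""
    return keyspace(password) / guesses_per_second


def describe(password: str) -> str:
    """One summary line per candidate, for the stand-alone demo below."""
    days = brute_force_seconds(password) / 86400
    return (f"{password!r}: {len(password)} chars, charset {charset_size(password)}, "
            f"keyspace ~2^{keyspace(password).bit_length() - 1}, "
            f"~{days:.1f} days at 1e9 guesses/s")


if __name__ == "__main__":
    # Constructed inputs taken from the post's own walkthrough.
    song = "Jingle Bell Jingle Bell Jingle All The Way"
    altered = phrase_alter(song, {"b": "6", "a": "@"})
    for candidate in ("a", "starwars", altered, "When in rome do as the romans do"):
        print(describe(candidate))
```

Applied mechanically to the post's sample line, the rule gives the intermediate `JbJbJaTw` and then `J6J6J@Tw` (eight characters, charset 94). The keyspace figure only measures resistance to the exhaustive brute force the post defines; a proverb such as "When in rome do as the romans do" has a far larger keyspace than the eight-character result but is exactly the kind of phrase a good word list or a hybrid attack, also described in the post, would contain, so length alone does not settle the question.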
pibe86
« Reply #1 on: February 08, 2009, 09:27:31 PM »

Hello, I am new here and new in information security. Nice tutorial, now I have learnt more about password protection.


thanks a lot

see u
BillV
« Reply #2 on: February 09, 2009, 12:42:16 PM »

Nice write-up. I like Password Safe.
jason
« Reply #3 on: February 09, 2009, 05:27:37 PM »

Also https://pip.verisignlabs.com/