<?xml version="1.0" encoding="UTF-8"?><rss version="2.0">
<channel>
<title>password</title>
<link>http://www.computersight.com/tags/password</link>
<description>New posts about password</description>
<item>
<title>Make Strong Passwords</title>
<link>http://www.computersight.com/Communication-&amp;-Networks/Security/Make-Strong-Passwords.238627</link>
<description>
<![CDATA[<p>Let's face it, most of us use birthdates, favorite team, family member birthdays for passwords. A lot of us use our first name if it fits. Some of us even use the same password for everything because it's easy to remember (guilty!!)</p>
<p>How to make your easy to remember passwords less hackable (probably not a word)</p>
<p>A little news update if you haven't noticed.</p>
<ol>
<li>Technology is growing faster and faster every year, so that means people are getting smarter and smarter. (Hackers are people too.)</li>
<li>As technology gets better, so do the programmers who create this technology, and so do the hackers.</li>
<li>Did you know that there are programs created just for the type of passwords I mentioned above? Here are a few known hacks:
<ul>
<li>Birthday Attack - named from a theory that out of a group of 23 people, there is a 50% chance 2 or more will share a birthday</li>
<li>Dictionary Attack - you guessed it, it uses words from the dictionary. It even has the option to append numbers. * I had a password of silver1979 after a coin I found. </li>
</ul>
</li>
<li>Beware of those sites that ask TMI (Too Much Information). One site I created an account on asked those same questions that the bank asked (this draws a big red flag in my opinion). You know the questions I'm talking about. What's your mother's maiden name? What was your first car? What high school did you attend? Keep in mind these are unrelated questions, but if this site and your bank site ask you the same questions, someone else who knows those answers can get your bank password as well!</li>
</ol>
<p>Most sites require you to create a password with 6-8 letters. If they require stronger options, they will add a required capital letter, number, and/or symbol.</p>
<p>Here are a few tips to keep your passwords safe and easy to remember.</p>
<p>I will keep these very simple, but feel free to combine any or all of them.</p>
<ul>
<li>Use your favorite whatever (team, name, holiday etc.) but add a number. </li>
</ul>
<p>Ex. My favorite holiday is Independence Day (I won't share the reason) so a password for me could be 4thofJuly1994 or 7-Forth. Notice it's easy to remember and complex enough to beat an attack.</p>
<ul>
<li>Still use your child's name John and his year of birth. Don't do it the typical way, but like this: 19john89 or joHNjuly89. That way even in small talk you can say my password is my son's birthday. Even if someone was listening, they would still have a very hard time guessing your password.</li>
<li>Capitalize any letter but the first in case sensitive passwords. I was guilty of this as well. If I had to create a password with a capital, I would just make the first letter capital of the same simple word.</li>
<li>Don't use words “correctly”. As you may be able to tell from this article, my spelling sucks. If you spell a word wrong in your password who knows? and WHO CARES? The password is yours, not to be turned in for a grade!!! ex. PeeNuts.</li>
<li>Use phrases or quotes you like; ex. Takes12know1, HapE2CU, NGodweTrust, cUl@er=see you later (I just thought of that!).</li>
<li>Don't use the minimum amount of characters. Some sites have minimum password lengths of 6-8 characters. In that case make your password 9 letters/digits or more.</li>
<li>Make your bank passwords different from your email passwords</li>
</ul>
<p>Here's a short list of examples. Ask your children about funny ways to spell certain words. (I know most of you have seen the V-wireless commercial) “my BFFF Jill”. Remember you want it complex, but you want to remember it also.</p>
<ul>
<li>cyNthia21- Combines a name with a significant day of the month</li>
<li>Knock4Times- part of a phrase that was on a friend's door</li>
<li>4thHourof24- time of day I was born</li>
<li>SnoopPee- one of my favorite dogs. Note if you spell it incorrectly, only you will know!!</li>
<li>Ih0p3Ulearned2day</li>
<li>pa$$w0rds?</li>
<li>A few common letter/number switches
<ul>
<li>One instead of L</li>
<li>Zero instead of O</li>
<li>2 instead of "to" or "too"</li>
<li>3 instead of E</li>
<li>8 instead of ate </li>
<li>4 instead of for</li>
<li>@ instead of "at" combination ex. B@ = Bat, C@ = cat, F@ = fat </li>
</ul>
</li>
</ul>]]></description>
<pubDate>Tue, 02 Sep 2008 09:26:47 PST</pubDate></item>
<item>
<title>Wireless Networking Security Considerations</title>
<link>http://www.computersight.com/Communication-&amp;-Networks/Security/Wireless-Networking-Security-Considerations.232451</link>
<description>
<![CDATA[<p>Without doubt, the implementation, maintenance, updating, and testing of a network's security suite, in conjunction with ongoing assessment of the network's state of preparedness, form the fabric on which countering all forms of unauthorized network access and use before, during and after the event is based.</p>
<h3>Introduction</h3>
<p>It would be nice to live in utopia, that ideal world where nobody was a villain and misdemeanors never occurred. Unfortunately for the majority of us residing back here on planet Earth, security breaches, compromises and issues are all too real and unpleasant facts of life. Regardless of our station in life somebody is always trying to get a free lunch at our expense or trying to take advantage of us in some other way.</p>
<p>This being said we need to identify the objectives, acceptable standards, policies and regulatory compliance requirements that our wireless network security should deliver as intended.</p>
<h3>Wireless Networking Security Objectives Defined</h3>
<p>It is widely recognized that the underlying themes of all network security, and not just the wireless components, should be such that they consistently ensure adherence to the principles expressed by the CIA of Security ethos. Simply put this means the planning, implementation and maintenance of organization/network-wide Confidentiality, Integrity and Authentication (CIA).</p>
<p>The implications of this are that only duly authenticated authorized users have full access to all of their allocated network resources, assets, capabilities, bandwidth and Quality of Service (QoS) in line with the appropriate user rights, permissions and privileges whilst maintaining full and comprehensive organization-wide network confidentiality and integrity. The trick is in doing so seamlessly and transparently to the user.</p>
<h3>Strategies</h3>
<p>The implementation of security strategies and solutions consisting of multiple layers of protection by incorporating and melding a blend of physical security, multiple layers of authentication, network monitoring, traffic flow control, firewalls, intrusion detection, intrusion prevention, surveillance, logging and log analysis, specialized software, hardware and complementary technologies are widely regarded to be the fundamental pillars upon which the preservation of rock solid security for networks is built.</p>
<p>Make no mistake about it, this holds true for wired and wireless networks alike. By employing a security-in-depth approach many exploits can be negated. An example of where multiple layers of authentication can return handsome dividends is in wireless network access.</p>
<p>First line of defense is network access and connectivity controls. Users should be required to provide valid current authentication credentials in order to begin to access the wireless network. The user's wireless adapters should also be required to authenticate themselves.</p>
<p>Machine authentication can be implemented by simply creating a Wireless Access Point (WAP) or wireless router MAC Address filter table. Devices lacking a qualified listed MAC Address will be automatically denied network access. This level of access control actually precedes any user based authentication mechanisms since the MAC Address is contained in the Layer 2 header of every packet placed onto the network.</p>
<p>The next line in our defenses could involve additional authentication at various points throughout the network including transit beyond the local segment. For wireless networking components this can be most easily achieved by configuring dedicated wireless only network segments or through Virtual Local Area Network segmentation (VLANs) for wireless devices.</p>
<p>These specialized and segregated wireless networking segments can be placed into Demilitarized Zones (DMZs) for ease of administration. It is also advisable to make sure that they are on LAN segments physically independent of the rest of the network. Secondary user passwords or passphrases can be implemented at the application level as well.</p>
<p>Failure to incorporate a multi-layered approach makes successful intrusion far more likely. If all an attacker need do is to “crack” one password or passphrase, then, having gained access to a wireless network component without secondary authentication mechanisms in place, you can safely assume that they will have also gained full access over your entire network. This means all assets and resources including those of the wired segments.</p>
<h3>Wired and Wireless Issues</h3>
<p>I will now cover the major issues and areas of concern pertaining to wireless network security. Please note that this list is not intended to be absolute nor complete. New exploits and threats arise every day. Hence I have elected to present and highlight here those areas representing the greatest concern and/or those areas most likely to present future new threats and exploits.</p>
<p>Many of the generic issues discussed below apply equally to wireless and wired networks alike. This is especially so when the device in question is a consumer class broadband modem/router. Both the wired and wireless versions will exhibit the same basic preconfigured functionalities and default manufacturer configurations. For example manufacturers tend to use the same default administrator name, administrator password and network names as well as enabling DHCP by default.</p>
<p>So let's get to it and as always security starts with the physical and wireless networking is no different.</p>
<h3>Physical Security</h3>
<p>There are many physical security related issues regarding wireless networking security including the physical security of the device itself (accidental loss, theft, etc.), device naming and labeling conventions, physical accessibility (so critical for troubleshooting), coverage, Quality of Service (QoS), bandwidth, signal distortion, degradation and strength, device location, type of antennae and many more. If you would like to read more then check out Wireless Networking Physical Security.</p>
<h3>Transmission Media</h3>
<p>Because wireless networks use a public domain transmission medium, which is freely accessible to anyone with the right tools and desire, it is imperative that additional care and attention be paid to security aspects throughout the network's entire life cycle. So it is that the appropriate time for consideration of these initiatives to commence is at the very beginning of the network's life cycle during the technical requirements analysis and evaluation, planning and design stages. The process will be ongoing from there.</p>
<h3>Documentation</h3>
<p>Wireless device manufacturers usually provide the device's supporting documentation either on a disc bundled with the device or available for download from the manufacturer's website. In general, this documentation usually describes first steps/getting started, minimum requirements, preparation, installation, additional security procedures and finally troubleshooting and support.</p>
<p>Unfortunately, the vast majority of users will either ignore or skim over this information or anything else that is not pictorially depicted in the quick start guide. Let's face it these are the realities of our plug "n" play world. The device is working and I can use it; end of deal.</p>
<h3>Plug "n" Play</h3>
<p>The rise in popularity of wireless networks and technologies can in no small part be attributed to plug "n" play capabilities. On the one hand this is a boon for ease of connectivity, user friendliness and all-round ease of use. Yet it is these very aspects that make plug "n" play devices across the board so susceptible to subversion and compromise.</p>
<p>The problem with the default plug "n" play “silent install” approach to the installation and configuration of all devices (including wireless networking devices) is that in so far as network/device security is concerned it is no approach at all.</p>
<h3>Manufacturer Defaults</h3>
<p>Manufacturers preload their hardware with device specific software (firmware) and a basic configuration intended to get users up and running in the shortest possible time with minimal required user input.</p>
<p>Factory set default configurations, parameters, options and settings of most if not all devices are in the public domain. This is due to the fact that detailed and specific device defaults lists and documentation are generally freely available on the device manufacturer's website. They can also be found on a number of other third party websites.</p>
<p>The big difference between the documentation, resources and tutorials etc. that are published on a manufacturer's website and those published on third party websites is that on the whole the third party sites tend not to confine their listings to only those devices manufactured by a single manufacturer. They also tend to reveal more of and about the inherent flaws and potential exploits of a device that a manufacturer would prefer to “overlook”. You might say that they are a one-stop-shop.</p>
<h3>War Driving and Wireless Network Hacking</h3>
<p>While most of us have heard of hacking, the practice of “<strong>war driving</strong>” is not so well known. So for the benefit of one and all, war driving is the practice of cruising around with a wireless enabled laptop complete with a plethora of wireless networking detection and cracking tools. Many war drivers even make use of GPS to physically locate with pin-point accuracy the precise locations of any wireless networks detected.</p>
<p>The major distinction between the two is that war driving is all about discovering the existence of wireless networks. Hacking wireless networks on the other hand is about cracking/breaking into those wireless networks discovered through war driving or any other means such as packet sniffing.</p>
<p>In short, the hacking of wireless networks is all about gaining access to a network whilst not being a legitimate bona fide network user with authentic access privileges and rights. This does not imply in any way that a would-be intruder is implicitly malevolent.</p>
<p>For example, legitimate, authorized and authentic security staff conducting site surveys, penetration testing or network preparedness assessments usually do not have “evil” intent. Still others may be attempting to access your wireless network for the thrill of it simply because it's there.</p>
<p>Note that the tools used for war driving and standard wireless hacking purposes are generally the same. In addition, these tools are freely available for download via the Internet usually in the form of self extracting automatic installation packages or user installable software.</p>
<p>What many may not realize is the degree of user friendly sophistication and capabilities that these tools have attained over the years of their existence and development. So it is that in today's wireless networking climate we must assume that attackers are by default armed with these tools. With this in mind we can construct our defenses in a manner best suited to counteracting a multiplicity of threats originating from all angles.</p>
<h3>Conclusion</h3>
<p>In combination a device's factory defaults and plug "n" play silent installation and setup provide a very user friendly, fast and convenient method to get a device up and running. Yet it is these very same default factory/plug "n" play device parameters, default configuration settings and behaviors that make wireless networks and wireless devices installed in this way without any further user/administrator interaction particularly inherently susceptible to compromise.</p>
<p>Therefore, immediately after the initial setup and installation has completed successfully the first security tasks that you should religiously attend to are the modification and/or customization of the basic manufacturer factory default settings, administrator names, passwords and configurations.</p>]]></description>
<pubDate>Thu, 28 Aug 2008 07:10:15 PST</pubDate></item>
<item>
<title>Email From Your Bank</title>
<link>http://www.computersight.com/Communication-&amp;-Networks/Security/Email-From-Your-Bank.177847</link>
<description>
<![CDATA[<p>I opened my email and saw one which said it was my bank writing to update my account information. Of course, I want my bank to know where I am, my telephone number and other important information. Thus, I opened the email.</p>
<p>It appeared to be from my bank. It was from their national headquarters rather than from my local branch. They asked me to verify my name, my address and phone number. They then asked me to change my pass phrase for the Internet access. They said it should be changed every few months to prevent others from accessing my banking information. They asked me to type in my account log on word plus my current password. Then, they asked me to type in a new password of eight characters including at least one numeric character. After I put in the information and pressed “Send”, I received a new email response thanking me for updating my information. A note said that the new password would be activated at the end of the business day.</p>
<p>Relieved, I recorded the new password on my personal records so I would not forget it. I did not try to use the new password until the next day.</p>
<p>When I checked my online account balance the next day, I was horrified. First of all, the new password did not work. I decided to go back to the old password. The account opened and showed an account balance which was much lower than I expected. When I checked the detailed daily record of the account, I saw that someone had withdrawn several hundred dollars from my account.</p>
<p>Rather than sending an email, I went to my local bank branch to complain. They said it was probably a scam email that I had responded to. They told me that their bank never sends emails of that type. They allowed me to use a computer in their office to log into my email account. In the "trash" folder, I found the email that I had responded to. In the "sent" folder was a copy of the information that I had sent the day before.</p>
<p>The officer in the bank pointed out to me that the return address on the email was not to their bank but to a strange-looking email address, one that I had never seen before. They had me fill out a report of the scam that had sucked me in although they told me that it was unlikely that the culprit would be discovered as he probably changed to another email address overnight.</p>
<p>I write this to offer suggestions to other people who receive emails from their banks. You should check the email address the sender used. Also, you should contact your bank rather than respond to an email. If the bank wants new and updated information about you, you should provide it in their office instead of in an email.</p>
<p>I have recently noticed that my "spam" folder of my email account sometimes has emails from many banks, not just the bank where I have an account. It appears that the phisher, the person who is trying to get people to do stupid things such as I did, uses many bank names in hopes of finding people who have accounts in those banks. This technique used by unscrupulous people is referred to as phishing. They are sending out thousands of emails and expect some people to fall for the scam, just as I did.</p>]]></description>
<pubDate>Tue, 22 Jul 2008 04:50:37 PST</pubDate></item>
<item>
<title>How to Protect All Your Computer System and Files with Passwords</title>
<link>http://www.computersight.com/Communication-&amp;-Networks/Security/How-to-Protect-All-Your-Computer-System-and-Files-with-Passwords.172207</link>
<description>
<![CDATA[<p>If you are like me, your entire life is inside a computer. By life I mean all your personal info, your bank info, your business info, your financial info and much more. This information is extremely sensitive and in the wrong hands it will give you a huge headache.</p>
<p>Here is how to protect all of your computer with passwords so you are the ONLY person that can see what's inside your personal files.</p>
<ol>
<li>
<h3>Make a strong password for Windows Log On Screen</h3>
Make it with letters and numbers and at least 14 characters long. Think of some dates and makes and mix them so you will remember it easily. A large array of computers trying to break it by inserting 1 million combinations per second will take at least 100 million years to break such a password. This is official information from a software called Steganos Safe.</li>
<li>
<h3>Encrypt your hard disk so you will know all your files will be much harder for a hacker to crack</h3>
Windows already has this feature so use it! If you don't like this Windows feature you can always get</li>
<li>
<h3>Word Documents can be saved with a password</h3>
This ensures you are the only one reading it even if someone steals the file.</li>
<li>
<h3>Winzip all the files you don't use so often and put a password on the zip file</h3>
<p>Use only a professional desktop search program that supports passwords and secure encryption or you risk having your entire life read on the Internet!</p>
</li>
<li>
<h3>Use a master password in your Firefox browser so you will have to insert that password before logging to any website</h3>
This way if someone touches your browser while you are away he or she cannot access any private website!</li>
</ol>
<p>If you use your computer or laptop without any kind of password do you know what can happen? Here is a real scenario. You go to a cafe and you leave your computer on to pay for the coffee. When you return you see that someone just stole your computer. Since you don't have any kind of password the thief can easily see what kind of work you do, and he can see who you are since you saved all your photos inside your computer. He can see where you live because you have your personal info in some .doc file, he can access your bank account because you have the password number in a file, and finally he has full control over you!</p>
<p>Think twice if you are still using your computer with no passwords.</p>]]></description>
<pubDate>Thu, 17 Jul 2008 06:37:42 PST</pubDate></item>
<item>
<title>Password Authentication Security</title>
<link>http://www.computersight.com/Communication-&amp;-Networks/Security/Password-Authentication-Security.138542</link>
<description>
<![CDATA[<p>Everybody's objective in the cybercrime, tug "o" war games is to be on the winning side. Nobody likes losing especially when the prize is your own personal property or even worse your identity that is at stake. However, there are steps you can take to reduce both an organization's and your individual personal risk/threat impact levels.</p>
 
<p>Over the course of the next few days I will be presenting a series of articles dealing with the many and varied aspects, concerns, issues, strategies, policies, threats and countermeasures that constitute password security.</p>
 
<p>Many systems today, still rely on password only authentication. Thus, defending yourself and your organization against the ravages of breaches of password security becomes of heightened importance. Having a single point of failure/attack (the logon name/password combo) does leave one more exposed to the efforts of cybercrime.</p>
 
<h3>Honesty - Being True to Yourself</h3>
 
<p>If you are not going to assess your current password security status honestly then do not even bother. You will probably just waste a whole pile of blood, sweat and tears on useless, ineffective, time-consuming, misdirected and most definitely misguided pies in the sky.</p>
 
<p>The type of honesty that I refer to is the kind of honesty that is so necessary to a realistic and accurate assessment of your current password security status. Assess yourself honestly. You do not have to let anyone else know the details of your dirty laundry.</p>
 
<p>So please, do yourself a favor and do this right. For, only after appraising your current password security status will you be able to identify areas of weakness that need prompt attention.</p>
 
<h3>Hard Password Copies (Paper)</h3>
 
<p>Maintaining a hard copy (paper) of your passwords and locking it in your desk is not as secure a practice as you might think. You cannot guarantee that nobody will attempt to break into your desk. The locks on most desks are merely a trivial inconvenience to those with a little know how.</p>
 
<p>An envelope opener and a matter of five to ten seconds tops is usually all that it takes to open the majority of desk drawers. Failing to lock up your desk compounds the crime. It may save damage to your desk's lock but will do nothing to save your password hard copy.</p>
 
<p>Do not leave a hard copy of your passwords in close association and physical proximity to your computer, e.g. on your desk or beside the PC or monitor. It is a very bad idea. Leaving a hard copy of your logon and password details in open public view is worse. Then again, the practice of writing your logon name and password on a post-it-note and attaching the post-it-note to the PC or monitor is probably the worst of all.</p>
 
<p>Human laziness, carelessness and a casual attitude toward security, particularly where user accounts are concerned is one of the most pervasive issues facing security on an ongoing basis. It is no secret that over the years, post-it-notes along with other password hard copies have provided a profitable source of information to would be password attackers.</p>
 
<p><strong>Recommended countermeasures</strong> concerning practices relating to hard copies of passwords and other authentication credentials should not be necessary since the best advice of all is that you should never maintain a hard copy of authentication details period.</p>
 
<h3>Electronic, Magnetic and Optical Password Copies</h3>
 
<p>While not as risky as maintaining hard copies of your authentication details considerable care needs to be taken when storing electronic, magnetic or optical copies of this information. You should always encrypt authentication data when storing it in an electronic, magnetic or optical format.</p>
 
<p>As with paper hard copies, any physical copy of any data is liable to additional risk of theft. Many thieves find it easier to steal physical objects compared to electronic objects. They may consider your PC too big to put in their pocket but CDs, USB flash drives, floppy disks and external hard drives are another matter altogether.</p>
 
<p><strong>Recommendations </strong>to help protect the electronic, magnetic and optical physical copies of your data will always begin with physical security measures such as using data vaults, lock and key and off-site storage etc. You should also only store this information in an encrypted format to increase your data protection strategies. Password locking files is also important.</p>
 
<h3>Security-In-Depth</h3>
 
<p>Using a security-in-depth strategy entails the implementation of more than one mechanism in your defenses. You can build defenses based around password authentication to open a channel after which you use additional passwords to gain additional access privileges.</p>
 
<p>Here is an example to illustrate the security-in-depth approach using password authentication systems. You log onto the network using one password, which in association with your logon user name will, once authenticated, allow you access to basic network assets, services and resources.</p>
 
<p>If some time later you need access to a resource requiring a higher privilege level, such as a database, you may need to supply another user name with a different password. In this way, we now have a two-tiered hierarchy of access privileges to specific resources. Still password-based but immeasurably more secure than a one-password-accesses-all system provides.</p>
 
<p>Now suppose you wish to gain access to sensitive information held within that database. In which case, you will need to supply another different user name and password. A third layer of password protection access has now taken place.</p>
 
<p>Your level of security has increased yet again and the best bit is that it is not going to cost you anything. Most operating systems, including Windows, Linux and Apple MAC along with specialty application software (MS Word, Open Office, security suites etc), will support this strategy natively out of the box.</p>
 
<p>A classic example of this would be your email account. Your operating system will supply the first password protected authentication level at logon. Your email service provider will require another password protected authentication when you wish to check your email.</p>
 
<p><strong>WARNING</strong>: A word of caution, however: most email password authentication processes occur unencrypted, which is a very bad idea. Anybody with a “packet sniffer” utility can capture the traffic and view it in plain text at their leisure.</p>
 
<p>To overcome this you can configure more secure communications channels or use multifactor authentication systems, which I do recommend. They will be the topic of my next article.</p>
 
<h3>Conclusions</h3>
 
<p><strong>NEVER</strong> disclose account information such as logon names and passwords. At all times and under all circumstances you must ensure that this type of information (authorization credentials) remains known only to your security, administration and support personnel and then only on a need to know basis.</p>
 
<p><strong>NEVER</strong> keep hard copies of passwords and other authentication details. It is a practice fraught with danger.</p>
 
<p><strong>ALWAYS</strong> store data in an encrypted format.</p>
 
<p><strong>ALWAYS</strong> afford authentication credentials maximal protection and spare no effort in these endeavors, as they will deliver heightened levels of security across the board to your entire system/network.</p>
 
<p><strong>ALWAYS</strong> implement multiple layers of password-protected authentication. A security-in-depth approach is applicable to practically every system with a little careful planning.</p>
 
<p>Until next time when I will discuss multifactor authentication systems, enjoy!</p>]]></description>
<pubDate>Sat, 14 Jun 2008 06:31:17 PST</pubDate></item>
<item>
<title>Windows XP Automatic Password Generation and Assignment</title>
<link>http://www.computersight.com/Operating-Systems/Windows/Windows-XP-Automatic-Password-Generation-and-Assignment.130191</link>
<description>
<![CDATA[<p>Password security is a fundamental security principle that we all become a little too flippant with from time to time. Only today, a friend asked me how to create a password policy that all staff would comply with, use and maintain. The biggest issue was to think of how to create the actual passwords and pass phrases.</p>
 
<p>I know from my own personal experience that when it comes to the crunch, all the good password and pass phrase ideas just seem to evaporate. When I asked what OS the users were primarily using, my friend replied Windows XP Pro at work, and some used Windows XP Home on the road and at home.</p>
 
<p>I asked whether they had thought of using the Windows XP automatic password generation and assignment feature. When informed that they did not even know that one existed, I explained how it worked. While showing them how this feature of Windows XP worked, it occurred to me that it was highly likely that a whole bunch of other people would be interested, and so I am writing this tip.</p>
 
<p>A point to note here is that the passwords that Windows XP (all flavors) generates are strong and secure. They may not, however, be as easy to remember as the loose and often personally related passwords that users tend to pick: no family names, birth dates, etc.</p>
 
<p>This process is compatible with Windows domains, stand-alone machines and peer-to-peer workgroup scenarios. The generated passwords are not necessarily easy to remember, so it is a good idea to pay very careful attention during the process. I will also show you how to create a password reset disk just to be on the safe side.</p>
 
<h3>Open a command prompt and key in the following:</h3>
 
<p>net user username /random (where username is your login account name)</p>
 
<p>Once done press <strong>[ENTER]</strong></p>
 
<p>Windows XP will now automatically generate and apply a strong, secure and randomly selected password to the nominated account. Windows XP will also display the password so you can take careful note in order to remember it.</p>
 
<p>At this point, you may wish to create a password reset disk in the event that you forget your password. I advise using the Prevent A Forgotten Password Wizard to do this. To activate the wizard do the following:</p>
 
<ul>
<li> Open Control Panel</li>
 
<li> Double-click the User Accounts tool</li>
 
<li> Click your account icon (the one you just used to create the automatically generated and assigned password)</li>
 
<li> Under Related Tasks, select Prevent A Forgotten Password</li>
 
<li> Now follow the wizard's instructions </li>
 
</ul>
<p>Do not forget to store this disk in a location where it is both handy and free from tampering or unauthorized access.</p>
 
<p>I recommend that you teach your users this procedure and make them responsible for the generation, storage and maintenance of their individual Prevent A Forgotten Password recovery disks as well. After all, it is their account.</p>
 
<p>Until next time, enjoy!</p>]]></description>
<pubDate>Tue, 27 May 2008 09:43:17 PST</pubDate></item>
<item>
<title>Generate Random Password with PHP</title>
<link>http://www.computersight.com/Programming/PHP/Generate-Random-Password-with-PHP.79972</link>
<description>
<![CDATA[<p>This function generates a random password of a desired length. The default length is 10, but you can easily change it by passing the desired length to the function.</p>
 
<pre>&lt;?php
function randomPassword($passwordLength = 10) {

   // First we start with an empty password
   $randPassword = '';

   // Then we say which characters we want to have in the random password
   $allowedCharacters = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";

   // We add the desired number of characters to the password
   for ($i = 0; $i &lt; $passwordLength; $i++) {

     // We randomly choose a new character. random_int() (PHP 7+) draws from the
     // operating system's CSPRNG; mt_rand() is predictable and not suitable for passwords.
     $character = substr($allowedCharacters, random_int(0, strlen($allowedCharacters) - 1), 1);

     // And add it to the random password
     $randPassword .= $character;

   }

   // Simply return the generated password and DONE
   return $randPassword;

 }
 ?&gt;</pre>
 
<p>This is how it is used.</p>
 
<p>Save the function in a file and call it password.php</p>
 
<p>Then in the same folder create a file and call it passwordtest.php</p>
 
<p>In passwordtest.php, write the following code:</p>
 
<pre>&lt;?php
 // Load the randomPassword() function defined in password.php
 include('password.php');

 echo "A random password with default length: ";
 echo randomPassword();

 echo "&lt;br /&gt;A random password with a length of 6 characters: ";
 echo randomPassword(6);
 ?&gt;</pre>
 
<p>Hope you can use this function.</p>]]></description>
<pubDate>Mon, 04 Feb 2008 10:26:54 PST</pubDate></item>
<item>
<title>Bad Passwords</title>
<link>http://www.computersight.com/Communication-&amp;-Networks/Security/Bad-Passwords.39882</link>
<description>
<![CDATA[<p>Did you know that many people choose passwords that are well known? That makes them an easy target for thieves. The news portal “Wired” publicized the 20 most popular passwords.</p>
 <ul><li> Password1</li>
 <li> Abc123</li>
 <li> Myspace1</li>
 <li> Password</li>
 <li> Blink182</li>
 <li> Qwerty1</li>
 <li> Fuckyou</li>
 <li> 123abc</li>
 <li> Baseball1</li>
 <li> Football</li>
 <li> 123456</li>
 <li> Soccer</li>
 <li> Moneky1</li>
 <li> Liverpool1</li>
 <li> Princess1</li>
 <li> Jordan23</li>
 <li> Slipknot1</li>
 <li> Superman1</li>
 <li> Iloveyou1</li>
 <li> Monkey</li></ul>
 <p>I recommend not using these passwords. I also recommend not using your personal information, music bands, magazines or anything else that you like.</p>]]></description>
<pubDate>Sun, 06 May 2007 08:40:14 PST</pubDate></item>
<item>
<title>Password protection</title>
<link>http://www.computersight.com/Communication-&amp;-Networks/Security/Password-protection.39666</link>
<description>
<![CDATA[<p>Password protection is on nearly every site that you will ever use. It is there to stop people from accessing your details.</p>

<p>Most people use simple, easy-to-remember words. This is NO GOOD. Please don’t have your password as something like apple or cherry; it’s really not good.</p>

<p>&ldquo;Password brutes&rdquo; is a term I use for software that brute-forces its way through your password. The software has a dictionary built in, with hundreds and hundreds of words, and it goes through the list hammering the words into your site, trying to find the right one. If you use a simple word from the dictionary, this software will find your password without difficulty.</p>

<p>Another way that people can get at your password is simple. Did you know that hundreds, even millions, of computer users use a password taken from something that is in front of them, such as packardbell, tiny or Philips? The list does go on. Please don’t use this method: if you use anything you can see in front of you as a password, someone could figure this out and try it.</p>

<p>Now the important bit: creating a password. Think of something you can easily remember. A good way to start is maybe the place you work, mixed with a set of numbers like your birthday, and then finally, to add more security, a symbol (please note that some passwords do not allow symbols; if they don’t, skip the symbol).</p>

<h3>Example</h3>

<p>Wool23worths06% &lt; that is a good strong password that would be very hard to figure out</p>

<p>2h3m06£v1984 &lt; another good strong password</p>

<p>These two are just examples, but if you try something like this, people will find it very hard to access your information. Hope this helped.</p>]]></description>
<pubDate>Sat, 19 Aug 2006 11:52:39 PST</pubDate></item>
</channel>
</rss>
