Many systems and services have been successfully broken down due to the use of  small, insecure and inadequate passwords. Some viruses and worms have exploited systems by guessing weak passwords. There are various softwares out there to Crack and Guess your password within Fraction of Seconds !!

Here I would like to take you thru some of the tips and tricks to choose a good password and how to protect it !!

How do you choose a good password?

We choose our passwords as the string of characters based on our personal information and of course that’s easy to remember.  However, that also makes it easier for an attacker to guess or “crack” them. Consider a four-digit PIN number. Do you know how easy it is to generate the combination matrix for a 4 Digit Number ?

Is that number is a sequential combination of the month, day, or year of your birthday?

Or the last four digits of your vehicle registration number?

Or your address … phone number?

Think about how easily it is to find this information out about somebody.

What about the email password…  is it a word that can be found in the dictionary? If so, it is easy to gain information thru ”dictionary” attacks, which attempt to guess passwords based on words in the dictionary.

Although intentionally misspelling a word (“daytt” instead of “date”) may hold some protection against dictionary attacks.  Better method is to choose a series of words and use some memory techniques. This will help to remember for decoding it back !  

For example, instead of the password “hoops,”

We can use “IlTpbb”for “[I] [l]ike [T]o [p]lay [b]asket[b]all.”

Using both lowercase and capital letters adds another layer of obscurity.

Your best defense, though, is to use a combination of numbers, special characters, and both lowercase and capital letters.

Change the same example
we used above to “Il!2pBb.” and see how much more complicated it has become just by adding numbers and special characters.

Longer passwords are more secure than shorter ones because there are more characters to guess, so consider using passphrases when you can.

For example,

 ”This passwd is 4 my email!” would be a strong password because it has many characters and includes lowercase and capital letters, numbers, and special characters. You may need to try different variations of a passphrase many applications limit the length of passwords, and some do not accept spaces. 

“Q3h73QSr” is strong and easy to remember as [Q]UICK [3] [h]appy [7] [3] [Q]UICK [S]ONY [r]adio !

You can use your own way of memory technique in your own language … “12#Ks4#f” is strong and easy to remember in Hindi Language also as [12] Topi[#] [K]e [s]aath [4] Topi[#][f]ree !  

Try to avoid common phrases, famous quotations, and song lyrics. Password crackers have knowledge of various languages as well !

Don’t assume that now you’ve developed a strong password you should use it for every system or program you log into. If an attacker does guess it, he would have access to all of your accounts. You should use these techniques to develop unique passwords for each of your accounts. At least keep your Banking/Transaction Passwords separate than your E-Mail, Blogs and Social Networks !

Here is a review of tactics to use when choosing a password:
* Don’t use passwords that are based on personal information that can be easily accessed or guessed.
* Don’t use words that can be found in any dictionary of any language.
* Develop a mnemonic for remembering complex passwords.
* Use both lowercase and capital letters.
* Use a combination of letters, numbers, and special characters.
* Use passphrases when you can.
* Use different set of passwords on different systems.

How can you protect your password?

Now that we have chosen a good password that’s difficult to guess, We need to make sure not to leave it some place for people to find.

Writing it down and leaving it in your desk, next to your computer, tagged to your computer/board side by ! This is just making it easy for someone who has physical access to your workplace. Don’t tell anyone your passwords, and watch for attackers trying to trick you through phone calls or email messages requesting that you reveal your passwords. Of course, your Banking Accounts and Online Transaction stuff may be of intrest for someone else !  

If your internet service provider (ISP) offers choices of authentication systems, look for ones that use Kerberos, challenge/response type, or public key encryption rather than simple passwords.  Consider challenging service providers that only use passwords to adopt more secure methods. Also you can request the ISP Support person to help you out in changing the configurations as per your comfort level.

Also, many programs offer the option of “remembering” your password, but these programs have different ways and methods of security protecting that information. It is not a very good practice to allow those programs to save your password on a Public PC or any other non trusted source of internet!
Some programs, such as email clients, store the information in clear text in a file on your computer. This means that anyone with access to your computer can discover all of your passwords and can gain access to your information.

For this reason, always remember to log out when you are using a public computer (at the library, an internet cafe, or even a shared computer at your office). Other programs, such as Apple’s Keychain and Palm’s Secure Desktop, use strong encryption to protect the information. These types of programs may be a good option for managing your passwords if you find you have too many to remember.

There’s no guarantee that these techniques will prevent an attacker from learning your password, but they will make it more difficult.

Note: This is an extract from Original Security Tip “Choosing and Protecting Passwords” Published by US-CERT and the Original post is found at the link below.

http://www.us-cert.gov/cas/tips/ST04-002.html.