I’ve seen some passwords that took a few years off my life.
I mean, we all know about dictionary words, right? And we’ve all seen Spaceballs, right? But choosing 12345 as your password is not the only careless option: there are many more! The more familiar I get with users’ passwords, the more I see how alike they all are.
Let’s review some of the commonly used bad password practices:
- Empty passwords. Need I say more? Apparently yes. So what if “there’s only access through the firewall from our company’s IP”? That rule is one misconfiguration, or one compromised internal host, away from meaning nothing.
- Dictionary passwords: real English words like ‘falcon’ or ‘tiger’. Don’t use these! They are the easiest to attack: a wordlist attack tries every one of them in seconds.
- Well-known words: how about ‘Gandalf’? It’s not in the dictionary, but it’s popular enough to appear in any respectable wordlist. For that matter, look at how well passwords are filtered on RedHat: you can’t choose a password which is a common first or last name in the US, Italy, or even Israel; which is great!
- Common substitutes: enough with ‘1nsi9ht’ and ‘@dm1n’! These are barely harder to break than the plain words: every cracking tool applies the same leet-speak rules to each dictionary entry, so it costs only a few extra guesses per word.
- Keyboard clusters: say No! to ‘1qa2ws’. Don’t use ‘$rty&*io’. They seem random at first sight, but find them on the keyboard: it’s just your common “how shall I create a password that’s so easy to remember I will never forget it?”. Now REPLACE(“remember”, “break”) and REPLACE(“never forget”, “always regret”).
- Children’s names, birth dates, 123456, your car’s license plate number, your Yahoo! mail password, etc. etc. etc. Anything a stranger can look up, or guess in a handful of tries, is not a secret.
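To make the list above concrete, here is a small checker, added for this post and not part of the original, that flags the patterns described: empty or short passwords, dictionary and well-known words, leet-style substitutions of those words, and keyboard walks such as ‘1qa2ws’. The word list is a constructed stand-in for a real dictionary (a real check would load /usr/share/dict/words or a cracking wordlist, including first and last names), and the minimum length of 12 and the adjacency threshold of 0.75 are assumptions chosen for the example. A password that passes is not proven strong; it has merely avoided the habits listed here.

```python
import string

# Constructed stand-in for a real word list (assumption for this example).
# A real deployment would load tens of thousands of words, including names.
WORDLIST = {
    "falcon", "tiger", "gandalf", "insight", "admin", "password", "passwd",
    "secret", "letmein", "welcome", "monkey", "dragon", "michael", "john",
}

# Reverse of the common leet substitutions that cracking rule files try.
UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                        "7": "t", "8": "b", "9": "g", "@": "a", "$": "s",
                        "!": "i", "|": "l", "+": "t"})

# US QWERTY layout; a key and its shifted twin share one position.
_ROWS = ["`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]
_SHIFTED = ["~!@#$%^&*()_+", "QWERTYUIOP{}|", 'ASDFGHJKL:"', "ZXCVBNM<>?"]
KEY_POS = {}
for _r, (_row, _shifted) in enumerate(zip(_ROWS, _SHIFTED)):
    for _c, (_key, _skey) in enumerate(zip(_row, _shifted)):
        KEY_POS[_key] = KEY_POS[_skey] = (_r, _c)


def _adjacent(a, b):
    """True when a and b are the same key or touch on the keyboard grid."""
    if a not in KEY_POS or b not in KEY_POS:
        return False
    (r1, c1), (r2, c2) = KEY_POS[a], KEY_POS[b]
    return abs(r1 - r2) <= 1 and abs(c1 - c2) <= 1


def keyboard_walk_ratio(pw):
    """Fraction of consecutive character pairs that sit next to each other."""
    if len(pw) < 2:
        return 0.0
    pairs = list(zip(pw, pw[1:]))
    return sum(_adjacent(a, b) for a, b in pairs) / len(pairs)


def unleet(pw):
    """Undo leet substitutions: '@dm1n' -> 'admin', '1nsi9ht' -> 'insight'."""
    return pw.lower().translate(UNLEET)


def check_password(pw, min_len=12, walk_threshold=0.75):
    """Return the bad-practice patterns found in pw; an empty list means none.

    This is a denylist of the habits the post describes, not a proof of
    strength: a password that passes can still be a child's name or a
    birth date, which only its owner can rule out.
    """
    if not pw:
        return ["empty password"]
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    low = pw.lower()
    stem = low.rstrip(string.digits)          # 'falcon1' -> 'falcon'
    if low in WORDLIST:
        problems.append(f"dictionary word: {low}")
    elif stem in WORDLIST:
        problems.append(f"dictionary word with digits appended: {stem}")
    elif unleet(pw) in WORDLIST:
        problems.append(f"common substitution of dictionary word: {unleet(pw)}")
    if keyboard_walk_ratio(pw) >= walk_threshold:
        problems.append("keyboard walk or cluster")
    return problems


if __name__ == "__main__":
    # The post's own examples, plus one pwgen output for contrast.
    for candidate in ["", "falcon", "Gandalf", "@dm1n", "1nsi9ht", "1qa2ws",
                      "$rty&*io", "123456", "zxcvbn", "pa55wd",
                      "na5thoeh4jaeth9OoMooBiosoophuShi"]:
        print(repr(candidate), check_password(candidate) or "no known pattern")
```

Running the script over the post’s examples flags every one of them, while the 32-character pwgen string at the end is the only candidate that comes back clean.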
There are many guidelines for choosing strong passwords, and everyone seems to know them. Yet I’m still surprised to find that the MySQL root password is ‘zxcvbn’ or ‘pa55wd’.
MySQL accepts any character in a password, so you may use punctuation, spaces, and other symbols. A larger alphabet means more possibilities per character, so for the same length such a password is harder to brute-force than one made of letters and digits alone.
I think it all boils down to one question: do you really need to remember the password? If so, go ahead and use some personal hints, and make it as difficult for the intruder as you can.
If not, and you can store the password somewhere safer (encrypted under a stronger master password on a secure server; on plain paper on your bookshelf; behind your mother’s cupboard, embedded between her Bridge winnings notes), then use as strong a password as you can get.
A good tool which I’ve begun to use recently is pwgen. For example:
$ pwgen -cn 32 1
na5thoeh4jaeth9OoMooBiosoophuShi
$ pwgen -ycn 32 1
zahC0eehei.tee0pahL3sej2ohv^e8me
pwgen can be told to include or leave out digits (-n / -0), uppercase letters (-c / -A) and special characters (-y), and is very handy. Note that by default it produces “pronounceable” passwords, which are easier to memorise but drawn from a smaller space than truly random strings; for a password you will store rather than remember, use -s to get a fully random one.
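To put numbers on the two points above (a larger alphabet makes each character worth more, and a stored password can be as long as you like), here is an added example, not from the original post, that generates passwords with Python’s CSPRNG-backed secrets module and reports their entropy. The guess rate of ten billion per second used for the crack-time estimate is an assumption for illustration, not a measurement of any particular hardware.

```python
import math
import secrets
import string

ALPHANUM = string.ascii_letters + string.digits       # 62 symbols
WITH_SYMBOLS = ALPHANUM + string.punctuation          # 94 symbols, as MySQL allows


def generate(length=32, alphabet=WITH_SYMBOLS):
    """Uniformly random password over alphabet, from the OS CSPRNG (secrets)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Bits of entropy of a uniformly random string: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits, guesses_per_second=1e10):
    """Expected time for an online/offline guesser to hit the password.

    On average half the space must be searched, hence 2**(bits-1).
    The default rate is an assumption for this example only.
    """
    return 2 ** (bits - 1) / guesses_per_second


if __name__ == "__main__":
    for length, alphabet, label in [(8, ALPHANUM, "8 letters+digits"),
                                    (8, WITH_SYMBOLS, "8 with symbols"),
                                    (32, ALPHANUM, "32 letters+digits"),
                                    (32, WITH_SYMBOLS, "32 with symbols")]:
        bits = entropy_bits(length, len(alphabet))
        years = expected_crack_seconds(bits) / (3600 * 24 * 365)
        print(f"{label:20s} {bits:6.1f} bits  ~{years:.3g} years  e.g. {generate(length, alphabet)}")
```

The table the script prints makes the trade-off plain: an 8-character alphanumeric password is under 48 bits and falls to an offline attacker in hours at the assumed rate, while any 32-character random string is far beyond reach, symbols or not. Length does most of the work; symbols add a little on top.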
Conclusion
Not all my passwords are that strong; I distinguish between critical data, confidential data and personal data, between the damage done by exposing each password, and so on.
If your server is behind a firewall, that means you have a reason for not letting people in. Take the next small step and choose strong passwords for your OS, database, htaccess and the rest of the gang.
Why care about the root password, when you can intercept the required passphrase with gdb/dtrace/sniffer + mysql.user file read/etc?
I agree with the point you’ve made. We use the following command to create strong passwords,
openssl rand -base64 12
Nice article, I believe I should start paying more attention to my passwords; anyway, I don’t hide anything important.
Shlomi,
You are SPOT ON!
Great post! Thanks a lot for sharing a nice article on passwords; I went through the article, a really very nice and detailed review. To be secure it’s better to change your passwords very often.
By the way, these are some suggestions for choosing passwords:
I know that coming up with a good password can be difficult, so here are some guidelines to use.
* Choose a password that is at least six characters long. This should be long enough to discourage a brute-force attack. Currently, the maximum password length on many Unix systems is eight characters, but if you want to add a few more characters to make it easier to remember, go ahead. Just bear in mind that anything after the eighth character will be ignored (so “abnormalbrain” is the same as “abnormal”).
* In general, a good password will have a mix of lower- and upper-case characters, numbers, and punctuation marks, and should be at least six characters long. Unfortunately, passwords like this are often hard to remember and result in people writing them down. Do not write your passwords down!
By the way, for more information on professional training and certification for security courses check this link: http://www.eccouncil.org/certification.aspx