TimBerglund.com
See what large letters I use as I write to you in my own hand.

Here is a moderately helpful

Here is a moderately helpful article on how to strengthen your passwords (link via the more-than-moderately helpful Woodstock Wire).

The article–which you should read in its entirety–contains a link to an online password security measuring tool from the Security Stats portal. I should note that I was alarmed that both the article and the tool seem to agree that making standard 1337 (pronounced “leet”) substitutions of numbers for letters (L1K3 TH15) will substantially increase password strength. I’m not so sure, having personally seen a password cracker rip through a Windows 2000 password file containing an otherwise weak, dictionary-attackable password that had been hardened in that fashion. And I am anything but good at this kind of thing.

Still, there’s some good advice, including this:

Organizations are rife with guest accounts, group accounts, accounts with no passwords, a lack of password expirations, passwords that can be easily guessed and opportunities to exploit technical weaknesses or perform social engineering. With all of these easy opportunities, computer accounts with good six-character passwords are only a trifle weaker than those with eight-character passwords. My point is that infosec professionals need to focus more on the compliance of good user-account hygiene than on the length of passwords.

Amen. Systems get hacked because unnecessary ports are open, known exploits are left unpatched, and stupidly insecure accounts (well-known default settings, empty passwords, etc.; not just mildly weak user passwords) are left active. It’s not necessarily your fault for using your dog’s name (unless you’re Rachel Lucas, whose dogs’ name is far too well known).
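To put a number on the 1337 substitutions discussed earlier, here is an added example (not code from the article or the Security Stats tool) of a password-policy check that collapses leet symbols before a dictionary lookup and counts how many spellings the substitutions add. The substitution table and the wordlist are constructed assumptions.

```python
import math

# Assumed table (not from the article): leet symbol -> letters it stands for.
LEET = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s",
        "7": "t", "@": "a", "$": "s", "!": "i"}

# Constructed sample wordlist; a real audit would load a full dictionary.
WORDLIST = ["password", "like", "this", "letmein", "dragon"]

def _build_canon():
    """Map every symbol and letter in LEET to one representative letter."""
    canon = {}
    for sym, letters in LEET.items():
        for ch in sym + letters:
            canon[ch] = letters[0]
    return canon

CANON = _build_canon()

def canonical(text):
    """Lower-case text and collapse leet symbols onto their letter class."""
    return "".join(CANON.get(ch, ch) for ch in text.lower())

CANON_WORDS = {canonical(w): w for w in WORDLIST}

def dictionary_base(password):
    """Return the dictionary word a password reduces to, or None."""
    return CANON_WORDS.get(canonical(password))

def leet_variant_count(word):
    """Count the spellings that cover every leet form of word (this table)."""
    symbols = {}
    for sym, letters in LEET.items():
        for letter in letters:
            symbols.setdefault(letter, set()).add(sym)
    count = 1
    for ch in word.lower():
        count *= 1 + len(symbols.get(ch, ()))
    return count

def added_bits(word):
    """Upper bound, under this table, on the entropy leet spelling adds."""
    return math.log2(leet_variant_count(word))

if __name__ == "__main__":
    for pw in ["L1K3", "TH15", "P@55w0rd", "xq7#Lm2v"]:
        print(pw, "->", dictionary_base(pw))
    print("password:", leet_variant_count("password"), "variants,",
          round(added_bits("password"), 2), "bits")
```

Under this table the leet forms of "password" amount to 54 spellings, fewer than 6 bits on top of a word that is already in the dictionary.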
