Lockdown.co.uk - The Home Computer Security Centre

LockDown is the source for security information and resources for the home computer user.

LockDown Password FAQ

Answering your questions about passwords

After spending some time looking on the net for a decent list of Frequently Asked Questions to put on this site I came to the conclusion that there wasn't one, so I decided to write my own. The answers that I've provided come from my own knowledge and experience and from submissions by visitors to this site. There may still be some mistakes; if you spot one please let me know.

This document is a work in progress.

Q. Where can I get the latest version of this FAQ?

A. Here (http://www.lockdown.co.uk)

Index:

1. Password Basics
1.1 What is a password?
1.2 Why do I need a password?

2. Choosing a password
2.1 Why should I choose my password carefully?
2.2 What is a good password?
2.3 What is a bad password?
2.4 How long should it be?
2.5 What tips are there for choosing a password?
2.6 What characters can I use in my password?
2.7 How do I know if my password is safe?
2.8 How do I change my password?

3. Keeping your password safe
3.1 Why should I keep my password safe?
3.2 Is it OK to share my password with my friends?
3.3 How often should a password be changed?
3.4 I have a lot of passwords, how can I remember them all?
3.5 Should I re-use my password?
3.6 Should I write my password down?

4. Password Attacks
4.1 What is password cracking?
4.2 How are passwords cracked?
4.3 What is a brute force attack?
4.4 What is a dictionary attack?
4.5 What is a hybrid attack?
4.6 What passwords can be cracked?
4.7 How could somebody steal my password?
4.8 How could somebody guess my password?
4.9 What is password sniffing?
4.10 What is social engineering?
4.11 Why would somebody want my password?

5. Miscellaneous
5.1 I've forgotten my password, what can I do?
5.2 What is a passphrase?
5.3 I think someone knows my password, what should I do?
5.4 (Removed)
5.5 What do I do if my password doesn't work?
5.6 What do I do if my password expires?
5.7 I received an email asking for my password, what should I do?
5.8 What is a password cache?
5.9 What is a .PWL file?

1. Password Basics

1.1 What is a password?

A password is a set of characters known only to you that must be provided in order to gain access to something. A password is very much like a key: without it the door remains locked. A password proves you are who you say you are.

1.2 Why do I need a password?

Everything from bank cards to email accounts requires a password. You'll find it very hard to avoid somebody requiring you to have a password. Just like keys, passwords are necessary if we are to have security. There are alternatives to passwords, for example fingerprint and retina scanners, but these are currently used in only a minority of situations. Maybe in the future things will change, but for now passwords rule.

Passwords protect your data files, your account and your homepages; they stop people from sending email under your name, and so on. They're important.

2. Choosing a password

2.1 Why should I choose my password carefully?

A haphazardly chosen password is easily guessed. It's not good enough to look around you for an object and to use that as a password. Some of the first things people are likely to try are "monitor" and "telephone". Similarly it's daft to use your wife's name as somebody could guess that too.

Tip: When changing your password take a look at your CAPS LOCK key and make sure it's not on. It's easy to leave it on accidentally and then wonder why you can't get access later.

2.2 What is a good password?

A good password is one that is very difficult to guess. A good password will be long and use a wide range of characters in an unpredictable order. A good password is also one that you can remember easily and type in quickly so that anyone looking over your shoulder will not be able to see what you are typing.

2.3 What is a bad password?

A bad password is more than just the opposite of a good password. Some passwords may look like good passwords on the face of it, that is, they may seem to you to be difficult to guess, but in actual fact they're bad.

The following is a list of passwords that are most definitely bad:

It might seem impossible that somebody would guess your mother's maiden name, but the fact is that any name chosen as a password is easy to guess.

2.4 How long should it be?

Use at least eight characters. The more characters the better really, but most people will find more than 15 characters difficult to remember. See my password recovery speeds page for an evaluation of password lengths.

2.5 What tips are there for choosing a password?

Here are a few easy ways to choose a good password.

Using computer generated passwords can offer better security since randomly generated passwords are more difficult to 'guess' than passwords chosen by humans. It's well known that humans have difficulty generating completely random data. Be wary of claims by password generating software of "uncrackable" passwords. The randomness of some of these programs is questionable, and even the very good ones make passwords that are still susceptible to brute force attacks.
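As an added example (not code from the original page, nor from any password generating program the page mentions), here is how a computer generated password can be produced from the character classes listed in section 2.6 using the operating system's cryptographic random number generator, which sidesteps the "questionable randomness" the paragraph warns about. The alphabet, the 12 character default length and the function names are assumptions made for this illustration.

```python
import secrets
import string

# Character classes taken from section 2.6 of the FAQ: lowercase, uppercase,
# digits and printable symbols. The full alphabet is their concatenation.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)


def uses_all_classes(password: str) -> bool:
    """True if the password contains at least one character from every class."""
    return all(any(c in cls for c in password) for cls in CLASSES)


def generate_password(length: int = 12) -> str:
    """Generate a password of `length` characters, each drawn independently and
    uniformly from ALPHABET with the `secrets` module (the OS CSPRNG).

    The `random` module is deliberately not used: its output is predictable
    once enough of it has been observed, which is exactly the kind of weak
    randomness that makes some generated passwords easier to guess than they
    look. Rejection sampling (retry until every class appears) keeps each
    character an unbiased draw while still guaranteeing a mixed character set.
    """
    if length < 8:  # section 2.4 minimum; the limit itself is the FAQ's advice
        raise ValueError("use at least 8 characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if uses_all_classes(candidate):
            return candidate


if __name__ == "__main__":
    # Constructed demonstration run; output differs on every invocation.
    print(generate_password())
    print(generate_password(16))
```

Because the result is drawn from 94 possible characters per position rather than a human's favourite words, it remains subject to the brute force figures in section 4.3, but not to the dictionary and hybrid attacks in 4.4 and 4.5.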

2.6 What characters can I use in my password?

This varies from system to system but the basic alphanumeric character set is almost always available to you.

ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 = total 36 characters

Some systems are case sensitive, making a further 26 characters available.

abcdefghijklmnopqrstuvwxyz = total 62 characters

Some systems allow you to use punctuation and symbols.

<>!"$%/(),.?*@';:[]{}-_=+~`\# etc. = up to a total of 256 characters.

2.7 How do I know if my password is safe?

If you follow all the advice in this FAQ it should be fairly safe.

2.8 How do I change my password?

See my Changing your Windows password guide.
Come back here soon for more guides on changing passwords for different systems. For now, check your system manual.

3. Keeping your password safe

3.1 Why should I keep my password safe?

If you don't keep your password safe, somebody else will get hold of it and use it against you. If, for example, your password is protecting your email, it's possible that somebody could use it to read your private messages.

3.2 Is it OK to share my password with my friends?

No. Passwords are best kept secret, even if you trust your friends you cannot guarantee they will be as careful at protecting it as you would be. Never tell anyone your password, not even your spouse or system administrator.

In many cases you will be breaking rules if you share your password. It's quite common for organisations to demand that users keep their passwords to themselves; if you do share your password you may find your own access revoked.

Remember it's your password and yours only, so don't tell anyone even if they ask, this includes your boss, your systems administrator, your spouse, your kids, your bank, your colleagues at work, your best mate, your ISP...

3.3 How often should a password be changed?

Regularly. The important thing here is to change your password often enough that a potential hacker will not have time to guess it. People recommend more often or less often depending on how paranoid they are; I'm going to hold back from recommending a figure because it really depends on the quality of the passwords you choose and the perceived threat to your security.

One thing is certain, whenever you believe that your password is known to somebody else, even if you just suspect it, you should change your password immediately.

3.4 I have a lot of passwords, how can I remember them all?

Remembering passwords can be a real problem. Passwords ought to be complex, but this makes them much harder to remember, so many people choose simpler and less secure passwords that are easier to recall.

A password manager utility such as those listed on the downloads page can help, but you should be aware that this may potentially make your passwords much more vulnerable: a potential hacker need only find the one password that unlocks all those stored in the password manager's data file. Choose a password manager that uses strong encryption, and use a really long and complex password for your password data file.

Using an encrypted file or encrypted volume (e.g. PGPDisk) is another method of storing passwords securely. The stored file can be a password manager's data file or a simple text file in whatever format you choose.

Another option is to write your passwords down on paper, seal them in an envelope and place them in a very secure location such as with your bank. Banks will often store documents securely for a smallish fee; ask your bank for details.

If you don't have access to a bank vault, you could consider splitting each of your passwords in half and storing details of each half in separate secure locations, for example one half in your house safe and the other in your best friend's house safe. If you do it this way, make sure the envelope you give your friend is securely sealed and that the half-passwords you give him are coded in some way so that he doesn't know what they refer to. Write them backwards on the paper with a number next to each; on your own sheet, list the numbers along with what they refer to.

3.5 Should I re-use my password?

No. Passwords should be used once only.

3.6 Should I write my password down?

It's tempting to write passwords down, long passwords and passwords that use a mixture of characters are often difficult to remember. Avoid the temptation though, because writing a password down makes it much much more likely to be discovered. It's much better to choose a password that's easy to remember than to commit it to paper.

Writing your password down in a .TXT file on your PC doesn't make it any safer either, unless you're very careful to keep the file strongly encrypted.

If you absolutely must write it down, keep the paper in a locked safe that only you have access to. Consider splitting your password into two halves and storing each half in a separate safe.

4. Password Attacks

4.1 What is password cracking?

Password cracking is simply guessing your password by an automated method.

4.2 How are passwords cracked?

Passwords can be cracked by Brute Force, Dictionary or Hybrid Attacks made on them. There are many tools available on the Internet that will do this type of cracking very quickly and simply. It's also possible that attacks could be made on the algorithm that is used to store the password.

4.3 What is a brute force attack?

In a brute force attack a specially designed computer program tries to guess your password by trying every single combination of characters until your password is found. For example, the program might follow a sequence like this:

"aaaaaaaa"
"aaaaaaab"
"aaaaaaac" ...

Until the password is found

Obviously this method will take time: for an eight character lowercase alphabetic password there are 26 to the power 8, about 200 billion, combinations to be checked.

But with modern computers this sort of attack doesn't take as long as you might think. See my Password Recovery speeds page for more info.

The brute force attack is the slowest method of password attack.

4.4 What is a dictionary attack?

Instead of trying to guess your password by trying every single possible combination of characters as in a brute force attack, the attacker may try every word in a dictionary, or in multiple dictionaries, until your password is found. This method is popular because it is well known that many people use common words as passwords.

Dictionaries of words are easily available for free on the Internet; these include dictionaries of specialist words, foreign languages, technical jargon, place names, first names etc.

4.5 What is a hybrid attack?

A hybrid attack is a mixture of a brute force attack and a dictionary attack. There are many different ways a hybrid attack can be performed; in its simplest form a hybrid attack may simply add a couple of numbers to the end of each dictionary word tried, which increases the number of tested combinations without having to resort to a true brute force attack. Cracking software will often use a combination or selection of all three methods to try and guess your password.
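Sections 2.4, 2.6, 4.3, 4.4 and 4.5 between them describe what makes a password weak: a short length, a small character set, or being a dictionary word, possibly with a couple of digits appended. The following added example (not code from the original page, nor from any cracking tool it mentions) takes the defender's view and checks a candidate password against those criteria: it works out the size of the brute force keyspace from the character classes in 2.6, and it flags dictionary words and the simple hybrid pattern from 4.5. The word list, the guess-rate argument and the two-digit hybrid limit are constructed assumptions for this illustration, and the symbol set used is the 32 printable ASCII symbols rather than the full 256 byte values the FAQ mentions.

```python
import re
import string

# Character classes as laid out in section 2.6 of the FAQ.
LOWER = set(string.ascii_lowercase)    # 26
UPPER = set(string.ascii_uppercase)    # 26
DIGITS = set(string.digits)            # 10
SYMBOLS = set(string.punctuation)      # 32 printable ASCII symbols (assumption)

# Constructed mini word list standing in for the dictionaries described in 4.4
# (common words, first names, and the objects named in section 2.1).
WORDLIST = {"monitor", "telephone", "password", "apple", "letmein",
            "alice", "bob", "london", "dragon"}


def charset_size(password: str) -> int:
    """Size of the smallest alphabet from 2.6 that contains every character of
    the password, i.e. the alphabet a brute force search would have to cover."""
    chars = set(password)
    size = 0
    for cls in (LOWER, UPPER, DIGITS, SYMBOLS):
        if chars & cls:
            size += len(cls)
    # Anything outside those classes (e.g. non-ASCII) forces the full byte range.
    if chars - (LOWER | UPPER | DIGITS | SYMBOLS):
        size = 256
    return size


def brute_force_combinations(password: str) -> int:
    """Worst-case number of candidates an exhaustive search (4.3) must try for
    a password of this length over this character set."""
    return charset_size(password) ** len(password)


def brute_force_seconds(password: str, guesses_per_second: int) -> float:
    """Worst-case time to exhaust the keyspace at a caller-supplied guess rate.
    The rate is an assumption; the FAQ's recovery speeds page is not reproduced."""
    return brute_force_combinations(password) / guesses_per_second


def hybrid_matches(password: str, wordlist=WORDLIST, max_digits: int = 2) -> bool:
    """True if the password is a dictionary word (4.4) or a dictionary word with
    up to `max_digits` digits appended (the simplest hybrid form in 4.5).
    Matching is case-insensitive because many systems are not case sensitive."""
    m = re.fullmatch(r"([a-zA-Z]+)(\d{0,%d})" % max_digits, password)
    return bool(m) and m.group(1).lower() in wordlist


def check_password(password: str) -> list:
    """Return the reasons a password is 'bad' in the FAQ's sense. An empty list
    means it passed these checks, not that it is uncrackable (see 4.6)."""
    problems = []
    if len(password) < 8:                       # section 2.4
        problems.append("shorter than 8 characters")
    if hybrid_matches(password):                # sections 2.3, 4.4, 4.5
        problems.append("dictionary word, optionally with digits appended")
    if charset_size(password) <= 26:            # section 2.6
        problems.append("uses a single character class")
    return problems


if __name__ == "__main__":
    # Constructed demonstration values; the guess rate is an assumption.
    for candidate in ("aaaaaaaa", "Telephone1", "Passw0rd!", "xK9#pLm2vQ"):
        print(candidate, check_password(candidate),
              "keyspace =", brute_force_combinations(candidate),
              "seconds at 1M/s =", brute_force_seconds(candidate, 1_000_000))
```

The keyspace figure for "aaaaaaaa" reproduces the 200 billion combinations quoted in section 4.3 (26 to the power 8), while "Telephone1" passes the length and character class checks yet is still rejected because a hybrid pass over a first-names list would find it.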

4.6 What passwords can be cracked?

Any password can be cracked, although if a good enough password is used the time taken to crack it may be longer than the attacker is prepared to wait.
There are tools available on the Internet that will crack, for example, the passwords used by:

Windows NT, Novell Netware, Windows 95/98, Unix, PKZIP/WinZip, MS Office 95, MS Access 97, WordPerfect, ARJ, RAR 1.5x etc.

This list is not exhaustive; there are many more, believe me. You may also want to take a look at my list of insecure applications.

4.7 How could somebody steal my password?

There are lots of ways that your password might be stolen if you don't take care to protect it carefully.

4.8 How could somebody guess my password?

Unless you're very careful about how you choose your password, you could be making it easy for somebody to guess it.

4.9 What is password sniffing?

Password sniffing is the covert discovery of users' passwords by electronic means. A potential hacker could use a network analysis tool to view all data transmitted over a network; as the password is transmitted across the network the hacker would capture it and store it for (mis)use later.

Some Trojan programs take this 'sniffing' one step further: instead of capturing passwords transmitted over a network, they capture passwords as they are typed in at the user's keyboard.

Hardware devices are also available that can monitor and record keystrokes entered on a user's keyboard. These devices can be very small; some even look like part of the keyboard cable itself.

4.10 What is social engineering?

Come back soon for the answer.

4.11 Why would somebody want my password?

Come back soon for the answer.

5. Miscellaneous

5.1 I've forgotten my password, what can I do?

You need a new password. If appropriate, you could try contacting the systems administrator of the system that requires the password, your ISP for example. Normally you will need to show some sort of identification to prove it's actually you that's asking for a new password.

Come back soon for more tips.

5.2 What is a passphrase?

A passphrase is really just another name for a password, although the term is usually used to refer to long passwords that will likely consist of several words separated with spaces. This doesn't normally mean that you have to use more than one word, nor does it mean you have to separate words with spaces, but it does indicate that the application requiring the password/passphrase will accept a complex entry.

5.3 I think someone knows my password, what should I do?

Change your password immediately and then tell your systems administrator. Come back soon for more advice.

5.4 (Removed)

Coming soon: A question and an answer to fill this gap. Whoops.

5.5 What do I do if my password doesn't work?

Come back soon for the answer.

5.6 What do I do if my password expires?

Come back soon for the answer.

5.7 I received an email asking for my password, what should I do?

Don't reveal your password. No self-respecting organisation would ask for your password in this way; the sender's email address is very likely to be falsified, so even if it looks authentic it probably isn't.

Forward the message to your system administrator and let him deal with it, but don't reply to it and don't reveal your password. If you suspect your password may be known, change it at once.

If you receive an email asking you to change your password to "apple" or whatever, don't. Change it to something else immediately and then inform your system administrator.

5.8 What is a password cache?

A password cache is a list of a user's passwords that Windows stores on the user's behalf in an encrypted form. The password cache is protected by the username and password used to log on to Windows and is stored in the Windows directory as <username>.pwl.

Often when a Windows application requests a password you'll see a check box on the login dialog with something similar to "[x] Save this password". If you choose to save the password it will be remembered for you by the password cache.

5.9 What is a .PWL file?

A .PWL file is a data file used by Windows to store a password cache. The file is named with the username used to log on to Windows followed by the extension .pwl.

Friday 10th July 2009 03:01