------------------------------
SERT Advisory SA-93.04
How To Select A Safe Password
------------------------------

There are several principles involved in selecting a safe password. These are covered below.

The DO-NOTs

DO NOT use simple passwords that are easy to remember and are typically not safe. Examples of such passwords are:

  - your userid (a common, but extremely dangerous practice);
  - a word which can be associated with you. For example:
      - your car make, model or registration number
      - your child's name
      - your street name, postcode or other address details
      - your medicare number
      - your tax file number
      - any of your bank account numbers;
  - a word which someone watching could easily spot (qwertyuiop);
  - any dictionary word (which a cracker with a PC and an on-line dictionary could discover by exhaustive trial);
  - words from other guessable word sets such as famous names, proper names, colloquial terms (in various spheres of life) and so on.

It is not sufficient to include a single number in the word, to change all O's to 0's and I's or L's to 1's in the word, or to spell the word backwards.

DO NOT leave your account without a password.

DO NOT use your userid as your password.

DO NOT use any word from a dictionary (of any language), as most forms of password attack use dictionaries as a basis for password guessing.

DO NOT use birthdays, car registration numbers, room numbers, department names, machine names, locations, wife/husband's names, pet's names, children's names and so on. These may be easily determined, as most of this information is not confidential.

DO NOT use keyboard patterns or duplicated characters, such as qwerty or aabbccdd.

DO NOT use the same password on multiple accounts. If you have many accounts, do not use the same password on each account: if one is broken, then all are broken. Also, do not just change one character in the password, as the pattern may be easily spotted if one of the passwords is compromised.

DO NOT allow anyone to watch while you type your password.

DO NOT record your password on-line, and DO NOT write down your passwords.

DO NOT tell anyone what your password is. Do not share your password with your partner, your children or your friends. Even telling your dog should be considered risky! Do not tell a person verbally, by electronic mail or by any other means.

The DOs

DO use a MINIMUM (not maximum!) of 8 or more characters (system permitting).

DO use mixed case wherever possible. DO NOT choose only the first letter as uppercase. (e.g. Mich37bo is not as good as MicH37Bo.)

DO include at least two digits or punctuation characters. DO NOT simply replace "o" and "O" with "0", and "I", "l" or "L" with 1. (e.g. fl0pp1mp is not as good as fL0$p*Mp.)

DO change passwords frequently, and DO NOT reuse old passwords.

Password cracking algorithms have been around for quite a while now. By using computationally intensive processes, a password can be broken in time. Applying the techniques outlined above makes the length of time required to break a password prohibitively long. However, the time required to break a password drops significantly as each letter is guessed, or as other information about the password becomes known. Passwords should be changed regularly, so that even if a password is finally guessed, it will be long out of date. A password should never be reused.

General techniques for generating safe passwords include:

  - using two or three short words that are unrelated;
  - always including some non-alphabetic, non-numeric (i.e. punctuation) characters;
  - deliberately misspelling;
  - taking the first letter from each word of a phrase (a passphrase).

After reading all of that, you may ask "well, what is a good password? What can I use?".

One technique would be to use a two or three word phrase, replace the 1st character of the 1st word with a -1, the 2nd character of the 2nd word with a -2, etc., and uppercase every second character except punctuation. e.g. !Yc@rSm$lLs (my car smells).

Another alternative might be to use the first letter from each word in a line from a song, have every third letter in upper case, and replace (aeiou) with ({}:"?). For example, 'Tie A Yellow Ribbon Round That Old Oak Tree' would convert into 't{YrrT""T'.

(Rationale:
  'Tie A Yellow Ribbon Round That Old Oak Tree'  => 'tayrrtoot'
  Convert every third letter to upper case       => 'taYrrTooT'
  Replace lower case vowels                      => 't{YrrT""T')

Note that these examples should NOT be used as they are now published widely!

SERT can be contacted by any one of the following methods:

  Internet Email: sert@sert.edu.au
  Facsimile:      (07) 365 4477
  Telephone:      (07) 365 4417

SERT personnel answer during business hours (AEST - GMT+10:00)
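The two password-construction techniques described above, written out as an added example (not code from the SERT advisory) so that the worked results in the text can be reproduced and the edge cases (too few words, a word shorter than the position to replace) are handled. Assumption: the advisory's "-1, -2, etc." notation does not name the substitution characters, so '!', '@' and '$' are read off its own example "!Yc@rSm$lLs"; the vowel map is the (aeiou) -> ({}:"?) given in the text.

```python
import string

# Technique 1 (assumption: the '!', '@', '$' substitutes are read off the
# advisory's own example "!Yc@rSm$lLs"; the text only says "-1, -2, etc.").
WORD_SUBSTITUTES = "!@$"


def phrase_to_password(phrase: str) -> str:
    """Replace the n-th character of the n-th word, then uppercase every
    second character of the result, leaving punctuation alone."""
    words = phrase.split()
    if not 2 <= len(words) <= len(WORD_SUBSTITUTES):
        raise ValueError("use a two or three word phrase")
    pieces = []
    for n, word in enumerate(words):          # n = 0 is the 1st word
        if len(word) <= n:
            raise ValueError(f"word {n + 1} is too short to replace character {n + 1}")
        pieces.append(word[:n] + WORD_SUBSTITUTES[n] + word[n + 1:])
    joined = "".join(pieces)
    return "".join(
        ch.upper() if i % 2 == 1 and ch not in string.punctuation else ch
        for i, ch in enumerate(joined)        # i = 1, 3, 5, ... are "every second"
    )


# Technique 2: the advisory's vowel map (aeiou) -> ({}:"?).
VOWEL_MAP = str.maketrans("aeiou", '{}:"?')


def song_line_to_password(line: str) -> str:
    """First letter of each word, every third letter uppercased, then
    lower-case vowels replaced by punctuation."""
    initials = "".join(word[0].lower() for word in line.split())
    cased = "".join(ch.upper() if (i + 1) % 3 == 0 else ch
                    for i, ch in enumerate(initials))
    return cased.translate(VOWEL_MAP)


if __name__ == "__main__":
    # The advisory's own worked examples (which it says not to reuse).
    print(phrase_to_password("my car smells"))        # !Yc@rSm$lLs
    print(song_line_to_password("Tie A Yellow Ribbon Round That Old Oak Tree"))  # t{YrrT""T
```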