Modifying the Base

Once you've selected a base by creating an acronym or combining multiple words or word fragments, you should modify that base. These modifications move the base further from the original base and make it harder for a cracker to guess the password, even if the base appears in the cracker's dictionary. Modifications you can make include:

Adding Random Punctuation, Numbers, or Control Characters You can add punctuation, numbers, or even control characters to the password. Ideally, you should place these features randomly within the base, as in yi9wtt}d or b#unpOen. The number of possible additions of even just two characters is so large that password-cracking programs can't check every possibility. One exception: many people start or end passwords with numbers, so crackers often try the hundred password variants that result from this change, rendering the change ineffective.

Changing Case at Random Linux's passwords are case-sensitive, so randomly altering the case of passwords can be an effective strategy. For instance, your password might become Yi9wTT}D or b#UNpOeN. This modification isn't effective on all systems or password types, though. For instance, the passwords used by the Server Message Block (SMB)/Common Internet File System (CIFS), and hence by Linux's Samba server, are case-insensitive.

Reversing the Order of One Base Word If you use a pair of words as the base, you can reverse the order of one of the two words, as in NU#bpOeN. By itself, this modification isn't extraordinarily effective, but it does increase the cracker's search space by a modest amount.

As a general rule, adding punctuation, numbers, or control characters is the single most effective modification you can make. Altering the case of random characters can also be an important modification, at least for Linux's primary passwords.
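As an added illustration (not code from the book), the following Python script applies the three modifications described above to a multi-word base, drawing its randomness from the secrets module rather than the predictable random module, and counts how much each modification enlarges a cracker's search space. The insertion character set, the two-character default, and the rule of never inserting at the very first or last position are assumptions chosen to match the text's advice.

```python
import secrets
import string

# Assumed set of characters for random insertions; the text names no specific list.
EXTRA_CHARS = string.digits + "!#$%&*+-=?@^_{}~"


def reverse_one_word(words):
    """Reverse exactly one randomly chosen word of a multi-word base, then join."""
    idx = secrets.randbelow(len(words))
    return "".join(w[::-1] if i == idx else w for i, w in enumerate(words))


def insert_random_chars(base, count=2, alphabet=EXTRA_CHARS):
    """Insert `count` extra characters at random interior positions of `base`
    (len(base) >= 2). Positions 0 and len(base) are excluded because a leading
    or trailing number is a variant crackers try routinely."""
    chars = list(base)
    for _ in range(count):
        pos = 1 + secrets.randbelow(len(chars) - 1)   # 1 .. len(chars)-1
        chars.insert(pos, secrets.choice(alphabet))
    return "".join(chars)


def randomize_case(s):
    """Flip the case of each letter independently with probability 1/2."""
    return "".join(c.swapcase() if c.isalpha() and secrets.randbelow(2) else c
                   for c in s)


def modify_base(words, extra=2):
    """Apply all three modifications from the text to a multi-word base."""
    return randomize_case(insert_random_chars(reverse_one_word(words), extra))


def case_variants(s):
    """Number of case variants of `s`: 2 to the power of its letter count."""
    return 2 ** sum(c.isalpha() for c in s)


def insertion_sequences(length, count, alphabet_size=len(EXTRA_CHARS)):
    """Number of (position, character) sequences for `count` interior insertions
    into a string of `length` characters: an upper bound on distinct results."""
    total = 1
    for i in range(count):
        total *= (length - 1 + i) * alphabet_size
    return total


if __name__ == "__main__":
    print(modify_base(["bunp", "oen"]))                # output varies per run
    print(case_variants("bunpoen"), insertion_sequences(7, 2))
```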

When you're done, the password should resemble gibberish, but be memorable to you personally. Automated password-cracking tools will very probably be unable to match your password, which is the goal of the exercise. As an ordinary user, you can then change the password by using the passwd command:

$ passwd
Changing password for user ferd.
Changing password for ferd
(current) UNIX password:
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.

This program asks for your current password and then asks you to type the new password twice, as protection against a typo. None of these passwords echoes to the screen, even as asterisks, in order to reduce the chance of a shoulder surfer gleaning information about the password. The superuser can add a username to the command, as in passwd ferd. The system doesn't ask for confirmation of the original password, enabling root to change the password even if the user has forgotten the original.

GUI tools for changing passwords are also available. For instance, Figure 18.1 shows userpasswd, which is part of the GNU Network Object Model Environment (GNOME) desktop environment. These tools work much like the text-mode passwd, although they often echo asterisks to the screen as you type a password, as Figure 18.1 shows.

Figure 18.1: GUI tools for changing passwords are accessible from menus in default desktop environment configurations.

Warning Try not to change your password over an unencrypted link such as a Telnet session. Doing so poses the same risks of sniffing experienced when entering your password for login. If some suspicious event compels you to change your password over an insecure link, change it again as soon as possible over a secure link.
