Selecting a Solid Base

The first step in generating a good password is to pick an appropriate base, which is a string that's memorable but that shouldn't appear in any language's dictionary as a single word. One reasonable procedure for picking a base is to use an acronym. For instance, you might use yiwttd, for yesterday I went to the dentist. (Of course, this specific example is a poor one because it's been used as an example in this book. A cracker who reads this book might add yiwttd to a dictionary, and it might spread from there.) Another option for a base is to use two short and unrelated words, such as bunpen. You won't find bunpen in a dictionary, although you will find its constituent words. (Again, this specific example is now a poor base because it's appeared in this book.) A variant on the multiword approach is to use fragments of multiple words, such as asepho, derived from baseball and telephone. As a general rule, an acronym is the safest choice, providing it doesn't happen to spell anything.

Note These examples are all six characters long. Subsequent modifications add characters, and passwords on some OSs are limited to eight characters in length, hence the six-character length. Modern Linux distributions are not so limited, and in fact eight characters is a more reasonable minimum safe password length than a maximum. You might need to generate short passwords for some purposes, though, such as for retrieving e-mail from your ISP or logging onto web pages.

There are many common types of strings you should never use as a password, even as a base:

• The name of any relative, friend, co-worker, or pet

• The name of any character in a book, movie, or play; or the name of a favorite work of fiction or art

• Your own name or your username

• Any other personally relevant information, such as your Social Security number or street address

• Particularly for the root password, any word signifying great power, such as deity or boss

• Particularly for workstations, a name or word that appears in plain sight of the terminal, such as the monitor's model number

• Any single word in any language, even if it's spelled backwards

• Any obvious misspelling of a word, such as rOcket, where the number 0 replaces the letter o in the word

• Any ascending or descending sequence of numbers or letters, such as 54321 or ghijk

• Any string of identical characters, such as mmmmm

• Any string of characters that appears on the keyboard, such as qwerty

The first six prohibitions are designed to protect against targeted attacks—the sort that seem to have a 100 percent chance of working in the movies. The rest of the prohibitions are designed to protect against words that are likely to appear in cracker dictionaries. These dictionaries are larger than ordinary dictionaries; they can include words in many languages, common misspellings, and nonwords that people are likely to try using.
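As an added example (not code from the book), the screening function below turns the prohibitions above into an automated check that a password-generation tool or a PAM-style quality filter could run over a candidate base before any characters are added. The word list, the list of personally relevant strings and the keyboard rows are constructed stand-ins for this illustration; a real deployment would load a cracker-style dictionary (many languages, common misspellings, reversed words) and the user's own names, username and addresses.

```python
"""Screen a candidate password base against the prohibitions listed above.

Added example, not from the book. DICTIONARY, PERSONAL and KEYBOARD_ROWS are
constructed stand-ins; a real check would load a full cracker word list and
the user's own personal data.
"""

# Constructed mini dictionary. A real check would load /usr/share/dict/words
# or a cracker dictionary covering several languages and common misspellings.
DICTIONARY = {"rocket", "boss", "deity", "bun", "pen", "password", "secret", "dragon"}

# Constructed list of personally relevant strings (names, username, pet, street).
PERSONAL = {"alice", "fido", "springfield", "12345"}

# Rows of a US keyboard, used to catch patterns such as qwerty or 12345.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

# "Obvious misspelling" substitutions, mapped back to the letter they replace
# (rOcket with a zero -> rocket).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def is_sequence(s):
    """True if every step is +1 or every step is -1 in character code (54321, ghijk)."""
    if len(s) < 3:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps == {1} or steps == {-1}


def is_keyboard_run(s, min_len=4):
    """True if s (or its reverse) is a run along one keyboard row (qwerty, 54321)."""
    if len(s) < min_len:
        return False
    return any(s in row or s[::-1] in row for row in KEYBOARD_ROWS)


def check_base(base, dictionary=DICTIONARY, personal=PERSONAL):
    """Return the list of prohibitions the base violates; an empty list means it passed."""
    s = base.lower()
    reasons = []
    if s in personal:
        reasons.append("personally relevant string")
    if s in dictionary or s[::-1] in dictionary:
        reasons.append("dictionary word (forwards or backwards)")
    if s.translate(LEET) in dictionary:
        reasons.append("obvious misspelling of a dictionary word")
    if is_sequence(s):
        reasons.append("ascending/descending sequence")
    if len(s) > 1 and len(set(s)) == 1:
        reasons.append("identical characters")
    if is_keyboard_run(s):
        reasons.append("keyboard pattern")
    return reasons


if __name__ == "__main__":
    # Constructed candidates, including the examples used in the text.
    for candidate in ["yiwttd", "bunpen", "rOcket", "54321", "ghijk",
                      "mmmmm", "qwerty", "tekcor", "Fido"]:
        verdict = check_base(candidate)
        print(f"{candidate:8} -> {'ok' if not verdict else ', '.join(verdict)}")
```

Note that bunpen passes this check even though the text has just declared it a poor base: a screen like this only catches strings that already match a known pattern or list, so anything published as an example has to be added to the dictionary by hand, exactly as the text warns a cracker would do.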
