6. Flex test your passwords
Passwords remain one of the weakest links in the security chain simply because so many people overestimate the strength of their passwords and underestimate how easily they can be discovered. The notorious hacker collective known as the Cult of the Dead Cow recently released a tool called Goolag (www.goolag.org) that makes it easy to turn Google into a password-cracking engine.
Indeed, even without Goolag, it’s possible to reveal a list of usernames and passwords for websites created using Microsoft’s FrontPage, where the password files have been left readable, simply by searching for “inurl:service.pwd”. Try it – if that doesn’t make you take your password security more seriously then you really do need a good slap.
As Tony Fogerty reminds us, “there are lots of password-cracking tools such as Cain & Abel, L0phtCrack, John the Ripper and Hydra” and you can use these against your own system to see how strong your choices really are. Better still, take the advice of Ken Munro, managing director at penetration testing consultancy SecureTest, who warns that people are fooled into thinking that passwords formed by the substitution of numbers for letters are “more secure” but these are actually “no match for a hybrid attack, where both dictionary and brute force attacks are combined”. Make passwords as long as possible to make such attacks more difficult.
Munro also suggests that businesses which force employees to change their passwords every 30 days are actually just forcing them into writing them down and making them more vulnerable to discovery. “It’s far better to adopt a strong, memorable password and change this less frequently than plump for a random, hard-to-remember password that’s changed every month,” he says, adding “corporates should record attempts to log into systems, whether the attempts are over the internet, or against the internal network. By logging failed attempts and setting alarms for more than, say, ten attempts, it’s possible to detect automated attacks such as a brute force.”
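One way to implement the failed-login alarm Munro describes, as an added example that is not from the article or from SecureTest: it parses a handful of constructed log lines (the line format and the 10-minute window are assumptions) and raises an alert for any source address that reaches ten failed logins inside a sliding window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): ordinary user traffic plus one
# source hammering a series of accounts within a minute.
SAMPLE_LOG = [
    "2024-03-01T09:00:00Z auth FAILED user=alice src=10.0.0.5",
    "2024-03-01T09:00:02Z auth OK user=alice src=10.0.0.5",
] + [
    f"2024-03-01T09:01:{s:02d}Z auth FAILED user=u{s} src=203.0.113.9"
    for s in range(12)
] + [
    "2024-03-01T09:30:00Z auth FAILED user=bob src=10.0.0.7",
]

# Assumed log format: "<ISO timestamp> auth <OK|FAILED> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAILED) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return (timestamp, result, user, src), or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group("result"), m.group("user"), m.group("src")


def detect_bruteforce(lines, threshold=10, window=timedelta(minutes=10)):
    """Return {src: (failures_in_window, first_ts, last_ts)} for each source whose
    failed logins within the sliding window reach the threshold (first trigger only)."""
    recent = defaultdict(deque)  # src -> timestamps of failures still inside the window
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[1] != "FAILED":
            continue  # skip unparsable lines and successful logins
        ts, _result, _user, src = parsed
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:  # evict failures older than the window
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = (len(q), q[0], q[-1])
    return alerts


if __name__ == "__main__":
    for src, (n, first, last) in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {src}: {n} failed logins between {first} and {last}")
```

Successful logins and single failures from legitimate users never trip the alarm, so the threshold and window are the two knobs to tune against your own log volume.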
Finally, take the advice of John Safa, CTO for security specialists DriveSentry, who recommends testing your password at SecurityStats (securitystats.com/tools/password.php) to reveal its complexity against a set of general best-practice guidelines. For good measure, your password will also be checked against a hacking dictionary containing commonly used passwords and keystroke combinations.