Good and Bad Passwords How-To

An in Depth Analysis of Good, Bad, Strong and Weak Passwords, Password Cracking Techniques and How-To Reduce Password Vulnerabilities

• Password Basics: Storage Methods and Terms
• Password Cracking Basics: Tools and Techniques
• Common Password DO's and DONT's
• Review of a Password Cracking Study
• Creating Password Cracking Dictionaries
• Password Advice Reduced to a Single Rule
• Cracking "Good" Passwords
• Automated Password Generators
• Effective Use of Password Generators
• Better Password Security
• Password Management
• Windows (NT & 2000) Poor Password Encryption
• Common Passwords
• Password Footnotes

Passwords are important because they are still the primary key to most computer systems. At most sites, there is no greater opportunity for improving security with as small an effort than by adopting good password procedures. A Jan. 21, 2002, Information Week article, included a graph (near the page bottom) summarizing a survey of 4500 security professionals in 2001. This indicated that "Guessed Passwords" were the primary method of attack 22% of the time. A decade later other sources suggest that number is still just about right No competently selected password should ever be guessed or even cracked.

Almost no one discusses security without at least touching on passwords. Short lists of do's and dont's are common but fail to explain why a password is good or bad. Here the details of what make good and bad passwords or strong and weak passwords are covered in great detail. The relative nature strong and weak passwords will be discussed. Password cracking technology is reviewed. The impact of ever faster computers on password technology is discussed as are steps to improve password security.

This discussion focuses on UNIX including UNIX like, open source systems such as Linux and OpenBSD and also Windows. Much of what's said about UNIX will be applicable to any contemporary operating system unless these systems have issues similar to Windows. Microsoft finally fixed the LM hash compatibility issue in late 2006 and early 2007 with the release of Vista. They continue to refuse to deal with the problem of unsalted hashes two decades after the problems with their password storage was known.

Top of Page - Site Map

Copyright © 2000 - 2014 by George Shaffer. This material may be distributed only subject to the terms and conditions set forth in http://GeodSoft.com/terms.htm (or http://GeodSoft.com/cgi-bin/terms.pl). These terms are subject to change. Distribution is subject to the current terms, or at the choice of the distributor, those in an earlier, digitally signed electronic copy of http://GeodSoft.com/terms.htm (or cgi-bin/terms.pl) from the time of the distribution. Distribution of substantively modified versions of GeodSoft content is prohibited without the explicit written permission of George Shaffer. Distribution of the work or derivatives of the work, in whole or in part, for commercial purposes is prohibited unless prior written permission is obtained from George Shaffer. Distribution in accordance with these terms, for unrestricted and uncompensated public access, non profit, or internal company use is allowed.