Create a password of at least 8. About the complexity of complex passwords

Hello friends! Today we will discuss such an important topic as logins and passwords. In the age of total informatization, each of us has many accounts, ranging from logging into a computer / laptop / tablet / phone, ending with bank accounts.

Most reputable Internet companies and services have short recommendations on choosing a password on their resources. But, as a rule, they are too superficial, moreover, they can be found only in sections like "FAQ", "Help", etc. That is, not directly at the time of registration. So, I will present my vision of how to come up with a strong password .

First, let's immediately figure out which passwords to use. IT IS FORBIDDEN(these are common truths):

  • passwords with a minimum number of characters, and even more so, without the use of special characters. Examples: 1234, fhj, 8855, 451326, kdjkdsj - these and similar passwords are cracked very quickly, especially those that consist entirely of numbers, even if there are a lot of them, such as 265489418758. These are all very weak passwords. After reading this article, you will understand why.
  • passwords consisting of dictionary words, any dictionary words, be it "orange", or "leukocyte" - there is not much difference. This applies not only to Russian-speaking and English-speaking words, but also to any words in any language;
  • the most famous and primitive passwords, for example, 123456, qwerty, ytsuken, 123456qwerty, admin, pass, password, etc. Oddly enough, but periodic research in this area shows that a lot of people use just such passwords;
  • passwords in which letters are replaced with similar numbers or symbols: O with 0, B with 8, S with 5 (or with the dollar sign $) and others. The most striking example is pa $$ w0rd
  • passwords containing any information related to your personality: date of birth, phone number, last digits credit card, favorite movies, logins, nicknames, surnames or names (including distant relatives) and stuff like that.

These are the primary prohibitions. Now let's look at the basic methods of taking over other people's passwords. At the same time, we will understand why you cannot use passwords generated by the above methods.


The prevailing methods of stealing passwords and credentials can be divided into several categories:

  • simple brute force (aka brute force)... Through special programs all possible characters (uppercase and lowercase letters, numbers, special characters) are searched through in the "login - password" link.

In these programs (brute-forcers), the necessary conditions for enumeration are indicated: login parameters (if it is known, then the task is much easier), i.e., it is indicated which characters to use when enumerating it, whether to use numbers, Special symbols ([email protected]# $% ^ () _ + ?, etc.), use only lowercase, only uppercase, or both. Also, you can specify the maximum number of characters (and minimum). Similarly, brute conditions are entered for the password.

Based on all this, it becomes clear why you cannot use passwords from the first item of the "forbidden" list. As for a purely digital password, without letters and symbols, the explanation is simple. Just ask yourself a question: how many probable combinations of an 8-character password consisting entirely of numbers, and combinations of a password of the same number of characters, but including at least a couple of letters, can there be? The answer is obvious. Modern machines, with powerful computing power, are able to guess a digital password consisting of only numbers in a matter of minutes.

Besides, the length of the password is of great importance! On modern computers it is easier to guess a completely unrecognizable 10-character password that uses the full range of characters than a 20-character password that is all letters but easier to remember. This can be, for example, a combination of some disjointed words with intentional cover-ups / mistakes / transliteration, or not dictionary words at all. Agree, the password is verblud_usaet_153_avtomata_za_noch! ("a camel uses 153 submachine guns per night!") easy enough to remember, but nevertheless very stable: it has 35 characters, including numbers and special characters. You can also add capital letters =) Such a password is much more secure than an unremarkable gibberish of 8-10 characters. And it is recommended to use it, for example, as a master password for a password manager.

  • enumeration in dictionaries... Dictionaries of a particular language are loaded into the brute-force. In Russia, these are usually English and Russian. Moreover, in the overwhelming mass of passwords, exactly English letters and words (to be more precise, Latin) are used. The Cyrillic alphabet is used less often, also because some services allow using only the Latin alphabet, numbers and symbols as a password. Or, which happens more often, these are special dictionaries consisting of passwords stolen from somewhere (in such databases there may be several million passwords, and even dozens of them)

Hacking using this method is implemented like this: a dictionary (or dictionaries) is loaded, first it is run in a brute-force, so to speak, "clean". If there are no results, then a "mask" is used - ie. in addition to direct instructions to the program to use the downloaded dictionaries, criteria such as the number of numbers, symbols used, and where to insert (at the end of a word, at the beginning) are also indicated. For example, a password of the architect2013 type will be brute-force in the minimum amount of time. Similarly, 2013architect. But if the password is ar2ch0it1ec3t, then it will be unrealistic to pick it up "according to the dictionary". The cracker will have to resort to the first method (brute force).

  • social engineering method. Social engineering(within the framework of this article I will call it SI) in recent years it has been insanely popular among hackers, carders, Internet fraudsters, and of course, among our valiant special services =) And the SI engine is social networks and mass internetization.

One of the methods of countering SI in the context of this topic is precisely last point"forbidden" list. But SI as a science (and I really consider it a science and an art) is not aimed at finding passwords. Rather, the ultimate goal is, as a rule, the combination "login - password", but such information is obtained very subtly, gracefully, and is not noticeable at first for the "victim". And the final result of all these manipulations is either the theft of your funds from bank accounts or Internet wallets, or compromise and subsequent blackmail, for the purpose of material gain (ransom) or in order to force you to perform certain, and, as a rule, illegal actions. Those. the goal is to "put on the hook".

You can draw a certain analogy with the so-called "gypsies", psychics, sectarians - you are misled and knocked out the necessary information (or they get certain actions from you), and what is the main weapon for such individuals, both offline and online? Try to guess! =) And the answer is simple, remember the great proverbs and sayings "My tongue is my enemy" or "Chatterbox is a godsend for a spy." Got the point? And it often happens that you may not soon understand where the leak came from, where this influence comes from, or you may not understand at all.

If you are interested in the art of SI, google this question and find out a lot of interesting things.

  • program method... Here, on the one hand, everything is easy to understand - these are trojans, keyloggers, scripts, spyware, rootkits and other malicious objects (for ease of understanding, we will denote them figuratively as "viruses"). On the other hand, it is difficult - in terms of the practical implementation of protection against all these infections.

Most average users believe that by setting good antivirus(even the best in various independent tests), they are absolutely protected from any threats. Oddly enough, this is a false idea. In this article, we will not analyze this issue, because we will refer to it again and again on the pages of this blog - this, after all, is one of the main goals and directions of the blog.

  • hardware method... This method is realized only with direct contact with the "victim", and oddly enough, the aggressor is likely to be a person close or familiar to you. The method is relevant, first of all, for desktop computers.

It is based on "installing" a certain technical device on a computer - a hardware keylogger. As a rule, this is a small "device" that fits into the keyboard slot system unit, and a wire from the "keyboard" is inserted into this device itself. It turns out something like an adapter. And this "adapter" records in itself (like a regular flash drive) all keystrokes on the keyboard, and absolutely no antivirus can physically notice this, because the "interceptor" is hardware, not software.

More sophisticated options can be attributed to hardware methods, but this is closer to spy mania and special services. Despite this, articles on such techniques may be published in the future. For the paranoid, so to speak. Even now I thought that maybe we will create such a heading "Special for Paranoics" =)

Now that we know from which side the attack can be carried out and we know about which passwords are considered unreliable, it's time to move on to the recommendations for choosing a password and how to store them and to general rules security.

First, break all your passwords into conditional groups, according to their importance. For example, the most important are passwords from Internet banking, e-wallets, basic e-mail, servers, home routers (routers, access points), accounts, and, of course, from your websites and blogs.

The passwords for accounts in social networks, e-mail, but not the one for which you registered in the services, about which it is written in the group of the most important passwords, can be classified as medium importance. Those. if we consider the password from the client-bank to be important, then the password for the e-mail that you specified when registering in this service should also be very complex. I also include the computer administrator password in this group.

Well, the third group is the least important services. As an example: Email that you use for various subscriptions, accounts on sites that are not of any value (where you register, say, just to leave a comment), etc.

After the passwords are divided into groups, let's talk about what the password should be for each of them.

First group

  • the recommended number of characters is from 20 to 50. Longer - there is no special sense, but if the service allows any password length and you are paranoid, then go for it =);
  • used symbols - upper and lower case letters, numbers, special characters; it is advisable to use both the Cyrillic alphabet and the Latin alphabet when generating such a password, if the use of the Cyrillic alphabet is allowed by the service in which you register. Many password generators only use the Latin alphabet, so after you generate the password, add a few Cyrillic characters manually.
  • for each account from this group, you must have a separate and the most secure password.

Second group

  • number of characters ~ 15 to 20;
  • used symbols - similar to the previous group;
  • for each "account" the password must also be separate.

Third group

  • passwords from 8 characters are allowed;
  • punctuation marks and special characters can be omitted;
  • the password can be made readable and easy to remember;
  • it is allowed to use the same password for different sites so as not to bother remembering them, because such accounts, as we have already examined, do not carry any value to you.

For the third group, you can make something like the following password: UsymBada23 * - such a password is easy to remember, but not so easy to crack, and it is unlikely that anyone will try to crack it. And it is remembered like this: the first part is understandable, it is easy to read and remember (like "at the simbad"), the first letter is capitalized, the second part (or syllable) also begins with a capital letter. But at the end, just put, for example, some number and one special symbol (in this example, it turns out: "Simbad has 23 stars"). You can think of a great variety of such different options.

And in the final part of the article, we will discuss general recommendations:

  • do not use the same "login-password" link for different services; both login and pass must be unique;
  • when typing a password in especially important services (Internet Banking), try to use the virtual keyboard;
  • never store passwords in a regular text file on a computer, or in Word file even if it is password protected;
  • use specialized software - password managers. I recommend, and. , in my opinion, best password manager;
  • do not use the "Save password" or "Remember me" function in browsers;
  • after you work with any service (, VKontakte, etc.) before closing the browser, use the "Exit" function.

About very generally accepted rules, such as using fresh versions software, the use of antiviruses and with regular database updates is, I hope, not worth mentioning =)

At the end of the article, I suggest you small nice bonus- good online generator passwords. Its main advantage is the ability to use entropy when generating a password. This means that the password will be generated not just by random selection of characters, but will depend on your actions - keystrokes and mouse movements. Well, all the functions of a good generator are present, of course: you can exclude similar characters (S and 5, O and 0, etc.), specify a range of characters, and so on.

Write comments on what you think about this article. Maybe you have some of your own subtleties and tricks in this matter? Maybe I forgot to add something? Write.

LABELS

33 Comments → How to choose a password. Educational program for password protection

  1. Web-Cat

    Alexander, hello! I dragged the entire article into my Evernote, I will read it carefully and use it right there, because I am a complete zero on the security issue, and I think the best password is "12345" - I will definitely not forget it.
    In general, I think, if you do not slip into a pop-pseudo-social blog, then success is guaranteed! In any case, I have not come across a more detailed and structured article on this topic, although I periodically made attempts to clean up my mess with passwords.
    I subscribe unambiguously, and not as a reciprocal gesture, but because I feel that I will get a lot of useful information on your blog! (Is it okay that I switched to "you" so unexpectedly?)
    By the way, I would not know what template you have installed - I would never have guessed. It turned out very nicely!
    In general, success to you! I will definitely look at the light!

  2. Web-Cat

    But no, the comment passed, it was just necessary to reload the page!

  3. Alexander Mayer

    Hello Larissa! Nice to see you. The first post was marked as spam, for some reason. Thank you for the pleasant words and instructions. I also think that slipping into the topic of "how to earn milen" is a bad thing :) I will try to focus on the technical side of the issue, as well as WP-topics, and security in general. There is a lot of material in my head, you just need to arrange everything on the shelves and publish as much as possible (it took me more than a day for this article, not pure time, of course, but from the moment I began to write it to publication). As for the topic of passwords, I plan to write a couple of articles in the near future, with reviews of those password managers that I mentioned in the article, and on some more points. I think it will be interesting :) And there will be no mess with passwords in the future =) So, as they say, welcome!

    If you have any questions, feel free to write to the mail. Well, or here on the blog, if within the framework of this or that article.

  4. Ogri

    Greetings, Alexander! Thanks for the info, I have long wanted to understand this, but all hands did not reach. Everyone thought that my five fives as a password to the admin panel could be left for some more time - who is interested in me until I get promoted? After spending a full day working on two hacked sites at once, I realized that it was interesting. Moved from complete indifference immediately to paranoia: now avminks are closed with 30-character passwords generated on the site you mentioned. I was not too lazy to create entropy in full. In general, I had a fun day - I corresponded with the hosting support service, then I dagged and clicked and spontaneously pressed the buttons, ensuring the generation of the maximum stochastic password. I did a bunch of other things at the same time to ensure maximum security; By the way, in a day or two I am planning an article on this topic, while my memory is fresh. And now I will generate all my passwords through that site. Since remembering them is unrealistic, they will be stored in KeePass, which I transferred to the main password manager thanks to your three articles about it. Special thanks for them.
    And now I'm going to troll you, as I promised. I'll meet Natalia.

  5. Ogri

    Spiteful hackers acted as catalysts, don't flatter yourself. On the contrary, you were able to help. I have been interested in this topic for a long time, I will read you.

  6. Tatiana

    Thanks. Highly useful information... I quit living by the principle: until the thunder breaks out, the man does not cross himself, I change my passwords to more reliable ones.)))

  7. Martha

    I don’t remember getting satisfaction at once on many points related to the topic of spy mania until the moment I came across your articles. Masterfully intelligible, interesting, unobtrusive.
    Low bow to you! Thank you for taking care of us - web paranoid :)

  8. Eugene

    Nice post... But not complete. Forgot about graphic passwords.

    1. Alexander Mayer

Each user who communicates on the forums and social networks, makes purchases on the Web, over time you have to face the problem of remembering passwords, since at one point there are so many accounts that you cannot do without a pen and a notebook.

Passwords are long and short, simple and complex. Everyone is free to choose what they like, however, the safety of personal and work data (which can be very expensive) may depend on the set of characters or an uncomplicated word. After all, the simpler and shorter the password, the faster attackers can get hold of this or that account.

Errata Security recently conducted an interesting research study that looked at how users choose their passwords. Data collection was carried out in the United States. As it turned out, 16% of users prefer to enter their own name or the names of loved ones in the password entry line. 14% of Internet account holders solve the problem of choosing a password using the numeric keypad ("1234", "12345678"), while some use letters ("QWERTY") instead of numbers.

It is interesting to note that 5% of all stolen passwords are the names of show business stars, TV shows and movie characters. For example, this is "Pokemon", "Matrix" (Matrix), "Ironman" (Iron Man). In turn, some users prefer to enter the word "Password" ("password1", "password") in the password line.

Despite the richness of their native language and the presence of their own imagination, many express their feelings through passwords: "I don" t care "(I don't care)," Yes "," No "," Iloveyou " love) "Ihateyou" (I hate you).

Arseny Gerasimenko

PASSWORD GENERATION RULES

My personal experience shows that yes, indeed, many users prefer simple passwords like "12345". Such a virtuoso complexity of a password as "1y2ts3u" immediately makes me suspicious that the user considers himself to be an "advanced" one :) However, one should remember that indeed secure password is a combination of letters of different case, numbers and special characters, and the length of the password should not be less than 8 characters. For example, the password " [email protected]"- will be safe," IvanPetrovich69! "- too, but" lisa1111 "will be much easier to find.

Good password rules:

  1. long (8-12-15 characters)
  2. contains both uppercase and uppercase latin letters
  3. contains numbers
  4. not found in the dictionary, this is not a name and not a Russian word (ckjdj) typed in the Latin layout
  5. has nothing to do with the owner
  6. changes periodically or as needed
  7. not favorite - different passwords for different logins
  8. it is possible to remember it
Bad password rules:
  1. short (less than 8 characters)
  2. all in one register (all LARGE are bad like all small ones)
  3. does not contain numbers
  4. can be found in the dictionary or is it a name or a Russian word (ckjdj) typed in the Latin layout
  5. is in any way connected with the owner
  6. does not change over the years under any circumstances
  7. can be loved - one password for everything
  8. it is impossible to forget it

PASSWORD STORAGE RULES
The ideal place to store your password is in your head. Your portfolio may be stolen, cellular telephone, a notebook, a piece of paper / floppy / USB flash drive with a password, but your memory is much more difficult to steal. So, if possible, passwords should be memorable and stored in your memory.

If you suspect that your password has been found out, change it IMMEDIATELY.
SMALL STATISTICAL INFORMATION

alphabet 6 characters 8 characters 10 characters 12 characters
26 (Latin all small or all large) 31 sec 5 hours 50 mins 163.5 days 303 years
52 (Latin with variable case) 33 minutes 62 days 458 years 1,239,463 years
62 (Latin of different register plus numbers) 95 minutes 252 days 17 hours 2.661 years 10,230,425 years
68 (Latin letters of different register plus numbers plus punctuation marks.,;:!?) 2 hours 45 mins 529 days 6703 years 30,995,621 years
Time to brute force all possible passwords of a given alphabet at a brute force rate of 10,000,000 passwords per second



and in conclusion (dummies and nix-admins need not read):
10 myths about Windows passwords

Despite all the advances in security technology, one aspect remains unchanged: passwords still play a central role in system security, the problem is that too often they can be the easiest mechanism to crack. While there are technologies and policies in place to make passwords more secure, there is still a human factor to contend with. It's no secret that users often use the names of friends, animal names, etc. as passwords.

The main challenge is for users to create strong passwords. However, it is not always clear how to achieve this. The problem is that our actions are too predictable. For example, in the list of completely random words invented by an ordinary person, some general pattern will certainly appear. Choosing strong passwords requires appropriate training. This knowledge is the system administrators and should be extended to end users. Perhaps this article will help you understand the use of passwords in Windows 2000 and XP.

Myth number 1: password hashes are strong enough when using NTLMv2

Many readers are familiar with the weakness of LanManager (LM) password hashes that made L0phtcrack so popular. NTLM makes hashes somewhat more robust because it uses a longer hash and distinguishes between upper and lower case characters. NTLMv2 is more advanced in that it computes a 128-bit key and uses separate keys for integrity and confidentiality. In addition, it uses the HMAC-MD5 algorithm for higher integrity. However, Windows 2000 still frequently sends LM and NTLM hashes over the network, and NTLMv2 is vulnerable to in-transit attacks (also known as replay). And, since the LM and NTLM password hashes are still stored in the registry, you are vulnerable to SAM attacks as well.

It will still be some time before we finally free ourselves from the limitations of LanManager. Until then, don't rely on your password hashes to be reliable.

Myth number 2... Dj # wP3M $ c - best password

It is a common myth that completely random passwords generated by a password generator are the best. This is not entirely true. While they can be really strong, such passwords are usually difficult to remember, slow to type, and sometimes vulnerable to attacks on the password generation algorithm. It is easy to create passwords that are resistant to cracking, but more difficult to make such passwords memorable. There are a few simple tricks for this. For example, consider the password " [email protected] This e-mail is protected from spambots. Java-script support must be enabled in your browser to view it. "This password uses upper and lower case letters, two numbers and two characters. The password is 20 characters long, but it can be remembered with a minimum of effort, you may already have it. Moreover, this password is typed very quickly. In the "Makeit20" part, the left and right keys on the keyboard alternate, which increases the typing speed, reduces the number of typos and reduces the chance that someone will be able to spy on your password while watching with the movements of your fingers (lists of English words have long been created, alternating keys for the right and left hand, which are convenient to use as part of your password.

The best technique for creating complex yet easy-to-remember passwords is to use the structures we are used to remembering. Such structures also make it easy to include punctuation marks in the password, as in the example e-mail address used above. Other structures that are easy to remember are phone numbers, addresses, names, file paths, etc. Pay attention to some of the elements that make it easier for us to remember. For example, the inclusion of patterns, repetitions, rhymes, humor and even rude (including obscene) words creates passwords that we will never forget.

Myth number 3... 14 characters - optimal password length

In LM, password hashes are split into two 7-character hashes. This effectively makes passwords more vulnerable, since a brute-force attack can be applied to each half of the password at the same time. That is, passwords with a length of 9 characters are split into one 7-character hash and one 2-character hash. Obviously, cracking a 2-character hash will not take long, and the 7-character part is usually cracked in a few hours. Often a short section can make it much easier to crack a long section. Because of this, many security professionals have determined the optimal password length to be 7 or 14 characters, corresponding to two 7-character hashes. NTLM has improved this somewhat by using all 14 characters to store password hashes. While it does make life easier, the NT dialog box limits the password to a maximum of 14 characters; thus making passwords exactly 14 characters long are optimal for security.

But everything is different in newer Windows versions... Windows 2000 and XP passwords can be up to 127 characters long, so 14 characters will no longer be the limit. Moreover, one small circumstance revealed to Urity at SecurityFriday.com is that if the password is 15 characters or more, Windows does not even store LanMan hashes correctly. If your password is 15 characters or more, Windows stores the constant AAD3B435B51404EEAAD3B435B51404EE as an LM hash, which is equivalent to a zero password. And since your password is obviously not null, attempts to crack this hash will get you nowhere.

With this in mind, using passwords longer than 14 characters might be good advice. But if you want to make it mandatory to use such long passwords using group policy or security templates, then you run into difficulty - nothing will give you the opportunity to set the minimum password length more than 14 characters.


Myth number 4... J0hn99 - Good password

Although the password "J0hn99" meets the complexity requirements of Windows 2000, it is not as complex as it seems at first glance. Many password cracking programs try millions of words per second. Replacing the letter "o" with the number "0" and adding a couple of numbers is nonsense for such programs. Some crackers even test a set of methods that users typically use, allowing them to brute-force even fairly long and seemingly good passwords.

The best approach is to be less predictable. Instead of replacing "o" with "0", try replacing "o" with two "()" characters, as in "j () hn". And, of course, by lengthening the password, you increase its robustness.

Myth number 5... Any password can be cracked sooner or later.

Although any password can be cracked in several ways (for example, through " keylogger"or social engineering), however, there are ways to create passwords that cannot be cracked in a reasonable amount of time. If the password is long enough, it will take so long to crack, or require so much processing power, that it is essentially the same as if it were unbreakable (at least for most hackers). Of course, in the end, any password can be cracked, but this event can happen and not during our life, and not even during our lifetime Thus, unless, of course, government agencies are trying to figure out your password, then its chances may be very high. computer technology may one day make this myth a reality.


Myth number 6... Passwords need to be changed every 30 days.

Although this is good advice for some passwords with high degree risk, it is not suitable for average users. Requiring frequent password changes often forces users to create predictable patterns in their passwords or use other methods that actually significantly reduce their effectiveness. The layman does not like to constantly come up with and remember new passwords every 30 days. Instead of limiting the age of a password, it is better to focus on stronger passwords and more user competence. A reasonable time frame for the average user is 90 to 120 days. If you give users more time, it will be easier for you to convince them to use more complex passwords.

Myth number 7... You should never write down your password

While this is good advice, sometimes you just need to write down your passwords. Users feel much more comfortable creating complex passwords if they are confident that they can read it in a safe place if they suddenly forget. However, it is important to educate users on how to write down passwords correctly. A sticker on a monitor is undeniably silly, but storing your password in a safe or even a locked drawer may be sufficient. And do not neglect security when it comes time to throw away the paper with the old password: remember, many major hacks have occurred precisely because hackers were not too lazy to look through the garbage of the organization in search of recorded passwords. It might be an idea to allow users to store their passwords in software password storage utilities. These utilities allow the user to store multiple passwords in one place, protected by a master master password. But if someone finds out the master password, they will have access to full list all passwords. Therefore, before allowing users to save passwords in such a place, consider the following dangers: firstly, this method is software, and, therefore, vulnerable to attack, and secondly, since everything here is based on one master password, it can become the only point for the global failure of all passwords of all users. The best practice is to combine technology, physical security, and company policy.

Besides, passwords just need to be documented. There is nothing unusual about a situation where System Administrator got sick or quit. And in a number of organizations, this is the only person who knew all passwords, including the server password. So sometimes you even have to approve of writing down passwords, but only when it is really necessary and thoughtful.


Myth number 8... Password cannot contain spaces

Although most users do not use this, Windows 2000 and Windows XP allow the use of spaces in passwords. In fact, if you can see such a symbol in Windows, then you can use it in the password as well. Therefore, a space is a perfectly valid password character. However, since some applications trim spaces, it's best not to start or end the password with a space.

Spaces make it easier for users to create more complex passwords. Since the space can be used between words, its use can give users a real opportunity to use long passwords of several words.

In general, the situation with the space is very interesting, it does not fall into any category of complexity requirements Windows password... It is neither a number, nor a letter, and does not even count as a symbol. Thus, if you want to make your password more complex, then the space is no worse than any character and in most cases does not reduce the complexity of passwords.

But I would like to say about one significant drawback associated with the use of the space bar - its key emits a unique sound when pressed, which cannot be confused with anything. It's not hard to hear if someone is using a space in their password. In general, use spaces, but don't overuse them.

Myth number 9... Always use Passfilt.dll

Passfilt.dll is a library that forces users to use strong passwords. In Windows 2000 and XP, this is done through the "Password must meet complexity requirements" policy. While this is often a good policy, some users may find it frustrating when their passwords are rejected as not strong enough. Even experienced administrators sometimes have to enter multiple passwords until one of them passes the complexity requirements. Frustrated users will certainly not express support for your password policy.

If you can see that users don't like the difficulty requirements, perhaps the best way out there will be a requirement for long passwords instead of this policy. If you do the math, you can see that a 9-character lowercase letter password is about the same complexity as a 7-character password that uses both lowercase and uppercase letters and numbers. The only difference is how the password cracker handles different subsets of characters; some brute force crackers iterate over all lowercase letter combinations before using numbers and other symbols.

Another option is to take the Platform SDK sample in the \ samples \ winbase \ Security \ WinNT \ PwdFilt \ directory and modify it to be more lenient in choosing a password.

You can also educate users on how to complicate passwords and give them a few ideas for doing so.

Myth number 10... Use ALT + 255 for the strongest password

Consider using large ASCII characters to further complicate the password. These characters cannot be naturally typed on the keyboard, but are entered by holding down the ALT key and typing the ASCII code on the numeric keypad. For example, the sequence ALT-0255 creates a character.

While this is useful in some situations, the disadvantages should also be considered. First, holding the ALT button and typing on the numeric keypad can be easily spotted by outsiders. Secondly, the creation of such a character requires five keystrokes, which must be remembered and subsequently entered each time you type a password. It might make sense to create a password five characters longer, which would make your password much stronger for the same number of keystrokes.

For example, a 5-character password generated from large ASCII characters will require 25 keystrokes. Given 255 possible codes for each character and a total of five characters, we get a total of 255 ^ 5 combinations (or 1,078,203,909,375). However, a 25-character password created from only lowercase letters has 26 ^ 25 (or 236,773,830,007,968,000,000,000,000,000,000,000) possible combinations. It is obviously better to create longer passwords.

Another point to think about is that the keyboards of some laptop computers make it difficult to input from numeric keypad and some utilities command line do not support large ASCII characters. For example, you can use the ALT + 0127 character on Windows, but you cannot type it at the command line. Conversely, some character codes such as Tabs (ALT + 0009), LineFeeds (ALT + 0010), and ESC (ALT + 0027) can be used when typing from the command line, but cannot be used in dialog windows windows(which may be a desirable side effect in some rare cases).

However, there are a few cases where the use of extended character codes is useful. If you have service or local admin accounts that are rarely used, sometimes using extended characters deserves a few extra keystrokes. Since few password crackers are configured to handle extended characters, this may be enough to make a password extremely difficult to crack. But in this case, do not stop at the big ASCII code: there is a little-known fact that in reality you can use the full set of Unicode characters, which is 65,535 possible characters. However, a character such as ALT + 65206 is not as stable as the equivalent number of keystrokes using regular characters.

Finally, consider the use of non-breaking space (ALT + 0160) in the wide character set. This symbol is displayed as regular space and can often deceive those who somehow saw your password. For example, let's say that a cracker was able to install a keyboard logger on your system. If you use a non-breaking space in your password, it will look like a regular space in the log file. And if the cracker does not know about non-breaking gap and doesn't see a valid ASCII code, then his password, which he hoped for, won't give him anything. But many people simply do not know about the existence of this symbol, although it seems that after reading this article they will already know.

Conclusion

Someone may disagree with some of the points presented, but they do not pretend to be the ultimate indisputable truth. That was not the purpose of this article. The myth is half true. Many of the myths that are criticized here were once excellent advice, or even still are in specific cases. But for many, these tips have become a set of rigid, immutable rules that must always be applied. But any advice about passwords, including those given in this article, is nothing more than just advice. It is up to you to decide which rules are right for you and which are not. Perhaps the biggest and most flawed myth of all is that there are strict rules for passwords.

Sometimes John99 is a good password, and sometimes passwords have to be changed much more often than once a month. Some passwords, for example, administrator passwords, need much more protection than others - user passwords. To create a password policy that protects you in the best possible way, you should take all your knowledge and add to it what you find useful from what is written here.

A good password is more than just a strong password. A good password is one that is extremely difficult to guess or guess, but very easy to remember. It should be long and consist of letters, numbers and symbols, but at the same time it should be easy and accurate to type. It should contain random elements that only a computer can provide, and at the same time remain akin to what a person can create.

But the best of all passwords is the one the user chooses based on scientific understanding of the password creation system. And the best password policy is one that helps users create such passwords.

It is no secret that most people use passwords that are not very hard to crack. These are dictionary passwords that consist of commonly used words or phrases. These are legendary keyboard shortcuts qwerty, 12345, asdfg and others. These are common Russian words typed in a different layout (for example, password = gfhjkm, etc.).

To a greater extent, the burglary resistance of a password depends not on its complexity, but on the authorization system. In other words, the password zaika88 is more secure than [email protected]! kABB, if in the second case we have the ability to freely brute-force passwords, and in the first we get a delay between input attempts, proportional to the number of unsuccessful attempts. But the password zaika88 is much easier to guess than [email protected]! kABB at equal pick speeds.

Apple ID requires (required a few years ago for sure) to create a password with the obligatory use of special characters, the presence of numbers and capital letters. I started thinking about the complexity of the passwords used in AppleIDs.

- Most likely capital letter will be used at the very beginning of the password. It is unlikely to be used anywhere else (except for 8 = B). We are used to writing new sentences with a capital letter, so if we are asked to create a password with at least one capital letter, we will place it at the very beginning.

- A special character, in the absence of alternatives, will most likely be added at the very end of the password. But usually some letters are replaced with special characters: i =!, A = @, s = $. The signs are now different, but the letters themselves are visually similar. And the replacement algorithm is quite clear, so it does not greatly delay the hacking process.

- Mandatory digits in most cases will replace similar letters: o = 0, b = 8, t = 7, 1 = i, 9 = g. Again, the same visual "similarity" of signs. Numbers can be added at the end of a word, but this is really a kindergarten.

- Most likely, such requirements for the password (and Apple constantly says what else needs to be added to the password) will lead to the fact that the user will encrypt the most obvious words with similar methods.

What is the actual difference between Barcelona and [email protected] The difference is that the second password is accepted by the Apple service, since it meets all the "requirements" for the complexity of the password. But, nevertheless, this is still the same vocabulary word. And such "juggling" is best avoided.


The caption to the picture reads: "Complex passwords must be at least eight characters long and include uppercase and lowercase letters, numbers, special characters." Moreover, of all the repeated lines, the lowest one is not very different from the original. It is definitely not worth encrypting words with this method today.

It was worth doing in the BBS era, when computers were big and data rates were small. By the way, this very "replacement" is called "leet", there is a detailed article on Wikipedia, but you can just familiarize yourself with the list of words. Today, when the power of computers and the speed of data transfer have increased hundreds of times(and I'm not kidding), such "complex passwords" are revealed once or twice. guarantee it!