Webbie's Note About Passwords
Using Strong Passwords
Security is always a big concern on a server that is shared by many users, as our servers are, and strong passwords are the key to keeping out unwanted miscreants. You should always use a non-word as a password. By non-word we mean something that is not a single word that can be found in a dictionary, such as 'puppy'. That would be a horrible password. Why? Say you chose it because you just got a new puppy. It is easily associated with you. We've all seen the movies - someone sits down at someone else's computer and thinks about what the person would have used as their password, guessing it after trying a few words that relate to that person. It's easier than you think!
So, what Makes A Good Password?
Here are some general guidelines and hints at making a great password for yourself.
- Make your password eight (8) or more characters long. The longer the better since we're protecting against Dictionary Attacks (see below) and the more combinations someone has to try, the harder it is to crack a password.
- Mix numbers and letters together within your password. It's much harder to guess a password when you have the 26 possible letters AND 10 possible numbers (0-9) that could be used within your password.
- Mix text cases up as you go. Passwords are case-sensitive. Even if you chose a word like 'puppy', when you use 'pUpPY' it's much harder to guess than the simple, all-lowercase version. If you think about it, you'll understand how it makes guessing harder. There are five letters in the word 'puppy'. Each one can be either upper or lower cased. That's 25 different combinations it could be. Mixing cases makes it a little harder to guess the password.
- Throw in a punctuation mark. In most cases they're okay to use! Toss in an equal sign, an exclamation point or a tilde. You can greatly decrease your chances of a successful dictionary attack against a password that contains some punctuation marks.
- Think of a phrase you can easily remember. Now take the first letters of each word and make your password.
Let's try an example. I was thinking of a phrase - "Here Comes Peter Cotton Tail". Take the first letters and it would be 'HCPCT'. Mix the case up for this: 'HcPcT'. Now add some numbers, here I choose '04' representing April, since that's the month old Peter comes around. Now I have 'HcPcT04'. To take it one step further I add a punctuation mark. Now my password is 'HcPcT#04'. It's eight characters long, contains numbers and a punctuation mark and is not a "word" you would find in the dictionary. This would be a fairly strong password for me to use! And, no - I didn't use it, so stop trying it. And don't you use it yourself!
What Is This 'Dictionary Attack' Stuff?
A dictionary attack is when a bad-guy takes a collection of common words, usually in a text file or database of some kind, and uses a program to cycle through that list while trying to login to your account. The program tries each and every word within the collection as your password. If 'puppy' was your password and it was in the collection of words someone was using, they have a free pass into your account! Not good!
For email, dictionary attack has two meanings actually. The second being when a spammer tries common names as your email address and floods your domain with emails that may or may not work. They try things like firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com... on and on. They might a thousand emails thrown blindly at your domain, hoping at least a few get through. This is also referred to as a 'dictionary attack' because the email names they use are also in a 'dictionary' of sorts.