Creating Secure Passwords
The other day I was once again reminded of the need to use good passwords.
A customer called and reported that one of their users could not log in. In checking, the user was actually logging in, and then immediately being logged back out. Digging deeper, the reason they were immediately being logged back off was that there were no more user-specific resources available for that login. There were almost 90 processes already running under the user's login.
They had been hacked. Someone had connected as that user, and started a large number of processes that were scanning the Internet for more places to attack.
While this customer is normally very security conscious, they had made a big mistake: they had set this account up with the password being the same as the login. This is done so commonly that it is one of the first things tried by many of the automated hacking scanners out there. It makes it easy for the user to remember, but it also makes it easy for the bad guys to get in.
Good passwords should never be the same as the login, nor easily guessed. Using the word "password" is a common mistake, for example. Instead, a good password should be unrelated to the login, the site, or the nature of your business: if you run a pet store, "Doggie" would not be a good choice. Words found in the dictionary are poor choices in general. Better to use a mixture of upper and lower case letters, numbers, and special characters such as those found on the shifted number keys.
After cleaning the system and changing the passwords, that customer has been running problem-free again.
TIP: There are good password generation and management programs available, like KeePass. They will generate long, complex passwords for you and fill them in automatically, so you do not need to remember or type them. Remember that password length is also a measure of security: the longer the better, within what the site permits.
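The rules above (not the same as the login, not a dictionary or business-related word, mixed character classes, and as long as the site permits) can be turned into a simple policy check, and the generator can be done with a cryptographically secure random source. The following is an added example written for this post, not code from the original or from KeePass; the small wordlist, the site-related words and the minimum length of 12 are constructed assumptions, and a real deployment would load a full common-password list from a file.

```python
import math
import secrets
import string

# Constructed stand-in for a real dictionary / common-password list (assumption:
# a real check would load a much larger list, e.g. a breached-password corpus).
COMMON_WORDS = {"password", "doggie", "letmein", "welcome", "qwerty", "123456"}

# "Special characters such as those found on the shifted number keys".
SPECIALS = "!@#$%^&*()"
ALPHABET = string.ascii_letters + string.digits + SPECIALS


def has_all_classes(pw):
    """True when the password mixes upper, lower, digits and specials."""
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw) and any(c in SPECIALS for c in pw))


def generate_password(length=20):
    """Generate a random password with the `secrets` CSPRNG (never `random`).

    Re-draws until every character class is present, so the result also passes
    has_all_classes(); `length` should be as long as the site permits.
    """
    if length < 4:
        raise ValueError("need at least 4 characters to include every class")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(pw):
            return pw


def check_password(pw, login, site_words=(), min_length=12):
    """Return the list of rules the password breaks (empty list means it passes).

    `site_words` are terms tied to the site or business (the "pet store / Doggie"
    case in the post); `min_length` of 12 is an assumed policy value.
    """
    problems = []
    low = pw.lower()
    if low == login.lower():
        problems.append("same as login")
    elif len(login) >= 3 and login.lower() in low:
        problems.append("contains the login")
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    for word in COMMON_WORDS:
        if word in low:
            problems.append(f"contains common/dictionary word '{word}'")
    for word in site_words:
        if word.lower() in low:
            problems.append(f"contains site-related word '{word}'")
    if not has_all_classes(pw):
        problems.append("missing a character class (upper, lower, digit, special)")
    return problems


def estimate_entropy_bits(pw):
    """Upper-bound guessing entropy: length * log2(size of the classes actually used).

    This shows why length matters: each extra character adds log2(alphabet) bits,
    while adding a class only widens the per-character alphabet.
    """
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in SPECIALS for c in pw):
        size += len(SPECIALS)
    return round(len(pw) * math.log2(size), 1) if size else 0.0


if __name__ == "__main__":
    # The incident in the post: password identical to the login.
    print(check_password("jsmith", "jsmith"))
    # The pet-store example.
    print(check_password("Doggie", "alice", site_words=("dog", "petstore")))
    # A generated password passes the policy and has far more entropy.
    pw = generate_password(20)
    print(pw, check_password(pw, "alice", ("petstore",)), estimate_entropy_bits(pw))
```

The entropy figure is an upper bound that assumes a uniformly random choice; a human-chosen password that happens to use all four classes is still far weaker than the number suggests, which is the reason to let a manager such as KeePass generate them.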