Designing strong passwords

This article will inform you on how to create stronger passwords.

Good evening HBH,

TechieJeff here to talk about proper passwords. Over the span of my days securing systems, I have seen my fair share of dreadful passwords. You may be wondering whether your own password is lousy. When I say a despicable or inadequate password, I mean one that a brute-force application or dictionary attack could easily crack.
We will start off with the types of attacks against your passwords.

1.) Brute Force - Every single possible combination of characters is tried (aaa, aaA, aAA, AAA, aab, ...)
2.) Dictionary - Passwords are read from a text file (a dictionary). Example: Common_Passwords.txt
3.) Hybrid - A variation of the Dictionary approach, but accounting for common user practices such as alternating character cases, substituting characters ("@" in place of "A", etc.), using keyboard patterns ("1QAZ", etc.), doubling passwords to make them longer, or adding incremental prefix/suffix numbers to a basic password ("2swordfish" instead of "swordfish", etc.). Example: M@ry_Brunst3r
4.) Shoulder Hacking - In this attack, quite simply, an attacker will 'peek' over your shoulder to watch your password being typed. A simple circumvention of this type of attack is self-awareness: know whether someone is standing behind you.

Now that we have covered the types of attacks, we will discuss circumvention of them as well.

Creating a good password - 101:
1.) Today's standard is around nine characters long. If someone decided to attack a nine-character password, it would take him or her a decent amount of time, since there are about 1000 million different combinations for a nine-character password. So think of it this way: the more characters, the harder it is for the attacker.

2.) Including numbers - A simple and easy password usually does not contain numbers. If you want a hard-to-guess password, include at least four numbers.

3.) No formation of words - Dictionary attacks (as described above) take 'WORDS' out of a text file. Therefore, if your password is not a word, it cannot be cracked as easily. What I mean is: don't make your password John9209; make it something more complex and unreadable, such as J0HN92ohnine

4.) Combination - A good password will have a mixture of: Numbers, Letters, Caps, Lowercase, and symbols. Example: J3Ff3ry-9209-IlLin0i5 (Jeffery-9209-Illinois)

5.) Make it complicated to crack, but not written down - Contrary to popular belief, many attacks do not involve guessing your password at all, but simply reading it off the paper you wrote it down on! So do not write down your passwords; only practice them in your head. If you must write them down, put them on a small piece of paper in an inconspicuous place such as a sock drawer, and keep it only for as long as you need it (until you can remember it by heart).

6.) Don't fall for social engineering - Many attackers, say over IM, will ask you something like "What are some good passwords?" This may seem harmless at first, but if you fall prey to it, the attacker can then tell what types of passwords you use, which helps him configure his brute force.

7.) Repetitiveness killed the cat? - Using the same password for more than one account is very dangerous. You are practically asking for trouble. We all let down our defenses sometimes, so if you do mess up, contain the loss. Say you use the same password for MySpace as you do for your email. Well, if the attacker cracks your MySpace password, he can then snoop through your email and tamper with information.

8.) The good old text file - Saving your passwords in a text file on your desktop is careless. Someone may already be trying to attack your password at this moment, and if he can gain access to your system via a vulnerability, he can simply read your files for sensitive information. And yes, there are programs that do this automatically (they search for keywords).

Here are a few tips to think about when creating a password:
* Don't use a password that is listed as an example or is otherwise public.
* Don't use the same password you have been using for years.
* Don't use a password someone else has seen you type.
* Don't use a password that contains personal information (names, birthdays or dates that are easily related to you).
* Don't use words or acronyms that can be found in a dictionary.
* Don't use keyboard patterns (qwerty) or sequential numbers (12345).
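As an added example that is not part of the original article, the Python below turns the rules above into a checker a defender could run on candidate passwords: it computes the brute-force keyspace (charset size to the power of length), undoes the leet substitutions and doubling a hybrid attack would try before looking for dictionary words, and flags keyboard runs such as "qwerty" and "1QAZ". The small word list and the guess rate of one billion per second are constructed assumptions standing in for a real attack dictionary and real cracking hardware.

```python
import math
import re
import string

# Constructed stand-in for the "Common_Passwords.txt" dictionary the article
# mentions; a real attack list holds millions of words and names.
COMMON_WORDS = {
    "password", "swordfish", "letmein", "john", "mary", "jeffery",
    "illinois", "simple", "man", "binary",
}

# Hybrid-attack normalisation: reverse the usual "@ for A, 0 for O"
# substitutions so the dictionary check sees the word the user started from.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

# Keyboard rows plus the "1QAZ"-style columns the article lists as patterns.
KEYBOARD_RUNS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
                 "1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm"]


def charset_size(pw):
    """Alphabet size a brute-force attacker must cover for this password."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def brute_force_keyspace(pw):
    """Number of candidates for an exhaustive search: charset ** length."""
    return charset_size(pw) ** len(pw)


def normalize(pw):
    """Lower-case, reverse leet substitutions, drop non-letter prefix/suffix."""
    s = pw.lower().translate(LEET_MAP)
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", s)


def dictionary_hits(pw):
    """Dictionary words a hybrid attack would recover from the password."""
    hits = []
    for tok in filter(None, re.split(r"[^a-z]+", normalize(pw))):
        if tok in COMMON_WORDS:
            hits.append(tok)
            continue
        half = len(tok) // 2  # doubled word, e.g. "swordfishswordfish"
        if tok[:half] == tok[half:] and tok[:half] in COMMON_WORDS:
            hits.append(tok[:half])
    return hits


def has_keyboard_pattern(pw, run=4):
    """True if any run of `run` adjacent keys (either direction) appears."""
    s = pw.lower()
    for keys in KEYBOARD_RUNS:
        for i in range(len(keys) - run + 1):
            seq = keys[i:i + run]
            if seq in s or seq[::-1] in s:
                return True
    return False


def assess(pw, min_length=9, min_digits=4, guesses_per_second=1e9):
    """Apply the article's rules; guesses_per_second is an assumed attacker rate."""
    findings = []
    if len(pw) < min_length:
        findings.append(f"shorter than {min_length} characters")
    if sum(c.isdigit() for c in pw) < min_digits:
        findings.append(f"fewer than {min_digits} digits")
    if charset_size(pw) < 26 + 26 + 10 + len(string.punctuation):
        findings.append("missing a class (lowercase, uppercase, digit, symbol)")
    words = dictionary_hits(pw)
    if words:
        findings.append("dictionary words after normalisation: " + ", ".join(words))
    if has_keyboard_pattern(pw):
        findings.append("keyboard pattern or digit run")
    space = brute_force_keyspace(pw)
    return {
        "keyspace": space,
        "bits": math.log2(space) if space else 0.0,
        "seconds_to_exhaust": space / guesses_per_second,
        "findings": findings,
    }


if __name__ == "__main__":
    # The article's own before/after examples, run through the checker.
    for candidate in ["John9209", "J0HN92ohnine", "J3Ff3ry-9209-IlLin0i5"]:
        report = assess(candidate)
        print(f"{candidate}: {report['bits']:.1f} bits, "
              f"{report['seconds_to_exhaust']:.0f} s at 1e9 guesses/s")
        for finding in report["findings"]:
            print("  -", finding)
```

The keyspace figure is an upper bound on attacker effort, not a guarantee: a password that scores well on length and character classes can still fall to a hybrid attack if, after reversing the substitutions, it reads as dictionary words joined by separators, which is exactly what the `dictionary_hits` pass is there to surface.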

So with that, I leave you with a few examples of well-thought-out passwords. I do not recommend using these; I simply want you to understand what a good password looks like.
[name]+[birth_year]+[current_year]+[initials]+[random_string]+[animal_name]
Jeff-9309_BinaryGrady
Simple_Man-2009_JJF_9309-Phew!
If I can remember them, so can you :)

Please keep checking for new articles of mine. I hope that helps! Happy early Christmas!

Sincerely,
Jeff

Comments

stealth- on December 17 2009 - 04:21:00
It was decent. Very well presented, however it wasn't that great of content. Things like this should be obvious (but I guess they apparently aren't, if we are making articles like this). I'd rate this good. Hopefully the next one is just as well presented, but with something more interesting.
Compromise on December 17 2009 - 11:51:20
>Don't use a password that contains personal information
mido on December 17 2009 - 14:25:01
Very nice and approachable article for the very-beginners. Well written. Waiting for your next contribution.
Compromise on December 17 2009 - 22:23:26
Okay, Jeff, this is what you need to know. Charsets, right? We've got abc, ABC, abc123, abcABC123 and abcABC123+unusual characters. Now, be sure to include each of those. For example: "dgLE499@#!:". Also, length. But that's a given. 10+ will do most of the times, 12+ is really good and 16+ is just madness. 24+ if you wanna go tinfoil hat.
korg on December 20 2009 - 02:02:24
Boring as hell if you ask me. I never would have let this one slide through.
maug on December 20 2009 - 09:43:51
At least it's short. Everyone reads this same thing at some point; it could have been shorter.
Network X on December 22 2009 - 20:59:33
Very Good Article actually
poe on December 23 2009 - 05:54:45
Not a bad (nor a boring) article. Simply for the fact that a lot of people still use passwords that this article otherwise suggests against using. I picked up some useful information, and will probably be making new breeds of passwords from now on.
korg on December 24 2009 - 05:15:20
MoshBat two words: no shit.
Mtutnid on October 29 2010 - 14:06:27
:ninja: I am a ninja, I will assassinate this article.