A password is a string of characters that is used to access information on a computer. Passphrases are long passwords that improve safety and contain many words that make up a phrase.
Passwords and passphrases allow you to exclude unauthorized access to files, programs and other resources.
When creating a password or passphrase, make them reliable so that they are hard to guess or hack.
It also doesn't hurt to use strong passwords for all accounts on the computer. If you are using a corporate network, your administrator may require you to use a strong password.
Note: IN wireless network secure key WiFi access Protected Access (WPA) supports the use of a passphrase. The passphrase is converted into a key that is used for encryption (this process is invisible to the user). additional information For WPA security keys, see What are the ways to secure a wireless network?
What makes a password strong
Strong password: |
Strong passphrase: |
|---|---|
|
|
Strong passwords and passphrases contain characters that fall into four categories:
The password or passphrase can meet all of the above requirements and still be unreliable. For example, V7 Vaccinated! meets all the characteristics of a strong password, however, it is not strong, as it contains a whole word. Password Priv1t At 7! is reliable option- in the word, some letters are replaced by numbers, and the password itself contains spaces.
How to remember a strong password or passphrase:
Create an acronym from a block of easy-to-remember information. For example, pick a phrase that makes sense to you, like My son's birthday is December 12, 2004. Guided by this phrase, you can create a password like Dnms12/Gr, 4.
Replace letters or words with numbers, symbols and misspellings in an easy-to-remember phrase. For example, My son's birthday is December 12, 2004 can turn into DnN @ r M0g0Sun @ 12124(You can't use spaces in passwords.)
Associate the password with a hobby or favorite sport. For example, I like to play badminton can turn into Love #8B @ dm1nt () n.
If you want to write down the password so you don't forget it, don't mark it as a password and keep it in a safe place.
Passwords using ASCII characters
You can also create passwords and passphrases containing extended ASCII characters. Using extended ASCII characters will help secure your password or passphrase by increasing the number of characters you can choose to create a password.
Before using extended ASCII characters, make sure the password or passphrase is compatible with the programs you use at home or at work. You should be careful about using extended ASCII characters in passwords and passphrases if your company uses multiple operating systems or different versions of Windows.
Additional ASCII characters can be found in the character table. Some additional characters ASCII should not be used in passwords and passphrases. Don't use a character unless a keyboard shortcut is specified for it.
Windows passwords can consist of significantly more characters than recommended above (eight). In fact, the password can contain up to 127 characters.
However, if you are on a network that also has computers connected to Windows control 95 or Windows 98, use a password that does not exceed 14 characters. If the password is longer than 14 characters, you may not be able to log on to the network from computers running these operating systems.
Hello dear readers of my blog!
Today I would like to tell you about how to guess the right password.
When registering on many sites, I saw that everywhere there are different requirements for access codes. Based on this, I developed the perfect formula for creating a password. It will be different on almost all sites, but at the same time, you will remember it and will not forget it! 🙂
Why is it important to make them different?
Before I start creating a password, I would like to say a few words about the importance of having different passwords.
One password for all web services is convenient, but dangerous. After all, it can be stolen not only by the administrators of the sites on which you are registered, but also by hackers.
Knowing him, it is not difficult to find out personal information, get any secret data and documents.
Having gained access to your mailbox, you can change or recover passwords from other resources. Or to correspond on your behalf. Therefore, I recommend that you take this matter seriously. In addition to creating, I advise you to change it periodically or, if possible, connect sms confirmation of entering your account. For example, how it is implemented in VKontakte. What's more, it's free 🙂
We come up with a password (for example, for public services)
List of requirements suitable for many sites:
- It must be at least 8 characters, as I've noticed that some sites require this length;
- You must use at least one number;
- At least one letter is capitalized;
- Use the first 2 letters of the site name in the password (this is necessary so that the password is always different);
- Use a punctuation mark. It's optional, but if it is, then it's good.
Perfect password
Let's say we need to come up with a password for the Mail.ru website.
Let's choose a punctuation mark, let it be - "!".
Let's take the first 2 letters of the site, the first letter will be capitalized - "Ma".
There are 5 more characters left. I can advise you to use the last 2 digits of your year of birth. Let's say "90".
There are 3 characters left. It's already your choice. You can enter your name. Let's say "baa".
In total, we get a password - !Ma90baa
For yandex.ru, it will be - !Ya90baa
For rambler.ru - !Ra90baa
For vk.com - !Vk90baa
For skype - !sk90baa
It is not necessary to write in the same order as mine. You can change the characters in places, as you like, as it is easier for you to remember. For example: Sk90baa!, Skbaa90!, 90Skbaa!, 90baaSk! etc.
You can choose any number of digits in the password, at least 5, it's up to you. Or you can add numbers to the end, and 3 letters in front of them.
Well, that's all 🙂 Now you will have passwords from all your accounts and will never forget them. 😎
One of the most significant security concerns in an organization is passwords for sensitive user accounts. Even if you carefully plan and configure your security settings group policy, including firewall settings in mode increased security, deploy antivirus software and keep your system and antivirus software up to date, set up IPSec policies, deploy network access protection servers, and your user accounts don't have strong enough passwords, the security of your entire company could be at risk.
Of course, you can, and even should, use Group Policy to set a limit on the creation of complex passwords, set interval for blocking account in case of incorrect password entry, and set up audit policies to analyze failed login attempts. But even passwords that operating system will be considered complex (that is, the password will be longer than a certain number of characters, the password will contain uppercase, lowercase characters, and numbers) may actually be vulnerable and easy for attackers who will crack them. It is this stage of ensuring the security of your company that may be the most difficult for you, since here your participation plays only a mediocre role, and any negligent attitude on the part of your users can have a lethal effect on the infrastructure of the entire company. In other words, in this case, you need to try to get your users to create secure passwords, remember them, change these passwords periodically, and also keep these passwords to themselves, which, in fact, can be much more difficult than planning an organization's infrastructure, as well as deploy and maintain servers with appropriate server roles.
In this article, I will talk a little about the reasons for which passwords cannot be created, as well as exactly how you need to create passwords for your accounts. Let's consider everything in order.
Password Cracking Methods
One of the most common attack methods on any infrastructure is cracking the passwords of users who are authenticated in order to gain access to the organization's internal network. Accordingly, if an attacker gains access to a user account, he will be able to access any internal documents of the company and other protected information. In addition to user accounts to access the internal network of the organization, attackers also often try to hack email accounts, social networks, blogs and other things. Therefore, users should be advised not to use the same password for all of their accounts, much less a simple password.
In principle, there are many methods for cracking passwords, but this article will briefly cover only the main methods that are most common in our time. These methods include logical guessing, dictionary search of passwords, brute force (or brute force), as well as the most serious method - the use of the human factor.
logical guessing
This method is the simplest, and usually begins with a logical password guess. For example, an attacker might try to guess the password of your users by knowing your user's first name, last name, and, say, their year of birth. For example, if a user creates a password like “Last name + year of birth” or a login in reverse order, you don’t have to worry too much, such a password will be cracked in a few minutes.
Dictionary search of passwords
Since many users like to specify one word as passwords for any of their accounts, be it the name of a volcano in Iceland or the name of a favorite rabbit, and, at most, add one digit to such a password, attackers can crack such a password using pre-selected passwords , which are loaded from special dictionaries. Such dictionaries usually include words from different languages that may be used by inexperienced or security-indifferent users. Password guessing using this method, usually does not take much time and an attacker will be able to access your users' data in just a few hours. And since there are a lot of such dictionaries on the Internet, you should immediately explain to users that they should not use such passwords, since not only their social network account, but the entire infrastructure of the enterprise may suffer.
Another technique related to dictionary traversal is called password hash table traversal. This method is used when the attacker was able to determine the hashes of the passwords and all he has to do is find a password in the database that will fully match the given hash.
brute force method
The brute force method or complete (direct) enumeration differs from the previous method in that when selecting a password, not a specific dictionary is used, according to which a simple password can be selected, but a large number of any possible combinations. In this case, as you understand, everything depends only on the complexity of the password and the number of characters. I think many of you have seen the following table, based on which you can roughly estimate the complexity of the generated passwords, given that the passwords will contain only letters of the same register with numbers and the brute force rate is 100,000 passwords in one second:
|
Number of signs |
Number of options |
Search time |
|
less than a second |
||
|
less than a second |
||
|
less than a second |
||
|
2,821 109 9?1012 |
11 months |
|
|
1,015 599 5?1014 |
||
|
3,656 158 4?1015 |
||
|
1,316 217 0?1017 |
||
|
4,738 381 3?1018 |
1,505,615 years |
Accordingly, a password with a length of at least eight characters can be considered a more or less strong password. Since when writing this article, the main task was to consider methods for creating strong passwords, it will not consider the means of implementing password brute force brute force.
Using the human factor
Despite the fact that no technology is used when using the human factor, this method is in most cases considered the most effective and sometimes even the fastest, since in this case, attackers receive passwords illegally from the users themselves, and the latter can even don't suspect. First of all, when using this method of obtaining user passwords, the attacker usually finds out the names of the employees of the organization, which he can both know initially and find on the same, say, company website, and after that, according to a scenario thought out in advance, the attacker can get almost any data from users. There are a lot of methods for obtaining user passwords using the human factor. Briefly consider the main methods:
· Phishing. It is a fairly common method of obtaining the necessary information from users. The term phishing itself comes from the English word fishing, which translates as fishing and is a type of fraud, the main task of which is to gain access to users' confidential data. The attack itself occurs as follows: the user receives a letter to the mailbox, say, from a bank, where the user is offered, by clicking on the link provided, to change his password on the site in order to ensure security. In fact, such a link leads to the hacker's website with a page that is very similar to the bank's page, and when you try to change your password, the password will be sent to the attacker;
· Infecting computers with Trojan horses. As you know, a Trojan horse is called malware, which is distributed by intruders, with the help of which he can access data, depending on what task he has set for himself. In turn, user passwords are no exception;
· Qui pro quo. This method comes from the Latin expression qui pro quo (one for the other), which also means a misunderstanding resulting from the fact that one person, thing or concept is mistaken for another. In the case of password theft, this method involves a call by attackers to the company. An attacker can pose as a technical specialist and learn about vulnerabilities that may be in the organization and take advantage of them. Or just find out user password by phone;
· Pretexting. This method is the easiest. By and large, using this method of stealing a password, an attacker may even be, to some extent, far from hicking, since in this case, actions are performed that are worked out according to a pre-compiled pretext or, more simply, a scenario. He can begin to communicate with the user on some website, by means of correspondence e-mail, UIM messengers, etc. For obvious reasons, this method can take much more time than all of the above, but, nevertheless, it is also in demand.
The simplest method of stealing a password is shown in the following illustration:
Creating complex passwords
Most likely, you have all seen the following picture.
Here, in a rather simple and comic form, it is drawn what passwords you can create and how your users will interact with such passwords. To be honest, you can disagree with the method shown in the picture, since the second password can be cracked faster than the first one, even though it will take the attacker some time.
First of all, as I said at the beginning of the article, in any case, you need to configure restrictions on the creation of complex passwords using group policy, and such policies should be tied not to a specific unit, but to the entire domain. Of course, by setting up security policies, you will prevent the creation of passwords like "123456" or "qwerty" that users are so fond of specifying, user passwords can still be vulnerable to hackers.
For example, if you have a user named Vladimir in your sales department who was born on the 9th of a certain month, his password might well be something like "Vladimir9". As you can see, this password is nine characters long, which is likely to be longer than the default password length set by Group Policy. In addition, in given password there are letters from a different case (well, it’s not good to indicate your name with a small letter) and this password contains numbers (in this case, the user’s birthday). Accordingly, the password will meet the requirements specified using Group Policy, but it can be cracked literally in a matter of seconds.
You need to try to convince your users to create complex passwords for any of their accounts, create a different password for each account, and also store their passwords in your memory. The last two points are the most difficult, as most users are used to having one password for their account in Active Directory, and also, well, if so, having one password for mailboxes, social media, trackers, forums and so on. If you nevertheless forced your users to create a complex password, pay attention to the fact that many people like to write it down on a piece of paper and stick it to their monitor, keyboard, etc., which is unacceptable, since it is already difficult to call it a password.
How to create your own password
It is desirable that the user's password be at least 8 characters long, and that the password contains Latin letters in different registers in random order, the password contains numbers and that there are also special characters. If a password is being created for the account that will be logging into the server, then it is desirable to create passwords that are longer than 12 characters. In most cases, users rarely bother inventing such passwords. Therefore, you will need to either invent passwords instead of them, which is extremely inconvenient, because. if you have 20 users, it will take some time, but you can handle it, but if you have more than 100 users, then such a pointless task will take a whole day. And they still need to be changed periodically, because. no password can be perfect.
Therefore, you can either direct users to sites with password generators, for example, to the site http://genpas.narod.ru or to sites with similar functionality. There are actually a lot of such sites. You can also write a page on your internal web server that will provide the same functionality, which is also unlikely to take much time, even if you do not have web programming skills. And you can notify users about the presence of such a page on the site, say, using an official mailing list. Accordingly, your users will not need to spend time trying to come up with a complex password, but will only have to remember it.
You can also tell your users about simple scripts to create a complex but easy to remember password. There are hundreds of different interesting scenarios. Let's look at a few of these scenarios.
1. Take two Russian words - a verb and a noun. For example, the words "cook" and "candlestick". Add an arbitrary number, which will be divided into two parts, for example, the year of birth of your favorite writer, say 1966, and also take any special character, let it be, for example, a question mark. Now write down everything you found earlier in this order: the first capitalized word, the first two digits of the year of birth, the question mark, the second capitalized word, and the last two digits. It should look something like this: "Cook19? Candlestick66." now we will type the received password in the English layout. As a result, your user will have the following password: Ujnjdbnm19?Gjlcdtxybr66". In such a password, 23 characters turned out, moreover, it is unrealistic to pick it up by enumeration in a dictionary, and using the brute force method, the attacker will take, to put it mildly, more than one month.
2. Take any tongue twister, for example, "In the bowels of the tundra, otters in spats dig buckets of cedar kernels" and take the date of birth of the user's great aunt, say October 29, 1957. Now write down each first letter of each word on English language, moreover, write down every second letter in uppercase and put one number between some words, and put an exclamation mark at the end of the password. It should look like this: " vN2tV9vG10tV19vY57k!". Again, such a password will be very difficult to pick up.
3. Take any line of your favorite poem, for example, "It's not without reason that all of Russia remembers Borodin's day!" and write down two letters from each word on the English layout, and for each new word, indicate the letter in upper case. At the end, you can put your birthday. For example, in this case it should look like this: YtGjDcHjGhLt
4. Take a difficult word that you remember, but that this word is not often used in colloquial speech. For example, let's take a word that is embarrassing not to know, namely the name of a volcano that erupted in Iceland in 2010, namely: Eyjafjallajökull. There are 16 letters in this word, so we insert the year of the event after the 8th letter, i.e. 2010 and write all the words, as in the previous examples in the English layout. We get the following complex password: ”qzamzlk2010fq`r.lkm».
There are many more interesting scenarios to come up with. Most importantly, such passwords are not difficult to remember and are considered complex.
There are many ways to check the complexity of the created password. For example, Microsoft has a password checker that will let you know how strong your generated password is. To do this, go to the password checker page and enter your password in the corresponding text box. You will immediately receive a notification that will indicate the type of complexity of your password. An example of this tool is shown in the following illustration:
Conclusion
This article has covered methods for cracking user passwords, as well as how you can create a password that is difficult to crack but fairly easy to remember. I hope that with the four simple examples in this article, you will be able to teach your users how to keep their data safe and how to create complex passwords. What scripts do you use to generate complex passwords?
Only at first glance, impenetrable passwords do not contain a logical structure and look like abracadabra. Complex passwords are such only for those who do not know the recipe for their creation. You do not have to memorize letter case, numbers, special characters and their order. It is enough to choose a memorable base and follow simple tips for creating strong passwords.
Children's counting rhymes
We take any nursery rhyme or rhyme as the basis for the password. It is desirable that it be found only in your area and not be well known. Better than your own writing! Although any children's rhymes will do, the main thing is that the lines are firmly planted in your head from a young age.
The password will consist of the first letters of each word. Moreover, the letter will be written in uppercase if it is the first in the sentence. We replace some letters with numbers similar in spelling (for example, “h” to “4”, “o” to “0”, “z” to “3”). If you don’t want to get too confused with replacing letters with numbers, look for a rhyme that already contains numbers. Do not forget about punctuation marks that separate words and sentences - they will come in handy.
Example:
Turtle tucked its tail
And she ran after the rabbit.
Got ahead
Who does not believe - come out!
We replace the letters "h", "z" and "o" with similar numbers. The second, third and fourth lines start with capital letters and are therefore written in upper case. We include four punctuation marks. Of course, we write in Russian letters, but on the English keyboard layout.
17-character password is ready! It may not be perfect, as it contains repeated characters, consecutive lowercase letters, and numbers. But to call it simple certainly will not turn the language.
Favorite sayings
The scheme is similar to children's counting rhymes. Only as a basis you take your favorite and very memorable phrases of thinkers, celebrities or movie characters. You can complicate your life a little by replacing the letter "h" not with "4", but with "5", for example. There are never too many confusing maneuvers!
Example:
I found out that I have
There is a huge family
River, field and forest,
In the field - every spikelet ...
We replace the letter "h" with "8", do not forget about the uppercase and punctuation marks.
Ze,8evTjc^H,g,bk,Dg-rr…
Jargon and terminology
It implies the use of professional jargon, understandable to an extremely narrow number of people. These words are much more distant from the common man than the criminal sayings widely covered on the TV screen and the streets of any city.
For example, you can use a hospital discharge or a fancy medical definition.
Example:
Cyclopentanperhydrophenanthrene is a 28-letter term. It turns out to be a bit long, therefore I propose to throw out the vowels and dilute the remaining consonants with upper case.
Memorable dates
Of course, your birthday or the day you started your family life is not the best basis for a password. The event should be of exceptional importance, and only you should know about it. For example, it could be the day you first ate gum, ran away from class, or broke your heel. Since the basis of the password will be numbers, it is not superfluous to mix them with letters.
Example:
10/22/1983 and 06/16/2011
Replace the dots separating the day, month, and year with any letter, such as the small English “l”, which is very similar to the fairly common “/” separator. Between the dates we put the underscore character "_". Zeros are replaced by the letters "o".
visual key
Use the smartphone unlock technique on your keyboard as well. Think of any shape and “swipe” your finger along its contours.
Do not forget to go through the numbers, change the horizontal and vertical direction of movement. And show, unlike me, fantasy!
Conclusion
The suggested ways to create a memorable, but at the same time quite difficult to understand password from the side, can be changed and combined at your discretion. It is enough to think over your super password once, and you can use it without fear in the presence of an outsider.
How do you choose your password?
Computer security experts from the University of Cambridge analyzed the structure of more than 70 million passwords. And we found out that the most complex passwords in the world are users from Germany and Korea. And they do it naturally and naturally, without special training. And the secret of the stability of combinations lies in the specifics of their language. They use the same Latin characters, the same numbers, but they take their native “difficult” words as a basis - names, toponyms, terms, etc. For example, Annaberg-Buchholz#122. It is easy to come up with, remember these options, but picking them up is an order of magnitude more difficult compared to dictionary words in other languages.
If you, dear reader, do not know Korean or German, this, of course, does not mean that you should ignore complex passwords. They are the key to the security of your data on the Internet (in online payment systems, on websites, forums). This article will tell you what the account key must meet the requirements (what it should be) and how to create it.
Difficulty definition
Key complexity is a measure of resistance to selection at the symbol level by manual and automated methods (logical calculation, dictionary selection). It is determined by the number of cracker attempts, that is, how much time it will take him to calculate the combination compiled by the user.
The following factors affect password complexity:
- The number of characters in the key. The more characters in a sequence, the better. A combination of 5 characters has a high probability of a quick hack. But the selection of a sequence of 20 characters can take years, decades and even centuries.
- Alternating uppercase and lowercase letters. Examples: the key dfS123UYt using the case of capital letters is an order of magnitude more complicated than the same combination, but only with small letters - dfs123uyt.
- character sets. A variety of character types enhances sustainability. If you make a key from small and large letters, numbers and special characters 15-20 characters long, there is practically no chance of picking it up.
How to make stable combinations?
The following methods will help you come up with a very complex symbolic key that is easy to remember.
1. Visually create the contours of a geometric figure or any object on your computer keyboard. And then type the characters along which the lines pass.
Attention! Avoid simple "designs" - lines, squares or diagonals. They are easy to predict.
2. Make a complex sentence that defies logic. In other words, some pun:
For example: Cat Vaska caught a pike on Jupiter.
Then take the first 2-3 letters of each word from the invented sentence:
Cat + Va + Na + Jup + st + pike
Type the syllables in Latin letters:
Rjn + Df + Yf + >g + ek + oer
After transliteration, insert some numbers you know well between syllables: date of birth, height, weight, age, last or first digits of a phone number.
Rjn066Df 45Yf 178>g 115ek1202oer
That's all! As you can see, it turned out to be a rather “strong” combination. To remember it quickly, all you need is a key (pun intended) and the numbers used.
3. Take 2 memorable dates as a basis. For example, two birthdays (yours and your loved one).
12.08.1983 05.01.1977
Separate the day, month and year with some special characters:
12|08/1983|05\01|1977
Now replace the zeros in the dates with a small letter "o".
12|o8/1983|o5\o1|1977
It turns out quite an intricate key.
4. Make a special table: arrange Latin letters and numbers vertically and horizontally in the matrix, and characters in a chaotic order in rows and columns.
To generate a key, take a few simple words, written in English letters, for example, my password is very strong
Take the first couple of letters. In our case it is "my". Find "m" in the vertical list, "y" in the horizontal list. At the intersection of the lines, you will receive the first character of the password.
In the same way, by means of the following pairs, find the remaining characters of the key.
If you forget your password, use the simple keyword and table.
How to check password strength?
The resistance of a symbolic combination to selection can be found on special web services. Consider the most popular:
Online service from antivirus laboratory Kaspersky. Determines, from the character set and length of the key, how long it will take to crack it on various computers. After analyzing the sequence, the statistics show the time to search on the ZX-Spectrum (the legendary 8-bit machine of the 80s), Mac Book Pro (2012 models), the Tianhe-2 supercomputer, and the Conficker botnet network.
Online utility on the huge service portal 2IP.ru. After sending the key to the server, it gives its status (trusted, untrusted) and the time spent on cracking it.
Loading...