WatchGuard Technologies, Inc.

Pass the Word: Strengthen Your P@s$w0rDs

by Julia Christensen, Staff Editor, http://www.watchguard.com

Companies typically provide strong physical security for their computers (e.g. locked server rooms), but sometimes overlook guarding against entry via their network. Similarly, at home people make a point of locking their doors, but neglect the security hole that their connection to the Internet creates, via their modem connection or DSL line. A good network security policy includes pass phrases to lock down your Firebox, your doorway to the Internet, creating a virtual locked door. And the better your pass phrase, the stronger the lock.

Strong pass phrases are especially important on the WatchGuard Firebox. A weak, easily guessed, or compromised Firebox password can make even the most aggressive Firebox rule set irrelevant, and expose the entire enterprise.

A Good Pass Phrase Is Hard to Find Out

While no pass phrase is uncrackable given enough time, the better the pass phrase, the longer it will take to crack. Simple pass phrases can be cracked with a little time and a computer able to make repeated guesses. Your aim is to use a pass phrase that takes so long to crack that the attacker becomes frustrated and moves on. Following that logic, avoid using pass phrases that are easy to guess. Pass phrases that are easy to guess include:

  • Words, names or numbers that have some reference to you and can be discovered. For example: Your license plate number, birthdate, pet's names, children's names and birthdates, anniversaries.

  • A word that a "shoulder surfer" (someone watching you type the password) could easily repeat. Example: qwerty, poiuyt, 123456.

  • Words or names that a computer program could match by trying obvious searches, such as:

    - Any word in a standard dictionary

    - Company or organization names (especially your own)

    - Famous names

    - Proper names

    - Any of the above written backward

    - Any of the above with a number or single character inserted at the end or beginning

    - Any of the above in a foreign language

  • Short pass phrases, since fewer characters means fewer tries are needed to guess the phrase.

  • Pass phrases used as examples in documentation about pass phrases.

  • Pass phrases that obviously refer to what they are used for, such as "read", "write", "readwrite", "ro", "rw", etc. And no, you are not the first to make your password "password."

  • A simple combination of some of the above, for example, "WatchGuardro".

Other Password Pitfalls

Even if you've devised a pretty tough pass phrase, these common mistakes can still make an attacker's job easy:

  • Using the same password on multiple systems. If the password is cracked, then all your systems are compromised. At minimum, try modifying a base password for each.

  • Writing a password down. Two-thirds of all computer security breaches are inside jobs, so never assume it's safe to leave a sticky note listing passwords on your computer, at your desk, or in a drawer. If you must write something down to help you remember, disguise it by changing the words around in some fashion or by burying it in a grocery list. This keeps the pass phrase obscure. Never store your user name or other required login information on the same piece of paper or file as the pass phrase itself.

  • Sending a password where it can be read. A pass phrase sent in an e-mail that is not encrypted can be snooped by a cracker. Store only encrypted pass phrases on the computer.

Elements of a Good Pass Phrase

Generally, people choose and use poor pass phrases because they're easy to remember. In order to be useful, a good pass phrase should be obscure to all but the owner of the account. The best pass phrase has these characteristics:

  • It can be remembered

  • It can be typed easily and quickly

  • It won't easily be spotted by a shoulder surfer

  • It is long enough to be secure

  • It is complex enough to withstand multiple guessing attempts

  • It has upper and lowercase letters

  • It has numerals and/or other non-letter characters

How can you create a password that is obscure to others, yet memorable to you? Try creating your own acronym (e.g. Ilw@Hdth for "I love working at home during the holidays"). Or, take a phrase that you can remember, and then strengthen its obscurity by replacing some characters (e.g. change the simple, memorable phrase "I'm for eating!" to the pass phrase Im4e@tin9!).
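As an added example (not WatchGuard's code), the following screening function turns the easy-to-guess patterns listed above and the characteristics of a good pass phrase into checks you can run on a candidate; the tiny word list, the eight-character minimum and the keyboard runs are assumptions standing in for a real dictionary, and the sample strings are the article's own examples.

```python
import re

# Constructed, deliberately small word list standing in for the dictionary,
# company, famous and proper names a cracking program tries first.
DICTIONARY = {"password", "watchguard", "firebox", "secret", "holiday", "seattle", "einstein"}
# Words that reveal what the pass phrase is used for (the article's own examples).
PURPOSE_WORDS = {"read", "write", "readwrite", "ro", "rw"}
WEAK_WORDS = DICTIONARY | PURPOSE_WORDS
# Keyboard runs a shoulder surfer could replay after one glance.
KEYBOARD_RUNS = ("qwerty", "poiuyt", "asdfgh", "123456")
MIN_LENGTH = 8  # assumed threshold; the article only says "long enough"


def _base_forms(candidate):
    """Lowercase candidate, its reverse, and both with one leading or trailing character removed."""
    c = candidate.lower()
    forms = {c, c[::-1]}
    if len(c) > 1:
        for stripped in (c[1:], c[:-1]):
            forms.update({stripped, stripped[::-1]})
    return forms


def weak_reasons(candidate):
    """Return the article's reasons a pass phrase is easy to guess; an empty list means it passes."""
    reasons = []
    c = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        reasons.append("too short")
    if any(form in WEAK_WORDS for form in _base_forms(candidate)):
        reasons.append("dictionary word, name or purpose word (plain, reversed, or with one character added)")
    if any(run in c for run in KEYBOARD_RUNS):
        reasons.append("keyboard sequence a shoulder surfer could repeat")
    # "WatchGuardro": two weak words glued together are still weak.
    if any(c[:i] in WEAK_WORDS and c[i:] in WEAK_WORDS for i in range(1, len(c))):
        reasons.append("simple combination of weak words")
    if not (re.search(r"[a-z]", candidate) and re.search(r"[A-Z]", candidate)):
        reasons.append("no mix of upper and lower case letters")
    if not re.search(r"[^A-Za-z]", candidate):
        reasons.append("no numerals or other non-letter characters")
    return reasons


def is_strong(candidate):
    """True when none of the article's easy-to-guess patterns apply."""
    return not weak_reasons(candidate)


if __name__ == "__main__":
    for sample in ("password", "WatchGuardro", "qwerty", "drowssap", "Ilw@Hdth", "Im4e@tin9!"):
        print(f"{sample:14} -> {weak_reasons(sample) or ['ok']}")
```

Passing this screen only rules out the obvious patterns the article names; it does not prove a phrase is hard to crack.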

A pass phrase is only secure while it remains unknown to others. A secure pass phrase is one element in a good security policy, and one more opportunity to lock your door to a potential network compromise. Deadbolt that door with a good strong pass phrase, and would-be attackers will find it more appealing to pick on $om3b0dy EL$e.