About password security
Weak passwords are probably the most common source
of security problems. Even at home, you may expose yourself to
serious trouble because somebody may be able to hack your computer
when you browse the Internet and read/delete your files, or use your
computer to do something really nasty to the local police computer
network. Therefore, keep all your login names/passwords secure, even
at home. Once somebody logs into your computer (even as an ordinary
user), he may find it quite easy to gain root access (depending on
how well-maintained/up-to-date your system is vs. how good a hacker
Here are some examples of hazardous passwords:
No password (possible!).
The word "password" (wow, this one
is really weak!).
Your login name (The login and the password
the same? Hmm.).
Your first name or the first name of your
daughter, son, husband, wife, girlfriend, or any other first name.
The number of first names in use is quite limited--just check the
paperback book "what to name your baby". Don't assume that
a first name you think of is secure because you are from
India--Canada is really a multinational society and the typical
namelist seems to cover all kinds of first names.
Your last name or any other last name. The
number of last names is surprisingly limited! Just check the US
census data to see that your "rare" last name from the
abamamahaba island is very well represented in the US 89,000 of the
most frequent last names (e.g.,
http://www.census.gov/genealogy/www/freqnames.html). Or just check
the Toronto telephone book. Another proof that we are all one family
The nickname of your dog, wife, canary or
computer. (Very few nick names humans use, much fewer than last
Name of your favourite sports team,
celebrity, toothpaste, or detergent. Avoid names of popular soccer
teams like fire. Same with rock bands (music).
Date of your birth, social security number,
etc; Sequences of digits can be easily probed.
Name of your company, department, workgroup,
Password written in the calendar on your desk
or on the side of your computer.
A password which you also use in an insecure
public place, for example an Internet store or a mailing list. In
general, you should use different passwords for places controlled by
Any word which is in the English dictionary.
The English dictionary does not contain as many words as it might
seem. A not-so-skillful hacker can easily set a program to encrypt
all dictionary words (100,000? that's under 1 MB!) and then compare
all the encrypted strings to your encrypted password. As a matter of
fact, tools for the "dictionary attack" are readily
available on the Internet. Try the program crack yourself to find
how easy it is. Swear words or "cool" (colloquial)
expressions make the password particularly vulnerable for cracking.
Any other word, last name, first name, pet or
swear word, no matter in what language. For a cracker, to cover most
languages is only a small overhead if he already covered one. How
many significant languages are out there? 40? The cracker just
grabs a few more files and appends it to his cracking list. The
point here is that the subset of words that humans normally use if
far far below the theoretical limit of the random combination of
Any of the above with an addition of a
number/letter at the beginning or the end. "yuoping1" is
really a very weak password.
A good password is relatively long (minimum 6
characters, some experts even recommend minimum 10 characters),
contains a mixture of letters (upper and lower case, if possible),
numbers and special characters, and is changed quite regularly (8-16
Unfortunately, the better the password, the harder
it is to remember. I solved this problem for myself by taking 10
minutes to invent my personal password "scheme". Say, I
always start and end with the monkey (@) sign, and use two words
connected with an exclamation mark, the last letter of each word is
capitalized, e.g., "@whitE!housE@". Seems like an adequate
password, and it is easy to remember once I know what my password
rule is. If you are a memory genius, you may consider truly
excellent passwords generated with mkpasswd :))
The system administrator can set the password
policy (minimum length, requirement of special characters, password
expiry) through the utility included in this configuration program
(run as root):
under the menu "user
account"-"policies"-"password & account
policies". Normal users won't be able to set a password which
is too short, is a dictionary word, or does not contain the
prescribed number of non-alphanumeric characters (but root can change
any password to anything s/he likes, s/he will only be given a
Also make sure that any file that contains any
password of yours (e.g., /root/.kde/share/config/kppprc)
has proper, secure permissions so that it cannot be read by anybody.
For example, most likely you want:
If you use an "over the phone" Internet
connection for just a couple of hours a week, you may be fine even
with a relatively weak password on your system. But please really
reconsider your system security if you use a cable modem, or are
otherwise connected to the Internet for a significant amount of time.
Most computer semi-literate use amazingly weak
passwords. "Around 50 percent of computer users base passwords
on the name of a family member, partner or a pet. Thirty percent look
to a pop idol or sporting hero," reports CNN
Please note the underlined base. Appending a digit to an obvious
word hardly makes the password more secure.