Editor's note: Through October, the Ohio University Office of Information Technology will offer information security best practices in observance of National Cyber Security Awareness Month.
Oct. 22, 2007
By Sean O'Malley
Was Ali Baba a hacker? If you consider password theft to be hacking, then the answer would have to be yes.
Computers were still centuries away when the story of "Ali Baba and the Forty Thieves" was first told, but his trick would be familiar to any modern-day hacker. Today, of course, passwords are more likely to guard login prompts and firewalls than magical cave entrances, but the basics of password security have changed little since Ali Baba first uttered "Open Sesame."
The first rule in protecting any password is to keep it a secret. Don't write your password down or tell it to others. The more people who hear or see your password, the more likely it is to be compromised.
The second rule revolves around complexity. To create a strong password, you need to choose something that is hard to guess. Keeping another person from guessing your password is fairly simple: just avoid things like your birthday, your spouse's name or the name of your department. Creating passwords that can stand up to password-cracking software requires a bit more effort. In general, you should make your password at least eight characters long; use a mix of numbers, letters and punctuation marks; and avoid words that appear in any published list, including a dictionary.
Of course, for a password to be useful, it needs to be easy to remember. "Gxj34,iK$%" may be hard to guess, but it's not exactly memorable. To create a password that is both complex and memorable, start with a phrase that has personal meaning to you; then, turn that phrase into an acronym. For example, "My daughter's birthday is June 25." becomes "MdbiJ25." It's perfectly clear to you, and perfectly meaningless to anyone else.
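As an added example that is not part of the original article, the following Python script checks a candidate password against the rules above (length, character mix, no dictionary word) and builds the phrase-to-acronym form the article recommends. The small word list is a constructed stand-in for a real published list.

```python
import re
import string

MIN_LENGTH = 8  # the article's minimum length

# Constructed stand-in for "any published list, including a dictionary";
# a real deployment would load a full wordlist instead.
COMMON_WORDS = {"password", "sesame", "welcome", "letmein", "qwerty"}


def acronym_from_phrase(phrase: str) -> str:
    """Build the article's acronym form of a memorable phrase: each word
    contributes its first character, numbers are kept whole, and any
    trailing punctuation on a word is preserved."""
    parts = []
    for word in phrase.split():
        core = word.rstrip(string.punctuation)
        tail = word[len(core):]
        if core.isdigit():
            parts.append(core + tail)
        else:
            parts.append(core[:1] + tail)
    return "".join(parts)


def password_problems(password: str) -> list:
    """Return the article's rules that a candidate password violates;
    an empty list means it passes all of them."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_punct = any(c in string.punctuation for c in password)
    if not (has_letter and has_digit and has_punct):
        problems.append("needs a mix of letters, numbers and punctuation")
    # Compare only the letters, lower-cased, so that "Password1!" or
    # "OpenSesame1!" is still caught as a dictionary word.
    letters_only = re.sub(r"[^a-z]", "", password.lower())
    if any(word in letters_only for word in COMMON_WORDS):
        problems.append("contains a published/dictionary word")
    return problems


if __name__ == "__main__":
    candidate = acronym_from_phrase("My daughter's birthday is June 25.")
    print(candidate, password_problems(candidate) or "passes all rules")
    print("Gxj34,iK$%", password_problems("Gxj34,iK$%") or "passes all rules")
    print("OpenSesame1!", password_problems("OpenSesame1!"))
```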
Once you have a secure password, be careful where you use it. Having a single password for multiple servers or services can be convenient, but it puts all of your information at risk should one of those accounts get compromised. You're much better off having a different password for each login, especially if you use services like eBay or PayPal that are common targets for phishing scams.
Ed Carter, senior security analyst with the Office of Information Technology, emphasizes the importance of not using one's Oak password elsewhere. "Every quarter, we deal with at least a few compromised Oak accounts as a result of phishing scams," Carter says. "If you get fooled by such an attack," he notes, "you're much more at risk if you've got a single password for everything."
Finally, you should get in the habit of changing your password every 30 days. The longer a password stays the same, the more time hackers have to guess it.