VERY good advice about your password. Originally sent on STaTus BBS, and reprinted here by permission of the author.

Message : 9359 [Open] 3-31-91 9:40am
From    : Murray Moffatt
To      : Jon Clarke (x)
Subject : #9344 hi
Sig(s)  : 1 (General)

Speaking of passwords, I think it's probably a good idea that someone should advise our new (and not so new) users on the art of picking passwords. Anybody volunteer? Speak now or forever hold your peace? No? Ok, I'll take it on myself to do this.

Your password is the only thing that stands between you and some nasty hacker-type person. Your username is common knowledge to everybody that uses the system, so you must keep your password secret. This means not telling people, or lending it to people, or writing it down and sticking it to your screen, or anything like that. It also means that you must choose your password carefully.

Recent experiments have shown that 25% of people choose passwords that can easily be hacked. The method that is most often used to hack a password is called the 'dictionary hack'. The hacker gets a dictionary and goes through it trying each word as the password. Of course he doesn't do this by hand, he writes a little prog to do it, and the dictionary is a file of words. So, if you use a word that is found in the dictionary, you'll be found out. Just stop for a second and think: are any of your passwords words that are found in the dictionary?

So, how do you combat this? Simple, don't choose words from the dictionary! But at the same time it's not a good idea to use dates, number plates, phone numbers, etc. The best way is to make up words. Simply string two or more words together to form a new word. For example, BLADE and RUNNER may be in the dictionary, but I'll bet that BLADERUNNER or BLADE-RUNNER or BLADE.RUNNER isn't! You can also use the initial letters from words of a phrase. For example, Three Blind Mice Ran Up The Clock would translate to a password of TBMRUTC.
Looks like a nonsense word, doesn't it? But it means something to you, you just have to remember the phrase.

Also, remember not to use the same password on different systems. I know that this is a hard thing not to do, but try to have different passwords on each board you use. And change the passwords regularly. Where I work all the passwords expire after 30 days, and you're forced to enter a new one. Some systems, like IBM systems, remember the last 5 or so passwords that you've used, and won't let you re-use them. They also force you to have at least one digit in the password and other things as well.

Oh, and one last thing. There are a whole lot of commonly used passwords. These passwords are used so often by people, that the hacker will always try these first. Here's a list that I grabbed off Usenet that someone posted of the most commonly used passwords:

alt/security/ 369
From: jsax@cdp.UUCP
Subject: Re: OVERUSED PASSWORDS
Date: 9 Jan 91 05:08:00 GMT
Nf-ID: #R:cdp:1159900002:cdp:1159900003:000:6649
Nf-From: cdp.UUCP!jsax Jan 8 21:08:00 1991

Taken from 'A Novice's Guide to Hacking- 1989 Edition' by The Mentor LOD/H

Password List
=============

aaa         daniel      jester        rascal
academia    danny       johnny        really
ada         dave        joseph        rebecca
adrian      deb         joshua        remote
aerobics    debbie      judith        rick
airplane    deborah     juggle        reagan
albany      december    julia         robot
albatross   desperate   kathleen      robotics
albert      develop     kermit        rolex
alex        diet        kernel        ronald
alexander   digital     knight        rosebud
algebra     discovery   lambda        rosemary
alias       disney      larry         roses
alpha       dog         lazarus       ruben
alphabet    drought     lee           rules
ama         duncan      leroy         ruth
amy         easy        lewis         sal
analog      eatme       light         saxon
anchor      edges       lisa          scheme
andy        edwin       louis         scott
andrea      egghead     lynne         scotty
animal      eileen      mac           secret
answer      einstein    macintosh     sensor
anything    elephant    mack          serenity
arrow       elizabeth   maggot        sex
arthur      ellen       magic         shark
asshole     emerald     malcolm       sharon
athena      engine      mark          shit
atmosphere  engineer    markus        shiva
bacchus     enterprise  marty         shuttle
badass      enzyme      marvin        simon
bailey      euclid      master        simple
banana      evelyn      maurice       singer
bandit      extension   merlin        single
banks       fairway     mets          smile
bass        felicia     michael       smiles
batman      fender      michelle      smooch
beauty      fermat      mike          smother
beaver      finite      minimum       snatch
beethoven   flower      minsky        snoopy
beloved     foolproof   mogul         soap
benz        football    moose         socrates
beowulf     format      mozart        spit
berkeley    forsythe    nancy         spring
berlin      fourier     napoleon      subway
beta        fred        network       success
beverly     friend      newton        summer
bob         frighten    next          super
brenda      fun         olivia        support
brian       gabriel     oracle        surfer
bridget     garfield    orca          suzanne
broadway    gauss       orwell        tangerine
bumbling    george      osiris        tape
cardinal    gertrude    outlaw        target
carmen      gibson      oxford        taylor
carolina    ginger      pacific       telephone
caroline    gnu         painless      temptation
castle      golf        pam           tiger
cat         golfer      paper         toggle
celtics     gorgeous    password      tomato
change      graham      pat           toyota
charles     gryphon     patricia      trivial
charming    guest       penguin       unhappy
charon      guitar      pete          unicorn
chester     hacker      peter         unknown
cigar       harmony     philip        urchin
classic     harold      phoenix       utility
coffee      harvey      pierre        vicky
coke        heinlein    pizza         virginia
collins     hello       plover        warren
comrade     help        polynomial    water
computer    herbert     praise        weenie
condo       honey       prelude       whatnot
condom      horse       prince        whitney
cookie      imperial    protect       will
cooper      include     pumpkin       william
create      ingres      puppet        willie
creation    innocuous   rabbit        winston
creator     irishman    rachmaninoff  wizard
cretin      isis        rainbow       wombat
daemon      japan       raindrop      yosemite
dancer      jessica     random        zap

----snip-----snip-----------

The Internet Worm used a lot of the above passwords in its first password pass. After that it just used the dictionary, etc. It'd really be worth it to check this list when people change passwords. That plus 1-2 month password expire is good security. It's amazing how many people use SECRET or MODEM for their password. Not to mention using their first name...

Jon  "God hates me."  vector0!jon@sactoh0.SAC.CA.US  "Hate 'im back, works for me."
...ames!pacbell!sactoh0!vector0!jon

alt/security/ 372
From: shipley@remarque.berkeley.edu (Pete Shipley)
Subject: Re: OVERUSED PASSWORDS
Date: 10 Jan 91 01:58:06 GMT
Organization: Processed People for a Processed America

In article <1159900002@cdp> jsax@cdp.UUCP writes:
>
>I received this from a respondent to my article on alt.security
>recently. Is your password on the list? (Tell me! Tell me!)
>
> These are passwords that were used by the Internet worm, and
>are included in COPS.
>
>
>aaa

A person would be crazy to admit their password is on that list, because you will be able to crack that person's account in less than two minutes using telnet.

Note that list is used by everyone, it is effective on non-educated users but since every password checker written in the last five years has this list (or the list the internet worm was built from) it is not as useful as it once was for password cracking.

I suggest acquiring a list of female names, I have had the most success with those lists. My 8mm tape collection used a list of common last names, female names, male names, the worm list, /usr/dict/words (from SunOS 4.1) and the word list from Webster's 7th Collegiate Dictionary, plus a list I put together (contains default passwords some OS's come with).

-Pete

Pete Shipley: email: shipley@berkeley.edu   Flames: cimarron@postgres.berkeley.edu
uunet!lurnix!shipley or ucbvax!shipley or apple!nli!{root,shipley}
Spelling corections: /dev/null
Quote: "Anger is an energy"
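A password-change check of the kind both posts recommend (reject anything on the common-password list or in the dictionary, require at least one digit as the IBM systems do, and remember the last five passwords so they cannot be reused), written here as an added example; it is not code from the BBS or Usenet authors, and the two wordlists are constructed samples standing in for the full list above and /usr/dict/words.

```python
import hashlib
import hmac
import os
from collections import deque

# Constructed sample lists; a deployment would load the full common-password
# list reproduced above and the system dictionary (e.g. /usr/dict/words).
COMMON_PASSWORDS = {"aaa", "password", "secret", "modem", "guest", "hacker", "wizard"}
DICTIONARY_WORDS = {"blade", "runner", "mice", "clock", "computer", "zebra"}


def _derive(password, salt):
    # Salted PBKDF2 so the stored history cannot be read back as plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class PasswordPolicy:
    """Applies the thread's advice at password-change time."""

    def __init__(self, history_size=5):
        self.history_size = history_size
        self._history = {}  # username -> deque of (salt, digest), newest last

    def check(self, username, candidate):
        """Return the reason a candidate is rejected, or None if it passes."""
        lowered = candidate.lower()
        if lowered in COMMON_PASSWORDS:
            return "on the common-password list"
        if lowered in DICTIONARY_WORDS:
            return "is a dictionary word"
        if lowered == username.lower():
            return "equals the username"
        if not any(ch.isdigit() for ch in candidate):
            return "needs at least one digit"
        for salt, digest in self._history.get(username, ()):
            if hmac.compare_digest(_derive(candidate, salt), digest):
                return "reused one of the last %d passwords" % self.history_size
        return None

    def change(self, username, candidate):
        """Apply the checks and, on success, record the new password's hash."""
        reason = self.check(username, candidate)
        if reason is not None:
            return False, reason
        salt = os.urandom(16)
        hist = self._history.setdefault(username, deque(maxlen=self.history_size))
        hist.append((salt, _derive(candidate, salt)))  # oldest entry drops off
        return True, "accepted"
```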