Confessions of an Internet hacker: Stealing your personal information was hard to resist

California CPA, March, 2002 by Larry Russell

If everyone practiced safe computing and simply kept their antivirus software up to date, viruses would have a hard time propagating, and maybe the individuals who create them might abandon their unfruitful efforts.

Your First Line of Defense

IMPLEMENT SAFE PASSWORD POLICIES

Ineffective passwords are the weakest link in computer security. With workstations attached to both the company network and the Internet, having a weak password policy is the equivalent of putting a $2 padlock on a jewelry store's door. You might as well post a sign, "Come and get it."

Guidelines for Secure Passwords

The FBI offers guidelines for an effective password policy, all based on common sense. Still, many of us resist applying these rules as they tend to be bothersome. The FBI guidelines include:

* Do not write down a password on a sticky note and place it on or near your computer.

* Do not use words found in a dictionary. That's right, a dictionary--any dictionary.

* Do not use words from a dictionary followed by two numbers.

* Do not use the names of people, places, pets or other common items.

* Do not share your password with anyone else.

* Do not use the default password provided by the vendor.

* Use a different password for each account.

* Change your password often.

* Use passwords with 10 characters or more, mixing alpha, numeric and special characters.

* Turn off your computer or disconnect it from the network when not in use.

The Weak Links

Passwords are one of the first lines of defense that users have to protect their systems. Unfortunately, people are not accustomed to remembering difficult passwords consisting of numbers and weird characters. A growing number of applications and Web sites that require passwords makes this problem worse. The most common work-around for this problem is that users write down their passwords and keep them in an unsecured area, like stuck to a computer screen or taped under a keyboard.

A hacker will attempt to crack a system by running a program that will guess the correct password of the target machine. These programs may contain entire dictionaries in several different languages and often contain words from pop culture such as idioms, science fiction movies and novels.

Hackers attack people's weaknesses, such as a user's reluctance to remember several long, difficult-to-guess passwords. Once most users choose a password, they tend to reuse it for several accounts. When a user keeps the same password for a long period of time, it gives attackers that much more time to gain access to a system.

Tricks of the Trade

Here are some basic techniques for remembering long passwords:

* Choose a phrase that is easy to remember, such as "Tastes Great and Less Filling."

* Pick a familiar number, such as a phone number, (800) 922-5272.

* Interlace the first letter of each word in your phrase with the last five digits of the phone number to create a password such as t2g5a2l7f2.

This method creates a password that won't be found in any dictionary and is unique to the person who created it.
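The construction above and the guideline checks from the FBI list, as an added example that is not part of the original article; the word list is a constructed stand-in for the dictionaries a cracking program carries, and the function names are my own.

```python
import re

# Constructed mini-dictionary standing in for the word lists a password
# guessing program carries; a real check would load full wordlist files.
DICTIONARY = {"tastes", "great", "less", "filling", "password", "secret", "jewelry"}


def interlace_password(phrase: str, number: str, digits: int = 5) -> str:
    """Build a password the way the article describes: the first letter of
    each word in the phrase, interlaced with the last `digits` digits of
    the number (e.g. "Tastes Great and Less Filling" + "(800) 922-5272")."""
    initials = [w[0].lower() for w in phrase.split() if w[0].isalpha()]
    tail = re.sub(r"\D", "", number)[-digits:]
    if len(initials) != len(tail):
        raise ValueError("need exactly as many words as digits to interlace")
    return "".join(letter + digit for letter, digit in zip(initials, tail))


def policy_violations(password: str, dictionary=DICTIONARY) -> list:
    """Return the guideline rules the password breaks (empty list = passes):
    10+ characters, mixes alpha/numeric/special, is not a dictionary word,
    and is not a dictionary word followed by two numbers."""
    problems = []
    lowered = password.lower()
    if len(password) < 10:
        problems.append("shorter than 10 characters")
    has_alpha = re.search(r"[A-Za-z]", password) is not None
    has_digit = re.search(r"\d", password) is not None
    has_special = re.search(r"[^A-Za-z0-9]", password) is not None
    if not (has_alpha and has_digit and has_special):
        problems.append("does not mix alpha, numeric and special characters")
    if lowered in dictionary:
        problems.append("is a dictionary word")
    # "word + two numbers" is a pattern cracking programs try after plain words
    m = re.fullmatch(r"([a-z]+)\d{2}", lowered)
    if m and m.group(1) in dictionary:
        problems.append("is a dictionary word followed by two numbers")
    return problems


if __name__ == "__main__":
    pw = interlace_password("Tastes Great and Less Filling", "(800) 922-5272")
    print(pw, policy_violations(pw))
```

Run against the article's own example, the check reports that t2g5a2l7f2 satisfies the length and dictionary rules but contains no special character, so a character from the phrase's punctuation or a symbol appended to it is still needed to meet every rule in the list.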

Content provided in partnership with Thompson Gale