CHAPTER 28 System Security
Passwords should be chosen that are difficult to guess. A study done in 1978 showed that 16% of all passwords are 3 characters or less, and that 86% of chosen passwords could be described as insecure. A more recent study showed that simply trying 3 guesses on each account: the login name, login name in reverse, and the two concatenated, would obtain access to 8 - 30% of the accounts on a typical system.
Use a password that contains mixed case alphabetic characters and numbers. It should be 6 - 8 characters long to make the number of possible combinations extremely large. For 62 possible characters in each position (26 lower case + 26 upper case + 10 digits) there are 62n possible combinations. This is 238328 for a 3 character password and 2.18*1014 for an 8 character password. In contrast, if you only use lower case letters there are 263, or 17576 combinations for a 3 character password and 2.09*1011 in an 8 character one.
Your password, though difficult to guess, should be easy to remember. If you have to write it down it's not secure. A study by Daniel V. Klein reported in his paper, Foiling the Cracker: A Survey of, and Improvements, to Password Security, (available from ftp://www-wls.acs.ohio-state.edu:/pub/security/Dan_Klein_password_security.ps.Z) emphasizes the poor choice of passwords found on many systems. The following table is from this paper regarding the passwords cracked from a sample set of 13,797 accounts solicited from the Internet.
| Type of Password | Size of Dictionary | Duplicates Eliminated | Search Size | # of Matches | Pct. of Total | Cost/Benefit Ratio |
|---|---|---|---|---|---|---|
| User/account name | 130[5] | - | 130 | 368 | 2.7% | 2.830 |
| Character sequences | 866 | 0 | 866 | 22 | 0.2% | 0.025 |
| Numbers | 450 | 23 | 427 | 9 | 0.1% | 0.021 |
| Chinese | 398 | 6 | 392 | 56 | 0.4%[6] | 0.143 |
| Place names | 665 | 37 | 628 | 82 | 0.6% | 0.131 |
| Common names | 2268 | 29 | 2239 | 548 | 4.0% | 0.245 |
| Female names | 4955 | 675 | 4280 | 161 | 1.2% | 0.038 |
| Male names | 3901 | 1035 | 2866 | 140 | 1.0% | 0.049 |
| Uncommon names | 5559 | 604 | 955 | 130 | 0.9% | 0.026 |
| Myths & legends | 1357 | 111 | 1246 | 66 | 0.5% | 0.053 |
| Shakespearean | 650 | 177 | 473 | 11 | 0.1% | 0.023 |
| Sports terms | 247 | 9 | 238 | 32 | 0.2% | 0.134 |
| Science fiction | 772 | 81 | 691 | 59 | 0.4% | 0.085 |
| Movies and actors | 118 | 19 | 99 | 12 | 0.1% | 0.121 |
| Cartoons | 133 | 41 | 92 | 9 | 0.1% | 0.098 |
| Famous people | 509 | 219 | 290 | 55 | 0.4% | 0.190 |
| Phrases and patterns | 998 | 65 | 933 | 253 | 1.8% | 0.271 |
| Surnames | 160 | 127 | 33 | 9 | 0.1% | 0.273 |
| Biology | 59 | 1 | 58 | 1 | 0.0% | 0.017 |
| /usr/dict/words | 24474 | 4791 | 19683 | 1027 | 7.4% | 0.052 |
| Machine names | 12983 | 3965 | 9018 | 132 | 1.0% | 0.015 |
| Mnemonics | 14 | 0 | 14 | 2 | 0.0% | 0.143 |
| King James bible | 13062 | 5537 | 7525 | 3 | 0.6% | 0.011 |
| Miscellaneous words | 8146 | 4934 | 3212 | 54 | 0.4% | 0.017 |
| Yiddish words | 69 | 13 | 56 | 0 | 0.0% | 0.000 |
| Asteroids | 3459 | 1052 | 2407 | 19 | 0.1% | 0.007 |
| Total | 86280 | 23553 | 62727 | 3340 | 24.2% | 0.053 |