I think we ought to start from the beginning (although reading this backwards would be a lot more entertaining, ?kniht uoy t'nod), what is a password?
Passwords are codes that only the user and the system should know, these codes let the user access the system.
Most systems are not for public use, and so they often require different permissions depending on who is using the system. For example, in an automated library you would need permissions set for your username to allow you to withdraw a book. The librarian however would have access to a plethora of tasks such as adding a new book or registering new users.
So a user can use any password they want? Well, not really. See, the problem is that people want to gain access to systems so if the password is something they can guess or easily crack, then it is pointless having one. Of course, it is true that a password will deter some people, but chances are all they would do is frape you.
Note to frapers: Posting
So how do we choose a good password? Well for a start, do not use any dictionary words (yes, that includes klingon) as if it can be found on a list then that list may well be the one that is being used to break into your account.
According to Pfleeger, since there are 26 characters in the alphabet and to get the amount of possible combinations you need to exponate 26 by the amount of letters in the password, you would work out how many possible combinations there are for all password sizes less than 3 for example is: 26^1 + 26^2 + 26^3 = 18,278. This sounds like quite a few, but at a millisecond a second it would take the same amount of milliseconds to list them all. This should explain why choosing a longer password will reduce how quickly the password can be bruteforced. However, since that equation only worked out the speed of letters, it is still easier to crack a password that is "america" than "*/a". It is also harder to social engineer random gibberish than something that is meaningful, which we shall get onto soon.
You know how I kinda said "soon"? Well I meant to say "right now".
Social engineering is often heard in reference to identity theft, well somebody without permission gaining permission to something they have no permission to gain permission to is a form of identify theft (pretending they are you, as you have permission). Besides, this guide is system agnostic... we might be talking about someone breaking into your online banking. Or, again, just Facebook. Social engineering is about gaining trust of the person that has the permission (or The Force, could be Star Wars) and compromising that trust to work out a password.
Actually, Kevin Mitnick would often gain trust of one person (all over the phone of course) such as a receptionist, get their name and a name of somebody with authority, then gain trust from somebody else by mentoining the receptionist's name and pretending to be the person with authority. The need for authority is not nessecarily that he is able to get access to that account, but rather because other people do not like to say no to people that could get them fired! So pretending to be somebody higher rank that they are would reduce the likelyhood of needing identity et cetera.
How can social engineering be used? One very common way is that a lot of systems allow passwords to be reset by answering "secret" questions or directly send a new password to an email address. Now, picture a scenario: Junior Developer Joseph Tibble is working as an intern at a coorporation that you want root access to (of course, remembering that this is a scenario and not something you should be doing). You decide to Google his name and find his Facebook but it is private, you can only see that in his picture he looks pretty young and that he has a Gmail account. Obviously, you try to gain access to his account but it has sent a changing password comfirmation to an old email address. You try to gain access to the old email address but it asks "What iz me fav game".. well he cannot spell so probably not scrabble, lets try minesweeper. Nope! Hmm, three tries left. So you decide to Google the old email address... "oh look" you think, a few years ago he had an account on a World of Warcraft blackmarket forum... yes!! His favourite game was "WoW" (you got it after trying "World of Warcraft") and you now have access to two of his email accounts.
You get the drift, by learning what you can about a person (especially by making contact and being trusted) you can create chaos.
Back to passwords!
If it is that easy to get past the password altogether, then why do we need them? Because every little layer counts (thanks Tesco), the more security layers we have... hopefully... the more secure it will be!
So we now know that passwords need to be pretty long, so they cannot be instantly bruteforced, and they should also be hard to guess (nothing in lists such as dictionaries or to do with your interests) to prevent dictionary attacks as well as social engineering.
How about patterns then? Probably not. Unless you can find a pattern that you can easily remember, but that no body would be able to figure out (which I am sure they could if they had a few of your passwords), then patterns probably are not your safest bet. Just imagine how many people have 1337 Sp33ch (yes, I know, I fail at life. Shhh) thinking they are ultra secure! Nu uh.
Oh wait!! I just said "a few of your passwords"... we have not yet gone through that. Basically... Pitty the fool who uses one password! Yeah, I KNOW it is easier but if you do not have a password for each individual service then the cracker can easily gain access to everything. You don't want that.
I would suggest using some kind of password manager. Google them, find one that you trust. And it is probably best if you don't tell anybody which one your using, if the cracker knows a vulnerbility in one then it is best if they do not know it is what you are using. If you are good with programming and encryption, you could even attempt to make your own encyrpted password list. This has the benefit in that the cracker does not know how your encryption works, however the downside is that you have no community (or professional team) to check the code for vulnerbilities and bugs.
I shall not go on to discuss the kinds of encryptions (and indeed hashes) that are available to you, but that may come in a later article. One thing I shall briefly mention, though I will probably write an article for those creating the systems rather than just using them, is that usernames are as much passwords as the passwords themselves. Granted, usernames are often public... but if the cracker does not know which account belongs to who then it is harder to social engineer (though they would probably just ask you what your username is). Systems in which allow a username and a display name separately can help. A fairly big security risk is when the error message that appears when you log in says "username is wrong" or "password is wrong" rather than "The data you have entered is not correct", as that narrows it down quite a bit. But that is more about designing security features than passwords.
Please feel free to ask any questions, I hope this has at least given you something to think about.
This post has been edited by Shane Hudson: 12 March 2012 - 09:57 AM