This excerpt is from the chapter "Choose Your Passwords Wisely" of Computer Security: 20 Things Every Employee Should Know, written by Ben Rothke and published by McGraw-Hill/Osborne Media.
Choose your passwords wisely
Alice is returning from maternity leave as the human resources manager at Duke Industries, leaving her new daughter Winifred at home. With her account being reactivated, Alice now must choose all new passwords.
Alice is so excited about recently becoming a mom that she uses her newborn daughter's name as her password to the HR employee database. Unbeknownst to Alice, a disgruntled employee, Natalie, has been trying to find out her manager's salary. Natalie downloaded John the Ripper, an easy-to-use password-cracking program she found on the Internet. Within minutes, the program checks every word in the English dictionary; Alice's account is successfully attacked and its password gleaned, giving Natalie access to all the HR information under Alice's user account.
The above scenario is real and happens far too often. The problem is that people are now required to remember passwords for myriad systems: corporate systems, online banking, voice mail systems, alarm codes, network passwords, system passwords and many more.
As a security professional, I can tell you that most people simply can't choose an effective password. The trade-off is between a password that's easy to remember (and ineffective) and one that's effective but difficult to remember.
Since it is so tough to remember all these passwords, people commonly adopt shortcuts, such as writing their password on Post-it® notes and sticking them to their monitor or under their mouse pad. Using Post-it® notes is almost as bad as not having passwords at all.
In the example above, Alice makes a poor choice of passwords for two reasons: Winifred is a common word in most dictionaries, and the password Winifred can be easily guessed by anyone who knows that Alice is a new mother.
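As an added illustration (not from the chapter), a small Python check that rejects the two kinds of choice described above: a password that reduces to a dictionary word, and one built from the user's personal details. The word list, the substitution table and the personal-detail list are constructed for the example; a real deployment would use a full cracking word list.

```python
"""Password-choice check for the two weaknesses the chapter names:
dictionary words and words tied to the user's personal details.
Constructed example; the word list and personal details are made up."""
import re

# Constructed stand-in for a dictionary / cracking word list.
DICTIONARY = {"winifred", "password", "welcome", "summer", "natalie", "duke"}

# Substitutions a word-list attack routinely tries, so they add no real strength.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def _base_forms(password: str) -> set[str]:
    """Base words a cracker would derive from the password (lower-cased,
    with leading/trailing digits or symbols such as '2003!' removed, and
    with common letter substitutions undone)."""
    lowered = password.lower()
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    forms = {lowered, stripped, lowered.translate(LEET), stripped.translate(LEET)}
    return {f for f in forms if f}


def check_password(password: str, personal_info: list[str],
                   dictionary: set[str] = DICTIONARY) -> list[str]:
    """Return the reasons a password is weak; an empty list means it passed.
    Only the whole password is compared against the word list, so a long
    multi-word passphrase is judged by its length rather than its words."""
    reasons = []
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    forms = _base_forms(password)
    if forms & dictionary:
        reasons.append("based on a dictionary word")
    personal = {p.lower() for p in personal_info if p}
    if any(p in f for f in forms for p in personal):
        reasons.append("based on personal information")
    return reasons
```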
The responsibility for catching tools like password-cracking software on the network is not the user's, but the user must be aware that such tools exist.
This was first published in October 2003