Defense
Password Strength
Selecting a password that will be difficult to guess (or for a hacker to generate algorithmically) is perhaps the single most effective defensive method. Here are some simple (and important) rules:
Never base your password on a dictionary word.
This includes words in languages other than English. This also includes profanity and slang. There exists readily available software that can run through dictionaries in several languages, testing variations of all the words until something fits your password.
Make it long.
The number of possible passwords of a given length increases exponentially with the length. If only 10 characters were available, a password that was 2 characters long would be weak, because only 100 possible passwords would need to be checked. If such a password is 10 characters long, checking all the possible 10^10 passwords (ten billion) would be far more difficult.
Use lots of different character types.
Luckily, we have more than ten characters to choose from. This increases the base in the exponential growth mentioned above. For example, using just the lowercase letters (English) gives us 26 characters to choose from. Thus, there are 26^10 possible ten-character passwords using only the lowercase English alphabet. Adding uppercase letters more than doubles this:
(2 * 26)^10 = 52^10 = 2^10 * 26^10
So you make the hacker's job harder by a factor of 2^10 just by throwing in capital letters as well. Adding numbers and special characters results in similar gains.
Have a different password for everything.
You can bet that if someone gets their hands on one of your passwords, they will try it every time they are prompted for another.
Avoid repetition.
"a_pass" is not much different from "a_pass2222222222". (Of course both are based on dictionary words and should never be used.) The point is that long repetitive strings don't really help. Regularity is your enemy.
Avoid obvious personal info.
If you have your girlfriend's name listed on your MySpace page, don't use it as your password. Similar info can be gleaned from "social engineering" techniques. (Sounds creepy, eh?) For instance, phishing scams may solicit personal info that could then be used in password prediction.
Learn more about password strength from CU's main ITS office.
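As an added illustration that is not part of the original page, the following Python script works through the rules above: it computes the keyspace and entropy bits for a given alphabet and length (reproducing the 52^10 = 2^10 * 26^10 comparison), estimates how long an exhaustive search takes at an assumed guess rate, and discounts repeated units the way the "a_pass2222222222" example suggests. The character-class sizes, the guess rate and the repeat-collapsing heuristic are assumptions made for this example.

```python
import math
import re

# Assumed character-class sizes: 26 lowercase, 26 uppercase, 10 digits and
# 32 printable symbols (the symbol count is an assumption for this example).
LOWER, UPPER, DIGITS, SPECIAL = 26, 26, 10, 32


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols drawn from an
    alphabet of `alphabet_size` symbols: the base grows the keyspace linearly,
    the length grows it exponentially."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Same quantity expressed as bits: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time for an attacker to try every password in the keyspace."""
    return keyspace(alphabet_size, length) / guesses_per_second


def collapse_repeats(password: str) -> str:
    """Crude heuristic for the 'avoid repetition' rule: any unit that is
    repeated back to back ('2222222222', 'abcabcabc') is reduced to a single
    copy, because the repeats add almost nothing an attacker must guess."""
    return re.sub(r"(.+?)\1+", r"\1", password)


def charset_size(password: str) -> int:
    """Sum the sizes of the character classes actually present in `password`."""
    size = 0
    size += LOWER if any(c.islower() for c in password) else 0
    size += UPPER if any(c.isupper() for c in password) else 0
    size += DIGITS if any(c.isdigit() for c in password) else 0
    size += SPECIAL if any(not c.isalnum() for c in password) else 0
    return size


def effective_bits(password: str) -> float:
    """Entropy estimate after discounting repetition: the naive figure for
    'a_pass2222222222' (16 symbols) shrinks to that of the 6-symbol 'a_pas2'."""
    reduced = collapse_repeats(password)
    return entropy_bits(charset_size(reduced), len(reduced))


if __name__ == "__main__":
    print(keyspace(52, 10) == 2 ** 10 * keyspace(26, 10))   # the page's identity
    print(seconds_to_exhaust(26, 10, 1e9) / 86400)           # days at an assumed 1e9 guesses/s
    print(effective_bits("a_pass2222222222"), effective_bits("a_pass2"))
```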
Be Wary!
You shouldn't trust random emails, internet pop-ups, or internet sites any more than you'd trust a back-alley Rolex salesman. Even if something looks genuine, you have no guarantee. (Many thieves long ago learned the value of wearing suits.) Do not be trusting. Do not give out any information to unexpected solicitors. Do not open strange emails. Do not follow strange links. DO NOT download and execute strange programs. DO see the scams page.