Red Hat ENTERPRISE LINUX 3 - INTRODUCTION TO SYSTEM ADMINISTRATION Administration Manual page 130

6.1.2.1.3. Recognizable Words
Many attacks against passwords are based on the fact that people are most comfortable with
passwords they can remember. And for most people, passwords that are memorable are passwords that
contain words. Therefore, most password attacks are dictionary-based. In other words, the attacker
uses dictionaries of words in an attempt to find the word or words that comprise a password.
Note
Many dictionary-based password attack programs use dictionaries from multiple languages.
Therefore, you should not feel that you have a strong password just because you have used non-English
words in your password.
6.1.2.1.4. Personal Information
Passwords that contain personal information (the name or birth date of a loved one, a pet, or a personal
identification number) may or may not be picked up by a dictionary-based password attack. However,
if the attacker knows you personally (or is sufficiently motivated to research your personal life), they
might be able to guess your password with little or no difficulty.
In addition to dictionaries, many password-crackers also include common names, dates, and other
such information in their search for passwords. Therefore, even if the attacker does not know that
your dog is named Gracie, they could still find out that your password is "mydogisgracie", with a
good password-cracker.
6.1.2.1.5. Simple Word Tricks
Using any of the previously discussed information as the basis for a password, but reversing the
character order, does not turn a weak password into a strong password. Most password-crackers perform
such tricks on possible passwords. This includes substituting certain numbers for letters in common
words. Here are some examples:
drowssaPdaB1
R3allyP00r
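The following Python code is an added example, not part of the original manual. It shows a password-change check that undoes case changes, reversal, padding digits, and number-for-letter substitution before looking for dictionary words, which is why the two passwords above are still weak. The word list, the substitution table, the function names, and the last sample password are assumptions constructed for illustration.

```python
# Added example: reject passwords that reduce to dictionary words once
# simple tricks (case, reversal, padding digits, substitutions) are undone.

# Constructed sample word list (assumption); a real check would load a full
# dictionary plus common names and dates.
WORDS = {"bad", "password", "really", "poor", "my", "dog", "is", "gracie"}

# Number/symbol-for-letter substitutions to undo (assumed, not exhaustive).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def made_of_words(text, words=WORDS):
    """True if text can be split entirely into dictionary words."""
    if not text:
        return False
    reachable = [True] + [False] * len(text)
    for end in range(1, len(text) + 1):
        reachable[end] = any(
            reachable[start] and text[start:end] in words
            for start in range(end)
        )
    return reachable[-1]


def candidates(password):
    """Yield the password with each combination of tricks undone."""
    lowered = password.lower()
    for base in (lowered, lowered[::-1]):                 # undo reversal
        for trimmed in (base, base.strip("0123456789")):  # drop padding digits
            yield trimmed
            yield trimmed.translate(LEET)                 # undo substitutions


def weak_form(password):
    """Return the dictionary-based form the password reduces to, or None."""
    for form in candidates(password):
        if made_of_words(form):
            return form
    return None


if __name__ == "__main__":
    # The last entry is a constructed sample with no dictionary basis.
    for pw in ("drowssaPdaB1", "R3allyP00r", "mydogisgracie", "t7#Kq9!vZx2&"):
        print(f"{pw!r}: {weak_form(pw) or 'no dictionary form found'}")
```
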
6.1.2.1.6. The Same Password for Multiple Systems
Even if you have a password that is strong, it is a bad idea to use the exact same password on more than
one system. Obviously little can be done if the systems are configured to use a central authentication
server of some kind, but in every other instance, different passwords should be used for each system.
6.1.2.1.7. Passwords on Paper
Another way to turn a strong password into a weak one is to write it down. By putting a password on
paper, you no longer have a secrecy problem, you have a physical security problem — now you must
keep a piece of paper secure. Therefore, writing down a password is never a good idea.
However, some organizations have a legitimate need for written passwords. For example, some
organizations have written passwords as part of a procedure to recover from the loss of key personnel
(such as system administrators). In these instances, the paper containing the passwords is stored in
Chapter 6. Managing User Accounts and Resource Access
