Visual QuickStart Guide [Electronic resources] : Mac OS X 10.4 Tiger نسخه متنی

Unix Passwords & Security

You may think, "I don't care if someone reads my mail" or "I don't store important files in my directory, so who needs a good password?"

This is exactly what

crackers count on. Many times, these crackers don't want to read your mail or erase your files; they want to install their own programs that take up your computer time and Internet bandwidth. They steal resources from you and slow down your computer and Internet response time. They also install

Trojan horse programs that allow them to break into your computer at a future date. These Trojan horses are designed to look and act exactly like other normal programs you expect to see on the machine.

When a cracker breaks into your computer system, your only course of action is to take the machine off the network and rebuild the operating system from scratch. It's virtually impossible to detect Trojan horses, which is why you must rebuild your system. The rebuild process can take days, and you lose communication during that time. Scared? Good. Your first line of defense is to use good passwords.

The object when choosing a password is to pick a password that is easy for you to remember but difficult for someone else to guess. This leaves the cracker no alternative but a brute-force search, trying every possible combination of letters, numbers, and punctuation. A search of this sort, even conducted on a machine that could try one million passwords per second (most machines can try less than one hundred per second), would require, on average, over one hundred years to complete. With this as your goal, here are some guidelines you should follow for password selection.

Dos

Do use a password with nonalphabetic characters: digits or punctuation mixed into the middle of the password. For example,

ronh3;cat .

Do use a password that contains mixed-case letters, such as

ROnHCAt .

Do pick a password that is easy to remember, so you don't have to write it down. (And

never write it on a sticky note and stick it on your monitor.)

Do use a password that you can quickly type, without having to look at the keyboard. This makes it harder for someone watching over your shoulder to steal your password. If someone is watching, ask them to turn their head.

Don'ts

Don't use your login name in any formfor example, as it is, reversed, capitalized, or doubled.

Don't use your first name, last name, or initials in any form.

Don't use your spouse's, child's, or pet's name.

Don't use other information that is easily obtained about you. This includes license plate numbers, addresses, telephone numbers, social security numbers, the brand of your automobile, and the name of the street you live on.

Don't use a password that consists of all digits or all the same letter. This significantly decreases the search time for a cracker.

Don't use a word contained in dictionaries (either English or foreign language), spelling lists, or other lists of words (for example, the Star Trek series, movie titles, Shakespeare plays, cartoon characters, Monty Python episodes, the

Hitchhiker's Guide series, myths or legends, place names, sports words, and colleges). These are all part of the standard dictionaries that come with cracking software, and the crackers can always add their own dictionaries.

Don't use a word simply prefixed or suffixed with a number or a punctuation mark.

Don't substitute a zero for the letter O or substitute a numeral one for the letter L or I.

Don't use a password shorter than six characters.

Password ideas

Although these password rules may seem extreme, you have several methods for choosing secure, easy-to-remember passwords that also obey the rules. For example:

Choose a line or two from a song or poem and then use the first letter of each word. For example, if you pick, "In Xanadu did Kubla Kahn a stately pleasure dome decree," you would have

IXdKKaspdd . "Ding dong the Witch is dead" becomes

DdtWid .

Create a password by alternating between one consonant and one or two vowels, as long as eight characters. This provides nonsense words that are usually pronounceable and thus easily remembered. For example,

moatdup and

jountee .

Choose two short words and concatenate them with a punctuation character. For example:

dog:rain or

ray/gun or

kid?goat .

To change your password