USS Clueless Stardate 20010629.1351


Stardate 20010629.1351 (On Screen): Many years ago I bought a book (published by Microsoft Press!) called "Out of the Inner Circle" which was written by a guy who was about 21 years old. He had just emerged from paying his debt after a successful prosecution for computer crime and decided to write about what it was like to be in a hacker group called "The Inner Circle". It's a bit dated now but much of what it describes is still relevant. One of the things he describes is how ridiculously easy it is to guess the passwords that most neophytes select for themselves.

The two most commonly chosen passwords by novice users are "sex" and "secret".

When making a "dictionary" attack, they would start with a list of popular music groups, the names of members of those groups, sporting teams, sports stars, fifty or so male first names, a hundred female first names, and other things like that. Surprisingly, about half of accounts would fall to this short list of perhaps a thousand words. Accounts that did not would then be subjected to a broader dictionary attack of hundreds of thousands of words.

Whether passwords provide secure or insecure protection depends only on the intelligence with which they are chosen and protected. A few years ago I was briefly the system manager at a company where I worked, and I wrote and distributed a memo discussing password choice. The best password is a meaningless string of letters and numbers, but that's also difficult to remember. (Still, that's used in some places where a password is given to you without you having any ability to change it.) The best way to form a good password that is relatively easy to remember is to concatenate two words together: "galaxyegg". But don't pick words that make a normal English phrase or a phrase from pop culture. Don't use "coldbeer" or "redbrick" or "purplerain".
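The advice above can be turned into a check run when a user picks a password. The following is an added example, not part of the original post: the word lists are tiny constructed samples standing in for the short list and the broad dictionary, and the function names are hypothetical.

```python
# Constructed sample lists; a real check would load far larger files.
SHORT_LIST = {"sex", "secret", "john", "mary", "beatles", "yankees"}
DICTIONARY = SHORT_LIST | {
    "galaxy", "egg", "cold", "beer", "red", "brick",
    "purple", "rain", "window", "anchor",
}
# Word pairs that form an ordinary phrase or a pop-culture reference.
KNOWN_PHRASES = {("cold", "beer"), ("red", "brick"), ("purple", "rain")}


def split_two_words(candidate, dictionary):
    """Return every (left, right) split where both halves are dictionary words."""
    return [
        (candidate[:i], candidate[i:])
        for i in range(1, len(candidate))
        if candidate[:i] in dictionary and candidate[i:] in dictionary
    ]


def screen_password(candidate):
    """Classify a proposed password by the weakest category it falls into."""
    pw = candidate.lower()  # guessers try case variants, so compare lowercased
    if pw in SHORT_LIST:
        return "short_list"            # falls to the first thousand-word pass
    if pw in DICTIONARY:
        return "dictionary"            # falls to the broader word list
    splits = split_two_words(pw, DICTIONARY)
    if any(pair in KNOWN_PHRASES for pair in splits):
        return "common_phrase"         # e.g. "coldbeer", "purplerain"
    if splits:
        return "two_unrelated_words"   # the form the memo recommends
    return "no_match"                  # not built from words in these lists


if __name__ == "__main__":
    for sample in ["secret", "Galaxy", "purplerain", "galaxyegg", "x7q9kd2m"]:
        print(f"{sample:12} -> {screen_password(sample)}")
```

A result of "no_match" only means the candidate is absent from these sample lists, so the quality of the check depends on how complete the loaded lists are.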
