CHAPTER 28 System Security
Passwords should be chosen that are difficult to guess. A study done in 1978 showed that 16% of all passwords were 3 characters or fewer, and that 86% of chosen passwords could be described as insecure. A more recent study showed that simply trying 3 guesses on each account (the login name, the login name reversed, and the two concatenated) would obtain access to 8 - 30% of the accounts on a typical system.
Use a password that contains mixed case alphabetic characters and numbers. It should be 6 - 8 characters long to make the number of possible combinations extremely large. For 62 possible characters in each position (26 lower case + 26 upper case + 10 digits) there are 62^n possible combinations for an n-character password. This is 238328 for a 3 character password and 2.18*10^14 for an 8 character password. In contrast, if you only use lower case letters there are 26^3, or 17576, combinations for a 3 character password and 2.09*10^11 in an 8 character one.
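The following Python is an added example, not code from the chapter, that puts the two preceding paragraphs into a password-policy check an administrator could run at password-change time: it computes the keyspace of a given alphabet and length (62^n versus 26^n), and it rejects the three trivial login-derived guesses the chapter cites together with passwords that are too short or do not mix character classes. The minimum length of 6 and the requirement for upper case, lower case and digits are assumptions taken from the chapter's advice; the login names and passwords used below are constructed test values.

```python
from __future__ import annotations

import math
import string

# Policy thresholds assumed from the chapter's advice (6 - 8 characters,
# mixed case plus digits). Adjust to local policy.
MIN_LENGTH = 6


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of `length` characters drawn from
    `alphabet_size` symbols, i.e. alphabet_size ** length (the chapter's 62^n)."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2 of the keyspace: how many bits an exhaustive guesser must cover."""
    return length * math.log2(alphabet_size)


def alphabet_size(password: str) -> int:
    """Size of the alphabet implied by the character classes actually used.
    A password using only lower case letters is drawn from 26 symbols even
    if the system would have accepted 62 or more."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # the 32 printable ASCII symbols
    return size


def login_derived_candidates(login: str) -> set[str]:
    """The trivial guesses the chapter says open 8 - 30% of accounts:
    the login name, the login name reversed, and the two concatenated
    (both orders, compared case-insensitively by the caller)."""
    rev = login[::-1]
    return {login, rev, login + rev, rev + login}


def check_password(login: str, password: str) -> list[str]:
    """Return a list of policy violations; an empty list means the password passes."""
    problems: list[str] = []

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    derived = {c.lower() for c in login_derived_candidates(login)}
    if password.lower() in derived:
        problems.append("derived from the login name")

    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if not (has_lower and has_upper and has_digit):
        problems.append("does not mix upper case, lower case and digits")

    return problems


def describe(login: str, password: str) -> str:
    """Human-readable verdict including the keyspace the password is really drawn from."""
    size = alphabet_size(password)
    space = keyspace(size, len(password)) if size else 0
    problems = check_password(login, password)
    verdict = "OK" if not problems else "; ".join(problems)
    return (f"{login!r}: alphabet={size}, length={len(password)}, "
            f"keyspace={space:.2e} ({entropy_bits(size, len(password)) if size else 0:.1f} bits): {verdict}")


if __name__ == "__main__":
    # Constructed sample logins and candidate passwords, not real accounts.
    for login, pw in [("alice", "alice"), ("alice", "ecila"), ("alice", "aliceecila"),
                      ("bob", "Ab1"), ("carol", "Tr0ub4dor")]:
        print(describe(login, pw))
```

Running the block prints one verdict per constructed sample; only the last, which is long enough, mixes all three classes and is unrelated to the login, passes. Note that `alphabet_size` deliberately measures the classes the user actually used rather than what the system permits, since that is the space a guesser has to cover.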
Your password, though difficult to guess, should be easy to remember. If you have to write it down it's not secure. A study by Daniel V. Klein reported in his paper, Foiling the Cracker: A Survey of, and Improvements to, Password Security (available from ftp://www-wls.acs.ohio-state.edu:/pub/security/Dan_Klein_password_security.ps.Z), emphasizes the poor choice of passwords found on many systems. The following table is from this paper and covers the passwords cracked from a sample set of 13,797 accounts solicited from the Internet.
| Type of Password | Size of Dictionary | Duplicates Eliminated | Search Size | # of Matches | Pct. of Total | Cost/Benefit Ratio |
|---|---|---|---|---|---|---|
| Myths & legends | 1357 | 111 | 1246 | 66 | 0.5% | 0.053 |
| Movies and actors | 118 | 19 | 99 | 12 | 0.1% | 0.121 |
| Phrases and patterns | 998 | 65 | 933 | 253 | 1.8% | 0.271 |
| King James bible | 13062 | 5537 | 7525 | 3 | 0.6% | 0.011 |