Choosing a good password

Index

• How to Choose a Password
• Don't Share Your Password!
• Use SSH Keys Instead
• Choosing Good SSH Key Passphrases
• How to Create an SSH Key
• SSH Key Agents

Objectives

How to choose a password

It's important to make sure your password is secure, in order to prevent others from using your account. The first part of this is choosing a good password. A "good" password will be one that you are able to remember yourself, but which others will not be able to guess. Not only do you need to guard against ordinary people attempting to log into your account by guessing based on what they know about you, you must also ensure that your password is resistant to the people who use programs to automate their hacking attempts, which can attempt thousands of password possibilities per second.

Here are a few simple guidelines to follow to make sure that your password is good:

• Make sure your password is long enough -- at least 8 or more characters. Longer passwords are harder to guess, and short passwords are easier.
• Do not use dictionary words as a password. Many automated password cracking attempts start with running through the dictionary and guessing each word as the password to try to break into an account. The things most vulnerable to this type of attack are:
  • Normal words that appear in the dictionary (ie: password, dictionary, alphabet, ...)
  • Combinations of two shorter dictionary words, with or without a number between them (ie: whatwhen, sing4you, ...)
  • Passwords composed entirely of numbers (ie: 192837465, 987654321, ...)
  • Passwords that are too short (ie: anything with six characters or less)
• Do not use names either. One common practice was to use the name of a pet or a child as your password, but anyone who knows that information about you would be able to use it to guess your password.
• Try using combinations of multiple words, or "initializations" of phrases, for example the phrase "The Rain In Spain Falls Mainly On The Plain" would become "Trisfmotp"
• Your password should include a mix of upper and lower case letters, numbers, and even symbols (such as the @, !, and &) - one common way is to replace letters or syllables with numbers or symbols that are pronounced the same, replacing "at" with "@", or replacing "i" with a one or "o" with a zero, such as in "Go0dG1rl", or "$ing4m3". Another way is to use multiple words, and/or put numbers or symbols them, like "not4h4ing". Applying this to the previous point's example to make "Tr1$fm0tP" would make it even better. Even so, you shouldn't use all numbers, or all symbols or all letters in your password -- again, that makes it easier for someone else to guess.
• Don't use "famous" passwords -- any password that is used on television, in a movie, a book, or a "how to choose a password" document, is a password that everyone has seen, and will be one of the first things that is tried by someone trying to break into an account. Thus, the password "trustno1" which was used by agent Mulder in the X-Files, while technically good by the rest of these guidelines, is still bad because millions of people know about it. Similarly, "$ing4m3" and "not4h4ing" are bad because most if not all of the other people using the same system as you have seen them as a password suggestion.

Don't Share your password!

Sharing your account with someone else is a violation of SHARCNET's Acceptable Use Policy, and can result in you losing your account. Accounts are free, and easy to get, if your research assistant, co-worker, or friend needs, one, they only need to apply for it to get their own!

Your account contains all of your data, and all of your work. Having access to your account on SHARCNET's systems (or indeed any other system) means that anything that person is doing is being done in your name. If someone else has access to your account, that person is able to act in your name, and you would then be responsible for any action taken by that person with your account. Not only do you want to protect your own data from tampering and theft, you also need to make sure that your account is not used for any illicit activities.

Sharing your password with someone else can take many forms -- from just letting the person "borrow" your login for a few days because they don't have their own account yet, to writing your password down on a piece of paper in your desk drawer -- anyone who has access to your desk without you present would then have access to your password, including students, other researchers, and even cleaning staff.

Use SSH Keys Instead!

One complaint many people have is that properly secure passwords are often very difficult to remember. Even with the best of mnemonics, how many people are going to have an easy time remembering something like "Tr1$fm0tP"? The best solution to this is to use something other than passwords for logging into your account, such as SSH Keys.

SSH Keys are a special pair of files - one you place on the server in your account, and one you carry with you, and provide to SSH to let you access your account. This has the advantage of eliminating the annoying password prompts every time you want to upload a file, or open another command shell in your account. Your private key (the one you carry around with you) can be taken with you on a USB stick, CD, or any other digital storage media, and to use it, you just have to either put it on your workstation, or configure your ssh client to look at your USB stick to retrieve it.

Rather than having to provide your password over and over every time you want to transfer a file, or open another login shell, with an SSH Key and an SSH Key agent set up, you can simply type in your passphrase once when you sit down at the computer, and it will remain open for as long as you are there.

It is also possible to set up an SSH Key with no passphrase, however it is strongly recommended against, since that would mean that anyone who found your USB stick lying around would be able to use it to access your account.

Choosing Good SSH Key Passphrases

Just like with choosing good passwords, passphrases do need to be selected with some care. If you have some personal catchphrase that everyone you know associates you with, it would be a bad choice to use as a passphrase for your SSH Key, since as with having no password, anyone who finds your USB stick can try that as your passphrase and use your account. On the other hand, passphrases that are too complex, like "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtan" are also bad, since it's close to impossible to remember. The best way to pick a passphrase is to choose a sentence that is easy for you to remember, like "The rain in Spain falls mainly on the plain", or the first sentence from a book or story you like. If you want to make it more secure, you can also use the same kinds of letter replacement rules as with passwords, but a much lesser degree would be needed due to the length of the passphrase, thus "Th3 rain in Spain falls mainly on the plain" would be potentially just as effective as "Tr1$fm0tP", but much easier to remember.

Of course, the last password-choosing rule also still applies, you should never use a passphrase that is mentioned as such in a book, movie, or "Choosing a Password" document.

How to Create an SSH Key

Most modern operating systems either come with an SSH client, Key generator, and Key agent already installed, or have them easily available for download. Mac OS X, Linux, and other Unix systems come with command-line SSH tools pre-installed. Windows users can either obtain the"Official" SSH client from http://www.ssh.com/ or can obtain a free, and lightweight SSH client called "PuTTY" from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html - both come with the ability to generate SSH keys and a key agent that will work with them. The key agent included with PuTTY will also work with SSH based file transfer programs such as WinSCP, which is available from http://winscp.sourceforge.net/.

To use PuTTYgen to create an ssh key for your SHARCNET account, download and run the program, choose SSH-2 RSA or SSH-2 DSA (1024 bit size) and click on the "Generate" button, then follow the given instructions. Once the key is finished, add a passphrase to it, and then save your private key file - this will need to be imported into your ssh program (preferably using a key agent such as Pageant, the PuTTY Key Agent). The "public" key can be either saved and transferred, or cut-and-pasted directly from the box in the program into the .ssh/authorized_keys file in your home directory on your SHARCNET account.

For users with Mac OS/X or Linux systems, first, open a text shell on your system (Mac users can find this in Applications/Utilities) and type the command:

ssh-keygen -t dsa

You will be prompted to give the program a file name to store your key in, (the program will recommend id_dsa, which is a good idea), and to type your passphrase in twice. After that, the program will create two files. One with the name you chose, and the other with ".pub" added to the end of it. The private file (without .pub) belongs in your .ssh directory on your local workstation, and the id_dsa.pub file belongs in your account on the server. If you log in, and copy it there, you should place it in a file named "authorized_keys" in the .ssh directory in your account on the SHARCNET clusters.

For Windows users, the files will also be created, and the .pub file (or "public key", depending on which program you use) is the file which should be placed on the server in the .ssh/authorized_keys file, and the private key file should be pointed at by your ssh client as the SSH Key to be used.

SSH Key Agents

An SSH Key agent will allow you to unlock your SSH key for the duration of your login session, which will save you the trouble of typing in your passphrase over and over, every time you want to transfer a file, or open a new login shell. Essentially, it holds your SSH key, and unlocks it once when it starts up, then feeds it to the SSH program every time you are going to log into the server.

Mac OS/X systems have an SSH key agent built in, which will automatically start up if you have either an id_dsa or id_rsa file in your .ssh/ directory. The first time you attempt to log into the server with your key in place, a dialog will ask you for your SSH passphrase, and will have a checkbox that can be turned on to store your passphrase in the key agent.

Linux systems also come with one built in, which can be started by typing "ssh-agent". To activate your SSH private key, as long as you put it in your .ssh directory and named it either id_rsa or id_dsa, you can simply run the command "ssh-add", type in your passphrase, and it will remain stored in the key agent. To kill the ssh key agent in linux, you can use the command "ssh-agent -k".

In Windows, you must download an SSH key agent to use, such as Pageant, the PuTTY Key Agent. When you download and run it, it will create an icon in the task bar near the clock. Double-clicking on it will bring up the Pagent manager window, which you can use to add and remove SSH Keys - when you add a key, click the "add key" button, and choose the private key file you saved from PuTTYgen (usually ends in .ppk) and you will be asked for the passphrase. Once you enter the passphrase, PuTTY and WinSCP will both make use of the key from Pageant, to make logging into the server much easier. When you log back out of windows, the Pageant program will exit, and the next time you log in, it will need your key to be re-added. The advantage of this is that you can store your key, as well as PuTTY, WinSCP, and Pageant on your USB thumb drive, and carry it with you to any workstation you wish to use to log in, without worrying about people using the computer after you having access to your SHARCNET account.