How to Prevent hacker intrusion [3]: how to construct a secure password/password?

In the previous post, I introduced how attackers break the password. To avoid easy password cracking, it is necessary to understand the techniques for constructing secure passwords. So we will introduce this topic today.

★Do not share passwords or passwords
I found that a considerable number of students prefer to pack the world with a single password. This is quite dangerous. If the same password is used more often, the greater the risk of leakage. Once leaked, your security defense will crash.
Therefore, the first point of today's speech is never to use the same password in all (MOST) scenarios.

★Password classification mechanism
Because shared passwords are highly risky, it is safer to use only one password for each scenario. However, many people complain that this is complicated and adds a lot of trouble. So how can we achieve security without any trouble? This requires the introduction of the password classification mechanism.
According to the common sense that everyone in the security circle knows: the safer the measure, the more troublesome it is, the higher the cost. The opposite is true. In addition, according to the principle, very important passwords account for only a minority. So, just as a movie requires a classification mechanism, your password/password should also introduce the classification concept. Through a hierarchical mechanism, simplified security measures can be taken for most of the less important passwords, while highly secure measures can be taken for a few important passwords.
Next, we will introduce how to classify different passwords.

◇ Level 1: unimportant passwords
The so-called unimportant password means that it will not cause any loss to you if it is stolen or forgotten.
For example, I often encounter some forums where students can only download attachments from registered members. Therefore, I often register an account temporarily and log on to it to download things. This type of account is basically a one-time one (when used up), so the importance is very low.
For unimportant passwords, there is basically no need to consider too many security factors. Just set one.

◇ Level 2nd: important but rarely used passwords
Important passwords must be treated differently based on the frequency of use. Although some passwords are important, they are frequently used. This type of password is rarely used, so it is difficult to set and the problem is not serious.
For example, some R & D servers (such as source code servers) managed by Alibaba Cloud have a high degree of importance, but generally do not require logon.

◇ Level 3rd: Important and frequently used passwords
This type of password is important and often used. Therefore, it is more important to set such passwords. Both security and ease of use should be taken into account.
For example, the user password of the operating system used in daily use belongs to this type.

★Some negative textbooks-Examples of weak passwords
The grading mechanism has been completed. Next, I will list some negative teaching materials and let everyone look at the weak passwords?

◇ The password is the same as the user name
Needless to say, the password in this situation is very fragile.

◇ Password is a string of simple numbers
In the previous post, I cited the case of RockYou Website user data theft. Among the 32 million users of the website, the top ten most popular passwords for mental retardation are:
1. 123456
2. 12345
3. 123456789
4. password
5. iloveyou
6. princess
7. rockyou
8. 1234567
9. 12345678
10. abc123

From the TOP 10 rankings, we can see that half of them use continuous numbers. Therefore, it is also foolish to use continuous numeric strings (including sequential and reverse order) as passwords.

◇ The password is too short
If your password is less than 6 characters long, it can be easily cracked. After all, there are not many combinations of less than 6 characters. It is a piece of cake for a dedicated password program.

◇ Use English words as passwords
Using a single English word as a password can also be easily cracked. After all, there are thousands of commonly used English words, and tens of thousands of words are counted as uncommon words.
Many years ago, hackers collected a list of English words (called the "password dictionary "). This dictionary sorts words based on their usage frequency. With this password cracking dictionary, the password cracking program can easily guess the passwords that use a single English word.

◇ Use the date as the password
Some users want to use a special date (such as birthday, wedding anniversary, etc.) as a password. You need to know that this trick is also ineffective. Most of the common dates are distributed within the range of the last month. So at best, the possible number is about 365*100. Even if we take into account different date representation formats, it cannot be several times more. In this order of magnitude, the brute-force cracking tool is still a piece of cake.

◇ Other bad passwords
The situations listed above must be avoided. In addition, you can also look around a foreigner's book of abuse of passwords (this foreigner is patient ). However, this list is based on European and American user statistics and may not be applicable to China's national conditions.

★How to construct a complex password?
As mentioned above, the password is too simple to be cracked. But if you forget it, it will be over. Therefore, many netizens are entangled in the complexity of passwords. My experience is that passwords must be simple to themselves and complex to others.
The following describes my experience in this area.

◇Use multiple words to form a phrase
As mentioned aboveSingleEnglish words are used as passwords and are prone to dictionary attacks. To avoid dictionary attacks, a password consisting of 2-5 English words can be considered. If you are not good at English or you are used to Chinese, you can also use 2-5 Chinese Characters in pinyin to form a password.
Advantages:
The password length can be significantly increased to combat brute force cracking.
Disadvantages:
You may need to change your password habits.
The password contains only letters and is not complex enough.

◇Insert special characters
As mentioned earlier, passwords are constructed using multiple words or Chinese characters. To make the password more powerful, you can also insert some special characters between words or Chinese characters.
Insert spaces. Of course, you can also consider inserting other characters (such as underlines, minus signs, slashes, pound signs, asterisks, and so on ).
During brute-force cracking, only letters and numbers are cracked to speed up the cracking process. If your password contains special characters, it will greatly increase the difficulty of attackers.
Advantages:
Because the password contains many special characters, the complexity is greatly improved.
Disadvantages:
The input of many special characters depends on SHIFT, which may affect the speed of your password. This leaves an opportunity for hackers.

◇Character conversion
The so-called character conversion is to replace letters and numbers with similar shapes. This conversion can avoid the aforementioned password-based dictionary attacks.
There are several common transformations:
Letter o and number 0
Letter l and number 1
Z and 2
Letter s and symbol $
Letter g and Number 9
Letter q and Number 9
Letter a and symbol @
Letter B and number 6
Letter x and symbol *

Assuming that I want to use the word program as the password, after the above transformation, it becomes very obvious that pr09r @ m. The changed password also has letters, numbers, and symbols. The intensity is quite good :)
If you are interested, you can extend the transformations provided by Alibaba to meet your habits and preferences.
Advantages:
You don't have to change your original memory habits.
Because the password contains many special characters, the complexity is greatly improved.
Disadvantages:
If you think of a password that doesn't happen to have a corresponding change in all the letters, then it's quite uncomfortable.

◇Key Position Translation
This trick is also relatively simple, that is, when entering the keyboardRightTranslate a key. When playing blindly, the index fingers of both hands are directed at the letter F and letter J respectively. After translation, the index finger is directed at G and K.
If I want to use the word "program" as the password, after the above transformation, it will become [tphts. After this input method, the password is completely unrecognizable. But it is not hard for you to remember.
Advantages:
You don't have to change your original memory habits.
The password looks completely irregular.
Disadvantages:
Depends on the QWERT keyboard layout. If you want to enter a password on a non-QWERT keyboard (such as some mobile phone keyboards) one day, you can stop.

◇Tibetan Poems
In the plot of some ancient novels, you can often see the bridges of Tibetan poems. The idea of a Tibetan poem can also be used to construct a security password.
To use this trick, you must first think of something that impressed you. This can be either Chinese or English, French, or Mars. It is recommended that the number of words in this sentence be between 6 and 20. Then you extract the first letter of each word and combine it into a password. If it is Chinese, extract the initials of each Chinese Character and combine them into passwords.
If you think about it, you can only survive if you are paranoid. In this case, the initials of the pinyin alphabet are: zypzkcnsc.
Advantages:
You don't have to change your original memory habits.
The password looks completely irregular.
Disadvantages:
The password contains only letters and is not complex enough.
If the number of words in a sentence is not enough, the effect is not good enough.
For Hong Kong and Taiwan students, since they have never learned Chinese pinyin, they have to use a Tibetan poem in English. Fortunately, English education in Hong Kong and Taiwan is generally better than that in mainland China, so it should not be related to this :-)

◇SHIFT key
When constructing a password, properly combine the SHIFT key, and sometimes it can achieve good results. If some characters in your password are numbers, when you enter the password, holding down the SHIFT key will change these numeric characters into special characters.
Advantages:
You don't have to change your original memory habits.
Because the password contains many special characters, the complexity is greatly improved.
Disadvantages:
In case your original password has only letters and no numbers, the strength of the password will be slightly reduced.
Because the switch depends on the SHIFT key, it will affect the speed at which you enter the password. This leaves an opportunity for hackers.

◇Using mathematical equations
There is also a well-remembered, seemingly complex cryptographic construction method-using mathematical equations.
For example, you can design your password as follows:
7 + 8 = 15
Although it only contains 6 characters, it has a certain strength because it contains symbols. If you think there are too few 6 characters, you can easily add them, for example, changing:
110 + 9 = 119
If you think it is not complex enough, you can make another metamorphosis-to express a number in English. For example:
Two + 7 = nine
Advantages:
The password contains both letters, numbers, and symbols. High standard complexity!
Disadvantages:
You need to change your password habits.
Once your password is seen by others, it is easy for others to find the pattern of your password.

◇Use Hash Value)
Finally, it is an excellent housekeeping skill-constructing a password using hash values.
If you are not familiar with it, you may not be able to disband the column value. I don't want to waste a bit of water to explain it. If you are curious, please read the Wikipedia introduction.
To construct a hash-based password, we recommend that you use the CRC32 hashing algorithm. Why use it? This is because it is easy to use. For example, if you want to obtain the CRC32 hash value of a file, you only need to compress it into a Zip file using a compression tool such as WinRAR or 7-zip, then we can see the CRC32 value of the file (because the CRC32 hash algorithm is used as the file verification code in zip format ). If you open a zip file at your disposal, you can see it.
Now we will detail how to construct a hash-based password.
First, you should first think of a string as the seed to calculate the hash. This string does not need to be complex or long. For example, if you are Zhang San, you can use Zhang San's pinyin initials zs as the seed string.
Suppose you have a hotmal mailbox and you need to set a password. You can use notepad to generate a txt file. Write the seed string sz, then the hotmail, and save the disk. Then, compress the txt file into a zip file. Check its CRC32 Verification Code (9C9041C0) and use it as the password.
If you need to set a password for another gmail mailbox, you only need to write zsgmail to that txt file and calculate CRC32 to get another value (03B2F77D ). Did you notice? These two values do not seem to have any relevance, and from these two passwords, we cannot see any relationship with the zs of the seed string.
Advantages:
The password contains both letters and numbers, but no special symbols. High complexity!
Hash values are random. That is to say, the vast majority of hash values you see are not regular.
The hash value is irreversible. That is to say, even if a password is exposed, attackers cannot see the rule.
Even if a password is exposed, others cannot see the rule at all.
If you replace the CRC algorithm with other algorithms (such as MD5 or SHA-1), you can easily construct a super-long password (32 characters ).
Disadvantages:
This password is completely random and is not something that can be remembered by ordinary people. Therefore, in the password classification mechanism, it is only suitable for second-level passwords. The third type of password cannot be used.

★End
Today, I have spent a lot of time talking about how to construct complex passwords. If a netizen has other unique experiences, he hopes to share them with me. If I find it practical, I will add it to this article.
The next post in this series will talk about the basic prevention of security vulnerabilities.