A word about passwords


What’s up with those weird passwords you send?

Ah. Those.

If you have a hosting account with The Secret Labs you’ve seen the passwords we use when we set up your account. Things like qu7e&ehajaXa+e, or @uvuFuSwamuM55, and $cr2D4Yu*Pek3. They come from the Random Password Generator at http://www.winguides.com/security/password.php .

We aren’t trying to tax your brain or look all cool and computery. And they’re not a misspelling of Philadelphia. The aim is to thwart anyone who tries to hijack your account or deface your web site.

Our concern is not with your home or office computer. That’s your issue. We’ve even gone so far as to recommend clients use the “remember my password” feature in their browser, FTP, or web publishing program and, truth be told, we do the same thing in our FTP program. Anyway, we figure you’re responsible enough to handle computer access and security on your end.

Our responsibility is on the server end of things. Like every other computer connected to the web, servers and personal computers alike, our server is under constant attack by hackers and viruses and worms. (Oh my!)

Rather than wear their fingers down to bloody stumps typing in password after password, attackers use a program to do the heavy lifting for them. The most common approach is called a “dictionary attack”. The program simply tries every word in a long list, like the dictionary for your spell check. There are even lists of the most commonly used passwords available for download.

These programs also know the tricks, like substituting digits for letters to m4k3 w0rdz l1ke th15 (make words like this) or mAkE WoRdZ lIkE ThIs that the kids are so fond of; a cracking program applies these “mangling rules” to every word in its list automatically. Worse, they can try thousands of passwords a minute against a live login, and vastly more than that if they ever get hold of a copy of the server’s password file.

Sooner or later, if you use real words for your server and control panel passwords, you’ll fall victim to a dictionary attack.

How can your email password aid spammers?

Spammers are beginning to use similar techniques to hijack servers to send their messages. All they need are the email addresses they already have and the passwords to go with them. The easiest way to get those passwords is the dictionary attack.

Once in, they send millions of spams at a whack, potentially using your account on our mail server. Not only can that much traffic bring a server to its knees, it can get all mail from our server blacklisted or lead to our provider shutting down the server entirely, since spamming, even accidental or inadvertent, violates our Terms of Service.

So please, for the sake of us all on the server, and for everyone annoyed by receiving spam, think about how easily your email password might fall victim to a dictionary attack. Chances are very good that it’s easy to crack. So you might want to think about changing it.

How to choose better passwords

If you only ever check your mail from your home or work computer, your email program will remember the password for you, so try the Random Password Generator. Have it use between eight and 14 characters, check all the option boxes and have it generate a selection of a half dozen or more.

If, like us, you’re a frequent user of webmail, passwords need to be easy enough to remember and to type when you’re at the library, an Internet café or a client’s office.

Here are some suggestions we’ve copy-and-pasted from a quick Google search:

  • Take two words from the dictionary that are at least 4 characters each. I know I said don’t use words out of a dictionary; hang on! Now reverse the order of the letters and put them back together. For example, “dump” and “blade” yields “pmud” and “edalb”. Now put them together: “pmudedalb”. Most of us can remember two words with a little effort. One caveat: reversing a word is one of the standard tricks the cracking programs already know, so what little strength this has comes from the attacker needing to guess both words, not from the reversal itself.
  • Choose a line or two from a song or poem, and use the first letter of each word. For example, “And I’m crazy, for loving you” becomes “Aic,fly”.
  • Alternate between one consonant and one or two vowels, up to 14 characters. This provides nonsense words that are usually pronounceable, and thus more easily remembered. Capitalize some of the letters. Examples include routBOO, QuadpoP and so on.
  • Sometimes, it’s easier to generate a password that means something on the keyboard but not in the linguistic world. For instance, qwertyui is the string of letters across the top of standard keyboards. That isn’t a good password itself (keyboard patterns like it are in every downloadable password list), but perhaps you could do something with that top row and some digits: tyru$8t7. Check that out on the keyboard and you’ll see that it’s an obvious pattern plus some noise, and it is the noise that does the work. Type it a few times and you’ll probably remember it forever.
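To make the “dictionary attack” described earlier concrete, and to show why the reversal and keyboard tricks in the list above only go so far, here is a small rule-based dictionary attack. It is an added example, not code from The Secret Labs or from any real cracking tool. The wordlist and the “stolen” hashes are constructed for the example, and unsalted SHA-256 is assumed as the stored format (a real server should use a salted, slow hash such as bcrypt or Argon2, which only slows the guessing down; it does not rescue a dictionary word).

```python
import hashlib
import itertools

# Constructed stand-in for a dictionary or a "most common passwords" download.
WORDLIST = ["password", "letmein", "monkey", "dump", "blade", "make", "secret", "qwertyui"]

# Digit-for-letter substitutions a cracking tool's rule set applies.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"})


def alternate_case(word, upper_first):
    """MaKe WoRdZ (upper_first=True) or mAkE WoRdZ (upper_first=False)."""
    return "".join(
        c.upper() if (i % 2 == 0) == upper_first else c.lower()
        for i, c in enumerate(word)
    )


def mangle(word):
    """Yield the variants a rule-based cracker tries for one dictionary word."""
    bases = [word.lower(), word.capitalize(), word.upper()]
    for w in bases:
        yield w                          # the word as-is
        yield w[::-1]                    # reversed: "dump" -> "pmud"
        yield w.translate(LEET)          # m4k3 w0rdz l1ke th15
        yield alternate_case(w, False)   # mAkE
        yield alternate_case(w, True)    # MaKe
    for w in bases:
        for n in range(100):             # trailing digits: dump1, Dump42, ...
            yield f"{w}{n}"


def candidates(wordlist):
    """Every guess the attack makes, in order: single mangled words, then word pairs."""
    for word in wordlist:
        yield from mangle(word)
    for w1, w2 in itertools.permutations(wordlist, 2):
        yield w1 + w2                    # "dumpblade"
        yield w1[::-1] + w2[::-1]        # "pmudedalb": the reversed-pair trick


def password_hash(pw):
    """Assumed storage format: unsalted SHA-256 hex (real systems: bcrypt/scrypt/Argon2)."""
    return hashlib.sha256(pw.encode()).hexdigest()


def crack(target_hashes, wordlist=WORDLIST):
    """Run the attack; return {hash: recovered password} for every target it finds."""
    unseen = set(target_hashes)
    found = {}
    for guess in candidates(wordlist):
        if not unseen:
            break
        digest = password_hash(guess)
        if digest in unseen:
            found[digest] = guess
            unseen.discard(digest)
    return found


def guesses_until(target_hash, wordlist=WORDLIST):
    """Number of guesses before the target falls, or None if the list never hits it."""
    for n, guess in enumerate(candidates(wordlist), start=1):
        if password_hash(guess) == target_hash:
            return n
    return None


if __name__ == "__main__":
    # Constructed "stolen" hashes: four passwords built the ways the text describes
    # and one from the Random Password Generator.
    samples = ["dump", "pmudedalb", "m4k3", "Dump7", "qu7e&ehajaXa+e"]
    targets = {password_hash(p): p for p in samples}
    crack(list(targets))
    for digest, real in targets.items():
        n = guesses_until(digest)
        print(f"{real:16} {'cracked on guess ' + str(n) if n else 'not in the list'}")
```

Everything except the generator password falls within a few thousand guesses, which at the page’s own figure of thousands of guesses a minute is a coffee break; a real tool uses far larger lists and far more rules, so the only passwords that survive are the ones no list contains.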

And finally, one of the better pieces we’ve seen on the subject contains a good list of password do’s and don’ts. See http://wolfram.org/writing/howto/password.html

Whichever method you choose, pick one you like, log in to the Plesk 7 Control Panel with your email address and current password, and change it. Need help? See our Flash tutorial movie. Alternatively, have us or your domain administrator change it for you.