Monday, August 31, 2009

Securing Local Resources Using NTFS

Step 1 : Click on the Start button, then select the "Run" command. This will open a small box with a text field. In this field, type 'cmd' without the quotes and press enter.



Step 2 : At the resulting prompt, type in: chkntfs D: [Enter] (replace 'D:' with the drive letter you are checking)
If the message shows “D: is not dirty”, the drive's dirty bit is not set, which means no corruption has been flagged on the drive.



Step 3 : Now that we're in the command console, you'll need to enter the command that will convert the drive. Make sure you type in the command exactly as shown (replace 'X:' with the drive letter you need to convert): CONVERT X: /FS:NTFS [Enter]



Step 4 : Close all windows and log off.

Encrypting a File or Folder

To encrypt a file or folder from the GUI, follow these steps:
a. Open Windows Explorer or My Computer.
b. Right-click the file or folder that you'd like to encrypt or unencrypt and select Properties.
c. On the General tab, click the Advanced button.
d. From the Advanced Attributes dialog box, mark (or clear) the Encrypt Contents to Secure Data check box to encrypt (or unencrypt) the file or folder that you selected. Click OK to close the Advanced Attributes dialog box and then click OK for the properties sheet to apply this setting. (When you encrypt a folder, you are prompted to select between applying this setting to the folder only and applying it to the folder, subfolders, and files.)
e. To share access to an encrypted file, click the Details button from the Advanced Attributes dialog box. You cannot share access to encrypted folders.
f. From the Encryption Details dialog box, click the Add button to add more users' EFS certificates to the encrypted file to share access with those users.
g. From the Select User dialog box, click the user whose EFS certificate you want to add for shared access to the encrypted file and click OK. You see only certificates for users who have encrypted a folder or file previously.
h. Click OK for the Encryption Details dialog box.
i. Finally, click OK for the Advanced Attributes dialog box and then click OK for the Properties



Account Lockout Policy
You can access Group Policy settings by opening the Microsoft Management Console (MMC) and adding the Group Policy snap-in.
The Account Lockout Policy controls settings related to users attempting to log in and entering wrong passwords. It is possible to leave this unconfigured so that a person can sit there and try thousands of different passwords in an attempt to find the right one, but that is highly unwise and a serious compromise of security. There are three settings for this policy, and using them will greatly increase security.
Access the Account Lockout Policy from:
Computer Configuration -> Windows Settings -> Security Settings -> Account Policy -> Account Lockout Policy

The three settings that you can set are: Account Lockout Duration, Account Lockout Threshold, and Reset Account Lockout Counter After. I recommend setting Account Lockout Threshold to 5 invalid logon attempts. When you do this, the other two settings are automatically set to 30 minutes. With these settings applied, a user who enters the wrong password 5 times is completely locked out of the system for 30 minutes.
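How the three settings interact, as an added example that is not from the original post: a simplified Python model of the failure counter, the 30-minute lockout and the 30-minute reset window, replayed against constructed timestamps. The model is an assumption about the documented behaviour, not Windows' own code.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# The three settings, at the values recommended in the post.
LOCKOUT_THRESHOLD = 5                         # Account Lockout Threshold
LOCKOUT_DURATION = timedelta(minutes=30)      # Account Lockout Duration
RESET_COUNTER_AFTER = timedelta(minutes=30)   # Reset Account Lockout Counter After

# Constructed starting timestamp for the simulations below.
EXAMPLE_START = datetime(2009, 8, 31, 9, 0, 0)


@dataclass
class AccountState:
    """Per-account bookkeeping (simplified model of what the domain keeps)."""
    bad_attempts: int = 0
    last_bad_attempt: Optional[datetime] = None
    locked_until: Optional[datetime] = None


class LockoutPolicy:
    """Assumption: a simplified model of the documented Account Lockout Policy
    behaviour, not Windows' actual implementation."""

    def __init__(self, threshold: int = LOCKOUT_THRESHOLD,
                 duration: timedelta = LOCKOUT_DURATION,
                 reset_after: timedelta = RESET_COUNTER_AFTER):
        self.threshold = threshold
        self.duration = duration
        self.reset_after = reset_after

    def attempt(self, state: AccountState, password_ok: bool, now: datetime) -> str:
        """Process one logon attempt; returns 'success', 'failed' or 'locked'."""
        if state.locked_until is not None:
            if now < state.locked_until:
                return "locked"          # correct password or not, the account is locked
            state.locked_until = None    # lockout duration elapsed: unlock automatically
            state.bad_attempts = 0

        # Reset Account Lockout Counter After: a failure older than the window
        # no longer counts, so the counter starts again from zero.
        if (state.last_bad_attempt is not None
                and now - state.last_bad_attempt >= self.reset_after):
            state.bad_attempts = 0

        if password_ok:
            state.bad_attempts = 0
            state.last_bad_attempt = None
            return "success"

        state.bad_attempts += 1
        state.last_bad_attempt = now
        if state.bad_attempts >= self.threshold:
            state.locked_until = now + self.duration
            return "locked"
        return "failed"


def simulate(policy: LockoutPolicy, attempts: List[Tuple[int, bool]],
             start: datetime = EXAMPLE_START) -> List[str]:
    """Replay (seconds after start, password_ok) pairs against a fresh account."""
    state = AccountState()
    return [policy.attempt(state, ok, start + timedelta(seconds=offset))
            for offset, ok in attempts]


if __name__ == "__main__":
    # Five wrong passwords within seconds, then the right one after 10 and 31 minutes.
    burst = [(i, False) for i in range(5)] + [(600, True), (1860, True)]
    print(simulate(LockoutPolicy(), burst))
    # Four failures, a 31-minute pause, then a fifth: the counter was reset, no lockout.
    spread = [(i, False) for i in range(4)] + [(1860, False)]
    print(simulate(LockoutPolicy(), spread))
```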

Password Policy
The Password Policy controls settings related to each user's password. It is important to enforce a password policy, because the chances of a user giving out their password (accidentally or intentionally) are very high. Requiring them to change their password reasonably often, and to make it conform to a set of standards that make it very difficult to crack, is therefore in your organization's best interests.

Access the Password Policy from:
Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy

There are five settings here that you can set: Enforce Password History, Maximum Password Age, Minimum Password Age, Minimum Password Length, and Password Must Meet Complexity Requirements. I recommend enforcing a password history of at least 6. This means that a user must change their password six times before they can reuse a password.

For Maximum Password Age, I recommend between 30 and 40 days; this forces users to change their password once the number of days specified in this setting has elapsed.

Minimum Password Age is also important, because it requires users to keep a password for a certain amount of time before changing it. Without it, a smart user could figure out your system and change their password six times in a row, defeating the password history, returning to their old password and compromising your network. I recommend a Minimum Password Age of at least 1 day, and preferably 7 days. For Minimum Password Length, most enterprises require a minimum of 8 characters, or sometimes 12. The longer the password, the harder it is to crack. You should definitely enforce Password Must Meet Complexity Requirements.
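The five settings at the recommended values, modelled in Python as an added example that is not from the original post, including the six-changes-in-a-row trick described above, which the minimum password age stops at the first change. The three-of-four character-class complexity rule and the plaintext history are assumptions for illustration; the model is not Windows' implementation.

```python
import re
from datetime import datetime, timedelta
from typing import List, Optional

# Settings at the values recommended in the post.
ENFORCE_PASSWORD_HISTORY = 6
MINIMUM_PASSWORD_AGE = timedelta(days=1)
MAXIMUM_PASSWORD_AGE = timedelta(days=30)
MINIMUM_PASSWORD_LENGTH = 8

NO_MINIMUM_AGE = timedelta(0)                   # the setting left unconfigured
EXAMPLE_NOW = datetime(2009, 8, 31, 9, 0, 0)    # constructed timestamp


class PasswordPolicy:
    """Assumption: a simplified model of the documented Password Policy rules,
    not Windows' implementation. History is kept in plaintext here only for
    illustration; real systems store and compare hashes."""

    def __init__(self, history: int = ENFORCE_PASSWORD_HISTORY,
                 min_age: timedelta = MINIMUM_PASSWORD_AGE,
                 max_age: timedelta = MAXIMUM_PASSWORD_AGE,
                 min_length: int = MINIMUM_PASSWORD_LENGTH,
                 complexity: bool = True):
        self.history = history
        self.min_age = min_age
        self.max_age = max_age
        self.min_length = min_length
        self.complexity = complexity

    @staticmethod
    def meets_complexity(password: str) -> bool:
        """Characters from at least three of the four classes upper, lower,
        digit, other (the usual reading of the Windows complexity rule)."""
        classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
        return sum(1 for pattern in classes if re.search(pattern, password)) >= 3

    def check_change(self, history: List[str], last_changed: Optional[datetime],
                     new_password: str, now: datetime) -> Optional[str]:
        """Return None if the change is allowed, otherwise why it is refused."""
        if last_changed is not None and now - last_changed < self.min_age:
            return "minimum password age not reached"
        if len(new_password) < self.min_length:
            return "shorter than minimum password length"
        if self.complexity and not self.meets_complexity(new_password):
            return "does not meet complexity requirements"
        if new_password in history[-self.history:]:     # the last N passwords
            return "password found in history"
        return None

    def is_expired(self, last_changed: datetime, now: datetime) -> bool:
        """Maximum Password Age: the user must change it once this is true."""
        return now - last_changed >= self.max_age


def cycle_back(policy: PasswordPolicy, old_password: str,
               now: datetime = EXAMPLE_NOW) -> Optional[str]:
    """The trick described in the post: change the password as many times as
    the history remembers, all at once, then set it back to old_password.
    Returns None if the reuse goes through, otherwise the refusal reason."""
    history = [old_password]
    last_changed = now                       # old_password was set just now
    for i in range(policy.history):
        throwaway = f"Throwaway-{i}X"        # constructed; satisfies complexity
        reason = policy.check_change(history, last_changed, throwaway, now)
        if reason:
            return reason
        history.append(throwaway)
        last_changed = now
    return policy.check_change(history, last_changed, old_password, now)


if __name__ == "__main__":
    print(cycle_back(PasswordPolicy(min_age=NO_MINIMUM_AGE), "Summer2009!"))  # None: reuse allowed
    print(cycle_back(PasswordPolicy(), "Summer2009!"))   # refused on the very first change
```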

Vigenère Ciphers

The Vigenère Cipher
The Vigenère cipher is a simple polyalphabetic cipher based on the tableau in the figure below, in which each row of the tableau is shifted one letter to the left from the row above.



Encipherment and Decipherment

The cipher works by taking a keyword, in this case “BUCKNELL”, and using it to encode a plaintext, “HAS A NICE CAMPUS”. First, the keyword is repeated on top of the plaintext:



For each letter in the plaintext, the corresponding ciphertext letter is found by selecting the letter in the column determined by the keyword letter and the row determined by the plaintext letter. There are two methods to decrypt the Vigenère cipher. The first simply does the encoding process backwards: repeat the keyword above the ciphertext, and select the ciphertext letter out of the column determined by the keyword letter. The row in which the ciphertext letter appears corresponds to the plaintext letter that was enciphered. This is rather time consuming, as one must search the column for the appropriate value.

The second method is to ‘encode’ again using the inverse of the keyword, which is easier for a computer to do. The inverse is obtained by taking each keyword letter’s numerical value (A = 0, B = 1, etc.), subtracting it from 26, and reducing the result modulo 26. Once the key has been inverted in this way, the ciphertext is deciphered by running the encipherment algorithm with the inverted key.
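Both decipherment methods in Python, as an added example that is not part of the original post. It assumes that spaces pass through unchanged and do not consume a keyword letter, which the missing figure may have handled differently.

```python
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def value(letter: str) -> int:
    """A = 0, B = 1, ..., Z = 25."""
    return ALPHABET.index(letter)


def encipher(plaintext: str, keyword: str) -> str:
    """Vigenère encipherment: shift each plaintext letter by the keyword letter
    written above it. Assumption: spaces pass through unchanged and do not
    consume a keyword letter."""
    keyword = keyword.upper()
    out, i = [], 0
    for ch in plaintext.upper():
        if ch not in ALPHABET:
            out.append(ch)
            continue
        k = value(keyword[i % len(keyword)])
        out.append(ALPHABET[(value(ch) + k) % 26])
        i += 1
    return "".join(out)


def decipher_by_tableau(ciphertext: str, keyword: str) -> str:
    """First method from the post: for each ciphertext letter, search the
    keyword letter's column for it; the row it sits in is the plaintext letter."""
    keyword = keyword.upper()
    out, i = [], 0
    for ch in ciphertext.upper():
        if ch not in ALPHABET:
            out.append(ch)
            continue
        k = value(keyword[i % len(keyword)])
        # Walk the 26 rows of that column until the ciphertext letter turns up.
        for row in range(26):
            if ALPHABET[(row + k) % 26] == ch:
                out.append(ALPHABET[row])
                break
        i += 1
    return "".join(out)


def invert_keyword(keyword: str) -> str:
    """Second method: replace each key letter k by (26 - k) mod 26."""
    return "".join(ALPHABET[(26 - value(c)) % 26] for c in keyword.upper())


def decipher_by_inverse_key(ciphertext: str, keyword: str) -> str:
    """Running the encipherment again with the inverted key undoes the shifts."""
    return encipher(ciphertext, invert_keyword(keyword))


if __name__ == "__main__":
    ct = encipher("HAS A NICE CAMPUS", "BUCKNELL")
    print(ct, invert_keyword("BUCKNELL"))
    print(decipher_by_tableau(ct, "BUCKNELL"))
    print(decipher_by_inverse_key(ct, "BUCKNELL"))
```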

Introduction to Virtualization & VMware

Virtualization

Hardware was the first part of a computer system to be designed, followed by the software. Each piece of hardware was designed with its own instruction set and developed with its own specific software. In the early days this was enough to cater for a small community in which file sharing and software distribution were not widely practised. As time went by, more and more computers came into use and were connected to one another, making the rewriting and distribution of software compatible with each kind of hardware a major burden.

The need for software that is compatible with any hardware became an important consideration in developing new computer systems. This can be achieved by producing hardware with standard features, and one way to do so is by defining and controlling the interface between hardware and software. This is where the concept of the Instruction Set Architecture (ISA) was introduced.

A new problem arose following the introduction of the ISA: an operating system was only compatible with hardware from the same vendor. For this reason many operating systems were developed for one particular system architecture and could not run on machines with a different architecture.

Virtualization eliminates these constraints and enables a much higher degree of portability and flexibility. Software is added to an execution platform to give it the appearance of a different platform. Virtualization can support an operating system, instruction set and computational resources that differ from those available on the underlying platform. One virtualization environment created by such software is called a virtual machine.

Virtual Machine
A virtual machine (VM) is defined as an efficient, isolated duplicate of a real machine. This environment is created using a Virtual Machine Monitor (VMM), which provides a second layer on a machine for another operating system to run on. The VMM reproduces everything from the CPU instructions to the I/O devices in software, on top of the operating system it runs on. Virtualization in a VM involves mapping virtual resources, for example registers and memory, to real hardware resources, and it uses the host machine's instructions to carry out the actions specified by the VMM. This is done by emulating the host ISA.

VMware is a company that provides virtualization software for x86-compatible computers. VMware Inc. is a subsidiary of EMC Corporation and has its headquarters in Palo Alto, California. The term "VMware" is often used in reference to specific VMware Inc. products such as VMware Workstation, VMware Virtual Desktop Infrastructure, VMware Player and VMware Server.

VM, which stands for "Virtual Machine" (not to be confused with the broader term virtual machine), is a widely-installed operating system for IBM-compatible computers and servers that can host other operating systems in such a way that each operating system behaves as if it were installed on a self-contained computer with its own set of programs and hardware resources.

VMware Workstation makes it simple to create and run multiple virtual machines on a desktop or laptop computer. We can convert an existing physical PC into a VMware virtual machine, or create a new virtual machine from scratch. Each virtual machine represents a complete PC, including the processor, memory, network connections and peripheral ports.

VMware Workstation lets us use our virtual machines to run Windows, Linux and a host of other operating systems side-by-side on the same computer. You can switch between operating systems instantly with a click of a mouse, share files between virtual machines with drag-and-drop functionality and access all the peripheral devices you rely on every day.

VMware Workstation Installation.

Installing VMware Workstation

Finally, we take a look at the installation process. Start the installation by running the file VMware-workstation-6.0.0-45731.exe and following the screen shots below.

Screen 1: - Welcome



The first screen is simply a Welcome screen. Click [Next] to start the installation process.

Screen 2: - Setup Type



Choose a setup type of "Typical" and click [Next] to continue.


Screen 3: - Destination Folder



The default destination folder for VMware is C:\Program Files\VMware\VMware Workstation\. I typically keep the default. Click [Next] to continue.


Screen 4: - Configure Shortcuts




The installer can automatically create shortcuts for easy access to the VMware application. I generally choose to keep all shortcuts checked. Click [Next] to continue.


Screen 5: - Ready to Install the Program




This screen is pretty much a confirmation screen. To start the installation process, click [Install].


Screen 6: - Installation Progress



The installation process...


Screen 7: - Registration Information



The next dialog asks for user information and serial number for the product. Although this is an optional step (it can be completed at a later time) I typically get it out of the way and enter all information required. Click [Enter] or [Skip] to continue.


Screen 8: - Installation Wizard Complete




And that's all there is to it. VMware is now installed and ready for you to start creating virtual machines. Click [Finish] to exit the installation wizard.


Screen 9: - Reboot Machine



After installing VMware Workstation, the installation wizard prompts you to reboot the machine. Click [Yes] to reboot the machine.


Starting VMware Workstation



The VMware installer will create an icon on the Windows Desktop as well as the Quick Launch bar. To start VMware Workstation click either one of these icons.

When starting VMware Workstation for the first time, we are asked to read over and accept the user license agreement. If we agree with the user license agreement, select "Yes" and click [OK] to start VMware Workstation.

At this point, we can start to use the VMware Workstation software to create (or run) our own virtual machines.

Sunday, August 30, 2009

Password

From my point of view, a password is a secret word or string of characters that is used for authentication, to prove identity or to gain access to a resource (for example, an access code is a type of password). The password must be kept secret from those not allowed access.

Passwords have many uses, and the use of passwords is known to be ancient. Sentries would challenge those wishing to enter an area or approaching it to supply a password or watchword. Sentries would only allow a person or group to pass if they knew the password. In modern times, user names and passwords are commonly used by people during a log in process that controls access to protected computer operating systems, mobile phones, cable TV decoders, automated teller machines (ATMs), etc. A typical computer user may require passwords for many purposes: logging in to computer accounts, retrieving e-mail from servers, accessing programs, databases, networks, web sites, and even reading the morning newspaper online.

Despite the name, there is no need for passwords to be actual words; indeed passwords which are not actual words may be harder to guess, a desirable property. Some passwords are formed from multiple words and may more accurately be called a passphrase. The term passcode is sometimes used when the secret information is purely numeric, such as the personal identification number (PIN) commonly used for ATM access. Passwords are generally short enough to be easily memorized and typed.

For the purpose of authenticating the identity of one computing device to another more compellingly, passwords have significant disadvantages (they may be stolen, spoofed, forgotten, etc.) compared with authentication systems relying on cryptographic protocols, which are more difficult to circumvent.

Friday, August 28, 2009

Authentication methods

There are several authentication methods available for use in securing an application:

Password

A password is a form of authentication which uses secret data to control access to something.

Seals

A seal is a kind of device, an emblematic design used to identify the adopter.
A seal can be a wax seal bearing an impressed figure, or an embossed figure in paper, with the purpose of authenticating a document; the term can also mean any device for making such impressions or embossments, essentially a mould that carries the mirror image of the figure in counter-relief, such as those mounted on rings known as signet rings.

If the imprint is made as a relief resulting from the greater pressure on the paper where the high parts of the seal touch, the seal is known as a dry seal; in all other cases a liquid or liquified medium (such as ink or wax) is used, usually in another color than the paper's.

Smart cards

A smart card, chip card, or integrated circuit card (ICC), is any pocket-sized card with embedded integrated circuits which can process data. This implies that it can receive input which is processed — by way of the ICC applications — and delivered as an output. There are two broad categories of ICCs. Memory cards contain only non-volatile memory storage components, and perhaps some specific security logic. Microprocessor cards contain volatile memory and microprocessor components. The card is made of plastic, generally PVC, but sometimes ABS. The card may embed a hologram to avoid counterfeiting. Smart cards are also used as a form of strong authentication for single sign-on within large companies and organizations.

Biometrics

Biometrics refers to methods for uniquely recognizing humans based upon one or more intrinsic physical or behavioral traits. In information technology, in particular, biometrics is used as a form of identity access management and access control. It is also used to identify individuals in groups that are under surveillance.

Biometric characteristics can be divided in two main classes:

Physiological characteristics are related to the shape of the body. Examples include, but are not limited to, fingerprints, face recognition, DNA, hand and palm geometry, iris recognition (which has largely replaced retina scanning), and odor/scent.

Behavioral characteristics are related to the behavior of a person. Examples include, but are not limited to, typing rhythm, gait, and voice. Some researchers have coined the term behaviometrics for this class of biometrics.

Message authentication codes

In cryptography, a message authentication code (often MAC) is a short piece of information used to authenticate a message.

A MAC algorithm, sometimes called a keyed (cryptographic) hash function, accepts as input a secret key and an arbitrary-length message to be authenticated, and outputs a MAC (sometimes known as a tag). The MAC value protects both a message's data integrity and its authenticity, by allowing verifiers (who also possess the secret key) to detect any changes to the message content, and so arguably should be called a Message Authentication and Integrity Code (MAIC).
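A MAC in use, as an added example that is not from the original post, using HMAC-SHA256 from Python's standard library: the verifier holding the key rejects both a modified message and a tag made under a different key, whereas an unkeyed hash can simply be recomputed by whoever altered the message. The key and messages are constructed.

```python
import hashlib
import hmac


def unkeyed_digest(message: bytes) -> bytes:
    """Plain SHA-256: anyone can compute it, so it proves nothing about the sender."""
    return hashlib.sha256(message).digest()


def verify_unkeyed(message: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(unkeyed_digest(message), digest)


def make_tag(key: bytes, message: bytes) -> bytes:
    """MAC tag: HMAC-SHA256 over the message under the shared secret key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the tag with the same key and compare in constant time."""
    return hmac.compare_digest(make_tag(key, message), tag)


def demo() -> dict:
    # Constructed key and messages.
    key = b"shared-secret-between-sender-and-verifier"
    message = b"transfer 100 to account 42"
    tampered = b"transfer 900 to account 42"

    tag = make_tag(key, message)
    return {
        # The verifier holding the key accepts the genuine message under its tag.
        "genuine_accepted": verify_tag(key, message, tag),
        # A modified message no longer matches the tag (integrity).
        "tampered_rejected": not verify_tag(key, tampered, tag),
        # A tag made under some other key is rejected (authenticity).
        "wrong_key_rejected": not verify_tag(b"some-other-key", message, tag),
        # Contrast: with an unkeyed hash, whoever changes the message can
        # attach a freshly computed digest and the check passes.
        "unkeyed_check_fooled": verify_unkeyed(tampered, unkeyed_digest(tampered)),
        "tag_length_bytes": len(tag),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```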


Watermarking

A number of authentication systems are known by the general term of "watermarking" methods, since they rely on embedding authentication information into another information bearer, by analogy with the watermarking of paper.

A watermark is a recognizable image or pattern in paper that appears as various shades of lightness/darkness when viewed by transmitted light (or when viewed by reflected light, atop a dark background), caused by thickness variations in the paper. There are two main types of watermark, the Dandy Roll process, and the more complex Cylinder Mould process. A watermark is very useful in the examination of paper because it can be used for dating, identifying sizes, mill trademarks and locations, and the quality of a paper.

Watermarks vary greatly in their visibility; while some are obvious on casual inspection, others require some study to pick out. Various aids have been developed, such as watermark fluid that wets the paper without damaging it. Encoding an identifying code into digitized music, video, picture, or other file is known as a digital watermark.

Wednesday, August 26, 2009

What is Authentication?

Authentication is the process of verifying that a user has the right to access a system with the claimed user identity, by confirming that the user possesses a secret assigned only to that identity. The most common authentication methods involve comparing the user name and password supplied by the user with those stored for that user in some centralized location.

Saturday, August 15, 2009

Caesar Ciphers

One of the earliest substitution ciphers is the one described by Julius Caesar in the Gallic Wars. In this cipher each of the letters A to W is encrypted by being represented by the letter that occurs three places after it in the alphabet (X, Y and Z wrap around to A, B and C). Although Caesar used a ‘shift’ of 3, a similar effect could have been achieved using any number from 1 to 25. In fact any shift is now commonly regarded as defining a Caesar cipher.

The encryption key and decryption key are both determined by a shift, but the encryption and decryption rules are different. We could have changed the formulation slightly to make the two rules coincide and have different encryption and decryption keys. A shift of 26 has the same effect as a shift of 0, and for any shift from 0 to 25, encryption with that shift is the same as decryption with the new shift obtained by subtracting the original shift from 26. For example, encryption with shift 8 is the same as decryption with shift 26 - 8 = 18.

This enables us to use the same rule for encryption and decryption, with the decryption key 18 corresponding to the encryption key 8. Caesar ciphers are vulnerable to an exhaustive key search attack: one need only work through all 26 keys. Furthermore, the key can be determined from knowledge of a single pair of corresponding plaintext and ciphertext characters.

An exhaustive key search may not identify the key uniquely. It is much more likely merely to limit the number of possibilities by eliminating some obviously wrong ones. An exhaustive search for the encryption key of the cryptogram HSPPW yields two possibilities that lead to complete English words for the assumed message: shift 4, which gives DOLLS, and shift 11, which gives WHEEL. When this happens we need more information, possibly the context of the message or some extra ciphertext, before we can determine the key uniquely.
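The shift rule, the identity "decryption with k is encryption with 26 - k", key recovery from one known pair, and the HSPPW search above, in Python as an added example that is not from the original post. The small word list is constructed; a real search would use a full dictionary.

```python
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def shift_text(text: str, shift: int) -> str:
    """Shift every letter forward by `shift` places, wrapping Z round to A.
    Non-letters are left as they are."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def encrypt(plaintext: str, key: int) -> str:
    return shift_text(plaintext, key)


def decrypt(ciphertext: str, key: int) -> str:
    """Decryption with key k is the same operation as encryption with 26 - k,
    the point made in the post (decryption key 18 <-> encryption key 8)."""
    return shift_text(ciphertext, (26 - key) % 26)


def key_from_pair(plain_letter: str, cipher_letter: str) -> int:
    """One known plaintext/ciphertext pair pins the key down immediately."""
    return (ALPHABET.index(cipher_letter.upper())
            - ALPHABET.index(plain_letter.upper())) % 26


def exhaustive_search(ciphertext: str, wordlist) -> dict:
    """Try all 26 keys; keep those whose result is a word in `wordlist`."""
    candidates = {}
    for key in range(26):
        guess = decrypt(ciphertext, key)
        if guess in wordlist:
            candidates[key] = guess
    return candidates


# Constructed mini word list, just enough to reproduce the HSPPW example.
SAMPLE_WORDS = {"DOLLS", "WHEEL", "HELLO", "WORLD", "ATTACK", "DAWN"}

if __name__ == "__main__":
    print(encrypt("ATTACK AT DAWN", 3))                  # DWWDFN DW GDZQ
    print(decrypt("HSPPW", 8) == encrypt("HSPPW", 18))   # True
    print(exhaustive_search("HSPPW", SAMPLE_WORDS))      # {4: 'DOLLS', 11: 'WHEEL'}
```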

Wednesday, August 12, 2009

Cryptography Concept

Cryptography Terminology

Until modern times cryptography referred almost exclusively to encryption, which is the process of converting ordinary information (plaintext) into unintelligible gibberish (i.e., ciphertext). Decryption is the reverse, in other words, moving from the unintelligible ciphertext back to plaintext.

A cipher (or cypher) is a pair of algorithms which perform the encryption and the reversing decryption. The detailed operation of a cipher is controlled both by the algorithm and, in each instance, by a key. This is a secret parameter (ideally known only to the communicants) for a specific message exchange context. Keys are important, as ciphers without variable keys are trivially breakable and therefore less than useful for most purposes. Historically, ciphers were often used directly for encryption or decryption without additional procedures such as authentication or integrity checks.

In colloquial use, the term "code" is often used to mean any method of encryption or concealment of meaning. However, in cryptography, code has a more specific meaning: the replacement of a unit of plaintext (i.e., a meaningful word or phrase) with a code word (for example, "apple pie" replaces "attack at dawn"). Codes are no longer used in serious cryptography except incidentally for such things as unit designations (e.g., Bronco Flight or Operation Overlord), since properly chosen ciphers are both more practical and more secure than even the best codes, and are also better adapted to computers.

plaintext - original message
ciphertext - coded message
cipher - algorithm for transforming plaintext to ciphertext
key - info used in cipher known only to sender/receiver
encipher (encrypt) - converting plaintext to ciphertext
decipher (decrypt) - recovering plaintext from ciphertext
cryptography - study of encryption principles/methods
cryptanalysis (codebreaking) - study of principles/ methods of deciphering ciphertext without knowing key
cryptology - field of both cryptography and cryptanalysis

Cryptography Algorithms

Classified along three independent dimensions:
1. The type of operations used for transforming plaintext to ciphertext
2. The number of keys used:
   - symmetric (single key, or private-key encryption)
   - asymmetric (two keys, or public-key encryption)
3. The way in which the plaintext is processed

Symmetric algorithms:  P = D(K, E(K, P))

Asymmetric algorithms: P = D(Kd, E(Ke, P))


Symmetric vs. Asymmetric

If the system is symmetric, then there may be a need to distribute a secret key value before secret messages can be exchanged. This is one of the most difficult aspects of obtaining a secure system.

If the system is asymmetric, then it may be possible to avoid this particular problem by distributing only the encryption keys, which do not need to be secret. However, it is then replaced by the problem of guaranteeing the authenticity of each participant’s encryption key.

Methods use in Cryptography Algorithm

Substitution
- monoalphabetic substitution: formed by shifting the letters of the original alphabet
- polyalphabetic substitution: an extension of the monoalphabetic substitution system, using the Vigenère tableau

Transposition
- unkeyed transposition: rearrange letters by using a matrix
- keyed transposition: rearrange letters by using a matrix whose size is determined by the length of the key used

Data encryption


Data encryption refers to the process of transforming electronic information into a scrambled form that can only be read by someone who knows how to translate the code. Encryption is important in the business world because it is the easiest and most practical method of protecting data that is stored, processed, or transmitted electronically. It is vital to electronic commerce, for example, because it allows merchants to protect customers' credit card numbers and personal information from computer hackers or competitors. It is also commonly used to protect legal contracts, sensitive documents, and personal messages that are sent over the Internet. Without encryption, this information could be intercepted and altered or misused by outsiders. In addition, encryption is used to scramble sensitive information that is stored on business computer networks, and to create digital signatures to authenticate e-mail and other types of messages sent between businesses.

Encryption comes from the science of cryptography, which involves the coding and decoding of messages in order to protect their contents. Modern computer technology has vastly increased the complexity of encryption—which is usually accomplished using complicated mathematical principles—as well as the ability of people to break codes. A wide variety of data encryption programs are available on the Internet. In fact, encryption programs are already incorporated in many Web browsers, e-mail systems, and operating systems. Computer security experts stress that small businesses should take advantage of the availability of encryption programs to protect their data, particularly when it is transmitted over the Internet.

Some business owners make the mistake of believing that their information will be lost in the huge sea of data flowing through the Internet, or of assuming that no one would be interested in their messages. But it is very easy for outsiders to gain access to unprotected data, and it only takes one unscrupulous individual to create tremendous problems for a company.

The most popular use of encryption is in electronic commerce. The majority of retailers who do business online use data encryption programs to protect their customers' private financial data. Despite the occasional story of hackers stealing credit card numbers, online retailers claim that making purchases over the Internet is as safe as handing a credit card to a waiter at a restaurant. "The types of encryption methods in place today are practically unbreakable by any reasonable means," said John Browne of Microsoft in Chain Store Age Executive. "Retailers need to understand that consumers will want to shop on the Internet and that it is an excellent place for merchandising." When a customer makes a purchase online, their financial data is automatically encrypted by a program built into their Web browser. Then the encrypted data is transmitted safely to the merchant, who is able to decrypt it using a key. In general, this entire process is accomplished with the click of a mouse button and is transparent to both the consumer and the merchant.

Types of Encryption Programs

There are two main types of data encryption systems. In the first, variously known as private key, single key, secret key, or symmetric encryption, both the sender and the recipient of the data hold the same key for translation. This single key is used both to code and decode information that is exchanged between the two parties. Since the same key is used to encrypt and decrypt messages, the parties involved must exchange the key secretly and keep it secure from outsiders. Private key encryption systems are usually faster than other types, but they can be cumbersome when more than two parties need to exchange information. The second, and more commonly used, type of data encryption system is known as a public key system. This type of system involves two separate keys: a public key for encoding information and a private key for decoding it. The public key can be held and used by any number of individuals and businesses, whereas only one party holds the private key. This system is particularly useful in electronic commerce, where the merchant holds the private key and all customers have access to the public key. The public key can be posted on a Web page or stored in an easily accessible key repository. Public key encryption systems are widely available on the Internet and are heavily utilized by large companies like Lotus and Microsoft.

The best-known data encryption program is called RSA. It was developed in the late 1970s by three graduates of the Massachusetts Institute of Technology—Ronald Rivest, Adi Shamir, and Leonard Adleman. As of 2000, there were 300 million copies of the RSA encryption program installed on computer systems worldwide. RSA scrambles data based on the product of two prime numbers, each of which is 100 digits long. RSA is a public key encryption system, meaning that many people can use it to encode information, but only the person who holds the private key (or knows the value of the two prime numbers) can decode it again. RSA is embedded in hundreds of popular software products, including Windows, Netscape Navigator, Quicken, and Lotus Notes. It is also available as a free download from the World Wide Web.
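A worked toy RSA in Python, as an added example that is not from the original text, using the constructed primes 61 and 53: it shows the asymmetric identity P = D(Kd, E(Ke, P)) from the earlier "Cryptography Concept" post and the point made above that knowing the two primes is enough to rebuild the private key. With tiny primes and no padding it demonstrates only the arithmetic, not a usable scheme.

```python
from math import gcd


def generate_keys(p: int, q: int, e: int = 17):
    """Build an RSA key pair from two primes p and q.
    Returns (public_key, private_key), each as an (exponent, modulus) tuple."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def encrypt_block(public_key, m: int) -> int:
    """E(Ke, P): anyone with the public key can do this."""
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("block must be smaller than the modulus")
    return pow(m, e, n)


def decrypt_block(private_key, c: int) -> int:
    """D(Kd, C): only the holder of the private exponent can do this."""
    d, n = private_key
    return pow(c, d, n)


def encrypt_text(public_key, text: str):
    """Toy encoding: one byte per RSA block (needs n > 255). No padding, so this
    is a demonstration of the arithmetic, not a secure construction."""
    return [encrypt_block(public_key, b) for b in text.encode()]


def decrypt_text(private_key, blocks) -> str:
    return bytes(decrypt_block(private_key, c) for c in blocks).decode()


def private_key_from_factors(public_key, p: int, q: int):
    """The post's point: whoever knows the two primes can rebuild the private key,
    because d is just the inverse of e modulo (p-1)(q-1)."""
    e, n = public_key
    if p * q != n:
        raise ValueError("p and q are not the factors of n")
    return (pow(e, -1, (p - 1) * (q - 1)), n)


if __name__ == "__main__":
    # Constructed toy primes; real RSA keys use primes of hundreds of digits.
    pub, priv = generate_keys(61, 53)
    blocks = encrypt_text(pub, "attack at dawn")
    print(pub, priv, blocks)
    print(decrypt_text(priv, blocks))
    print(private_key_from_factors(pub, 53, 61) == priv)
```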

Monday, August 10, 2009

Password Selecting Strategies

These days, it isn’t good enough just to have a password that someone else won’t guess. In order for your password to be secure it should be long – a minimum of 8 characters is standard – with a wide array of letters, numbers, and symbols. The need for this complexity comes from the advancement of password crackers, sometimes called password recovery programs, which can test several million passphrases per minute.

Here are a few things to never use as a password:

- your name
- your username
- your pet’s name
- your birthday
- your SSN
- your phone number
- your bank PIN
- a dictionary word
- a name
- any password shorter than six characters

Length is shown to have a large impact on crack time: crack time is an exponential function of password length. Therefore, adding one character to the end of any given password does not just make it harder to crack by a constant multiple; rather, the exponent in the equation is incremented by one.

Password Length:

Saturday, August 8, 2009

Time taken to crack password

The time it takes to crack password-protected Microsoft Office files has tumbled from a 25-day average to a matter of seconds, thanks to a decades-old code-cracking technique that until recently was not viable.

The technique, described in a 1980 paper, "A Cryptanalytic Time-Memory Trade-Off", involves pre-generating a massive "rainbow table" of passwords and their corresponding hashes - the encrypted strings of numbers computers use to verify passwords.

Until now, the terabytes of storage needed to write the tables haven't been available. But cheap storage means rainbow tables are in vogue in the IT security industry. "Take a look at hard-drive storage. I buy terabytes like I used to buy megabytes," says Christian Stankevitz, the laboratory manager for Chicago-based IT security consultancy Neohapsis.

In the past, passwords were cracked by randomly guessing at the correct string of characters in what's known as a "brute force" attack. In these assaults, the encrypted form of the password - the hash - is extracted from the target file or computer. A randomly generated password is encrypted and its encrypted form is compared to the extracted hash. If it doesn't match, the process is repeated until a match is found - it's a long and tedious process.

With rainbow tables, the hashes of most possible passwords are pre-computed and stored alongside the corresponding clear-text passwords. Users can simply look up virtually any hash in the massive index and match it to its password in seconds.

The tables can break password protection in many common file formats, including versions of Adobe's PDF format (the current version is immune to the attack), the default encryption on protected Microsoft Office documents (40 bit) and even Windows password files.
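The trade-off the article describes, as an added illustration that is not part of the original post: work is done once up front to build a hash-to-password lookup, after which each hash is recovered with a single dictionary lookup instead of a fresh brute-force search. The second half shows the standard defence the article does not spell out: storing each password with its own random salt means no precomputed table contains the stored value. The keyspace (4 lowercase letters) and the stored hashes are constructed for the demo, and SHA-256 is used only because it is available in the standard library; a real system would use a slow, salted password hash.

```python
"""Precomputed hash lookup (the idea behind rainbow tables) versus salting.

Added illustration, not from the article: the keyspace is deliberately tiny
(4 lowercase letters, 456,976 candidates) so the table builds in a second,
and the "stored" hashes are constructed for the demo."""
import hashlib
import itertools
import os
import string

ALPHABET = string.ascii_lowercase
LENGTH = 4  # 26**4 = 456,976 candidates


def unsalted_hash(password: str) -> str:
    """Hash as a weak system might store it: no salt, fast hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Same hash with a per-password random salt prepended."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_lookup_table(length: int = LENGTH, alphabet: str = ALPHABET) -> dict:
    """Precompute hash -> password for every candidate once.

    A real rainbow table stores hash chains rather than every pair to save
    space, but the trade-off is the same: storage and up-front work are
    spent so that later lookups are nearly free."""
    table = {}
    for chars in itertools.product(alphabet, repeat=length):
        candidate = "".join(chars)
        table[unsalted_hash(candidate)] = candidate
    return table


def lookup(table: dict, stored_hash: str):
    """One dictionary lookup instead of re-hashing every candidate."""
    return table.get(stored_hash)


def demo():
    """Return (result for an unsalted hash, result for a salted hash)."""
    table = build_lookup_table()

    # Constructed: the unsalted hash of the 4-letter password "lime".
    unsalted_stored = unsalted_hash("lime")
    found = lookup(table, unsalted_stored)

    # The same password stored with a random 16-byte salt: the precomputed
    # table has no entry for this value, so the lookup fails. An attacker
    # would have to redo the whole computation for every distinct salt.
    salt = os.urandom(16)
    salted_stored = salted_hash("lime", salt)
    not_found = lookup(table, salted_stored)
    return found, not_found


if __name__ == "__main__":
    found, not_found = demo()
    print("unsalted lookup:", found)    # lime
    print("salted lookup:", not_found)  # None
```

The defensive point is the second lookup: a per-password salt does not make any single guess harder, but it makes the precomputed index worthless, because the attacker would need a separate table for every salt value.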

Time taken to crack password (36-character alphabet of lowercase letters and digits):

| No. of characters | Total combinations | By human | By 1 MIPS computer |
| --- | --- | --- | --- |
| 1 | 36 | 3 minutes | .000018 s |
| 2 | 1300 | 2 hours | .00065 s |
| 3 | 47000 | 3 days | .02 s |
| 4 | 1700000 | 3 months | 1 s |
| 5 | 60000000 | 10 years | 30 s |
| 10 | 37×10^14 | 580 million years | 59 years |
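The exponential relation described in the previous post and the crack-time table above, worked as an added example (not code from the original blog): the keyspace for a password of a given length is charset_size ** length, so each extra character multiplies the work by the alphabet size, and dividing the keyspace by a guess rate gives the worst-case time for an exhaustive search. The two guess rates are assumptions chosen to reproduce the table (one human guess every 5 seconds, and 2,000,000 guesses per second for the "1 MIPS" machine); the table's own figures are rounded, so the reproduced values agree approximately.

```python
"""Keyspace and worst-case brute-force time as a function of password length.

Added illustration; the guess rates below are assumptions chosen to match the
table in the post (one human guess every 5 s; a "1 MIPS" machine at
2,000,000 guesses per second), not measurements.
"""

SECONDS_PER_YEAR = 365 * 24 * 3600
HUMAN_RATE = 1 / 5          # guesses per second, assumed
MACHINE_RATE = 2_000_000    # guesses per second, assumed for "1 MIPS"


def keyspace(length: int, charset_size: int = 36) -> int:
    """Number of distinct passwords of exactly `length` characters drawn from
    `charset_size` symbols (36 = lowercase letters plus digits)."""
    if length < 0 or charset_size < 1:
        raise ValueError("length must be >= 0 and charset_size >= 1")
    return charset_size ** length


def worst_case_seconds(length: int, rate: float, charset_size: int = 36) -> float:
    """Time to try every candidate at `rate` guesses per second.
    An attacker succeeds on average after about half the keyspace."""
    return keyspace(length, charset_size) / rate


def growth_factor(length: int, charset_size: int = 36) -> int:
    """keyspace(length + 1) / keyspace(length): always charset_size.
    This is the 'exponent incremented by one' effect from the post."""
    return keyspace(length + 1, charset_size) // keyspace(length, charset_size)


def format_duration(seconds: float) -> str:
    """Render seconds in the largest convenient unit, e.g. '3.0 minutes'."""
    for name, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.6g} s"


def length_needed(target_seconds: float, rate: float, charset_size: int = 36) -> int:
    """Smallest length whose exhaustive search at `rate` takes at least
    `target_seconds` (a simple way to derive a minimum-length policy)."""
    n = 1
    while worst_case_seconds(n, rate, charset_size) < target_seconds:
        n += 1
    return n


def crack_time_table(lengths, charset_size: int = 36):
    """Rows of (length, combinations, human time, machine time)."""
    return [(n,
             keyspace(n, charset_size),
             format_duration(worst_case_seconds(n, HUMAN_RATE, charset_size)),
             format_duration(worst_case_seconds(n, MACHINE_RATE, charset_size)))
            for n in lengths]


if __name__ == "__main__":
    print(f"{'len':>3} {'combinations':>18} {'human':>20} {'1 MIPS':>16}")
    for n, combos, human, machine in crack_time_table([1, 2, 3, 4, 5, 10]):
        print(f"{n:>3} {combos:>18,} {human:>20} {machine:>16}")
    # Each extra character multiplies the work by the alphabet size.
    print("growth per added character:", growth_factor(7))
    # Length that keeps the 1 MIPS machine busy for at least ten years.
    print("length for 10 years at 1 MIPS:",
          length_needed(10 * SECONDS_PER_YEAR, MACHINE_RATE))
```

Running the block prints the table rows; the 10-character row comes out at about 58 years for the machine, against 59 in the post's rounded figures. The `length_needed` helper turns the same arithmetic into a policy question: given an assumed guess rate and the time you want an exhaustive search to take, it returns the minimum length to require.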

Friday, August 7, 2009

Techniques for guessing passwords

Even without anyone sharing a password, hackers can use a variety of computer techniques to crack it. The Hackosis calculator gives an idea of how strong a password is and how long it would take a computer program to crack it.

Hackers widely use the "dictionary attack" or the "brute force" method to break a password, and many of them recover passwords with these methods without needing a supercomputer.

The "dictionary attack" method mostly tries words from a dictionary as guesses, and may add a number at the beginning or the end to improve its odds. The "brute force" method uses cryptanalysis techniques to find more complex passwords that combine alphabetic, numeric and special characters.

Techniques for guessing passwords:

- Try default passwords.
- Try all short words, 1 to 3 characters long.
- Try all the words in an electronic dictionary (60,000).
- Collect information about the user's hobbies, family names, birthday, etc.
- Try the user's phone number, social security number, street address, etc.
- Try all license plate numbers.
- Use a Trojan horse.
- Tap the line between a remote user and the host system.

Wednesday, August 5, 2009

Password Protection

Protection of passwords

Step 1

Create passwords with unique combinations of letters, numbers and symbols that are hard for other people to guess. Consult Microsoft's Password Checker to see if your password is easy to guess or difficult to crack.

Step 2

Change your passwords regularly. Then in the event someone has retrieved a password of yours, that person won't be able to use it for long.

Step 3

Have different passwords for different websites and applications. If you keep the same password for every site or program, someone who obtains that password can access everything.

Step 4

Decline the option to save your password when software applications offer it. This option seems convenient, but it gives anyone who has access to your computer access to your accounts as well.

Step 5

Use only secure (encrypted) connections for web browsing, email and file transfer (FTP). Encrypted connections protect your interests and keep your passwords and related information safe from eavesdroppers.

Step 6

Refrain from writing down your passwords, emailing them or sharing them in any other way with anyone else, even your best friend or spouse. In the event you do need to write passwords down, protect them by keeping them in very safe places where you are positive no one else will find them.

Step 7

Avoid accessing password-protected sites when using computers at public places like libraries and Internet cafes. You never know who will use the computer after you are finished with it.

Easy to remember, hard to guess password

Generally, the easier a password is for its owner to remember, the easier it is for a hacker to guess. Passwords that are difficult to remember reduce the security of a system because:

(a) users might need to write down or electronically store the password.
(b) users will need frequent password resets.
(c) users are more likely to re-use the same password.

Similarly, the more stringent the password-strength requirements, e.g. "have a mix of uppercase and lowercase letters and digits" or "change it monthly", the more users will work around the system.

However, asking users to remember a password consisting of a "mix of uppercase and lowercase characters" is like asking them to remember a sequence of bits: hard to remember, and only a little harder to crack (e.g. only 128 times harder for 7-letter passwords, and less if the user simply capitalises the first letter). Asking users to use "both letters and digits" often leads to easy-to-guess substitutions such as 'E' --> '3' and 'I' --> '1', substitutions which are well known to crackers. Similarly, typing the password one keyboard row higher is a common trick known to crackers.
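A password-policy check that rejects the weak patterns named in this post and in the "Techniques for guessing passwords" post above (short passwords, dictionary words with a number tacked on, leet substitutions such as 'E' --> '3', and words typed one keyboard row higher), as an added example that is not part of the original blog. The approach is the defender's mirror of the cracker's: normalise the candidate password the same ways a cracker would before comparing it with a word list. COMMON_WORDS is a tiny constructed stand-in for a real dictionary, the substitution map and the minimum length of 8 are assumptions, and the keyboard rows are US QWERTY.

```python
"""Password checks for the weak patterns discussed above: short passwords,
dictionary words (with a number tacked on, with leet substitutions such as
'E' -> '3', or typed one keyboard row higher).

Added illustration; COMMON_WORDS is a tiny constructed stand-in for a real
word list, and the thresholds are assumptions, not a standard."""
import string

# Constructed stand-in for an electronic dictionary (a real check would load
# a full word list plus lists of leaked passwords).
COMMON_WORDS = {"password", "welcome", "dragon", "monkey", "letmein",
                "summer", "london", "qwerty"}

# Substitutions crackers undo: map each digit/symbol back to its letter.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

# US QWERTY rows, top to bottom. Typing a word "one row higher" maps each key
# to the key directly above it; ROW_BELOW reverses that shift.
QWERTY_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl;", "zxcvbnm,./")
ROW_BELOW = {}
for upper, lower in zip(QWERTY_ROWS, QWERTY_ROWS[1:]):
    ROW_BELOW.update(zip(upper, lower))


def undo_row_shift(text: str) -> str:
    """Map every key to the one below it, recovering a word that was typed
    one keyboard row higher (characters not on those rows pass through)."""
    return "".join(ROW_BELOW.get(c, c) for c in text)


def candidate_forms(password: str) -> set:
    """Normalised variants of the password that a cracker would also try."""
    base = password.lower()
    stripped = base.strip(string.digits)   # drop numbers added at either end
    forms = {base, stripped}
    forms.update(f.translate(LEET_MAP) for f in (base, stripped))
    forms.update(undo_row_shift(f) for f in (base, stripped))
    return forms


def character_classes(password: str) -> int:
    """How many of the lowercase/uppercase/digit/symbol classes are used."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(any(c in cls for c in password) for cls in classes)


def weaknesses(password: str, dictionary=COMMON_WORDS, min_length: int = 8,
               min_classes: int = 3) -> list:
    """Return the reasons a password would be rejected; empty means it passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if character_classes(password) < min_classes:
        problems.append(f"uses fewer than {min_classes} character classes")
    for form in sorted(candidate_forms(password)):
        if form in dictionary:
            problems.append(f"dictionary word after normalisation: {form!r}")
            break
    return problems


if __name__ == "__main__":
    for pw in ("P@55w0rd1", "J9hi36", "123456", "Xk7#pLm2qR"):
        print(pw, "->", weaknesses(pw) or "OK")
```

"P@55w0rd1" passes the length and character-class rules yet is rejected, because stripping the trailing digit and undoing the substitutions yields "password"; "J9hi36" is "monkey" typed one row higher; and "123456" is "qwerty" typed one row higher. The check rejects exactly the passwords a cracker's normalisation rules would find first, which is the point of the post.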