Secrets of a super hacker

Page 49

on the fly - or restraints may be used in the generating procedures, such that each passcode conforms to a prearranged constitution (like "abc-12345-efgh" where letters and numbers are randomly generated). Or, computer-produced passwords may be taken randomly from a list of words or nonsense syllables supplied by the program authors, thus creating passwords like "nah.foop" or "car-back-tree".

Half-and-halves are partially user-supplied, while the rest is composed by some random process. This means that even if a user supplies the easily guessed password "secret," the computer will tack on some abstruse gibberish at the end, forming a more secure password such as "secret/5rhll".

Pass phrases are good in that they are long and hard to guess, but easily remembered. Phrases may be coherent, such as "If we were troubled by that," or they may be nonsensical: "fished up our nose." Pass phrases are used when the manager of a site is particularly security-conscious. Usually you don't see pass phrases required by a system, although the programming required to enforce a pass phrase rule is trivial.

Related to the pass phrase concept is the phrase acronym, which security experts have been applauding as a short but equally safe form of password. In a phrase acronym, the user takes an easily remembered sentence, phrase, line from a song or poem or other such thing, and uses the first letter of each word as the password. For example, the acronyms for the two pass phrases above would be "iwwtbt" and "fuon." You can see that innovations in password theory such as this will greatly increase the difficulty hackers will encounter in future electronic espionage.

The sixth password type, question-and-answer sequences, requires the user to supply answers to several (usually personal) questions: "Spouse's maiden name?", "Favorite color?", etc. The computer will have stored the answers to many such questions, and upon login will prompt for the answer to two or three of them.
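The computer-generated schemes just described (a prearranged pattern, a random word list, a half-and-half, a phrase acronym, and the trivial pass phrase rule the text says a system could enforce), as an added example in Python. This is not code from the book; the word list, the pattern notation ('a' for a letter, 'd' for a digit), the separator characters and the pass phrase thresholds are my own assumptions for illustration.

```python
import secrets
import string

# Constructed sample word list; a real generator would load a much larger dictionary.
WORDS = ["car", "back", "tree", "nah", "foop", "lamp", "river", "stone", "quiet", "moon"]


def pattern_password(pattern: str = "aaa-ddddd-aaaa") -> str:
    """Generate a password that conforms to a prearranged constitution.

    Pattern notation (my assumption): 'a' -> random lowercase letter,
    'd' -> random digit, anything else is copied literally.
    The default pattern produces passwords shaped like "abc-12345-efgh".
    """
    out = []
    for ch in pattern:
        if ch == "a":
            out.append(secrets.choice(string.ascii_lowercase))
        elif ch == "d":
            out.append(secrets.choice(string.digits))
        else:
            out.append(ch)
    return "".join(out)


def conforms(password: str, pattern: str) -> bool:
    """Check that a password matches the pattern notation used by pattern_password."""
    if len(password) != len(pattern):
        return False
    for p, c in zip(pattern, password):
        if p == "a":
            if c not in string.ascii_lowercase:
                return False
        elif p == "d":
            if c not in string.digits:
                return False
        elif c != p:
            return False
    return True


def word_password(n_words: int = 3, sep: str = "-") -> str:
    """Join randomly chosen words, giving passwords such as "car-back-tree"."""
    return sep.join(secrets.choice(WORDS) for _ in range(n_words))


def half_and_half(user_part: str, suffix_len: int = 5) -> str:
    """Keep the user's choice but append random gibberish, e.g. "secret" -> "secret/5rhll"."""
    alphabet = string.ascii_lowercase + string.digits
    suffix = "".join(secrets.choice(alphabet) for _ in range(suffix_len))
    return f"{user_part}/{suffix}"


def phrase_acronym(phrase: str) -> str:
    """First letter of each word, lower-cased; punctuation attached to a word is ignored."""
    letters = []
    for word in phrase.split():
        word = word.strip(string.punctuation)
        if word:
            letters.append(word[0].lower())
    return "".join(letters)


def meets_pass_phrase_rule(candidate: str, min_words: int = 3, min_length: int = 15) -> bool:
    """The kind of trivial rule the text mentions: enough words and enough total length.

    The thresholds are assumptions chosen for illustration.
    """
    words = candidate.split()
    return len(words) >= min_words and len(candidate) >= min_length


if __name__ == "__main__":
    print(pattern_password())
    print(word_password())
    print(half_and_half("secret"))
    print(phrase_acronym("If we were troubled by that,"), phrase_acronym("fished up our nose."))
```

All randomness comes from the `secrets` module rather than `random`, since a password generator that uses a predictable generator defeats the purpose of generating at all; `conforms` is the server-side check a system would run to confirm a generated or user-edited value still fits the required constitution.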
These question/answer sessions can be delicious to the hacker who is intimately familiar with the user whom he or she is attempting to impersonate. Systems which use question-and-answer sequences also tend to be programmed to interrupt users while online every X minutes, and require them to answer a question to reaffirm their validity. This can get pretty annoying, especially if someone's in the middle of an exciting online game when it happens. Q&A is used only rarely nowadays. When it was first proposed it seemed like a good idea, but the bothersome factor has resulted in this method being pretty much phased out.

Passwords which are predetermined by code-indicating coordinates usually rely on some external device, such as the code wheels used to deter software piracy. In any case, a set of key prompts is offered by the computer, and the user is required to return the appropriate responses to them. You'll often see this type of password being used on a system with once-only codes.

Once-only codes are passwords valid for only one access. Sometimes they are used as temporary guest accounts to demonstrate a system to potential clients. Once-only codes may also be employed by the system to allow actual users to log in for the first time; the users will then be expected to change their password from the one provided to a more secure, personal code. In situations where groups of people must log in, but security must be maintained, a list of once-only codes may be provided. Users then extract one code at a time, depending on external factors such as time, date or day. Maybe you can find a list of codes by going through the garbage of a place? The codes won't work anymore, but you'll get a sense of what the system expects from you.

Passwords Supplied By The User
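Before the discussion turns to user-supplied passwords, the once-only code scheme described in the preceding paragraph as an added Python example (not the book's code): a store that issues a batch of codes, spends each one on its first successful use so that a discarded list is worthless, flags a first-login user as needing to pick a personal password, and selects a code from a group list by an external factor such as the day of the year. The hex code format, the store layout and the method names are my assumptions.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class OnceOnlyCodeStore:
    """Issue once-only codes and spend each one on its first successful use.

    Constructed illustration of the scheme described in the text; the code
    format, the store layout and the method names are assumptions.
    """
    unused: set = field(default_factory=set)
    spent: set = field(default_factory=set)
    must_change: dict = field(default_factory=dict)  # user -> True after first login

    def issue(self, count: int) -> list:
        """Generate a batch of distinct codes, e.g. for a guest demo or a first-login list."""
        codes = []
        while len(codes) < count:
            code = secrets.token_hex(4)  # 8 hex characters, chosen unpredictably
            if code not in self.unused and code not in self.spent:
                self.unused.add(code)
                codes.append(code)
        return codes

    def redeem(self, user: str, code: str) -> bool:
        """Accept a code exactly once.

        Unknown or already spent codes are rejected, which is why a discarded
        list of codes no longer gets anyone in.
        """
        if code not in self.unused:
            return False
        self.unused.remove(code)
        self.spent.add(code)
        self.must_change[user] = True  # the user must now pick a personal password
        return True

    def needs_change(self, user: str) -> bool:
        """True while a user has logged in with a once-only code but not yet replaced it."""
        return self.must_change.get(user, False)

    def record_password_change(self, user: str) -> None:
        """Called after the user chooses a personal password; clears the first-login flag."""
        self.must_change[user] = False


def code_for_day(codes: list, day_of_year: int) -> str:
    """Pick the code a group should use today from a shared list, keyed by day of the year."""
    return codes[(day_of_year - 1) % len(codes)]


if __name__ == "__main__":
    store = OnceOnlyCodeStore()
    batch = store.issue(3)
    print("issued:", batch)
    print("first use:", store.redeem("guest", batch[0]))
    print("second use:", store.redeem("guest", batch[0]))
    print("must change password:", store.needs_change("guest"))
```

Both the unused and the spent sets are kept so that a code is never re-issued after it has been used; in a real system the spent set would also feed an audit log, since a burst of rejected codes is the signal that a stale list is being tried.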

