Archive for the ‘weak passwords’ Category

Create stronger passwords and protect them

August 25th, 2014

All week we’ll be posting our best guidance on how to create, protect, and manage your passwords.

Passwords are your first line of defense against hackers. Pick passwords that are difficult to crack but easy for you to remember.

What does “difficult to crack” mean?

Each time cybercriminals hack into a database of passwords, they learn more about the kinds of passwords that people use. (Come back on Friday to read Part 3 of our password series on what passwords you should never, ever use.) Now, even passwords that we think are tricky can be guessed by cybercriminals who’ve harnessed the right technology to crack passwords.

The best passwords are the most unpredictable

Stuart Schechter and other colleagues from Microsoft Research have developed a free online tool that helps you avoid passwords that are predictable. Try the tool.

A strong password:

  • Contains at least eight characters.

  • Does not contain your user name, real name, or company name.

  • Does not contain a complete word.

  • Is significantly different from previous passwords.

  • Is different from passwords that you’ve used on other websites.

Get more advice on how to create strong passwords.
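The five rules above can be turned into a mechanical check that an account-provisioning script or self-service portal can run before accepting a new password. The following Python is an added example, not code from the original post or from Microsoft; the word list, the similarity threshold and the sample inputs are constructed for illustration, and a real deployment would load a full dictionary file and the user's actual password history.

```python
import difflib
import re

# Constructed stand-in for a dictionary file (assumption: a real check
# would load a full word list instead of this handful of entries).
COMMON_WORDS = {"password", "welcome", "summer", "dragon",
                "monkey", "letmein", "football"}


def contains_complete_word(password, words=COMMON_WORDS, min_len=4):
    """Rule 3: reject passwords that embed a complete dictionary word."""
    lower = password.lower()
    return any(w in lower for w in words if len(w) >= min_len)


def similarity(a, b):
    """Ratio in [0, 1] of how alike two strings are, case-insensitive."""
    return difflib.SequenceMatcher(None, a.lower(), b.lower()).ratio()


def check_password(password, user_name="", real_name="", company_name="",
                   previous=(), other_sites=(), max_similarity=0.6):
    """Return the list of rule violations; an empty list means the
    candidate satisfies all five rules from the post."""
    problems = []

    # Rule 1: at least eight characters.
    if len(password) < 8:
        problems.append("shorter than eight characters")

    # Rule 2: must not contain the user name, real name or company name
    # (each name is split into parts so "Jane Doe" catches "doe" too).
    lower = password.lower()
    for label, name in (("user name", user_name),
                        ("real name", real_name),
                        ("company name", company_name)):
        for part in re.split(r"\s+", name.strip()):
            if len(part) >= 3 and part.lower() in lower:
                problems.append(f"contains your {label} ('{part}')")

    # Rule 3: no complete dictionary word.
    if contains_complete_word(password):
        problems.append("contains a complete dictionary word")

    # Rule 4: significantly different from previous passwords; the 0.6
    # threshold is an assumed value, not one stated in the post.
    for old in previous:
        if similarity(password, old) >= max_similarity:
            problems.append("too similar to a previous password")
            break

    # Rule 5: not reused from another website.
    for other in other_sites:
        if password == other:
            problems.append("reused from another website")
            break

    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ("Welcome2014", "jdoe1234", "T4r!vZ9q@Lu3"):
        issues = check_password(candidate, user_name="jdoe",
                                real_name="Jane Doe", company_name="Contoso",
                                previous=["xK7#pq2!Ln"])
        print(candidate, "->", issues or "OK")
```

The similarity check uses `difflib.SequenceMatcher`, so a password that differs from the previous one by a single incremented character is rejected even though a plain equality test would pass it; that is the "significantly different" part of rule 4.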

6 ways to protect your password

Once you’ve chosen a strong password, you can protect it from hackers by following a few simple rules:

  1. Don’t share your password with friends.

  2. Never give your password to people who call you on the phone or send unsolicited email, even if they claim to be from Microsoft.

  3. Change your password regularly.

  4. Tell your children not to share your passwords (or theirs) with anyone. Check back tomorrow for more guidance on how to help kids create and protect their passwords.

  5. Evaluate password managers and other password tools carefully. If they keep all your passwords in the cloud, they should use encryption. If the service has problems, understand that you might be locked out of your accounts.

  6. Enable two-step verification. Two-step verification uses two ways to verify your identity whenever you sign in to your Microsoft account. Two-step verification is optional, but we recommend that you use it. Learn how to turn it on.

Learn more about how to protect your passwords.

SIRv12: The obstinacy of Conficker

April 25th, 2012

Conficker is one of the most significant threat families facing organizations worldwide today; its initial impact along with its continued obstinacy shows that clearly. In the fourth quarter of 2011 – three years after its initial release – it attempted to infect just over 1.7 million computers. Conficker’s persistence is illustrated not only by the number of computers it has attempted to infect, but also by the nearly 59 million attacks launched against those computers in the fourth quarter of 2011. But perhaps the most interesting manifestation of its obstinacy is that it has been the number one threat facing businesses for the past two and a half years.

Figure 1. Conficker affects a higher percentage of business computers than consumer computers

The nature of how later Conficker variants spread is the key to understanding what makes the worm so much more of an issue for businesses than for consumer users. Initially the worm spread through the Internet solely by exploiting a software vulnerability in the Windows Server service that had been addressed months earlier in Microsoft Security Bulletin MS08-067. About one month later, Conficker was updated to spread using the Autorun feature and weak passwords or stolen login tokens. The use of weak passwords and stolen login tokens was the change that gave it a foothold in the business sector environment.

Once later variants of Conficker infect a computer, they attempt to spread by copying themselves into administrative shares of other computers on the network. First the malware tries to use the current user’s credentials to copy itself, but if that fails it attempts to exploit weak passwords; the worm uses a pre-existing list of common weak passwords that it carries with it. If that fails, Conficker remains dormant until new credentials are available. If a remote administrator logs into the infected computer to try to clean it or diagnose problems caused by the worm, Conficker uses the administrator’s login token to infect as many computers as possible. The combination of these credential-based attacks accounted for 100% of all recent infection attempts from Conficker targeting Enterprise Microsoft Forefront Endpoint Protection users on Windows 7 and Windows Vista platforms.
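The behaviour described above leaves a recognisable trace on the target side: a single source host produces a burst of failed logons to administrative shares across several different accounts in a short time, sometimes followed by a success once a weak password matches. The Python below is an added example, not code from the original post or from Microsoft, showing how a defender could flag that pattern. The log format and the sample lines are constructed for illustration (assumption: a real deployment would map Windows logon-failure events or file-server audit records into this shape), and the window and threshold values are assumed, not taken from the post.

```python
from collections import defaultdict
from datetime import datetime
import re

# Constructed sample authentication log in a simplified line format.
# 10.0.0.15 hammers several accounts on ADMIN$ within a few seconds and
# finally succeeds; 10.0.0.22 is an ordinary user mistyping once.
SAMPLE_LOG = """\
2012-04-20T10:00:01 src=10.0.0.15 user=administrator share=ADMIN$ result=FAIL
2012-04-20T10:00:02 src=10.0.0.15 user=administrator share=ADMIN$ result=FAIL
2012-04-20T10:00:02 src=10.0.0.15 user=backup share=ADMIN$ result=FAIL
2012-04-20T10:00:03 src=10.0.0.15 user=helpdesk share=ADMIN$ result=FAIL
2012-04-20T10:00:04 src=10.0.0.15 user=svc_sql share=ADMIN$ result=FAIL
2012-04-20T10:00:05 src=10.0.0.15 user=svc_sql share=ADMIN$ result=OK
2012-04-20T10:05:00 src=10.0.0.22 user=jdoe share=C$ result=FAIL
2012-04-20T10:30:00 src=10.0.0.22 user=jdoe share=C$ result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"share=(?P<share>\S+) result=(?P<result>\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for unparseable input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def find_credential_guessing(log_text, window_seconds=60,
                             min_failures=4, min_accounts=3):
    """Return {source: finding} for hosts whose failed share logons within
    any window of window_seconds reach min_failures and span at least
    min_accounts distinct user names (assumed thresholds)."""
    failures = defaultdict(list)   # src -> [(timestamp, user), ...]
    successes = defaultdict(set)   # src -> {user, ...}

    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["result"] == "FAIL":
            failures[ev["src"]].append((ev["ts"], ev["user"]))
        else:
            successes[ev["src"]].add(ev["user"])

    findings = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        # Sliding window over the sorted failures for this source.
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            window = events[start:end + 1]
            users = {u for _, u in window}
            if len(window) >= min_failures and len(users) >= min_accounts:
                # Keep the largest qualifying window seen for this source.
                if src not in findings or len(window) > findings[src]["failures"]:
                    findings[src] = {
                        "failures": len(window),
                        "accounts": sorted(users),
                        # Accounts that were guessed at and later logged in:
                        # the ones to reset first.
                        "also_succeeded": sorted(successes[src] & users),
                    }
    return findings


if __name__ == "__main__":
    for src, finding in find_credential_guessing(SAMPLE_LOG).items():
        print(src, finding)
```

Requiring several distinct accounts, not just several failures, is what separates a worm walking a password list from a single user who has forgotten a password, and the `also_succeeded` field tells the responder which credentials were actually compromised and should be changed before the remote administrator logs on to clean the host.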

Figure 2. How Conficker spreads through corporate networks

Despite Microsoft removing Conficker from approximately 283,000 computers per quarter on average for the past year, the worm continues to be persistent. As an illustration of this, the average number of attacks per system throughout 2011 is on the rise. During the first quarter of 2011 the average number of times Conficker attacked a single computer was 15, but by the fourth quarter that number had more than doubled to 35.

Figure 3. The average number of Conficker attacks per system is on the rise

One of the primary ways to defend against Conficker is by enforcing a strong password policy. A single computer with a weak password could easily be enough to cause a major disruption inside a corporate network, especially considering the increasing trend in the number of Conficker attacks per computer. If the worm does get inside a network, a good guide to cleaning it out can be found in the How-to: Removal of Conficker in your FCS environment blog post. Along with strong passwords, it is important to keep systems up to date by regularly applying available updates for all software being used and to use antivirus software from a trusted source, and make sure AV signatures are regularly updated.

You can find more information on the obstinacy of Conficker, as well as other global and regional trends in Internet security, in our latest Microsoft Security Intelligence Report, volume 12, which launched today.

– Joe Blackbird, MMPC
