Security Awareness

Passwords FAQ

Passwords

Why are passwords so important?

Passwords are one of the first lines of defense that you have to protect a computer system and the data stored in it. Unfortunately, people are not accustomed to remembering difficult passwords consisting of numbers and weird characters.

The ever-increasing number of passwords required to work in today's world only makes this problem worse. Many people have compensated for this problem by writing down their password and keeping that information in an unsecured area, like stuck to a computer screen. Passwords should not be written down. This is a violation of University Data and Computing Guidelines.

Some of the biggest no-no's with regard to password sharing and usage are: sharing your password, using common names such as your spouse, children, and pets as your password, sending your password in clear text, creating passwords that are too short, and creating passwords that are all alphabetic or all numeric.

For convenience's sake, most users would like to pick one password, and

1) use it for all of their accounts,

2) use it all the time,

3) never have to change it, and

4) write it down so that they can reference it if they happen to forget it during vacation.

However, the problem is if the password is easy to remember, it is easy to guess. If the password is written down, guessing doesn't even matter. And if the password is never changed, then repeated attacks are more likely to occur. One of the first things a hacker will attempt to do against a system is run a program that will attempt to guess the correct password of the target machine. These programs can contain entire dictionaries from several different languages.

In addition to words found in dictionaries, these programs often contain words from popular culture such as movies and novels. Hackers like to attack people's weaknesses. One of the major weaknesses is the reluctance to remember several long, difficult-to-guess passwords. Therefore, once one is chosen, the likelihood that the same password is used for several accounts is very high. If this is not a strong password, several accounts are vulnerable.

This is similar to the problem with default passwords because users have a tendency to keep the same password for a long period of time, thereby allowing the attacker that much more time to gain access to a system. The best passwords are non-words that include at least one number. For example, you can use the first letters from the words in a phrase/song - I Love Paris In The Spring. The password would be ILPITS6.

Date Revised : 2003-06-05


What should I know about creating a good password?

Every year thousands of computers are illegally accessed because of weak passwords. The following is a list of the things a user should NOT do:

  • Write down a password on a sticky note placed on or near your computer.
  • Use a word found in a dictionary. That's right, a dictionary. Any dictionary!
  • Use a word from a dictionary followed by 2 numbers.
  • Use the names of people, places, pets, or other common items.
  • Share your password with someone else.
  • Use the default password provided by the vendor.

Date Revised : 2003-06-05


Why do some computer systems restrict what I can use for a password and others do not?

Different computer systems contain different features. These features include restricting the length and content of your password (e.g., requiring at least 1 digit, not allowing the logon/operator id or your name in the password, requiring a special character such as # or %, etc.), or comparing your password to a list of restricted words (words you cannot use as a password).

Policy Referenced : Responsible/Acceptable use of Computing and Data Resources (PDF)

Date Revised : 2006-03-22


Can I share my logon id/operator id and password?

No. Logon/operator ids should never be shared. You should also not log onto a computer or into an application with your logon/operator id and then let someone use your access. Both situations are a violation of the University Responsible/Acceptable Use of Computing and Data Resources.

If someone else needs access, they should apply for their own logon/operator id.

Policy Referenced : Responsible/Acceptable use of Computing and Data Resources (PDF)

Date Revised : 2006-03-22


Can I store my password in the computer or in a program so I don't have to type it in?

No. You should never store access passwords in batch files, in automatic login scripts, in terminal function keys, in computers, or in other locations where another person might discover them. By storing your passwords so you don't have to enter them, you are leaving your computer account/system open to misuse. You are responsible for any security breaches performed using your ids/accounts.

Policy Referenced : Responsible/Acceptable use of Computing and Data Resources (PDF)

Date Revised : 2006-03-22


Does it matter what I use for a password?

Yes, the easier the password is, the easier it is for a hacker to guess it. You should select a password that is difficult to guess and is NOT personally related to you. Don't pick a password that someone can easily guess. What types of things are easy to guess? Here's a list of things that you should not use because they are easy to guess:

  • Your logon/operator id in any form (as-is, reversed, capitalized, doubled, etc.)
  • Names (first, last or nickname)
  • Information easily obtained about you (e.g., your birth date, spouse/partner's name, pet's name, favorite sports team, license plate numbers, telephone numbers, the brand of your automobile, the name of the street you live on, etc.)
  • Employee or social security number
  • Repeating characters (e.g., 111111 or ababab)
  • Common character sequences (e.g., "123456" or "abcdef")
  • Common words that can be found in a dictionary
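The checks a system applies when it "restricts what you can use for a password" (length, required digit and special character, no logon id or name in any form, no repeating or sequential characters, no dictionary word even with two digits appended) can be written down as a small policy function. The following is an added example, not code from the University or from any real system; the minimum length of 8, the tiny restricted-word list and the sample logon id are all assumptions chosen for illustration.

```python
import re

# Constructed stand-in for a restricted-word list; a real system would load a
# full dictionary (possibly in several languages) plus pop-culture words.
RESTRICTED_WORDS = {"paris", "password", "welcome", "spring", "redjello", "rocky"}
COMMON_SEQUENCES = ("123456", "abcdef", "qwerty")


def user_forms(identifier):
    """The forms of a logon id or name the FAQ forbids: as-is, reversed and
    doubled. Comparison is case-insensitive, which also covers 'capitalized'."""
    ident = identifier.lower()
    return {ident, ident[::-1], ident * 2}


def is_repeating(pw):
    """True for passwords like 111111 or ababab: a 1- or 2-character block
    repeated for the whole length."""
    return any(pw == pw[:n] * (len(pw) // n) for n in (1, 2) if len(pw) > n)


def check_password(pw, logon_id, names=(), min_length=8, words=RESTRICTED_WORDS):
    """Return the list of policy violations; an empty list means the password
    passes every check described in the FAQ."""
    problems = []
    low = pw.lower()
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if pw.isalpha() or pw.isdigit():
        problems.append("all alphabetic or all numeric")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no special character")
    for ident in (logon_id, *names):
        if any(form and form in low for form in user_forms(ident)):
            problems.append(f"contains logon id or name '{ident}'")
    if is_repeating(low):
        problems.append("repeating characters")
    if any(seq in low for seq in COMMON_SEQUENCES):
        problems.append("common character sequence")
    # A dictionary word on its own, or followed by one or two digits ("paris12")
    stem = re.sub(r"\d{1,2}$", "", low)
    if low in words or stem in words:
        problems.append("dictionary word (optionally followed by digits)")
    return problems


if __name__ == "__main__":
    # "jsmith" is a constructed sample logon id
    for candidate in ("paris12", "htimsj#1x", "ILPITS6#"):
        print(candidate, "->", check_password(candidate, "jsmith") or "OK")
```

Passwords built from the FAQ's own mnemonic technique (ILPITS6 with a special character appended) pass, while a dictionary word with two digits, or the logon id reversed, is rejected with the reason named.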

Here are some tips on creating good, secure passwords: It is best to use a non-word that does not contain all numbers or all letters. Use a combination of letters and numbers.

For example, you can use the first letters from the words in a phrase, song or rhyme to help you remember: I Love Paris In The Spring (ILPITS6); My four children are wonderful when they're sleeping (M4CAWWTS); My anniversary is April 4, remember that date (MAIA4RTD); Ali Baba had forty thieves (ABH40T).

Try substituting letters for numbers (or vice versa), such as: E equals 3, I equals 1, for equals 4, two equals 2, B equals 8, see or sea equals C, etc. For example, use R3DJ3LLO instead of REDJELLO (substitute the E's with 3's), or BCL1NT0N instead of BCLINTON (substitute I and L with 1's and O with zero).

Use keywords related to a theme. Choose a common, significant event: a honeymoon, the birth of a child, a new car, a new job. Example phrases associated with a birth might be blueeyes4, hurry7, onepush9, crankyRN1, roomsix2 and icechips5. Ideas associated with a new car could be deepblue4, 6CDs, 5speed and TiresGrip7. The idea here is that you use a variety of words associated with an event that other people would not readily guess.

Consistently capitalize the nth letter(s) of your password. Some systems require that at least one character be uppercase. Many people capitalize the first character, but this is too predictable. Instead, always capitalize the second, third or fourth letter, or perhaps always the last or next-to-last. Some examples: huRry2, roCky9, puRple6, roCket7. For further interest, you can capitalize more than one letter, for instance the first and third, or the second and fourth.

Avoid predictable week-to-week or month-to-month changes. One example of a predictable pattern to avoid: eyesJan01, eyesFeb02, eyesMar03, etc. If someone was lucky enough to discover your password long ago, you don't want him to be able to predict what it will be in the future.

Policy Referenced : Responsible/Acceptable use of Computing and Data Resources (PDF)

Date Revised : 2006-03-22


How often does my password have to be changed?

The time required between password changes is set for each computer system (e.g., computer, network, etc.) or web browser based on the type of data being accessed (i.e., how sensitive or confidential it is). In general, security best practices call for 30 days between password changes. Contact your system administrator to find out your system's specific requirements.

Policy Referenced : Responsible/Acceptable use of Computing and Data Resources (PDF)

Date Revised : 2006-03-22


Should I tell my supervisor my password?

It is a violation of the University's Responsible/Acceptable Use of Computing and Data Resources to permit someone to use your account. This includes giving the other person your id and password, and logging on to a computer/network with your id/password and letting the other person use your access. It may be possible for the other individual to receive their own computer account that will allow access to the same information, or your system administrator may be able to allow shared access to the same file. Remember: you are the owner of your computer account. All activity (legitimate or illegitimate) within that account will point back to you and will be your legal responsibility.

Policy Referenced : Responsible/Acceptable use of Computing and Data Resources (PDF)

Date Revised : 2006-03-22


How can I create a strong, secure password?

Tips for creating good, secure passwords: It is best to use a non-word that does not contain all numbers or all letters. Use a combination of letters and numbers.

For example, you can use the first letters from the words in a phrase, song or rhyme to help you remember: I Love Paris In The Spring (ILPITS6); My four children are wonderful when they're sleeping (M4CAWWTS); My anniversary is April 4, remember that date (MAIA4RTD); Ali Baba had forty thieves (ABH40T).

Try substituting letters for numbers (or vice versa), such as: E equals 3, I equals 1, for equals 4, two equals 2, B equals 8, see or sea equals C, etc. For example, use R3DJ3LLO instead of REDJELLO (substitute the E's with 3's), or BCL1NT0N instead of BCLINTON (substitute I and L with 1's and O with zero).

Use keywords related to a theme. Choose a common, significant event: a honeymoon, the birth of a child, a new car, a new job. Example phrases associated with a birth might be blueeyes, hurry, onemorepush, crankyRN, coldbracelet, roomsix and icechips. Ideas associated with a new car could be deepblue4, 6CDs, 5speed and TiresGrip7. The idea here is that you use a variety of words associated with an event that other people would not readily guess.

Consistently capitalize the nth letter(s) of your password. Some systems require that at least one character be uppercase. Many people capitalize the first character, but this is too predictable. Instead, always capitalize the second, third or fourth letter, or perhaps always the last or next-to-last. Some examples: huRry2, roCky9, puRple6, roCket7.

For further interest, you can capitalize more than one letter, for instance the first and third, or the second and fourth. Avoid predictable week-to-week or month-to-month changes. One example of a predictable pattern to avoid: eyesJan01, eyesFeb02, eyesMar03, etc. If someone was lucky enough to discover your password long ago, you don't want him to be able to predict what it will be in the future.

Policy Referenced : Responsible/Acceptable use of Computing and Data Resources (PDF)

Date Revised : 2006-03-22


Is there some way to check to see if I have a strong password?

You can check the quality of your password at SecurityStats.com. This Web site performs calculations based on the complexity and "guessability" of your password and tells you how good your password is. Remember that your password is transmitted over the Internet in the clear, so you should try similar passwords instead of your actual passwords to get an idea of the characteristics of a good one.

Policy Referenced : Responsible/Acceptable use of Computing and Data Resources (PDF)

Date Revised : 2006-03-22
