|
|
Accounts and Passwords - Password Guidelines
The following is a list of DOs and DON'Ts for choosing your password.
Some DOs:
- Use a password that is easy for you to remember so you don't have to write it down.
- Consider misspelling two words and sticking them together to create a nonsense word.
- Consider taking two short words and concatenating them together with a number between them
- Consider using the first letter of every word of a phrase, poem, song etc. Make sure you do not choose a common phrase or song (for example: Star Spangled Banner). For example:
- phyrekat4 (fire cat 4)
- dog2rain
- Consider changing vowels to numbers. o = zero, i = one, e = three, a = four. For example:
- b1gc0w (big cow)
- t1gg3r (tigger)
- Use a password you can type quickly, without having to look at the keyboard. This makes it harder for someone to steal your password by watching over your shoulder.
- Consider using a combination of dates, abbreviations, initials, etc that have some kind of meaning to you but are difficult to guess. For example:
- anb5in99(Amy and Brad's fifth anniversary is in 99)
- 1sth0997(Purchased your first home in September 97)
Some DON'Ts:
- Don't use any word found in any dictionary in any form.
- Don't change the capitalization of the word, or reverse the lettering of it.
- Don't double the word.
- Don't use geographical names, words from an encyclopedia, or words from any other language. For example:
- secret
- secret2secret
- scotland2
- treceS
The reason for this is that first thing password cracking programs will try as a user's password are words from a dictionary. The dictionary the password cracker uses is often very large, containing words from various dictionaries and word lists. On UNIX systems this includes /usr/dict/words. People around the world have turned nearly every language's dictionary (including languages like Klingon) into a dictionary for a password cracking program.
- Don't use any name. First and last names are likely to be part of the dictionary the password cracking program will try (it is likely that someone has converted A 1001 Baby Names to a Crack Dictionary). Also, your name, the name of a person close to you or a pet’s name is something a hacker could find out about you. Anything a person can learn about you is a bad password.
- Don't use your birthday, your spouse's birthday, children's birthdays, any other relative's birthday. Never use your anniversary. For example:
Birthdays and anniversaries fall into the category of something a hacker could learn about you by looking up public records, therefore they are bad passwords. Using all digits is prohibited because it greatly reduces the search space a hacker must examine to find your password.
- Don't use your phone number (home or work) or address (home or work). Never use phone numbers or addresses of relatives or close friends. For example:
- phone2863016 (phone number)
- 535Beacon (address)
Again, phone numbers and addresses are very easy pieces of information a hacker could learn about you, and phone number, like dates, are mostly digits which rules them out a second time.
- Don't use your license plate or the make and/or model of your car. For example:
- GrandPrix425
- Chevrolet1000
The make and model of all major vehicles are included in most password cracking dictionaries and some hackers have been known to write software to generate a list of all possible valid license plates for a given state. These are also a few more things that are easy to learn about you.
- Don't use any of your hobbies, interests, favorite sports teams, favorite music bands, favorite books, favorite movies, etc. For example:
- NYyankees1999
- AchristmasCarol98
- Don't use any word, phrase, symbol, abbreviation, etc. describing where you work or go to school, the project that you are working on, or anything found in your plan or project files. For example:
- SUBrm232 (Student Union Building, room 232)
Once more, a hacker can easily learn these things about you. Also, these types of things are often found in either the plan or project files for users. At least one popular password cracking program (Crack) can be configured to read every users' plan file and add every word in that file to the dictionary used by that program.
Just some general rules regarding your password:
- NEVER share your password with anyone else for any reason.
- NEVER write your password down anywhere.
- NEVER send your password in an e-mail message.
- DO NOT contact your helpcenter administrator by e-mail to report anything security related. If someone has broken into the computer you can safely assume they can read any and all mail messages and files on the system. Call the Help Desk at x711 from on campus or 866-295-3070 from off campus.
- ALWAYS use different passwords for different administrative domains (work, home, etc). If the systems have different administrators your account should have different passwords.
- ALWAYS change your password if you think it has been cracked or if you are told to by your administrator.
- The only exception to this rule is if someone claiming to be an administrator asks you to change your password to a string they provide. In this case do not change your password, the person is likely trying to break-in using your account with this new password.
- ALWAYS inform the Help Desk if you think your password has been cracked or if you are asked to change your password to a given value as in the example above.
|
|
|
ETS Links
|
|
|
|
|
|
