Selecting a Password

Do not choose any of your passwords hastily. Choosing a poor password can result in your account being accessed by someone else and/or deactivated by CCIT staff.

You may think that there is nothing valuable in your accounts or it may seem that you don’t have anything to lose if your accounts are hacked, but neither of these are true. If others can gain access to your account, either because you give them the password or your password is blank or easily cracked your name and credentials can be used to:

  • Launch a cyber-attack on other computers systems around the world
  • Illegally store and distribute copyrighted materials
  • Illegally store and distribute various types of pornography, including child pornography
  • Send insulting or libelous email
  • Send hate mail from your account

People who break into your account are likely trying to steal your identity. You can lose your good name and reputation. You might be liable for crimes committed using your account credentials. Imagine how difficult it would be if obscene, racist or threatening email was sent from your account, with your name attached, to your friends, family, peers, strangers and world-wide news groups; it could be as difficult to overcome and correct as a public scandal!  CCIT offers the following adive on passwords.



Bad Password Categories

Passwords should never be:

Any word, in any dictionary, in any languageAny formal name or nickname, including your spouse's, child's, or pet's
Fictional termsThe name of any author, composer, musician, band, or actor
Movie, book or composition titlesAny special number or all numerals: 12345678   99999999  or  911911911
AcronymsCombination's of letters or patterns on the keyboard: qwerty
Phrases like yougogirl or can'touchthisGreat license plates you have seen: one2nv, upupnoa, ibuy4u
Fable titles, legendary characters or races, mythological placesNeat word/letter combination's: aTdHvAaNnKcSe (THANKS in advance)
Anything you can imagine being collected into a listPasswords that are all one case: sureischarming or DAVIDISFUNNY
  Any place name, whether city, county, country, crossroads, forest, or place of natural beauty; real or fictional

Passwords should never be a simple algorithm applied against something in #1, above:

Any word spelled backwards: special -> laicepsAppending or prefixing digits to a word: apple639 or 123apple
Substituting numbers for vowel: richard -> r1ch2rdAppending or prefixing special characters to a word: apple@ or $klingon
Common number substitutions for letters: move -> mov3Changing all, or just the vowels of a word, to numbers or special characters: banana -> bAnAnA b1n2n3 or b*nana

Passwords should not contain information that can be gathered by knowing your name or user name.

This category is really an addition to “A” above, but is dynamic depending upon your own personal information.

Your user nameYour user index/number (for Unix, the UID and GID)
User name owner information (for Unix the gecos field) which commonly contains your namePersonal details that can be derived from this information or your initials

Passwords should not  be written down or kept on un-encrypted media.
Passwords should not contain personal information that can be gathered if you are specifically targeted:

Your social security number Your license plate number
Your CWID or EKey Your street address or the address where you were born
Your pasport number The serial number from your cell phone, camera, computer or stero
Your phone number, your parent's phone number, your (or your wife's) maiden name, your mother's maiden name

This may seem to be just about everything, right? A good password needs to be something that is not derivable in a semi-automatic manner. The above categories A-C represent known information, or easily derived information, that can be exhaustively applied by a hacker to break your password. Category D represents information that would be applied to specifically break your account, as opposed to any account on a machine. While this may seem to be a very remote possibility, if you are ever personally targeted, it is potentially much more damaging.



Three final items:

  • Make sure you know how many characters the system allows for a password: a good 14 character password may become a terrible password if the system only uses the first 8 characters. The maximum number of characters for a password on the Slate cluster is 8. Passwords on the Computing Center PC network should be 8 to 14 characters.
  • Make sure you know which characters are un/acceptable by the system. Known unacceptable characters in Windows are:” / \ : ; | = , + * ? < >
  • Look at your password selection to make sure it doesn’t duplicate a bad password: a (usually) good personal password generation algorithm can generate a bad password; the good and the bad may be the result of orthogonal approaches intersecting with a bad password. For example, a potentially good password, xr3pall, would be bad if your name was Xavier Richard Pall, III.

Methods for generating good passwords;

  1. If the maximum password length is long enough, you can use two unrelated words together, perhaps separated by some punctuation or numbers.
  2. Use the first letters of words in a memorable phrase. The phrase “Mary had a little lamb” produces the password Mhall. Obviously, memorable is good but traditional or classical is risky. Make up your own phrase…
    “I got a speeding ticket on 6th Avenue” generates: igasto6a
    “He ate 9 hotdogs in 1 minute!” generates: ha9hi1m!
  3. Use grossly misspelled or mispronounced words with mixed cases. Be careful that you don’t just substitute phonetic spellings.
    Examples: fumigate -> FooMiGayT migraine -> MuhGrayNee waterbuffalo -> witTerbifLow
  4. Tighten up a good password into a better password: use both upper and lower case characters, add punctuation and/or numbers, depending on what the system allows.
    Examples: igasto6a -> iGAsto6A or Igasto6A DAVIDISFUNNY -> daVIDb!Fu~~Y
  5. If you have a good memory, use eight or more, preferably the maximum allowed, random characters.

It is critical to “tighten up” passwords that are eight characters or less. Simple, short passwords are easily cracked (decoded). The number of characters that make up a “short” password keeps growing as computers get faster. (What is considered sufficient length for a password today will be short in the future.)

After you have created a good password, how do you improve the odds of remembering it? Use your new password immediately: change your password and then logout and log back in. After ten minutes (about the length of short-term memory) use your new password again: logout and back in. (Changing your password Friday afternoon just before leaving for the weekend can make the new password very difficult to remember). If you absolutely need to write down your password, make sure that anyone seeing it or finding it cannot determine what it is: make sure that it is unrecognizable and cannot be associated with your account/user name. This is the same principle that applies to the pin number for your credit/bank card – and it can be even more costly.

How often do you need to change your password? The effective half-life of your password depends on its exposure. Piano players can read your keystrokes if they can see your hands. Did you write down your password? If you had to write it down, the fact that it was necessary does not lower the resultant risk. Was it accidentally displayed on the screen? Did you login from the hospitality suite at the conference? Do you have a nagging feeling that you should change it? Is it a good, strong password? It is better to have a good password for months than a bad password for days.