Guidelines for the Selection of Secure Passwords
1. General Guidelines for Passwords
Your password is the only means the computer system uses to verify your
identity. As such, it is the primary measure protecting your account,
processes, and files on the Applied Math department's Unix workstations.
Further, if an intruder gains access to your account,
they can then compromise the security of
our entire system.
Once an intruder has access to just one account on
our system, they may be able to use that foothold to break other accounts
on the system, gain read and/or write access to the files of other users,
compromise the security of our entire cluster, impair the operation of the
entire cluster, and attack the systems, staff, and reputation of the
Applied Math Department and the entire University of Colorado.
In order to enjoy the privilege of continued use of the various
departmental computing resources, you are responsible for maintaining
the security of your password and for not otherwise compromising
cluster security. Among other things, this means:
- Do not give your password to anyone else. Your account is
for your personal use ONLY. If someone does not have an account but you feel
should be allowed to use the departmental computing resources, send the person
to Computing Services to open their own account. Do not give your password
to systems staff either; authorized computing staff do not need
your password for any legitimate purpose.
- Do not keep written copies of your password, especially by
your computer or terminal or in a file on the computer.
- Change your password promptly whenever system
staff tell you to do so.
You should also change your password periodically
(annually?) and not return to a previously used
password.
- Choose a secure password. Some guidelines
for selecting secure passwords are included below.
2. Guidelines for Selecting Secure Passwords
For our examples, we will consider a user named Jane Doe from
Kansas with a brother George and whose favorite movie is
Buckaroo Banzai. Her username is jdoe.
DON'Ts
1. Your password should not be the same as your username, nor should it
contain your username or simple permutations of it. E.g.,
Jane should not use any of the following for passwords: jdoe,
JaneDoe, DoeJane, etc.
2. Your password should not contain any personal data or simple permutations
thereof. By personal data, I mean anything which someone might associate
with you. Some examples are:
- names or nicknames of yourself, family members, pets, or
friends.
- social security numbers, phone numbers, birthdates, license
plate numbers.
- any name, number or place associated with the university or
physics department or any other institutions
you belong to.
- any names, terms or numbers associated with your
research specialty.
Note that the above list is not exhaustive. Basically, you do not want any
word or number which can be associated with you. So in our example, Jane
should also avoid the following passwords: jane, george, George,
kansas, etc.
3. Your password should not contain correctly spelled English words.
Words in foreign languages are better, but still somewhat dangerous,
particularly if the language used can be guessed (e.g., your native tongue).
4. Your password should not contain names of famous people, places, things,
fictional characters, movies, TV shows, songs, etc. So Jane should not use
buckaroo, banzai, startrek, kirk, etc., as passwords.
5. Do not use any example passwords given here or elsewhere for your
password (even the ones that are listed as good).
DO's
Although passwords taken from items 3 and 4 above are not good passwords
as they are, there are some tricks which can be applied to words to
make them more suitable as passwords, as is discussed below.
These tricks are also useful for making good passwords better.
A technique some people find useful for generating good passwords is to take
the first letter of each word of a phrase as their password. So Jane could use
abbaed (from The Adventures of Buckaroo
Banzai Across the Eighth Dimension)
as a password (except for the fact that, as an example, it violates
item 5 above).
Applying the following techniques can make a bad password reasonable,
and a good password better, without making them much harder to remember.
Applying two or three of these techniques to a good password can make
it almost uncrackable.
- Embed extra characters in the word.
Symbols and control characters
are especially good. Digits are good, too. So Jane might
try: abb@8d instead of abbaed,
or buck@r0o, or ba%nz!ai.
- Misspell words, e.g. buckarew or bonzaye.
- Use unusual capitalization. All lowercase, or all
capitals, or capitalizing the first letter of words
(or all but the first letter) are somewhat common;
randomly capitalizing a letter or two is better.
So Jane might want to use bUCkarOo or baNzaI.
- Concatenate two or more words or parts of words.
- Embed one word in the middle of another, or interleave
the letters of two words, e.g., stkirkar (kirk in star)
or sktiarrk (star and kirk).
Again, combining two or three of the above is even better.
And DO NOT use any of the above examples as passwords.
3. In short
In short, a secure password
- is seven or eight characters in length
- contains numbers, punctuation and upper- and lower-case letters
- does not contain a colon (:)
- does not contain your user ID or anyone's name, either
forwards or reversed
- does not contain any string of characters associated with you
(your license plate, your telephone number, etc.),
either forwards or reversed
- is not a word that can be found in any dictionary (English,
French, Spanish, biographical, specialized, etc.),
either forwards or reversed
- is a password you can remember, so you don't have to write it
down somewhere. A secure password that you can remember easily
may contain one or more misspelled or combined words, numbers
or punctuation marks (but not a colon). Some examples: brkFst42,
OKBlu'Js, Big&gr8. Don't use these examples -- invent one
of your own.
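The checklist above can be applied mechanically before a password is accepted. The checker below is an added example, not part of the original guidelines: it runs the "In short" rules against the page's own candidates for Jane Doe (username jdoe, personal strings jane, doe, george, kansas, buckaroo, banzai). Two assumptions: the word list is a constructed stand-in for a real dictionary file, and, since the page's own good examples (brkFst42, OKBlu'Js) do not each use all four character classes, "mixes classes" is read as at least three of the four. The page's upper bound of eight characters reflects the truncation of the classic Unix crypt(3) hash; the checker enforces only the minimum, since longer passwords are fine on modern systems.

```python
import re
import string

# Constructed stand-in for a word list; a real check would load
# /usr/share/dict/words plus specialised and foreign-language lists.
DICTIONARY = {"jane", "george", "kansas", "buckaroo", "banzai", "startrek",
              "kirk", "star", "breakfast", "password", "secret"}

# Assumption: require at least three of digits, punctuation,
# upper-case and lower-case letters (the page's examples do not use all four).
MIN_CLASSES = 3

def check_password(pw, username, personal_data, dictionary=DICTIONARY):
    """Return the list of guideline violations found; an empty list means
    the candidate satisfies every rule in the 'In short' checklist."""
    problems = []
    low = pw.lower()
    rev = low[::-1]
    if len(pw) < 7:
        problems.append("shorter than seven characters")
    classes = sum([any(c.isdigit() for c in pw),
                   any(c in string.punctuation for c in pw),
                   any(c.isupper() for c in pw),
                   any(c.islower() for c in pw)])
    if classes < MIN_CLASSES:
        problems.append("too few character classes (digits, punctuation, "
                        "upper- and lower-case letters)")
    if ":" in pw:
        problems.append("contains a colon")
    # the user ID and personal strings must not appear forwards or reversed
    for item in [username, *personal_data]:
        item = item.lower()
        if item and (item in low or item in rev):
            problems.append(f"contains personal string {item!r}")
    # dictionary words forwards or reversed, compared on the letters only so
    # that digits or punctuation tacked onto a word do not hide it (kansas99)
    letters = re.sub(r"[^a-z]", "", low)
    if letters in dictionary or letters[::-1] in dictionary:
        problems.append(f"is the dictionary word {letters!r} (forwards or reversed)")
    return problems

# Jane Doe from the page: username jdoe, brother George, from Kansas,
# favourite film Buckaroo Banzai.
JANE = ("jdoe", ["jane", "doe", "george", "kansas", "buckaroo", "banzai"])

if __name__ == "__main__":
    for candidate in ["jdoe", "Kansas99!", "abb@8d", "A!eodj42", "brkFst42", "Big&gr8"]:
        verdict = check_password(candidate, *JANE) or ["ok"]
        print(f"{candidate:10} {'; '.join(verdict)}")
```

Note that A!eodj42 is rejected only because it contains jdoe reversed; the reversed check is what makes the "forwards or reversed" rules bite.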