How To Choose a Password
Your password is what tells the computer that you are who you say you are. Until we can do retina scans like in James Bond movies, the password is the best that we can do. But, because your password is like a key to your account, you need to safeguard it. Anyone who has your password can get into your account, and your files. Anyone who can guess your password has it. Anyone who has your password can pose as you. Therefore, you may be held responsible for someone else’s actions, if they are able to get your password. You may not wish this to happen.
Tips on safeguarding your password
- First and foremost, NEVER give your password to anyone. “Anyone” means your coworkers, your spouse, your systems administrator. In the event of an emergency, the sysadmin can change your password. Your sytems administrator never has a need to know your personal password. If someone needs to get onto our machines, and has a reason to be here, do not give them access to your account. Speak to the systems staff about us setting up an account for them. We would be very happy to give them one.
- Make your password something you can remember. Do not write it down. If you really, honestly forget your password, we can easily give you a new one. We’d rather set your password once a month because you forgot it than have someone find it written down and gain unauthorized access to your account.
- Make your password difficult for others to guess. This is not as hard as it initially seems. See the section below on chosing a good password.
- DO NOT Change your password because of mail from someone claiming to be your systems administrator, supposedly needing access to your files!! This is a popular scam in some circles. Remember, your systems administrator never needs your password for any reason. If someone needs to ask you to change your password so that they can gain entry to your account, they do not have reason to be there.
We run sophisticated password crackers on the password files of our machines. If we guess your password, you will have to come see a staffer to have it changed. These are the same crackers that the bad guys have access to, so if you have a weak password, it’s better if we find out about it first.
How Not to Choose a Password
Here are some of the types of passwords that will be picked up by our crackers:
- Words in the dictionary.
- Words in any dictionary.
- Your user name.
- Your real name.
- Your spouse’s name.
- Anyone’s name (crackers don’t necessarily know that your aunt’s middle name is Agnes, but it’s easy enough to get a list of 100,000 names and try each one).
- Any word in any “cracking dictionary.” There are lists of words that crackers use to try to crack passwords: passwords that a lot of people use. Some of these lists include:Abbreviations, Asteroids, Biology, Cartoons, Character Patterns, Machine names, famous names, female names, Bible, male names, Movies, Myths-legends, Number Patterns, Short Phrases, Places, Science Fiction, Shakespeare, Songs, Sports, Surnames
- Any of the above, with a single character before or after it (“8dinner”, “happy1”).
- Any of the above, capitalized (“cat” –> “Cat”)
- Any of the above, reversed (“cat” –> “tac”), doubled (“cat” –> “catcat”) or mirrored (“cat” –> “cattac”).
- We used to tell people that taking a word and substituting some characters (a 0 (zero) for an o, or a 1 for an l) made a good password. This is no longer the case. New crackers have the capability to crack things like this, in certain situations.
- Words like “foobar”, “xyzzy” and “qwerty” are still just plain words. They are also popular passwords, and the crack programs look for them. Avoid them.
- Any of the sample passwords, good or bad, mentioned in this document.
How to Choose a Good Password
I know that coming up with a good password can be difficult, so here are some guidelines to use.
- Choose a password that is at least six characters long. This should be long enough to discourage a brute-force attack. Currently, the maximum password length on many Unix systems is eight characters, but if you want to add a few more characters to make it easier to remember, go ahead. Just bear in mind that anything after the eighth character will be ignored (so “abnormalbrain” is the same as “abnormal”).
- In general, a good password will have a mix of lower- and upper-case characters, numbers, and punctuation marks, and should be at least 6 characters long. Unfortunately, passwords like this are often hard to remember and result in people writing them down. Do not write your passwords down!
- The license plate rule: take a phrase and try to squeeze it into eight characters, as if you wanted to put it on a vanity license plate.
- Some people like to pick several small words, separated by punctuation marks of some kind.
- Put a punctuation mark in the middle of a word, e.g., “vege%tarian”.
- Use some unusual way of contracting a word. You don’t have to use an apostrophe.One of my favorite passwords was “kEp*-h&y”: “kEp” –> “keep”, “*-” –> “laser” (like those signs that you see outside of physics labs), and “h&y” –> “handy”; “Keep your laser handy!”
- You can use control characters. Just bear in mind that a lot of them have special meanings. If you use ^D, ^H or ^U, for example, you might not be able to log in again.
- Think of an uncommon phrase, and take the first, second or last letter of each word. “You can’t always get what you want” would yield “ycagwyw”. Throw in a capital letter and a puntuation mark or a number or two, and you can end up with “yCag5wyw”.
- Deliberately misspelling one or more words can make your password harder to crack.
- Use several of the techniques above.
- Something that no one but you would ever think of. The best password is one that is totally random to anyone else except you. It is difficult to tell you how to come up with these, but people are able to do it. Use your imagination!