
Is Your Password Secure?

by Lanette Olsen

Editor's Note: This article is available as a Quick Tip document entitled "Password Security: Selecting and Storing Your Passwords." It will be permanently archived on the Web at http://it.ucdavis.edu/pubs/quicktips/. You can get a paper copy at I.T. Express, in 182 Shields Library.

Security: Measures adopted to guarantee freedom or secrecy of action, communication, or the like.

Password: A secret word or phrase that one uses to gain admittance or access to information.

Your password, your secret word or phrase, allows only you access to the University of California, Davis' computing resources. Like the key to your home's front door, it provides security, keeping out unwanted intruders. Would you ever be careless or cavalier with your house keys, leaving them lying around to be picked up by just anybody? And in this day and age, how many people hide them underneath the front door mat? Not many. So then, why are electronic passwords still scribbled on sticky notes on computer screens or stashed under keyboards or in the back of desk drawers?

Some analysts estimate that more than a million passwords have already been stolen. It is often surprisingly easy to guess or steal passwords. Hackers can launch a dictionary attack, comparing your password with every word in a dictionary, foreign as well as English, in a matter of minutes. Or they can use "sniffers," programs that read every keystroke sent out from a machine, including passwords. But, as demonstrated by the questions above, a great deal of the responsibility for stolen passwords falls on users themselves. In addition to the old sticky note left on the computer screen, users willingly share passwords, send them via email, or choose ones that are too predictable and easy to guess.

Why is this important?

When someone guesses or steals a password, they can conceivably access files, email messages, funds and personal information. This access may allow them to change or destroy files or send email threats in someone else's name. And this chaos can extend beyond one account to affect others. Once intruders gain access into a system, they can monitor other machines and systems on the same network and even monitor the remote systems to which the local users connect. For example, this access may allow an unwanted intruder to gain access to confidential student or University financial information.

What can you do to help?

Well, to start with, don't leave that password lying around. Passwords, like the keys to your front door, provide security only if handled properly. Network and systems administrators can enhance security through the use of advanced security features (such as firewalls, encryption and authentication), but ultimate responsibility comes back to you, the end user.

What to include in your password:

  • Make your password easy for you to remember, but hard to guess. Use at least seven characters.
  • Use punctuation marks or symbols within your password. Do not use a blank space!
  • Always mix upper- and lowercase letters.
  • Select a unique password, not one that you are using for some other purpose.

What not to do:

  • Don't write down your password! That being said, if you find you must write it down, conceal it in some unrelated characters or in some kind of coding system.
  • Don't send your password via email. Email is not secure. (Keys in the mail? Never!)
  • Don't store your password in a file.
  • Don't use dictionary or foreign words, names, doubled names or first/last names and initials.
  • Stay away from simple transformations of words (e.g., 7eleven, seven11, etc.) or any alphabet or keyboard sequence (backwards or forwards).
  • Don't even consider short words, single characters, phone numbers, birth dates or numbers substituted for letters (like a zero instead of the letter O).
  • Be wary of programs unnecessarily requiring your password. Once you are logged in to a given computer system, it should not need to know your password again.

And remember to change your password if:

  • You have had the same one for more than six months.
  • You have told it to anyone (even Mom) or have written it down anywhere.
  • You have logged onto a system from another city or campus.
  • You are notified that it does not meet current standards.

Strategies for choosing a good password

The following are only suggestions for developing a secure password. Please, please do not use these examples! Including them in this document compromises their security.

  • Lines from a favorite childhood verse.
       Example: London Bridge Is Falling Down
       Password: LBif%Down

  • Expressions about a favorite geographical area.
       Example: I left my heart in San Francisco
       Password: iLmHiS#F
       Example: Sunny California
       Password: suNIc*al!

  • Foods liked or disliked as a child.
       Example: Fish on Fridays
       Password: FoFda!
       Example: Chocolate Pudding
       Password: cHO%dinG

You can also substitute antonyms or synonyms for your chosen words or interweave letters and characters from successive words.
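The rules above (at least seven characters, a symbol, mixed case, no blank space, no dictionary word or simple transformation of one, no alphabet or keyboard sequence, no phone number or date) can be turned into a checker that a help desk or login script could run before accepting a new password. This is an added example, not code from the IT Times or UC Davis; the tiny word list and the keyboard rows are constructed stand-ins for a real dictionary and keyboard layout.

```python
import re
import string

# Constructed mini word list standing in for a real English-plus-foreign dictionary.
WORDLIST = {"london", "bridge", "eleven", "seven", "password", "davis",
            "california", "francisco", "bonjour"}

# Alphabet, digit run and QWERTY rows; reversed copies catch backwards sequences.
SEQUENCES = ["abcdefghijklmnopqrstuvwxyz", "0123456789",
             "qwertyuiop", "asdfghjkl", "zxcvbnm"]
SEQUENCES += [s[::-1] for s in SEQUENCES]

# Common digit/symbol-for-letter substitutions (0 for O, 3 for E, $ for S ...),
# undone before the dictionary check so "Pa$$w0rd" is recognised as "password".
LEET = str.maketrans("0134578@$", "oleastbas")


def _base_words(pw):
    """Candidate base words: lowercased, letters only, and with substitutions undone."""
    low = pw.lower()
    return {low,
            re.sub(r"[^a-z]", "", low),
            re.sub(r"[^a-z]", "", low.translate(LEET))}


def check_password(pw, wordlist=WORDLIST):
    """Return the list of rules the password violates; an empty list means it passes."""
    problems = []
    if len(pw) < 7:
        problems.append("shorter than seven characters")
    if " " in pw:
        problems.append("contains a blank space")
    if not any(c in string.punctuation for c in pw):
        problems.append("no punctuation mark or symbol")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        problems.append("does not mix upper- and lowercase letters")
    if re.fullmatch(r"[\d\s().+/-]+", pw):          # digits plus typical separators only
        problems.append("looks like a phone number or date")
    if any(w in wordlist for w in _base_words(pw)):
        problems.append("dictionary word or a simple transformation of one")
    low = pw.lower()
    if any(low[i:i + 4] in seq for seq in SEQUENCES for i in range(len(low) - 3)):
        problems.append("contains an alphabet or keyboard sequence")
    return problems
```

Run against the article's own samples, LBif%Down, suNIc*al! and cHO%dinG pass every rule, while FoFda! is flagged by the seven-character rule because it is only six characters long.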

Ultimately, any password you choose has to be known to you and you alone and must conform to local procedures for constructing passwords.

For further information on this and other security issues, visit the Web at http://dcas.ucdavis.edu/security. And remember, dump those sticky notes!

Lanette Olsen is a technical writer. Doreen Meyer, from IT's Distributed Computing Analysis Support (DCAS), contributed to this article.