
Tips for Choosing a Password

Overview

Passwords are the key to many systems and applications. Your password helps prove who you are, ensures your privacy, and helps protect the privacy of data you may have access to.

Compromised passwords are one of the means by which unauthorized people gain access to a system. Someone logging on under your name not only has access to your computer files, but can also reach your co-workers' files through your file server and can impersonate you to send malicious e-mail.

You are often asked to choose and maintain a password for various purposes (e.g. to sign on to a file server, access your e-mail, or use a password-protected screen saver). At the University of Minnesota, there are two widely used passwords, the Internet and Enterprise. These passwords allow access to important central (e.g. central e-mail, WebCT, Tech Mart, some department web pages) or Enterprise systems (e.g. PeopleSoft, Financial FormsNirvana, Electronic Grants Management System, Enterprise Document Management System) at the University.

It's important to choose a good password and protect it, since there are many password-cracking programs readily available on the Internet and passwords are the key to access many computer systems or applications. Each system or application may have different password restrictions or requirements.

General Guidelines for Choosing a Password

Do Choose:

  • Something obscure. For instance, you might deliberately misspell a term or use an odd character in an otherwise familiar term (e.g. pHnEbon). Or use a combination of two unrelated words and a combination of letters and numbers (e.g. MutT37Yu)

  • A combination of letters and numbers, or a phrase like "many colors" and then use only the consonants, "mnYc0l0Rz".

  • The first letter from each word or phrase (e.g. TaYrrTooT, represents a line in the song "Tie a Yellow Ribbon Round That Old Oak Tree")

  • Long uncommon phrase (e.g. The quick brown fox kicked the box)

  • To alternate between one consonant and one or two vowels to create a nonsense word. This produces nonsense words that are usually pronounceable and thus easily remembered (e.g. rouTBoo or QuaDPop).

  • A combination of letters, numbers and special characters in a word (wR1t#rS, represents writers)

(Note: U of M Internet passwords must be 6-125 characters, with a mix of numbers and letters. U of M Enterprise passwords must be 8-128 characters, with a mix of numbers and letters.)

Other Tips

  • Use a minimum of 8 characters (system permitting).

  • Use mixed case wherever possible. Use uppercase on more than the first letter.

  • Include at least two digits or special characters (#, >, $).

The idea is to make it harder for the automated password cracking programs to figure out the password.

** These examples should NOT be used as they are now published widely! **

Don't Choose:

  • Simple words that are easy to remember, such as common or famous names of people or places.

  • Words that can be easily associated with you, such as your birth date, your name, spouse or child's name, pet's name, street.

  • Hello, password, welcome, etc.

  • Common words from English, foreign language or technical dictionaries

  • Keyboard patterns (e.g., qwerty) or duplicate characters (e.g. aabbccdd).

  • A new password made by simply changing one character in your existing password (e.g. Kathy5).

  • The same password on important and trivial systems (e.g. production and test systems).
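The "Other Tips" and "Don't Choose" rules above can be checked mechanically. The following is an added example, not part of the original article: the function names, the deny list contents and the reading of "duplicate characters" as three identical characters in a row or two doubled characters back to back are assumptions of this sketch.

```python
import re

# Constructed deny list: the words the page names plus its published samples.
DENY = {"hello", "password", "welcome", "phnebon", "mutt37yu", "mnyc0l0rz",
        "tayrrtoot", "routboo", "quadpop", "wr1t#rs"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def has_keyboard_run(pw, run=5):
    """True if pw contains `run` adjacent keys of one row, either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            chunk = row[i:i + run]
            if chunk in low or chunk[::-1] in low:
                return True
    return False


def one_edit_apart(a, b):
    """True if b is a with one character changed, added or removed."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    return a[i + 1:] == b[i + 1:] if len(a) == len(b) else a[i:] == b[i + 1:]


def check_password(pw, old=None):
    """Return the guidelines pw violates; an empty list means it passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw[1:])):
        problems.append("needs mixed case beyond the first letter")
    if len(re.findall(r"[^A-Za-z]", pw)) < 2:
        problems.append("needs two digits or special characters")
    if pw.lower() in DENY:
        problems.append("common or published password")
    if has_keyboard_run(pw):
        problems.append("keyboard pattern")
    if re.search(r"(.)\1\1|(.)\2(.)\3", pw):  # aaa or aabb style repeats
        problems.append("duplicate characters")
    if old is not None and one_edit_apart(old, pw):
        problems.append("one character away from the old password")
    return problems
```

A real deployment would replace the short deny list with a full dictionary of common and previously exposed passwords.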

Additional Information on Passwords

Change your passwords:

  • Every 90-360 days, depending on the criticality of the system.

  • If your password has been compromised or you suspect it's been compromised.

Safeguard your password:

  • If you need to write it down, keep it in a secure location (e.g., in your wallet or in a locked file). Or write down hints, not the password. Do not leave it on or in your desk.

  • Do not disclose your password to others, including system administrators. If you do share it, make sure you change it immediately.

  • Never store a password in an electronic file or use the "save my password" feature for important passwords.

  • Never send a password by email, unless encrypted.

  • When vacating your workstation, completely log off the system or otherwise secure the terminal from unauthorized use.

  • When vacating a public computer (Kiosk or public lab), completely log out and quit the application before you leave.

  • If you terminate your University employment or change departments, contact your Technical Coordinator to let them know that access is no longer needed.

 

Ways to develop stronger passwords:

  • Use more characters (up to 14 for Windows).

  • Use a combination of the guidelines for how to establish a good password.

  • Run your password through one of the common password cracking programs.

  • Change your password more frequently.

  • Avoid using the same password on multiple systems, especially test and production systems.

Some General Guidelines for Server Administrators

  • Change vendor and administrative defaults.

  • Delete old accounts.

  • Set the maximum number of invalid attempts (e.g. 3-5).

  • Set a reset interval after the maximum number of invalid attempts (e.g. 30 minutes).

  • Set the number of previously used passwords that cannot be reused (e.g. can't use the last 5).

  • Use special characters in administrative passwords (e.g. #, >, $).
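The invalid-attempt limit, reset interval and password-history settings above can be modelled in a few lines. This is an added example, not part of the original article: the Account class, the choice of PBKDF2 for stored digests and the reading of the reset interval as a 30-minute lockout are assumptions of this sketch.

```python
import hashlib
import hmac
import os
from collections import deque

MAX_INVALID = 5          # page: "e.g. 3-5" invalid attempts
RESET_SECONDS = 30 * 60  # page: "e.g. 30 minutes"
HISTORY_DEPTH = 5        # page: "can't use the last 5"


def _digest(password, salt):
    # PBKDF2 and its parameters are this example's assumption, not the page's.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    def __init__(self, password):
        self.history = deque(maxlen=HISTORY_DEPTH)  # (salt, digest), newest last
        self.failures = 0
        self.locked_until = 0.0
        self._store(password)

    def _store(self, password):
        salt = os.urandom(16)
        self.history.append((salt, _digest(password, salt)))

    def _matches(self, password, entry):
        salt, digest = entry
        return hmac.compare_digest(_digest(password, salt), digest)

    def login(self, password, now):
        """Return 'ok', 'invalid' or 'locked'; `now` is a time in seconds."""
        if now < self.locked_until:
            return "locked"
        if self._matches(password, self.history[-1]):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= MAX_INVALID:
            self.locked_until = now + RESET_SECONDS
            self.failures = 0
        return "invalid"

    def change_password(self, new_password):
        """Store new_password unless it matches one of the last HISTORY_DEPTH."""
        if any(self._matches(new_password, e) for e in self.history):
            return False
        self._store(new_password)
        return True
```

The history keeps only salted digests, so the reuse check works without the server retaining any old password in readable form.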

 

 


Copyright © IFW Creations