Safe Computing
Choose a good password
Overview
Passwords are the key to many systems and applications. Your password helps to prove who you are, protects your privacy, and helps protect the privacy of data you may have access to.
Compromised passwords are one of the means by which unauthorized people gain access to a system. Someone logging on under your name not only has access to your computer files, but can also get access to your co-workers' files through your file server, and can impersonate you to send malicious e-mail.
Many times you are requested to choose and maintain a password for various purposes (e.g., signing on to a file server, accessing your e-mail, using a password-protected screen saver). At Hamline University there are two widely used passwords: the Internet password and the Enterprise password. These allow access to important central systems (e.g., GroupWise, Netmail, Netstorage, Blackboard) or Enterprise systems (e.g., Banner, Piperline) at the University.
It's important to choose a good password and protect it, since many password-cracking programs are readily available on the Internet and passwords are the key to accessing many computer systems and applications. Each system or application may have different password restrictions or requirements.
General Guidelines for Choosing a Password
Do Choose:
- Something obscure. For instance, you might deliberately misspell a term or use an odd character in an otherwise familiar term (e.g., pHnEbon), or combine two unrelated words with a mix of letters and numbers (e.g., MutT37Yu).
- A combination of letters and numbers, or a phrase like "many colors" using only the consonants (e.g., mnYc0l0Rz).
- The first letter from each word of a phrase (e.g., TaYrrTooT represents a line in the song "Tie a Yellow Ribbon Round That Old Oak Tree").
- Alternating one consonant with one or two vowels to create a nonsense word. Such nonsense words are usually pronounceable, and thus easily remembered (e.g., rouTBoo or QuaDPop).
- A combination of letters, numbers and special characters in a word (e.g., wR1t#rS represents "writers").
Other Tips
- Use a MINIMUM of 7 characters (system permitting). This is absolutely critical on Windows desktop operating systems because of the way the system stores the encrypted passwords.
- Use mixed case wherever possible. Use uppercase on more than the first letter.
- Include at least two digits or special characters (#, >, $).
The idea is to make it harder for automated password-cracking programs to figure out the password. Short passwords (those with fewer than 7 characters) can now be brute forced (cracked) in less than 1 hour. The example passwords above should NOT be used, as they are now widely published!
Don't Choose:
- Simple words that are easy to remember, such as common or famous names of people or places.
- Words that can be easily associated with you, such as your birth date, your name, your spouse's or child's name, your pet's name, or your street.
- Hello, password, welcome, etc.
- Common words from English, foreign-language or technical dictionaries.
- Keyboard patterns (e.g., qwerty) or duplicate characters (e.g., aabbccdd).
- A new password by simply changing one character in your existing password. (E.g., Kathy5)
- The same password on important and trivial systems (e.g., production and test systems).
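The Do and Don't lists above, together with the Other Tips, amount to a checkable policy. The following Python script is an added example (not code from the page or from Hamline ITS) that encodes those rules as a checker a help desk or self-service password page could run: minimum length, mixed case with uppercase beyond the first letter, at least two digits or special characters, the hello/password/welcome blocklist, a dictionary check, keyboard patterns, duplicated characters, and a "changed only one character" comparison against previous passwords. The DICTIONARY set is a constructed stand-in for a real word list, and the function names and violation codes are this example's own choices.

```python
"""Password policy checker encoding the Do / Don't guidelines above (added example)."""
import re
import string

MIN_LENGTH = 7                      # "Use a MINIMUM of 7 characters"
MIN_DIGITS_OR_SPECIALS = 2          # "Include at least two digits or special characters"
SPECIALS = set(string.punctuation)
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
BLOCKLIST = {"hello", "password", "welcome"}
# Constructed stand-in for a real word list; a deployment would load a full dictionary file.
DICTIONARY = {"kathy", "summer", "writers", "colors", "oak", "tree", "yellow"}


def edit_distance(a, b):
    """Levenshtein distance, used to catch a 'new' password that changes only one character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def has_keyboard_pattern(pw, run=4):
    """True if any run of `run` adjacent keys along a keyboard row (either direction) appears in pw."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for start in range(len(row) - run + 1):
            seq = row[start:start + run]
            if seq in low or seq[::-1] in low:
                return True
    return False


def check_password(pw, previous=()):
    """Return a list of rule-violation codes; an empty list means every guideline is met.

    `previous` holds the user's earlier passwords. They are plaintext here only for
    illustration; a real system would compare against stored password-history hashes.
    """
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too_short")
    has_upper = any(c.isupper() for c in pw)
    has_lower = any(c.islower() for c in pw)
    if not (has_upper and has_lower):
        problems.append("no_mixed_case")
    elif not any(c.isupper() for c in pw[1:]):
        # "Use uppercase on more than the first letter"
        problems.append("uppercase_only_on_first_letter")
    if sum(1 for c in pw if c.isdigit() or c in SPECIALS) < MIN_DIGITS_OR_SPECIALS:
        problems.append("too_few_digits_or_specials")
    low = pw.lower()
    if low in BLOCKLIST:
        problems.append("blocklisted_word")
    # Strip digits/specials so "Kathy5" is still recognised as the dictionary word "kathy".
    core = re.sub(r"[^a-z]", "", low)
    if core in DICTIONARY:
        problems.append("dictionary_word")
    if has_keyboard_pattern(pw):
        problems.append("keyboard_pattern")
    # Three or more doubled characters (aabbccdd) count as a duplicate-character pattern;
    # a single natural double such as the "oo" in rouTBoo is allowed.
    if sum(1 for i in range(1, len(pw)) if pw[i] == pw[i - 1]) >= 3:
        problems.append("repeated_characters")
    # "A new password by simply changing one character in your existing password"
    if any(edit_distance(pw, old) <= 1 for old in previous):
        problems.append("too_similar_to_previous")
    return problems


if __name__ == "__main__":
    samples = [("MutT37Yu", []), ("password", []), ("Kathy5", ["Kathy4"]), ("aabbccdd", [])]
    for candidate, old in samples:
        print(candidate, check_password(candidate, old) or "ok")
```

Run as a script it reports each sample's violations; MutT37Yu passes every rule, while Kathy5 fails on length, digits, the dictionary check and its similarity to Kathy4. The edit-distance comparison is what turns the "don't just change one character" advice into something a system can enforce rather than merely recommend.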
Additional Information on Passwords
Change your passwords:
- Every 90 to 180 days, depending on the criticality of the system.
- If your password has been compromised or you suspect it's been compromised.
Safeguard your password:
- If you need to write it down, keep it in a secure location (e.g., in your wallet or in a locked file), or write down hints rather than the password itself. Do not leave it on or in your desk.
- Do not disclose your password to others, including system administrators. If you do share it, make sure you change it immediately.
- Never store a password in an electronic file or use the "save my password" feature of popular Internet browsers for important passwords.
- Never send a password by email, unless encrypted.
- When vacating your workstation, completely log off the system or otherwise secure the terminal from unauthorized use.
- When vacating a public computer (Kiosk or public lab), completely log out and quit the application before you leave.
Ways to develop stronger passwords:
- Use more characters (up to 14 for Windows).
- Use a combination of the guidelines for how to establish a good password.
- Run your password through one of the common password-cracking programs to see whether it holds up.
- Change password more frequently.
- Avoid using the same password on multiple systems, especially test and production systems.
Some General Guidelines for Server Administrators
- Change vendor and administrative defaults.
- Delete old accounts.
- Set the maximum number of invalid attempts (e.g., 3-5).
- Set reset interval after number of invalid attempts (e.g., 30 minutes).
- Set a password history so that recent passwords cannot be reused (e.g., the last 3).
- Use special characters in administrative passwords.
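The lockout and history rules in the list above are easy to get subtly wrong (for example, counting attempts against a locked account, or letting the correct password through while the lock is active). The following Python class is an added example, not code from the page or from any Hamline system, showing one way to implement a maximum number of invalid attempts, a reset interval after lockout, and a "cannot reuse the last N passwords" history. It stores only salted PBKDF2-HMAC-SHA256 hashes (a standard-library choice made for this example; the default round count is an assumption and the test lowers it for speed), and takes the clock as a parameter so the timing rules can be exercised deterministically.

```python
"""Account lockout and password-history policy for server administrators (added example)."""
import hashlib
import hmac
import os
from datetime import datetime, timedelta


class AccountPolicy:
    def __init__(self, max_attempts=5, reset_minutes=30, history_size=3, pbkdf2_rounds=600_000):
        self.max_attempts = max_attempts      # "maximum number of invalid attempts (e.g., 3-5)"
        self.reset_minutes = reset_minutes    # "reset interval after number of invalid attempts"
        self.history_size = history_size      # "can't use the last 3"
        self.rounds = pbkdf2_rounds           # assumed default; lower only for testing
        self._failures = {}                   # user -> consecutive failed attempts
        self._locked_until = {}               # user -> datetime when the lock expires
        self._history = {}                    # user -> [(salt, digest), ...], newest last

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.rounds)

    def is_locked(self, user, now):
        """A lock expires after reset_minutes; expiry also clears the failure counter."""
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[user]
            self._failures[user] = 0
            return False
        return True

    def record_failure(self, user, now):
        """Count a bad attempt; returns True if the account is (now) locked."""
        if self.is_locked(user, now):
            return True                       # attempts during a lock are not counted
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        if count >= self.max_attempts:
            self._locked_until[user] = now + timedelta(minutes=self.reset_minutes)
            return True
        return False

    def record_success(self, user):
        self._failures.pop(user, None)

    def set_password(self, user, new_password):
        """Store a new password, refusing any of the last history_size passwords."""
        for salt, digest in self._history.get(user, []):
            if hmac.compare_digest(self._hash(new_password, salt), digest):
                return False                  # reuse of a recent password
        salt = os.urandom(16)
        hist = self._history.setdefault(user, [])
        hist.append((salt, self._hash(new_password, salt)))
        del hist[:-self.history_size]         # keep only the most recent entries
        return True

    def verify(self, user, password, now):
        """Login check: a locked account is refused without even testing the password."""
        if self.is_locked(user, now):
            return False
        hist = self._history.get(user)
        if not hist:
            return False
        salt, digest = hist[-1]               # newest entry is the current password
        if hmac.compare_digest(self._hash(password, salt), digest):
            self.record_success(user)
            return True
        self.record_failure(user, now)
        return False


if __name__ == "__main__":
    policy = AccountPolicy(max_attempts=3, reset_minutes=30, pbkdf2_rounds=1000)
    t0 = datetime(2024, 1, 1, 9, 0)           # constructed clock value
    policy.set_password("alice", "MutT37Yu")
    for guess in ("wrong1", "wrong2", "wrong3"):
        policy.verify("alice", guess, t0)
    print("locked after 3 failures:", policy.is_locked("alice", t0))
    print("correct password 31 min later:", policy.verify("alice", "MutT37Yu", t0 + timedelta(minutes=31)))
```

Two details are worth noting: the correct password is rejected while the lock is active, so an attacker who knows it gains nothing by waiting out the counter, and history comparison is done against each stored salt so the old hashes never have to be reversible.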
Other Links:
Call the ITS Helpdesk at 651-523-2220 for assistance with resetting your passwords or to report password problems.
Need more help? Please contact the Help Desk by email or by phone at 651-523-2220.