Selecting a Password

Do not choose any of your passwords hastily. Choosing a poor password can result in your account being accessed by someone else and/or deactivated by CCIT staff.

You may think that there is nothing valuable in your accounts, or it may seem that you don't have anything to lose if your accounts are hacked, but neither of these is true. If others can gain access to your account, either because you give them the password or because your password is blank or easily cracked, your name and credentials can be used to:

  • Launch a cyber-attack on other computer systems around the world
  • Illegally store and distribute copyrighted materials
  • Illegally store and distribute various types of pornography, including child pornography
  • Send insulting or libelous email
  • Send hate mail from your account

People who break into your account are likely trying to steal your identity. You can lose your good name and reputation. You might be liable for crimes committed using your account credentials. Imagine how difficult it would be if obscene, racist or threatening email was sent from your account, with your name attached, to your friends, family, peers, strangers and world-wide news groups; it could be as difficult to overcome and correct as a public scandal! CCIT offers the following advice on passwords.

Bad Password Categories

  1. Passwords should never be:
     • Any word, in any dictionary, in any language
     • Any formal name or nickname, including your spouse's, child's, or pet's
     • Fictional terms
     • The name of any author, composer, musician, band, or actor
     • Movie, book or composition titles
     • Any special number or all numerals: 12345678, 99999999 or 911911911
     • Acronyms
     • Combinations of letters or patterns on the keyboard: qwerty
     • Phrases like yougogirl or can'touchthis
     • Great license plates you have seen: one2nv, upupnoa, ibuy4u
     • Fable titles, legendary characters or races, mythological places
     • Neat word/letter combinations: aTdHvAaNnKcSe (THANKS in advance)
     • Any place name, whether city, county, country, crossroads, forest, or place of natural beauty; real or fictional
     • Anything you can imagine being collected into a list
     • Passwords that are all one case: sureischarming or DAVIDISFUNNY

  2. Passwords should never be a simple algorithm applied against something in #1, above:
     • Any word spelled backwards: special -> laiceps
     • Appending or prefixing digits to a word: apple639 or 123apple
     • Substituting numbers for vowels: richard -> r1ch2rd
     • Appending or prefixing special characters to a word: apple@ or $klingon
     • Common number substitutions for letters: move -> mov3
     • Changing all the letters, or just the vowels, of a word to another case, to numbers or to special characters: banana -> bAnAnA, b1n2n3 or b*nana

  3. Passwords should not contain information that can be gathered by knowing your name or user name. This category is really an addition to #1, above, but its contents depend on your own personal information:
     • Your user name
     • Your user index/number (for Unix, the UID and GID)
     • User name owner information (for Unix, the gecos field), which commonly contains your name
     • Personal details that can be derived from this information, or your initials

  4. Passwords should not be written down or kept on unencrypted media.

  5. Passwords should not contain personal information that can be gathered if you are specifically targeted:
     • Your social security number
     • Your license plate number
     • Your CWID or EKey
     • Your street address or the address where you were born
     • Your passport number
     • The serial number from your cell phone, camera, computer or stereo
     • Your phone number, your parents' phone number, your (or your wife's) maiden name, your mother's maiden name

This may seem to be just about everything, right? A good password needs to be something that is not derivable in a semi-automatic manner. Categories 1 to 3 above represent known information, or easily derived information, that can be exhaustively applied by an attacker to break your password; the attacker does not type these guesses by hand, but feeds word lists and transformation rules like those in #2 to a password-cracking tool that tries every combination. Category 5 represents information that would be applied to break your account specifically, as opposed to any account on a machine. While this may seem to be a very remote possibility, if you are ever personally targeted it is potentially much more damaging.
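As an added illustration (this is not part of the CCIT page and not CCIT's tooling), the following Python script plays the attacker's side of categories 1 and 2: it takes a small word list, applies the category-2 transformations above as mechanical rules, and tries every result against a list of password hashes. Real cracking tools such as John the Ripper and hashcat do exactly this with far larger word lists and rule sets. The word list, the rule set and the "leaked" hashes are all constructed here for the demonstration, and unsalted SHA-256 stands in for whatever hash a real system stores.

```python
import hashlib

# Constructed base word list: dictionary words and names (category 1 material).
WORDLIST = ["apple", "special", "richard", "move", "banana", "klingon", "mary"]

VOWELS = "aeiou"
LEET_PAIRS = [("a", "4"), ("e", "3"), ("i", "1"), ("o", "0"), ("s", "5")]
LEET_TABLE = str.maketrans(dict(LEET_PAIRS))
SPECIALS = "!@#$%^&*"


def number_vowels(word):
    """richard -> r1ch2rd, banana -> b1n2n3: the n-th vowel becomes the digit n."""
    out, n = [], 0
    for ch in word:
        if ch in VOWELS:
            n += 1
            out.append(str(n))
        else:
            out.append(ch)
    return "".join(out)


def mangle(word):
    """Yield the category-2 variants of one base word (the attacker's rule set)."""
    yield word
    yield word.capitalize()
    yield word.upper()
    yield word[::-1]                                              # special -> laiceps
    yield number_vowels(word)                                     # richard -> r1ch2rd
    yield word.translate(LEET_TABLE)                              # every leet letter at once
    for letter, digit in LEET_PAIRS:
        yield word.replace(letter, digit)                         # move -> mov3
    yield "".join(c.upper() if c in VOWELS else c for c in word)  # banana -> bAnAnA
    first_vowel = next((i for i, c in enumerate(word) if c in VOWELS), None)
    for s in SPECIALS:
        yield word + s                                            # apple@
        yield s + word                                            # $klingon
        if first_vowel is not None:
            yield word[:first_vowel] + s + word[first_vowel + 1:]  # b*nana
    for n in range(1000):
        yield f"{word}{n}"                                        # apple639
        yield f"{n}{word}"                                        # 123apple


def hash_password(pw):
    """Demo hash only: unsalted SHA-256. A real system should store a salted,
    slow hash (bcrypt, scrypt, Argon2); that slows this loop down but does
    not change the attack."""
    return hashlib.sha256(pw.encode()).hexdigest()


def crack(target_hashes, wordlist=WORDLIST):
    """Try every mangled word against the targets.
    Returns ({hash: recovered_password}, number_of_guesses)."""
    targets = set(target_hashes)
    found = {}
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            digest = hash_password(candidate)
            if digest in targets:
                found[digest] = candidate
    return found, guesses


# Constructed "leaked" hash list: seven category-2 passwords plus one built
# from a made-up phrase ("He ate 9 hotdogs in 1 minute!"), which no rule above reaches.
LEAKED = [hash_password(p) for p in
          ["laiceps", "apple639", "r1ch2rd", "mov3", "$klingon",
           "b1n2n3", "bAnAnA", "ha9hi1m!"]]

if __name__ == "__main__":
    found, guesses = crack(LEAKED)
    print(f"{len(found)} of {len(LEAKED)} hashes recovered after {guesses} guesses:")
    for pw in found.values():
        print("  ", pw)
```

Seven of the eight hashes fall in well under twenty thousand guesses, a fraction of a second on any laptop; the eighth survives only because it is not a dictionary word with a rule applied to it. Adding a rule is cheap for the attacker, which is why the page treats whole categories of transformations, not individual tricks, as bad.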

Three final items:

  • Make sure you know how many characters the system allows for a password: a good 14 character password may become a terrible password if the system only uses the first 8 characters. The maximum number of characters for a password on the Slate cluster is 8. Passwords on the Computing Center PC network should be 8 to 14 characters.

  • Make sure you know which characters are acceptable and unacceptable to the system. Known unacceptable characters in Windows are: " / \ : ; | = , + * ? < >

  • Look at your password selection to make sure it doesn't duplicate a bad password: a password generation method that is usually good can still produce a bad password, when its output happens to coincide with something in one of the bad categories. For example, a potentially good password, xr3pall, would be bad if your name was Xavier Richard Pall, III.

Methods for generating good passwords:

  1. If the maximum password length is long enough, you can use two unrelated words together, perhaps separated by some punctuation or numbers.

  2. Use the first letters of the words in a memorable phrase. The phrase "Mary had a little lamb" produces the password Mhall. A memorable phrase is good, but a traditional or classical one (a nursery rhyme, a famous quotation) is risky, because well-known phrases and their acronyms end up in the word lists crackers use. Make up your own phrase:
     "I got a speeding ticket on 6th Avenue" generates: igasto6a
     "He ate 9 hotdogs in 1 minute!" generates: ha9hi1m!

  3. Use grossly misspelled or mispronounced words with mixed case. Be careful that you don't just substitute a predictable phonetic spelling.
     Examples: fumigate -> FooMiGayT; migraine -> MuhGrayNee; waterbuffalo -> witTerbifLow

  4. Tighten up a good password into a better password: use both upper and lower case characters, and add punctuation and/or numbers, depending on what the system allows.
     Examples: igasto6a -> iGAsto6A or Igasto6A; DAVIDISFUNNY -> daVIDb!Fu~~Y

  5. If you have a good memory, use eight or more, preferably the maximum allowed, random characters.

It is critical to "tighten up" passwords that are eight characters or less. Simple, short passwords are easily cracked: an attacker who obtains the stored password hash can test guesses against it offline, as fast as the hardware allows, and a short password drawn from a small character set is exhausted quickly. The number of characters that make up a "short" password keeps growing as computers get faster. (What is considered sufficient length for a password today will be short in the future.)
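Generation method 2 and the "three final items" checks can both be mechanised. The following Python script is an added example and not CCIT's own tooling: acronym() builds a candidate from the first characters of a phrase as in method 2 (lower-casing the result and keeping digits and the phrase's closing punctuation, so it reproduces igasto6a and ha9hi1m!), and check_password() applies the length-truncation, forbidden-character, one-case and all-numerals checks together with the category-3 checks (login name, UID, gecos name tokens and initials) to a candidate. The two account records are constructed, the 8-character default and the Windows forbidden-character set are taken from the page's own figures, and the mixed-case "tightening" of method 4 is deliberately left to the person: any fixed rule for it would itself be a category-2 algorithm.

```python
import re

# Constructed account records in the shape of a Unix passwd entry
# (login, UID and gecos: the category-3 data an attacker reads for free).
XAVIER = {"login": "xpall", "uid": 1042, "gecos": "Xavier Richard Pall, III"}
MARY = {"login": "mjones", "uid": 1043, "gecos": "Mary Jones"}

# The characters the page lists as unacceptable in Windows passwords.
WINDOWS_FORBIDDEN = set('"/\\:;|=,+*?<>')


def acronym(phrase):
    """Method 2: first character of each word, lower-cased, keeping digits and
    any punctuation that ends the phrase. "He ate 9 hotdogs in 1 minute!" -> ha9hi1m!"""
    phrase = phrase.strip()
    pw = "".join(w[0] for w in phrase.split()).lower()
    tail = re.search(r"[^\w\s]+$", phrase)
    return pw + (tail.group(0) if tail else "")


def check_password(pw, account, max_len=8, forbidden=WINDOWS_FORBIDDEN):
    """Return the list of problems found (an empty list means every check passed).
    max_len is the number of characters the target system actually uses."""
    problems = []
    if len(pw) > max_len:
        problems.append(f"truncated: only the first {max_len} characters ({pw[:max_len]!r}) count")
    effective = pw[:max_len]                      # what the system really stores
    bad = sorted(set(effective) & set(forbidden))
    if bad:
        problems.append("forbidden characters: " + "".join(bad))
    letters = "".join(c for c in effective if c.isalpha())
    if letters and (letters.islower() or letters.isupper()):
        problems.append("all one case")
    if effective.isdigit():
        problems.append("all numerals")
    low, low_letters = effective.lower(), letters.lower()
    if account["login"].lower() in low:
        problems.append("contains login name")
    if str(account["uid"]) in effective:
        problems.append("contains UID")
    name_parts = re.findall(r"[A-Za-z]+", account["gecos"])
    for part in name_parts:                       # gecos tokens, digits/specials ignored
        if len(part) >= 3 and part.lower() in low_letters:
            problems.append(f"contains name token {part!r}")
    initials = "".join(p[0] for p in name_parts).lower()
    hit = max((k for k in range(2, len(initials) + 1)
               if low_letters.startswith(initials[:k])), default=0)
    if hit:
        problems.append(f"starts with initials {initials[:hit]!r}")
    return problems


if __name__ == "__main__":
    candidate = acronym("He ate 9 hotdogs in 1 minute!")      # ha9hi1m!
    tightened = "Ha9hI1m!"                                     # method 4, chosen by hand
    for pw, account in [("xr3pall", XAVIER), ("xr3pall", MARY),
                        (candidate, MARY), (tightened, MARY),
                        (tightened + "extra", MARY)]:
        print(f"{pw!r:20} {account['login']:8} {check_password(pw, account) or 'ok'}")
```

Run against Xavier's record, xr3pall is flagged for containing the name token Pall and for starting with the initials xrp, exactly the page's objection; against Mary's record the only finding is that it is all one case. The same 8-character cut-off that the Slate cluster imposes turns Ha9hI1m!extra into a "truncated" finding, while the same string passes with max_len=14.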

After you have created a good password, how do you improve the odds of remembering it? Use your new password immediately: change your password, then log out and log back in. After ten minutes (about the length of short-term memory) use your new password again: log out and back in. (Changing your password on Friday afternoon just before leaving for the weekend can make the new password very difficult to remember.) If you absolutely need to write down your password, make sure that anyone seeing it or finding it cannot determine what it is: make sure that it is unrecognizable and cannot be associated with your account/user name. This is the same principle that applies to the PIN for your credit/bank card, and it can be even more costly.

How often do you need to change your password? The effective half-life of your password depends on its exposure. Piano players can read your keystrokes if they can see your hands. Did you write down your password? If you had to write it down, the fact that it was necessary does not lower the resultant risk. Was it accidentally displayed on the screen? Did you login from the hospitality suite at the conference? Do you have a nagging feeling that you should change it? Is it a good, strong password? It is better to have a good password for months than a bad password for days. 

© 2017 Colorado School of Mines

Last Updated: 08/04/2017 08:23:15