Guidelines for the Selection of Secure Passwords


General Guidelines for Passwords

Your password is the only means the computer system uses to verify your identity. As such, it is the only measure protecting your account, processes, and files on the Physics Department machines. Further, if an intruder gains access to your account, they can then compromise the security of the entire cluster. Once an intruder has access to just one account on our system, they may be able to use that foothold to break into other accounts on the system, gain read and/or write access to the files of other users, compromise the security and impair the operation of the entire cluster, and attack the systems, staff, and reputation of the Physics Department and the entire University of Maryland.

In order to enjoy the privilege of continued use of the various Physics Department computing resources, you are responsible for maintaining the security of your password and for not otherwise compromising cluster security. Among other things, this means:

  1. Do not give your password to anyone else. Your account is for your personal use ONLY. If someone does not have an account but you feel they should be allowed to use the departmental computing resources, send the person to Computing Services to open their own account. Do not give your password to systems staff either; authorized computing staff do not need your password for any legitimate purpose.

  2. Do not keep written copies of your password, especially by your computer or terminal or in a file on the computer.

  3. Change your password promptly whenever system staff tell you to do so. You should also change your password periodically.

  4. Choose a secure password. Some guidelines for selecting secure passwords are included below.

Failure to abide by the above guidelines, or otherwise compromising the security of one or more of the Physics Department clusters, may result in temporary or permanent suspension of your computing privileges.

Guidelines for Selecting Secure Passwords

For our examples, we will consider a user named John Bigboote from New Jersey who has a brother George and whose favorite movie is Buckaroo Banzai. His username is bigboote.

DON'Ts

  1. Your password should not be the same as your username, nor should it contain your username or simple permutations of it. E.g., John should not use any of the following for passwords: bigboote, BigBoote, bootebig, etc.

  2. Your password should not contain any personal data or simple permutations thereof. By personal data, I mean anything which someone might associate with you. Some examples are:

    1. names or nicknames of yourself, family members, pets, or friends.

    2. social security numbers, phone numbers, birthdates, license plate numbers.

    3. Any name, number or place associated with the university or physics department or any other institutions you belong to.

    4. Any names, terms, numbers associated with your research specialty.

    Note that the above list is not exhaustive. Basically, you do not want any word or number which can be associated with you. So in our example, John should avoid the following passwords also: john, george, George, jersey, etc.

  3. Your password should not contain correctly spelled English words. Words in foreign languages are better, but still somewhat dangerous, particularly if the language used can be guessed (e.g., your native tongue).

  4. Your password should not contain names of famous people, places, things, fictional characters, movies, TV shows, songs, etc. So John should not use buckaroo, banzai, startrek, kirk, etc, as passwords.

  5. Do not use any example passwords given here or elsewhere for your password (even the ones that are listed as good).

DO's

Although passwords taken from items 3 and 4 above are not good passwords as they are, there are some tricks which can be applied to words to make them more suitable as passwords, as is discussed below. These tricks are also useful for making good passwords better.

A technique some people find useful for generating good passwords is to take the first letter of each significant word in a phrase and use the result as their password. So John could use abbaed (the initial letters of Adventures, Buckaroo, Banzai, Across, Eighth, Dimension, from The Adventures of Buckaroo Banzai Across the Eighth Dimension) as a password (except for the fact that, as an example, it violates item 5 above).

Applying the following techniques can make a bad password reasonable, and a good password better, without making them much harder to remember. Applying two or three of these techniques to a good password can make it almost uncrackable.

  1. Embed extra characters in the word. Symbols and control characters are especially good. Digits are good, too. So John might try: abb@8d instead of abbaed, or buck@r0o, or ba%nz!ai.

  2. Misspell words, e.g. buckarew or bonzaye.

  3. Use unusual capitalization. All lowercase, all capitals, or capitalizing the first letter of words (or all but the first letters) are somewhat common; randomly capitalizing a letter or two is better. So John might want to use bUCkarOo or baNzaI.

  4. Concatenate two or more words or parts of words.

  5. Embed one word in the middle of another, or interleave the letters of two words, e.g., stkirkar (kirk in star) or sktiarrk (star and kirk).

Again, combining two or three of the above is even better. And DO NOT use any of the above examples as passwords.
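The following check, added here and not part of the original PNCE page, applies the DON'T rules above to John's example passwords and shows why the DO-section advice to combine tricks matters: a single digit/symbol substitution or a change of capitalization is undone by normalization before matching, while interleaving two words is not. The user profile, the small word lists and the substitution table are constructed for this example.

```python
# Added example, not code from the original PNCE page. The user profile,
# word lists and substitution table below are constructed for this example.

# Constructed: terms an attacker could associate with the example user John.
PERSONAL = {"john", "bigboote", "george", "jersey", "maryland", "physics"}
FAMOUS = {"buckaroo", "banzai", "startrek", "kirk"}
ENGLISH = {"star", "trek", "boot", "big", "password", "adventure"}
STOP_WORDS = {"the", "of", "a", "an", "and", "to"}

# Common digit/symbol substitutions, undone before checking, so that a
# single "embed extra characters" step such as buck@r0o still reads buckaroo.
SUBS = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "l", "!": "i",
                      "3": "e", "5": "s", "$": "s", "7": "t"})


def normalize(pw):
    """Lowercase and undo substitutions, defeating tricks applied one at a time."""
    return pw.lower().translate(SUBS)


def contains_term(pw, terms):
    """True if any term, or its reverse, appears in the normalized password."""
    n = normalize(pw)
    return any(t in n or t[::-1] in n for t in terms)


def check_password(pw, username):
    """Return the DON'T rules the password violates (empty list = passes)."""
    problems = []
    n = normalize(pw)
    u = username.lower()
    # Username, its reverse, and rotations such as bootebig for bigboote.
    rotations = {u[i:] + u[:i] for i in range(len(u))} | {u[::-1]}
    if any(r in n for r in rotations):
        problems.append("contains username or a simple permutation of it")
    if contains_term(pw, PERSONAL):
        problems.append("contains personal data")
    if contains_term(pw, ENGLISH):
        problems.append("contains an English word")
    if contains_term(pw, FAMOUS):
        problems.append("contains a famous name, title or character")
    return problems


def acronym(phrase):
    """First letter of each significant word, the DO-section phrase trick."""
    return "".join(w[0] for w in phrase.lower().split() if w not in STOP_WORDS)
```

Embedding one whole word inside another (stkirkar) still leaves kirk as a contiguous substring that this check finds, whereas interleaving (sktiarrk) does not; the lists here are tiny, and a real checker would use a full dictionary.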

Links to Other Pages on Passwords and Password Selection

Note: these links are not for sites affiliated with the Department of Physics of the University of Maryland and have been included for your information only:



This page is maintained by the Physics Web Managers:
For Content Questions contact the WebEditor.
For Technical Questions contact the WebTech.