Guidelines for Selecting Good Passwords

Mathematics Computing Group

June 2007

Your login/password pair is the primary user authentication mechanism used by both Linux and Windows. It's the only way that your computer can verify your identity, and as such should be made as resistant to compromise as possible.

All the Math & PIC computers are directly attached to the Internet (invented at UCLA, by the way), and the only thing that keeps the world out of them and your personal data is that you know your password, and they don't.  As such, it's extremely important that you select a strong password for all your computer accounts.  Recent advances in password cracking technology now allow the Bad Guys to crack weak passwords in less than 15 seconds (source: http://lasecwww.epfl.ch/~oechslin/publications/crypto03.pdf).

Here are some guidelines for generating strong passwords.

·          The longer your password, the better! UNIX passwords are limited to 8 characters, so you should always use all 8 of them. Windows passwords can be up to 14 characters in length; you should use at least 8 characters and preferably more on these platforms.

·          A password consisting only of lower-case letters and/or numerals is not secure and can be cracked easily. You can make your password substantially stronger by mixing in some CAPITAL LETTERS and some punctuation.

·          Never use dictionary words from any language as the whole or part of your password. Many malicious password-guessing programs reference exhaustive dictionaries from dozens of languages. Note that even made-up languages (like Tolkien's Elvish or Esperanto) are vulnerable to this type of brute-force attack.

·          Don't use personal information for any portion of your password, including your name, your mother's name, your pet's name, your license plate number, your Social Security number, your UCLA ID number, your phone number, your office number, your place of birth, your favorite baseball player, or your shoe size.  

·          Passwords which follow keyboard patterns (like “qwerty”) are weak choices. Not only do hackers know the common ones, but this class of passwords is vulnerable to “shoulder surfing”.

·          Many people think that changing the letter O to 0 (zero) or the letter l to 1 (one) makes a password secure. Don't believe it; hackers know all about this trick, and their cracking programs check for it.  The same goes for adding the year to a password (“jane2007”)  or a single number (“wombat9”).

·          You should absolutely not use the same password for all your authentication needs. If you have accounts on many machines, use different passwords on each. Many computer break-ins are traced back to a single compromised password which was used on multiple machines.

·          Resist the urge to use unencrypted protocols like telnet or non-secure mail over the Internet. Transmitting your password in the clear over the Net is probably the most common compromise vector.

·          If you have to write down your password, you should keep it secure. Don't put it on a Post-it note on your monitor, or write it on the blackboard. Keep it on a piece of paper, and either lock it up or carry it with you.

·          No matter how good your password is, you should still change it every 3-6 months. There are just too many ways that passwords can be exposed, and even the strongest password has a limited useful life. On Mathnet and PICnet you will receive a mail message if your password is too old.  Remember, passwords are like toothbrushes:  change them every few months, and never share them with others.

·          Never give anyone your password. They can get their own account!
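
As an added illustration (not part of the original guidelines or of any Mathnet tool), here is a small Python checker that applies the rules above: minimum length, a mix of character classes, dictionary words found after undoing 0-for-O style substitutions and stripping a trailing year or single digit, and keyboard patterns. The word list and substitution table are constructed stand-ins; a real check would load full multi-language dictionaries.

```python
import re

# Constructed stand-in for the multi-language word lists a cracking tool
# carries; a real check would load full dictionary files.
DICTIONARY = ("wombat", "jane", "password", "dragon", "bruin", "elvish")
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
# Digit-for-letter substitutions (0 for o, 1 for l, ...) that crackers try.
LEET = str.maketrans("0134$@!", "oleasai")
MIN_LENGTH = 8  # the 8-character UNIX limit from the guidelines


def weaknesses(password: str) -> list:
    """Return the guideline violations found in password (empty = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    has_upper = re.search(r"[A-Z]", password) is not None
    has_punct = re.search(r"[^A-Za-z0-9]", password) is not None
    if not (has_upper or has_punct):
        problems.append("only lower-case letters and/or digits; add capitals and punctuation")
    low = password.lower()
    # Strip a trailing year ("jane2007") or single digit ("wombat9"), then
    # undo the digit-for-letter substitutions, before looking for words.
    core = re.sub(r"(19|20)\d\d$|\d$", "", low).translate(LEET)
    for word in DICTIONARY:
        if word in core:
            problems.append(f"contains dictionary word '{word}'")
    # Any four-key run along a keyboard row, forwards or backwards.
    runs = [row[i:i + 4] for row in KEYBOARD_ROWS for i in range(len(row) - 3)]
    if any(run in low or run[::-1] in low for run in runs):
        problems.append("follows a keyboard pattern")
    return problems


def is_strong(password: str) -> bool:
    return not weaknesses(password)


if __name__ == "__main__":
    for candidate in ("jane2007", "w0mbat9", "Qwerty#12", "Vk7#pQ!zR4"):
        print(candidate, "->", weaknesses(candidate) or "OK")
```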

If you’re having trouble thinking of a strong password, please consider using our random password generator:

http://www.math.ucla.edu/computing/user_support/policies/randompw.shtml