Note: to facilitate faster loading of EdCert documents, this page was borrowed from another source.
The Care and Feeding of Passwords
Roger Murray
Until computers are able to recognize people on sight, the primary
method of identifying oneself to a computer will remain the password.
A password operates much like a key or combination. It is a means of
authenticating to the computer that you are who you claim to be.
Unfortunately, passwords can be compromised as easily as keys and
combinations if one is not careful. In the past, password guessing wasn't
much fun. The standard UNIX password scheme (crypt, a one-way hash, though
usually called encryption) took a relatively long time to compute, so all but
the most simple or obvious passwords were safe. In the age of supercomputers
and optimized implementations of the algorithm, this is no longer the case.
Hashing a 25,000-word dictionary and comparing the results against a stolen
password file is not only common, it is just the first step: the same words
are then tried reversed, capitalized, with a digit tacked on, and with
look-alike character substitutions. This is why it is more important than ever
to use passwords which cannot be guessed.
Adhering to the following guidelines will not guarantee you absolute safety,
but will make it more difficult for your password to be compromised.
Do not use the following as passwords:
- Names
- your account name
- your real name (first or last)
- names of spouses, children, friends, pets, etc.
- Personal information
- your birthday
- your phone number
- your address
- your license plate number
- any of the above belonging to spouses, children, friends, pets, etc.
- Words and phrases
- dictionary words from any dictionary
- two words put together with nothing in between, particularly if they form a dictionary word ("bag" + "pipe" = "bagpipe")
- words or phrases with vowels, spaces or punctuation removed ("ettubrute")
- Patterns
- repeated characters ("aaabbbccc")
- keyboard or alphabetic sequences ("qwerty", "abcdef")
- acronyms (CIT acronyms especially)
Do not use them even if they are:
- backwards
- repeated
- capitalized
- prefixed or affixed by a single digit or punctuation mark ("yikes!",
"4myself")
- the result of substitution by characters of similar appearance ("$ch001", "g33k", "b1gmac")
Good passwords generally have the following qualities:
- They are between 6 and 8 characters in length. The traditional UNIX
password hash (DES-based crypt) ignores anything past the eighth character, so
"supercalifragilisticexpialidocious" and "supercal" are the same as far as that
scheme is concerned. Newer hash schemes (the MD5, SHA-2 and bcrypt crypt
variants) use the whole string, and on those systems a longer passphrase is
strictly better.
- They are a mixture of lower and upper case characters, digits and
punctuation marks. Certain punctuation marks should be avoided. The colon (:)
is known to cause problems on Suns, while the pound sign (#) and at sign (@)
are known to cause trouble on other types of UNIX systems: older terminal
drivers treat them as the erase and line-kill characters, so they never reach
the passwd program as you typed them.
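The rules above can be applied mechanically, which is exactly what both a strict passwd replacement and a password cracker's word-mangler do. The following is an added example, not code from the original article or from CCO's passwd program: it undoes the transformations the article says do not help (reversal, capitalization, a single affixed digit or punctuation mark, look-alike substitutions, a word typed twice), looks the result up in a word list, and also checks length, character variety, repeated characters and keyboard sequences. DICTIONARY is a constructed stand-in for a real 25,000-word list, and the personal_info samples are made up.

```python
# Added example (not part of the original article): a password checker that
# applies the article's rules. DICTIONARY is a constructed stand-in for the
# 25,000-word lists the article mentions; feed it real word lists and the
# user's real account data in practice.
import re

DICTIONARY = {
    "bag", "pipe", "bagpipe", "yikes", "myself", "school", "geek", "big",
    "mac", "bigmac", "axolotl", "password", "secret", "brute", "gato",
}

# Look-alike substitutions the article says do not help ("$ch001", "g33k").
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "$": "s", "@": "a"})

SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "qwertyuiop", "asdfghjkl",
             "zxcvbnm", "0123456789")


def normalize(text):
    """Lower-case and drop punctuation so '555-1234' and 'Roger Murray'
    compare against what a user would actually type."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def base_forms(candidate):
    """Return the plausible underlying words behind a candidate, undoing the
    transformations the article lists: case, reversal, a single affixed
    digit or punctuation mark, look-alike substitutions, and a word typed
    twice. Order is preserved so the result is deterministic."""
    lowered = candidate.lower()
    forms = [lowered, lowered[::-1]]
    for s in list(forms):                      # "yikes!" -> "yikes", "4myself" -> "myself"
        if len(s) > 1 and not s[-1].isalpha():
            forms.append(s[:-1])
        if len(s) > 1 and not s[0].isalpha():
            forms.append(s[1:])
    forms += [s.translate(LEET) for s in forms]  # "$ch001" -> "school"
    forms += [s[: len(s) // 2] for s in forms    # "geekgeek" -> "geek"
              if len(s) % 2 == 0 and s[: len(s) // 2] == s[len(s) // 2:]]
    return list(dict.fromkeys(forms))


def is_concatenation(word, words):
    """'bagpipe' = 'bag' + 'pipe' with nothing in between."""
    return any(word[:i] in words and word[i:] in words
               for i in range(2, len(word) - 1))


def is_sequence(candidate):
    """Keyboard or alphabetic runs, forwards or backwards ("qwerty", "fedcba")."""
    w = candidate.lower()
    return len(w) >= 4 and any(w in seq or w in seq[::-1] for seq in SEQUENCES)


def character_classes(candidate):
    """How many of lower, upper, digit and punctuation are present."""
    return sum(bool(re.search(p, candidate))
               for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))


def check_password(candidate, personal_info=(), dictionary=DICTIONARY):
    """Return the list of rules the candidate violates; an empty list means
    it passed every check implemented here."""
    reasons = []
    if len(candidate) < 6:
        reasons.append("too short")
    if character_classes(candidate) < 3:
        reasons.append("too little variety")
    if re.fullmatch(r"((.)\2+)+", candidate):      # "aaabbbccc"
        reasons.append("repeated characters")
    if is_sequence(candidate):
        reasons.append("keyboard/alphabetic sequence")
    words = set(dictionary) | {normalize(p) for p in personal_info}
    words.discard("")
    for form in base_forms(candidate):
        if form in words:
            reasons.append("dictionary or personal word: " + form)
            break
        if is_concatenation(form, words):
            reasons.append("two words joined: " + form)
            break
    return reasons


if __name__ == "__main__":
    me = ("rmurray", "Roger Murray", "555-1234")   # constructed sample data
    for pw in ("Yikes!", "epipgab", "$ch001", "aaabbbccc", "qwerty",
               "5551234", "g33kg33k", "T7x#qL9v"):
        print(f"{pw:12s} {check_password(pw, me) or 'ok'}")
```

Run it and every example the article calls bad is rejected with the rule that caught it, while a random-looking mix such as "T7x#qL9v" passes. The word list is the weak point: a real checker needs the full dictionaries the article lists, in every language, or it will pass "axolotl" just as a naive user would.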
"I'm not the super user. My password can't be that important."
As with so many other things, it only takes one. Guessing your
password is the proverbial foot in the door. It opens the system up to even
more stolen accounts.
"Nobody knows what 'axolotl' means. They'd never guess that."
ax-o-lotl \ˈak-sə-ˌlät-əl\ n [Nahuatl, lit., water doll] (ca. 1768): any of
several salamanders (genus Ambystoma) of mountain lakes of Mexico and the
western U.S. that ordinarily live and breed without metamorphosing
And if I know it, so does somebody else. Exotic words are still words.
"I'll use a word from a foreign language."
Electronic dictionaries exist for: Chinese, Croatian, Danish,
Dutch, English, Finnish, French, German, Hindi, Hungarian, Japanese, Italian,
Latin, Norwegian, Polish, Russian, Spanish, Swahili, Swedish, Yiddish. More
are being created every day.
The passwd command will change your password. It first prompts for
your old password and then for your new password, neither of which will be
visible as you type. It then will prompt you a second time for the new
password to make sure that you've entered it correctly. If both new passwords
match, it will proceed with the change. CCO uses a passwd program
that will not allow users to choose passwords which are too short or don't have
enough variety of characters.
Now that you have chosen the best password in the world, don't give it away!
- If you must write it down, apply an algorithm to it so that somebody else
reading it won't be able to use it directly, e.g. if it's "J472cEeA", write
"J250cEeA" (subtract 2 from each digit).
- Don't tell it to anyone, even if they claim to be a system administrator.
Under no circumstances does a sysadmin need your password. If you
receive mail from a system administrator asking you to change your password to
something specific, don't. We might ask you to change it to something else,
but we will never tell you what to change it to.