Password Security
- Why Should I Care about Password Security?
- How Are Passwords Stolen?
- What Are the Guidelines for Choosing a Password?
- Password Strategies to Avoid
- Strategies for Choosing a Good Password
- How can I keep my password safe?
- How Often Should I Change My Password?
- How to change your password and set up self-service password reset
Why Should I Care about Password Security?
Your passwords are the keys you use to access personal information that you've stored
on your computer and in your online accounts. If criminals or other malicious users
steal this information, they can use your name to open new credit card accounts, apply
for a mortgage, or pose as you in online transactions. In many cases you would not
notice these attacks until it was too late. Fortunately, it is not hard to create
strong passwords and keep them well protected.
Your computer account name and password may give you access to a variety of computing
services on SHU networks, depending on the capabilities of the individual computer
or systems you're using.
Every time you connect to a system or application, you must prove you are who you
say you are. If someone else guesses or steals your password, he or she can access
all of the information tied to that password. This could include access to your files,
your e-mail, your funds, your personal information such as student records, payroll
and more, depending on what the password was supposed to protect. For example, having
the password to your online bank account may allow someone to bill items to your credit
card, transfer money from your account, etc. In short, an insecure password can easily
wreak havoc in your life if you become a victim of Identity Theft.
You will not be the only person affected by a stolen password. Other users on networks
on the Internet could potentially be affected as well. Once an intruder with the necessary
knowledge, experience, and tools gains entry to a system, he or she may be able to
access and control other machines and systems on the same network and capture information
about local users logging on to those machines. If these users then connect to other
networks, the intruder has the potential to penetrate and control the remote systems
to which the local users connect, thereby increasing the likelihood of a breach in
the security of those systems as well.
Unfortunately, it does not take a skilled intruder to control a machine on which he
or she has an account. Many of the tools required to gain control over a machine can
be downloaded from the Internet and used with little or no knowledge of how they work.
These so-called "script kiddies" may not have the knowledge necessary to break into
a computer without help, but because hacking tools are so readily available and so
numerous, they can cause a great deal of trouble.
How Are Passwords Stolen?
Security experts at Carnegie Mellon University estimate that more than a million passwords
have already been stolen on the Internet. One has to ask why this happens so frequently.
Part of the answer is that hackers have many tools, such as dictionary programs and
sniffers, to assist them.
A hacker will launch a dictionary attack by passing every word in a dictionary (which
can contain foreign languages as well as the entire English language) to a login program
in the hope that it will eventually match the correct password. The programs which
perform dictionary attacks are often capable of trying simple permutations on dictionary
words as well (such as trying them backwards).
A network sniffer installed on a computer can read every piece of data sent out from
your machine across the network, including passwords. The ease with which a sniffer
can find your password ensures that it is one of the first programs a hacker will
run on a machine he or she has broken into.
A large responsibility -- and, perhaps, a large portion of the blame -- falls on the
users themselves. They willingly share their passwords. More important, users are
too predictable in their choice of passwords. Left to their own devices, users often
choose a password that is too short or too easy to guess.
Passwords are about identity. We tend to reveal ourselves in our passwords. We often
choose the name or birth date of a loved one; we use our address, telephone number,
or Social Security number; we use the name of a favorite artist, actor, or author.
Or we are wise enough to avoid any personal references but choose a word that is ridiculously
short, a dictionary word, a name or word spelled backward, or an alphabet or keyboard
sequence. Just because we think a foreign word is obscure doesn't mean that it isn't
in a dictionary somewhere. The point is that all of these types of words are easily
guessed, which makes the job of password cracking straightforward.
What Are the Guidelines for Choosing a Password?
Some systems have programs that check the password strength and can disallow a poor choice, but not all systems at SHU have this capability. To avoid problems, follow these basic guidelines when choosing your password:
- Use at least 14 characters; the more characters, the better (as long as you can remember them). A 14-character password composed only of random letters and numbers is about 33,000 times stronger than an 8-character password composed of characters from the entire keyboard. If you cannot create a password that contains symbols, you need to make it considerably longer to get the same degree of protection. An ideal password combines both length and different types of symbols.
- Make your password easy for you to remember but hard for someone else to guess. Picking letters from a phrase that's meaningful to you may be the source for a good password. In this way, your password is really a "pass phrase." ("Do you know the way to San Jose?" could be D!Y!KtwTSJ?)
- Intersperse punctuation marks or symbols such as #, $, %, etc. Do not use a blank space.
- Always use a mixture of upper- and lower-case characters.
The table below demonstrates how much harder it gets to guess a completely random password based on its length.
| Password Length | Number of Passwords (upper/lower case, numbers and punctuation) | Time to Try All Combinations (1,000,000 tries/second) |
|---|---|---|
| 1 | 94 | 94 µs |
| 2 | 8,836 | 8.83 ms |
| 3 | 830,584 | 0.83058 sec |
| 4 | 78,074,896 | 78.0749 sec |
| 5 | 7,339,040,224 | 2.0386 hours |
| 6 | 689,869,781,056 | 7.9846 days |
| 7 | 64,847,759,419,264 | 2.05 years |
| 8 | 6,095,689,385,410,816 | 193.16 years |
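The table above can be recomputed for any length and guess rate. The script below is an added example (not part of the original page); it assumes the 94-symbol alphabet and 1,000,000 guesses per second stated in the table header and extends the rows up to 14 characters.

```python
# Added example: reproduce the brute-force table above and extend it.
# Assumes a 94-symbol alphabet (upper/lower case, digits, punctuation)
# and a fixed rate of 1,000,000 guesses per second, as in the table header.

ALPHABET_SIZE = 94
GUESSES_PER_SECOND = 1_000_000


def keyspace(length: int, alphabet_size: int = ALPHABET_SIZE) -> int:
    """Number of distinct passwords of exactly this length."""
    return alphabet_size ** length


def seconds_to_try_all(length: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time (seconds) to enumerate every password of this length."""
    return keyspace(length) / rate


def human_time(seconds: float) -> str:
    """Scale a duration to the largest unit that keeps the number readable."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600), ("hours", 3600),
             ("sec", 1), ("ms", 1e-3), ("us", 1e-6)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.4g} {name}"
    return f"{seconds / 1e-6:.4g} us"


def table(max_length: int = 8) -> list:
    """Rows of (length, keyspace, human-readable exhaustive-search time)."""
    return [(n, keyspace(n), human_time(seconds_to_try_all(n)))
            for n in range(1, max_length + 1)]


if __name__ == "__main__":
    # Print the page's table and continue to the recommended 14 characters.
    for n, count, t in table(14):
        print(f"{n:2d} | {count:,} | {t}")
```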
Password strategies to avoid
Some common methods used to create passwords are easy to guess by criminals. To avoid weak, easy-to-guess passwords:
- Avoid sequences or repeated characters. "12345678," "222222," "abcdefg," or adjacent letters on your keyboard do not help make secure passwords.
- Avoid simple transformations of words and phone numbers (tiny8, 7eleven, dude!).
- Avoid your login name. Any part of your name, login, birthday, social security number, or similar information for your loved ones constitutes a bad password choice. This is one of the first things criminals will try.
- Avoid dictionary words in any language. Criminals use sophisticated tools that can rapidly guess passwords that are based on words in multiple dictionaries, including words spelled backwards, common misspellings, and substitutions. This includes all sorts of profanity and any word you would not say in front of your children.
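The guidelines above and these "strategies to avoid" can be turned into an automated check of the kind the page says some SHU systems run. The checker below is an added example, not the university's own tool; its word list, keyboard rows and substitution map are small constructed stand-ins for the multi-language dictionaries that real cracking tools use.

```python
import re

MIN_LENGTH = 14
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
# Constructed stand-in for the multi-language dictionaries the page mentions.
SMALL_DICTIONARY = {"password", "welcome", "dragon", "eleven", "tiny", "dude"}
# Undo common substitutions: 0->o, 1->l, 3->e, 4->a, $->s, @->a, !->i
SUBSTITUTIONS = str.maketrans("0134$@!", "oleasai")


def _normalize(pw: str) -> str:
    """Lower-case the password and reverse simple character substitutions."""
    return pw.lower().translate(SUBSTITUTIONS)


def _has_sequence(pw: str, run: int = 4) -> bool:
    """Flag runs of `run` identical, consecutive (abcd/4321) or keyboard-adjacent chars."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        diffs = [ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])]
        if len(set(chunk)) == 1 or all(d == 1 for d in diffs) or all(d == -1 for d in diffs):
            return True
        if any(chunk in row or chunk in row[::-1] for row in KEYBOARD_ROWS):
            return True
    return False


def _contains_dictionary_word(pw: str, min_len: int = 4) -> bool:
    """Catch dictionary words, words spelled backwards and leetspeak substitutions."""
    norm = _normalize(pw)
    return any(len(w) >= min_len and (w in norm or w[::-1] in norm) for w in SMALL_DICTIONARY)


def check_password(pw: str, login: str = "", personal: tuple = ()) -> list:
    """Return the guideline violations for `pw`; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if " " in pw:
        problems.append("contains a blank space")
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)):
        problems.append("not a mixture of upper- and lower-case")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no punctuation mark or symbol")
    if _has_sequence(pw):
        problems.append("contains a sequence or repeated characters")
    if _contains_dictionary_word(pw):
        problems.append("contains a dictionary word (plain, reversed or with substitutions)")
    low, norm = pw.lower(), _normalize(pw)
    for item in (login, *personal):  # login name, names, birthdays, etc.
        if len(item) >= 3 and (item.lower() in low or item.lower() in norm):
            problems.append(f"contains personal information: {item}")
    return problems
```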
What Are Some Strategies for Choosing a Good Password?
Use lines from a childhood verse:
Verse Line: Yankee Doodle went to town
Password: YDwto#t0wn
Use lines from a favorite song:
Lyric: How Much is that Doggie in the Window?
Password: H$itditw1?
City Expression:
Chicago is my kind of town too
Password: CimYK0t2!
Expression:
Two Swiss Tourists went to see NYC
Password: 2StwtcNyc!
Foods disliked during childhood:
Food: rice and raisin pudding
Password: ric&raiPudng
Note: Obviously, you shouldn't use any of the passwords used as examples in this document. Treat these examples as guidelines only.
Keep your passwords secret
Treat your passwords and pass phrases with as much care as the information that they protect.
- Don't reveal them to others. Keep your passwords hidden from individuals who could pass them on to other less trustworthy people. Passwords that you need to share with others, such as the password to your online banking account that you might share with your spouse, are the only exceptions.
- Protect any recorded passwords. Be careful where you store the passwords that you record or write down. Do not leave these records of your passwords anywhere that you would not leave the information that they protect.
- Never provide your password over e-mail or in response to an e-mail request. Any e-mail that requests your password or asks you to go to a Web site to verify your password is almost certainly a fraud. This includes requests that appear to come from a trusted company or individual.
- Change your passwords regularly. This can help keep criminals and other malicious users unaware. The strength of your password will help keep it good for a longer time.
- Do not type passwords on computers that you do not control. Computers such as those in Internet cafés, non-SHU computer labs or kiosk systems, shared systems, conferences, and airport lounges should be considered unsafe for any personal use other than anonymous Internet browsing. Avoid using these computers to check online e-mail, bank balances, business mail, or any other account that requires a user name and password. Criminals can purchase keystroke logging devices for very little money, and they take only a few moments to install. These devices let malicious users harvest all the information typed on a computer from across the Internet; your passwords and pass phrases are worth as much as the information that they protect.
How often should I change my password?
To protect confidential information, the Department of Information Technology has implemented the following password expiration rules:
- Student passwords will expire 330 days after the last password change;
- Faculty passwords will expire 330 days after the last password change;
- Employee, vendor and contractor passwords will expire 330 days after the last password change.
University employees who process credit cards are required to change their passwords every 30 days, in accordance with the Payment Card Industry Data Security Standard (PCI DSS).