User Documentation:Tips on Creating Your Password
From SASDocs
Tips on Creating Passwords
How hard is it for a hacker to guess a bad password?
In the past, cracking passwords or finding other holes to get into a computer system required a significant time investment on the part of a hacker. Dictionary attacks (a method that simply throws dictionary words, and variations of them, at a password) took days to weeks to complete even on a small number of passwords. Due to the increase in the speed of modern computers, there are now personal computers that can do the job in hours. There has also been a significant increase in the number of tools available to a hacker; it is no longer a realm limited to the dedicated hacker. Most tools are readily available from the Web and require little to no knowledge to use.
Why is a good password so important?
A good password is important both to protect your own documents and to protect other accounts on the computers that you log in to. Even if you feel that you personally do not have any files that a hacker might be interested in, once they are in through your account there is a greater chance that they will find some way to access other accounts.
What is a “good” password?
A “good” password is one that cannot be guessed by others or easily determined by computer dictionary attacks. It should be AT LEAST six characters long, and probably more. (Some systems, such as our UNIX systems and Macintosh systems, use eight characters as the maximum. Windows NT uses fourteen.) Using longer passwords, mixed case, digits, and punctuation is highly recommended if the system permits it.
What is a “bad” password?
A “bad” password is one that can be guessed by others. For example, names of people, a favorite color or location, a phone number, a random word from any domestic or foreign dictionary, etc., would all be considered insecure and therefore bad to use.
How often should passwords be changed?
Frequently: changing passwords at least once a month is recommended.
Things you might want to AVOID when choosing a new password are:
- Your Social Security Number or Student ID number. This is one of the worst passwords you can have. This number has commonly been used as a default password on campus and is often easy to find out with some investigation.
- Using your username as your password. This is one of the first passwords that anybody would ever try to guess.
- Using a password derived from your name, your department, affiliations, or other personal information. These can be easily guessed.
- Using words found in dictionaries. This is where automated password crackers usually get many of their guesses! Even obscure words can be unsuitable for proper security.
- Using foreign words. Most password cracking dictionaries are multi-lingual.
- Using simple keyboard patterns like '12345678', 'Oooooo', or 'qwerty'. Not only are these easy to guess, but they're easy to determine just by watching you type it in.
- Repeating a simple word as a password. Passwords like 'FredFred' are checked for by automated password crackers.
- Using words that may be contained in any of your files. Many automated password crackers will look through your files if they are able to do so, and try to use any words contained in them as 'guesses'.
- Using common proper nouns such as 'ibm', or 'xerox'.
- Any variations of the above, such as spelling backwards, appending a character or digit to the end of your username, just capitalizing a few characters of one of the above, or any other minor variations. Password cracking programs are very sophisticated at trying variations of words or simple patterns.
Things that you might want to DO to ensure a secure password selection include:
- Use nonsense words that aren't found in a dictionary.
- Ensure your password is at least eight characters long (though you could probably settle with six if the maximum length for your system is eight).
- Use uppercase characters (capitals) mixed in with lowercase. Putting capitals in random locations throughout the word is more effective than just capitalizing the first or last character.
- Use a combination of alphabetic and numeric characters.
- Include punctuation characters.
- One effective method of choosing a password that is well chosen and easy to remember is to think of a simple phrase and use the first letter of each word in combination with numbers or punctuation.
Example: “It is raining cats and dogs.” could be used as a mnemonic for “IirC&D.”.
(Notice all nouns are capitalized for ease in remembering which letters are uppercase.)
Example: “I would like $1,000,000 too!” could be used as a mnemonic for “Iwl$1M2!”
- Another effective method of choosing a password (though not as good as the previous one) is to choose two words randomly, and then join them with a random character, and if there's enough room left, add another random character to the beginning or end.
Example: “=cat&dog” is the joining of “cat” and “dog” with a couple of punctuation characters.
Example: “walk#run” is the joining of “walk” and “run” with a punctuation character.
Example: “App&Oran” is the joining of abbreviations for “Apples” and “Oranges” which will defeat most dictionary attacks.
- The best way to secure your account, if your OS permits it, is to use a passphrase. A passphrase is a full sentence with punctuation and spacing; it will defeat 99.9% of password crackers and is generally easier to remember. We recommend our users use this method, as Windows XP does support it.
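The AVOID and DO lists above can be turned into a simple policy check. The following is an added example, not code from SASDocs: it undoes the "minor variations" the page warns about (reversal, doubling like 'FredFred', one appended character, case) before looking a candidate up, and flags the other AVOID patterns. The word list and keyboard patterns are constructed stand-ins; a real check would load a full multilingual dictionary.

```python
import string

# Constructed stand-in for the multilingual dictionaries the page says crackers
# use; a real deployment would load a full word list (assumption, not page data).
WORDLIST = {"cat", "dog", "walk", "run", "fred", "apple", "orange", "ibm",
            "xerox", "password", "secret", "winter", "hund", "chat"}
KEYBOARD_PATTERNS = ("12345678", "qwerty", "asdfgh", "zxcvbn")


def candidate_stems(password):
    """Undo the 'minor variations' the page warns about so they can be looked
    up directly: case, doubling (FredFred -> fred), reversal, and one
    appended non-letter character (password1 -> password)."""
    w = password.lower()
    half = len(w) // 2
    if half and len(w) % 2 == 0 and w[:half] == w[half:]:
        w = w[:half]
    stems = {w, w[::-1]}
    if len(w) > 1 and not w[-1].isalpha():
        stems.update({w[:-1], w[:-1][::-1]})
    return stems


def password_problems(password, username="", min_length=6, wordlist=WORDLIST):
    """Return the AVOID-list rules a candidate password violates (an empty
    list means it clears every rule the page states). min_length follows
    the page's 'AT LEAST six characters'."""
    problems = []
    lowered = password.lower()
    stems = candidate_stems(password)
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    if lowered.isdigit():
        problems.append("all digits, like an ID or phone number")
    if username and username.lower() in stems:
        problems.append("username or a minor variation of it")
    if any(pat in lowered for pat in KEYBOARD_PATTERNS):
        problems.append("keyboard pattern")
    if len(set(lowered)) == 1:
        problems.append("one character repeated")
    if stems & wordlist:
        problems.append("dictionary word or a minor variation of one")
    return problems


def missing_character_classes(password):
    """Report which of the DO-list character classes the password lacks."""
    checks = {"uppercase": str.isupper, "lowercase": str.islower,
              "digit": str.isdigit,
              "punctuation": lambda c: c in string.punctuation}
    return [name for name, test in checks.items()
            if not any(test(c) for c in password)]
```

Run against the page's own examples, 'FredFred' (for user fred), 'qwerty' and a reversed dictionary word are rejected, while “IirC&D.”, “Iwl$1M2!” and the full passphrase “It is raining cats and dogs.” pass; “=cat&dog” passes the AVOID rules but is reported as lacking uppercase and digits.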
Some good password maintenance habits are:
- Change your password regularly. (Once per academic quarter is good. Once per month is better.)
- Never share your password or your account with anybody. If someone else needs an account to work, they can obtain their own.
- Never give your password to anybody. Nobody needs to know what your password is -- not even computer support personnel.
- Change your password immediately if anybody finds out what it is.
- Don't write down your password where others can see it.
How to change your password (XP):
- Press CTRL-ALT-DEL
- Click “Change Password…”
- Enter current passwd
- Enter NEW passwd
- Confirm NEW passwd
- Click “Ok”
How to change your password (Unix):
From XP:
- Click on the START button
- Click on “SSH” (Putty) near the top of the file list. If SSH isn't there, look for it under "Programs"
- Under Host Name (or IP address) type wiley.sas.it.mtu.edu
- Hit the "Open" button on the bottom of the screen
- After "login as:" type your username and hit enter
- Type your password
- At the prompt, type passwd
- Type your current password
- Type your NEW password
- Verify your NEW passwd
- Type logout to exit
From MacOS:
- ssh to login.admin.mtu.edu by typing: ssh login.admin.mtu.edu
- Type your userid
- Type your current passwd
- At the prompt, type “passwd”
- Type your current passwd
- Type your NEW passwd
- Verify your NEW passwd
- Type “logout” to exit
