Why Should I Care about Password Security?
Your passwords are the keys you use to access personal information that you've stored on your computer and in your online accounts. If criminals or other malicious users steal this information, they can use your name to open new credit card accounts, apply for a mortgage, or pose as you in online transactions. In many cases you would not notice these attacks until it was too late. Fortunately, it is not hard to create strong passwords and keep them well protected.
Your computer account name and password may give you access to a variety of computing services on SHU networks, depending on the capabilities of the individual computer or systems you're using.
Every time you connect to a system or application, you must prove you are who you say you are. If someone else guesses or steals your password, he or she can access all of the information tied to that password. This could include access to your files, your e-mail, your funds, and your personal information such as student records and payroll, depending on what the password was supposed to protect. For example, having the password to your online bank account may allow someone to bill items to your credit card, transfer money from your account, and so on. In short, an insecure password can easily wreak havoc in your life if you become a victim of identity theft.
You will not be the only person affected by a stolen password. Other users on the same network, and on networks elsewhere on the Internet, can be affected as well. Once an intruder with the necessary knowledge, experience, and tools gains entry to a system, he or she may be able to access and control other machines and systems on the same network and capture information about local users logging on to those machines. If these users then connect to other networks, the intruder has the potential to penetrate and control the remote systems to which the local users connect, increasing the likelihood of a security breach on those systems as well.
Unfortunately, it does not take a skilled intruder to control a machine on which he or she has an account. Many of the tools required to gain control over a machine can be downloaded from the Internet and used with little or no knowledge of how they work. These so-called "script kiddies" may not have the knowledge necessary to break into a computer without help, but because hacking tools are so widely available and so numerous, they can cause a great deal of trouble.
How Are Passwords Stolen?
Security experts at Carnegie Mellon University have estimated that more than a million passwords have already been stolen on the Internet. One has to ask why this happens so frequently. Part of the answer is that hackers have many tools, such as dictionary programs and sniffers, to assist them.
A hacker launches a dictionary attack by feeding every word in a dictionary (which can contain foreign languages as well as the entire English language) to a login program, or to a stolen copy of a system's password hashes, in the hope that one of them will eventually match the correct password. Against stolen hashes the guesses are not limited by the login rate, so millions can be tried per second. The programs that perform dictionary attacks can also try simple permutations of dictionary words (such as spelling them backwards, capitalizing them, or replacing letters with look-alike digits and symbols).
A network sniffer installed on a computer can read every piece of data sent from your machine across the network, including any password carried by a protocol that does not encrypt it (Telnet, FTP, and plain HTTP are common examples). The ease with which a sniffer can find your password makes it one of the first programs a hacker will run on a machine he or she has broken into.
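The following Python script is an added example, not part of the original page, of what a sniffer's operator gets from cleartext protocols: it scans captured application-layer streams for an FTP USER/PASS pair, an HTTP Basic Authorization header, and a URL-encoded login form. The streams, user names and passwords are constructed for the demonstration, and the last stream stands in for the start of a TLS handshake, from which nothing is recovered.

```python
"""Credential extraction from captured cleartext streams.

Added example, not from the original page. The sample streams below are
constructed application-layer payloads, written as a sniffer would reassemble
them; none is a real capture.
"""
import base64
import re
from urllib.parse import parse_qs

# Constructed sample streams (one TCP conversation each).
SAMPLE_STREAMS = [
    # FTP: user name and password are sent as plain-text commands.
    b"USER alice\r\nPASS hunter2\r\nPWD\r\n",
    # HTTP Basic authentication: base64 is an encoding, not encryption.
    b"GET /inbox HTTP/1.1\r\nHost: mail.example\r\n"
    b"Authorization: Basic Ym9iOnMzY3IzdCE=\r\n\r\n",
    # HTML login form posted over plain HTTP.
    b"POST /login HTTP/1.1\r\nHost: portal.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"username=carol&password=Winter2024%21&submit=Log+in",
    # Start of a TLS ClientHello (constructed bytes): an encrypted session
    # carries the same login, but the sniffer sees only opaque records.
    b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x03",
]

FTP_LOGIN = re.compile(rb"USER (\S+)\r\n.*?PASS (\S+)\r\n", re.DOTALL)
HTTP_BASIC = re.compile(rb"Authorization: Basic ([A-Za-z0-9+/=]+)")
USER_FIELDS = ("username", "user", "login", "email")
PASS_FIELDS = ("password", "pass", "passwd", "pwd")


def extract_credentials(stream: bytes) -> list:
    """Return (protocol, username, password) triples found in one stream."""
    found = []

    m = FTP_LOGIN.search(stream)
    if m:
        found.append(("ftp", m.group(1).decode(), m.group(2).decode()))

    for m in HTTP_BASIC.finditer(stream):
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            continue
        user, sep, password = decoded.partition(":")
        if sep:
            found.append(("http-basic", user, password))

    # A form post's body follows the blank line that ends the headers.
    head, sep, body = stream.partition(b"\r\n\r\n")
    if sep and b"application/x-www-form-urlencoded" in head:
        fields = parse_qs(body.decode("utf-8", errors="replace"))
        user = next((fields[k][0] for k in USER_FIELDS if k in fields), None)
        password = next((fields[k][0] for k in PASS_FIELDS if k in fields), None)
        if user is not None and password is not None:
            found.append(("http-form", user, password))

    return found


def harvest(streams) -> list:
    """Run the extractor over every captured stream."""
    return [cred for stream in streams for cred in extract_credentials(stream)]


if __name__ == "__main__":
    for proto, user, password in harvest(SAMPLE_STREAMS):
        print(f"{proto:11} {user}:{password}")
```

Running the script prints the three recovered logins and nothing for the TLS stream; the point is that the protocol, not the password's strength, decides whether a sniffer gets it.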
A large responsibility -- and, perhaps, a large portion of the blame -- falls on the users themselves. They willingly share their passwords. More important, users are too predictable in their choice of passwords. Left to their own devices, users often choose a password that is too short or too easy to guess.
Passwords are about identity. We tend to reveal ourselves in our passwords. We often choose the name or birth date of a loved one; we use our address, telephone number, or Social Security number; we use the name of a favorite artist, actor, or author. Or we are wise enough to avoid any personal references but choose a word that is ridiculously short, a dictionary word, a name or word spelled backward, or an alphabet or keyboard sequence. Just because we think a foreign word is obscure doesn't mean that it isn't in a dictionary somewhere. The point is that all of these types of words are easily guessed, which makes the job of password cracking straightforward.
What Are the Guidelines for Choosing a Password?
Some systems have programs that check password strength and can disallow a poor choice, but not all systems at SHU have this capability. To avoid problems, follow these basic guidelines when choosing your password:
- Use at least eight characters; the more characters, the better (as long as you can remember them). Length counts for more than symbol variety: a 15-character password composed only of random letters and numbers has about 1.3 × 10^11 (more than a hundred billion) times as many possibilities as an 8-character password composed of characters from the entire keyboard (62^15 versus 94^8). If you cannot create a password that contains symbols, you need to make it considerably longer to get the same degree of protection. An ideal password combines both length and different types of symbols.
- Make your password easy for you to remember but hard for someone else to guess. Taking the first letters of a phrase that is meaningful to you is one source of a good password; in effect, your password is then a "pass phrase." ("Do you know the way to San Jose?" could become D!Y!KtwTSJ?)
- Intersperse punctuation marks or symbols such as #, $, %, etc. Do not use a blank space.
- Always use a mixture of upper- and lower-case characters.
The table below shows how much harder it gets to guess a completely random password as its length grows. It counts passwords drawn from the 94 printable keyboard characters (upper- and lower-case letters, digits and punctuation) and assumes the attacker can try 1,000,000 guesses per second.

| Password Length | Number of Possible Passwords (94-character alphabet) | Time to Try All Combinations (1,000,000 tries/second) |
| --- | --- | --- |
| 1 | 94 | 94 µs |
| 2 | 8,836 | 8.83 ms |
| 3 | 830,584 | 0.83058 sec |
| 4 | 78,074,896 | 78.0749 sec |
| 5 | 7,339,040,224 | 2.0386 hours |
| 6 | 689,869,781,056 | 7.9846 days |
| 7 | 64,847,759,419,264 | 2.05 years |
| 8 | 6,095,689,385,410,816 | 193.16 years |

Two caveats: on average an attacker finds the password after trying about half the combinations, and 1,000,000 guesses per second is a modest rate. Against a stolen copy of the password hashes, cracking software on ordinary graphics hardware tries billions of guesses per second for fast hash functions, which shrinks the 8-character figure from years to days.
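To recompute the table for other lengths, alphabets and guessing rates, the following Python helper is added here; it is not part of the original page. It reproduces the 8-character row and the comparison between a 15-character letters-and-digits password and an 8-character full-keyboard one, and then prints the same rows at 10 billion guesses per second, an assumed figure of the order that offline cracking of fast hashes reaches.

```python
"""Keyspace, entropy and exhaustive-search time for random passwords.

Added example, not from the original page. The alphabet sizes and the
guessing rates used in main() are assumptions stated in the lead-in.
"""
import math

ALPHABETS = {
    "lowercase letters": 26,
    "letters and digits": 62,
    "full keyboard": 94,  # printable ASCII without the space, as in the table
}
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct passwords of exactly this length."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy of a uniformly random password."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(length: int, alphabet_size: int,
                       guesses_per_second: float) -> float:
    """Worst case: every combination tried. Expected time is half of this."""
    return keyspace(length, alphabet_size) / guesses_per_second


def strength_ratio(length_a: int, alphabet_a: int,
                   length_b: int, alphabet_b: int) -> float:
    """How many times larger keyspace A is than keyspace B."""
    return keyspace(length_a, alphabet_a) / keyspace(length_b, alphabet_b)


def human_time(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    units = [("years", SECONDS_PER_YEAR), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1), ("ms", 1e-3), ("µs", 1e-6)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.2f} {name}"
    return f"{seconds:.2e} seconds"


def table(alphabet_size: int, guesses_per_second: float, max_length: int = 8):
    """Rows of (length, keyspace, entropy bits, worst-case time as text)."""
    return [
        (n, keyspace(n, alphabet_size), entropy_bits(n, alphabet_size),
         human_time(seconds_to_exhaust(n, alphabet_size, guesses_per_second)))
        for n in range(1, max_length + 1)
    ]


if __name__ == "__main__":
    for rate in (1e6, 1e10):  # the page's rate, then an assumed GPU-class rate
        print(f"94-character alphabet at {rate:,.0f} guesses/second")
        for n, space, bits, when in table(94, rate):
            print(f"  {n:2d}  {space:>25,}  {bits:5.1f} bits  {when}")
    ratio = strength_ratio(15, 62, 8, 94)
    print(f"15 random letters/digits vs 8 full-keyboard characters: {ratio:.3g}x")
```

Entropy in bits is the more useful figure when comparing schemes: every extra bit doubles the work, so an 8-character full-keyboard password (about 52 bits) is beaten by 11 random lowercase letters (about 52 bits) or 9 random letters and digits (about 54 bits).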
Password strategies to avoid
Some common methods of creating passwords produce passwords that criminals can guess easily. To avoid weak, easy-to-guess passwords:
- Avoid sequences or repeated characters. "12345678," "222222," "abcdefg," or adjacent keys on your keyboard do not make secure passwords.
- Avoid simple transformations of words and phone numbers (tiny8, 7eleven, dude!).
- Avoid your login name. Any part of your name, login, birthday, Social Security number, or similar information about you or your loved ones is a bad password choice. This is one of the first things criminals will try.
- Avoid dictionary words in any language. Criminals use tools that rapidly guess passwords based on words from multiple dictionaries, including words spelled backwards, common misspellings, and character substitutions. This includes all sorts of profanity and any word you would not say in front of your children.
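The dictionary attack described under "How Are Passwords Stolen?" and the mangling rules this list warns about (reversal, capitalization, look-alike substitutions, appended digits) are shown together in the following Python script, added here and not part of the original page. The word list, suffix list, account names and their salted SHA-256 hashes are constructed for the demonstration; a real system should store passwords with a deliberately slow hash such as bcrypt or PBKDF2, which lowers the guessing rate but does not rescue a password that is a mangled dictionary word.

```python
"""Offline dictionary attack with simple mangling rules.

Added example, not from the original page. WORDLIST, SUFFIXES and the ACCOUNTS
store (user -> salt, sha256(salt + password)) are constructed for the
demonstration; SHA-256 stands in for whatever hash the target system uses.
"""
import hashlib

# Constructed word list; real ones hold millions of words in many languages.
WORDLIST = ["password", "summer", "letmein", "welcome",
            "dragon", "monkey", "chicago", "qwerty"]
# Suffixes people commonly append to "strengthen" a word (constructed set).
SUFFIXES = ["", "1", "123", "!", "2024"]
# Look-alike substitutions, applied to the whole word.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def mangle(word: str):
    """Yield the variants a cracker tries for one dictionary word."""
    bases = {
        word,
        word.capitalize(),
        word.upper(),
        word[::-1],                          # spelled backwards
        word.translate(LEET),                # p@$$w0rd
        word.capitalize().translate(LEET),   # P@$$w0rd
    }
    for base in sorted(bases):
        for suffix in SUFFIXES:
            yield base + suffix


def hash_password(password: str, salt: bytes) -> str:
    """Salted SHA-256, hex encoded (a fast hash; see the lead-in)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def make_store(plaintexts: dict) -> dict:
    """Build a constructed password store from known plaintexts."""
    return {
        user: (salt, hash_password(pw, salt))
        for user, (salt, pw) in plaintexts.items()
    }


# Constructed accounts. Only the salts and hashes are visible to the attacker.
ACCOUNTS = make_store({
    "alice": (b"salt-a", "Summ3r!"),      # capitalized + leet + suffix
    "bob":   (b"salt-b", "drowssap123"),  # reversed + suffix
    "carol": (b"salt-c", "Dragon2024"),   # capitalized + suffix
    "dave":  (b"salt-d", "kQ7#vwPz!2L"),  # random; not reachable by these rules
})


def crack(store: dict, wordlist) -> tuple:
    """Try every mangled word against every account.

    Returns (cracked {user: password}, number of hash computations made).
    Per-user salts force a separate hash per account per guess.
    """
    cracked = {}
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            for user, (salt, digest) in store.items():
                if user in cracked:
                    continue
                guesses += 1
                if hash_password(candidate, salt) == digest:
                    cracked[user] = candidate
    return cracked, guesses


if __name__ == "__main__":
    found, guesses = crack(ACCOUNTS, WORDLIST)
    for user in ACCOUNTS:
        print(f"{user:6} {found.get(user, '(not cracked)')}")
    print(f"{guesses} hash computations")
```

Three of the four accounts fall to an eight-word list with five suffixes and a handful of rules; the only survivor is the password that no rule derives from a word. Real cracking tools ship with far larger rule sets, so "Summ3r!" offers no more protection than "summer".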
What Are Some Strategies for Choosing a Good Password?
- Use lines from a childhood verse. Verse line: Yankee Doodle went to town. Password: YDwto#t0wn
- Use lines from a favorite song. Lyric: How Much is that Doggie in the Window? Password: H$itditw1?
- Use a city expression. Expression: Chicago is my kind of town too. Password: CimYK0t2!
- Use an expression of your own. Expression: Two Swiss Tourists went to see NYC. Password: 2StwtcNyc!
- Use foods disliked during childhood. Food: rice and raisin pudding. Password: ric&raiPudng
Note: Obviously, you shouldn't use any of the passwords given as examples in this document. Treat these examples as guidelines only.
Keep your passwords secret
Treat your passwords and pass phrases with as much care as the information that they protect.
- Don't reveal them to others. Keep your passwords hidden from individuals who could pass them on to other, less trustworthy people. Passwords that you must share with others, such as the password to an online banking account that you share with your spouse, are the only exceptions.
- Protect any recorded passwords. Be careful where you store the passwords that you record or write down. Do not leave these records anywhere that you would not leave the information they protect.
- Never provide your password over e-mail or in response to an e-mail request. Any e-mail that asks for your password, or asks you to go to a Web site to verify your password, is almost certainly a fraud. This includes requests that appear to come from a trusted company or individual.
- Change your passwords regularly. Changing a password limits how long a stolen or guessed password remains useful to criminals and other malicious users. The stronger your password, the longer it can safely stay in use.
- Do not type passwords on computers that you do not control. Computers such as those in Internet cafés, computer labs, shared systems, kiosks, conference rooms, and airport lounges should be considered unsafe for any personal use other than anonymous Internet browsing. Avoid using these computers to check online e-mail, bank balances, business mail, or any other account that requires a user name and password. Criminals can buy keystroke-logging devices for very little money and install them in moments, and keystroke-logging software can forward everything typed on the machine to an attacker anywhere on the Internet. Your passwords and pass phrases are worth as much as the information that they protect.
How often should I change my password?
The University requires that students and faculty change their passwords every 180 days. Employees must change their passwords every 90 days.