Suggestions for Selecting Good Passwords

This article on choosing good passwords is by Lionel Cons of group CN/SW at CERN. It appeared in CERN Computer Newsletter 210. Mr. Cons kindly allowed us to adapt it for SLAC users.
- Introduction
A good password:
- cannot be found by any password-guessing program in a reasonable time (say, less than one week)
- is easily remembered (so there is no need to write it down)
- is private (it is used and known by one person only)
- is secret (it does not appear in clear text in any file or program or on a piece of paper pinned to the terminal).
Remark: even if you use very good passwords you should change your passwords from time to time (at least twice a year).
- Why you should choose good passwords
The use of a bad password may allow someone to use your account and therefore to use, modify, corrupt or destroy any of your files or any files that you are allowed to modify.
As many of the computers at SLAC are connected together, the misuse of one account on one computer may lead to problems for several accounts on several machines, including big, expensive ones.
As stated in the 'Computer Account Responsibilities' form (a set of rules agreed to by every user of a SLAC computer who requires an account), every user must take care to protect his/her account and data. If you use a bad password, you allow someone to use or misuse SLAC facilities, and you are responsible for that. Furthermore, if someone using your account causes problems, the activity will be attributed to you, and you will have no way to prove that it was not you.
- How many passwords should you have?
You will probably hear conflicting advice on this topic. On the one hand, having one good password that you can remember is a convenience, helps keep you from the hassle of getting your passwords reset if you forget them, and helps keep you from committing the security breach of writing your passwords down. On the other hand, if someone does obtain your password, they have access to all of your accounts on all systems. This is one of the primary ways that hackers jump from system to system and site to site.
A hard-to-guess password also does not help if the password itself is captured. Some of the primary methods used today to collect passwords are network 'sniffers' on the Ethernet segments and keystroke loggers on computers that have been broken into. If you log in from another site, or using a "public" machine at a conference, or from home using an Internet Service Provider, you expose your password to anyone who can watch that path.
A good compromise is to have one password for each security 'domain' that you deal with. A security domain can be thought of as an area that has distinct security requirements that should keep it separate from other things that you do. For instance, if you have several accounts for general use, email, etc. at SLAC, they could all use the same password. If you had another account at SLAC that had administrator or super-user privileges on a machine, then that is a separate domain and should have a different password. Accounts at SLAC should have different passwords from accounts at other places. You especially should not have the same password on an online service provider as you do on your SLAC account. Passwords for web-based services and other Internet services are generally not very secure and shouldn't be reused for your SLAC accounts.
If you're unsure about the security requirements of systems that you have access to, ask your system administrator whether there are any guidelines, or possibly even some strict requirements, about password selection and management that should apply to you.
- How to choose a password that is not easily guessable
The programs that try to guess passwords (or the attacker of a machine) do not try all possible passwords; they try a large number (on the order of 10^9) of "frequently used" passwords and simple variations of them. So if you stay out of this search space you are reasonably safe; to do so, follow these guidelines.
First, here is what you should NOT do:
- Don't use your login name in any form (as-is, reversed, capitalized, doubled, with a prefix, with a suffix, etc.).
- Don't use your first or last name in any form and, more generally, any information easily obtained about you. This includes license plate numbers, telephone numbers, social security numbers, the make of your car, the name of the street you live on, the name of your spouse or of your children, etc.
- Don't use a word contained in any dictionary of any language, spelling lists, or other lists of words (acronyms, sequences of letters like 'abcdef' or 'qwerty', place names, car names, cartoon heroes, etc.).
- Don't use a password shorter than eight characters or with only alphabetic characters or only digits.
Then, here is what you should do:
- Do use a password with mixed-case alphabetics, digits, punctuation.
- Do use long passwords (with 8 or more characters).
Important note: please remember that each operating system imposes its own restrictions:
- UNIX: you can use all printable characters, case IS significant. The maximum length is 63 characters.
- VMS: you can use all printable characters, case IS NOT significant and you can use long passwords (up to 32 characters).
- Windows: You can use all printable characters, case is significant. You must use characters from 3 of the following 4 character sets (lower case alpha, upper case alpha, numeric, special). Passwords can be up to 14 characters in length.
Remark: mixing cases and substituting digits for letters only help if the pattern is not predictable. Password-guessing programs already try the following, so do not rely on them:
- all lowercase or all uppercase
- only the first or the last character in uppercase
- only vowels in uppercase
- only consonants in uppercase
- what are now considered "standard" substitutions to get around the rules, such as 0 for o, 3 for e, 1 for i or l, 7 for t, etc.
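The guidelines and remarks above can be turned into a mechanical check. The following Python script is an added example, not code from the SLAC or CERN page: it rejects passwords derived from the login name or personal data in any form, dictionary words (also when disguised by the substitutions listed in the last remark, or with digits tacked on), letter and keyboard sequences, passwords that are too short or use a single character class, and the predictable capitalisation patterns; it also estimates, for the "less than one week" criterion in the Introduction, how long a brute-force search over the character classes actually used would take. The word list, the login name 'jsmith', the personal data and the rate of 10^9 guesses per second are all constructed assumptions for the example.

```python
"""Password-choice checker: an added example, not SLAC's or CERN's own code.

It mechanises the article's rules: nothing derived from the login name or
personal data, no dictionary word (also after undoing the usual digit
substitutions and ignoring case), no letter, digit or keyboard sequence,
at least 8 characters, not all letters and not all digits, and none of the
predictable capitalisation patterns.  Word list and personal data are
constructed for the example.
"""
import string

# Constructed stand-in for a real dictionary or word list (assumption).
WORDLIST = {"password", "secret", "welcome", "dragon", "summer", "physics",
            "monkey", "letmein", "cern", "slac"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
MIN_LENGTH = 8
VOWELS = set("aeiou")
# The "standard" substitutions (0->o, 3->e, 1->i or l, 7->t, plus 4->a, 5->s);
# '1' is undone both ways so that 'p1ll' and 'f1rst' are both recognised.
_UNDO_1_AS_I = str.maketrans("031745", "oeitas")
_UNDO_1_AS_L = str.maketrans("031745", "oeltas")


def normalised_forms(password):
    """Lower-case variants with substitutions undone: 'Pa55w0rd' -> 'password'."""
    base = password.lower()
    return {base, base.translate(_UNDO_1_AS_I), base.translate(_UNDO_1_AS_L)}


def _strip_affixes(s):
    """Drop leading/trailing digits and punctuation: 'secret99!' -> 'secret'."""
    return s.strip(string.digits + string.punctuation)


def _has_sequence(s, length=4):
    """True for runs like 'abcd', 'dcba', '1234' or keyboard rows like 'qwer'."""
    for i in range(len(s) - length + 1):
        window = s[i:i + length]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps in ({1}, {-1}):
            return True
        if any(window in row or window in row[::-1] for row in KEYBOARD_ROWS):
            return True
    return False


def _case_pattern_problem(password):
    """Return the predictable capitalisation pattern used, if any."""
    letters = [c for c in password if c.isalpha()]
    if len(letters) < 2:
        return None
    upper = [i for i, c in enumerate(letters) if c.isupper()]
    if not upper or len(upper) == len(letters):
        return "case is not mixed (all lowercase or all uppercase)"
    if upper in ([0], [len(letters) - 1]):
        return "only the first or last letter is uppercase"
    up_set = {letters[i].lower() for i in upper}
    low_set = {c.lower() for i, c in enumerate(letters) if i not in upper}
    if up_set <= VOWELS and not (low_set & VOWELS):
        return "only vowels are uppercase"
    if not (up_set & VOWELS) and low_set <= VOWELS:
        return "only consonants are uppercase"
    return None


def check_password(password, login, personal=()):
    """Return the rules the password breaks (sorted); an empty list means it passes."""
    problems = set()
    tokens = [t.lower() for t in (login, *personal) if len(t) >= 3]
    for form in normalised_forms(password):
        for tok in tokens:  # catches as-is, reversed, doubled, with prefix/suffix
            if tok in form or tok[::-1] in form:
                problems.add(f"contains login name or personal data: {tok!r}")
        core = _strip_affixes(form)
        if core in WORDLIST or core[::-1] in WORDLIST:
            problems.add(f"is a dictionary word (possibly disguised): {core!r}")
        if _has_sequence(form):
            problems.add("contains a letter, digit or keyboard sequence")
    if len(password) < MIN_LENGTH:
        problems.add(f"shorter than {MIN_LENGTH} characters")
    if password.isalpha():
        problems.add("only alphabetic characters")
    if password.isdigit():
        problems.add("only digits")
    pattern = _case_pattern_problem(password)
    if pattern:
        problems.add(pattern)
    return sorted(problems)


def days_to_exhaust(password, guesses_per_second=1e9):
    """Days needed to try every password of this length over the character
    classes it uses; the guess rate is an assumed, illustrative figure."""
    classes = ((str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
               (lambda c: not c.isalnum(), len(string.punctuation)))
    alphabet = sum(n for used, n in classes if any(used(c) for c in password))
    return alphabet ** len(password) / guesses_per_second / 86400


if __name__ == "__main__":
    for candidate in ("Pa55w0rd", "jsmith99", "Kv7!mqR#2z"):  # constructed inputs
        print(candidate, check_password(candidate, "jsmith", ("John", "Smith")),
              f"{days_to_exhaust(candidate):.2g} days to exhaust by brute force")
```

Run as a script it prints the verdict on three constructed candidates. In practice the WORDLIST would be the system dictionary plus the lists of names, places and acronyms the article mentions, and the check would be wired into the password-changing program rather than run by hand; the brute-force estimate is a worst case, since, as noted above, real guessing programs go through the frequent-word list first.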
Owner: SLAC Computer Security