Password Management

Introduction

Security starts with you, the user. Keeping passwords on sticky notes, scraps of paper, or even in a text document on your computer is unsafe. Reusing the same password across a wide range of systems and websites creates the nightmare scenario in which, once someone has figured out that one password, they have access to every part of your life (systems, e-mail, retail, financial, and work).

Passwords for elevated-privilege accounts, which have stricter requirements (a 16-character minimum), are very difficult to remember.

Passwords for Mission Critical Systems (e.g. Accelerator Controls, Business Information Systems) should be different from any of your other passwords, and it is strongly suggested that you use a different algorithm for selecting them.

What can you do to protect your passwords?
  1. NEVER share your password (doing so is a violation of policy). This applies especially to third parties who offer to consolidate your mail or provide other services if you just give them your password. Don't do it!

  2. Memorize the password for each account. Not easy if you have more than a couple of accounts.

  3. Write down hints for each account and password. This is better than writing down the password itself, but someone skilled at social engineering might be able to work them out.

  4. Use the SLAC-supported ESCROW* application on UNIX. Note: this may be complex for non-UNIX users.

  5. There are a number of unsupported but available software solutions that can be used on a computer, mobile phone or thumb drive to store numerous different passwords. Free options include Password Safe, KeePass, KeyWallet and Password Gorilla. Available for purchase are Password Manager XP and PasswordVault, among many others.

* ESCROW is a system whereby the "secret" is kept in a secure location, and only authorized individuals, after providing a PGP passphrase, can access it. Escrow also allows designated parties to update the "secret". For example, Hector would manage the "secret", and Networking could view it if they were authorized and able to enter their PGP passphrase. We currently manage the BaBar unix root passwords this way: CD has access to the BaBar unix root passwords via escrow, and would access this password only if necessary.
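The access pattern the footnote describes (one stored secret, several authorized viewers each unlocking it with their own passphrase, and only designated parties allowed to update it) can be modelled as envelope encryption: the secret is sealed under a random data key, and that data key is wrapped once per party under a key derived from that party's passphrase. The Python below is an added illustration written for this page, not SLAC's ESCROW application, whose internals the page does not describe; the HMAC-SHA256 counter-mode cipher, the party names and the passphrases are constructed stand-ins for the PGP keys the real system uses.

```python
import hashlib, hmac, os, secrets

def _kdf(passphrase: str, salt: bytes) -> bytes:
    # Passphrase -> 32-byte key-encryption key (PBKDF2-HMAC-SHA256).
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 as a PRF in counter mode; "K" prefix separates it from the MAC.
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, b"K" + nonce + ctr.to_bytes(4, "big"), "sha256").digest()
    return out[:n]

def _seal(key: bytes, data: bytes) -> bytes:
    # Encrypt-then-MAC: nonce || ciphertext || tag (stand-in for PGP encryption).
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, b"M" + nonce + ct, "sha256").digest()

def _open(key: bytes, blob: bytes) -> bytes:
    # Verify the tag before decrypting; a wrong passphrase fails here.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"M" + nonce + ct, "sha256").digest()):
        raise ValueError("wrong passphrase or tampered record")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class Escrow:
    def __init__(self, secret: str, parties: dict, updaters: set):
        data_key = secrets.token_bytes(32)      # never stored in the clear
        self.record = _seal(data_key, secret.encode())
        self.updaters = set(updaters)           # parties allowed to change the secret
        self.wrapped = {}                       # party -> (salt, wrapped data key)
        for name, passphrase in parties.items():
            salt = os.urandom(16)
            self.wrapped[name] = (salt, _seal(_kdf(passphrase, salt), data_key))

    def _unwrap(self, name: str, passphrase: str) -> bytes:
        if name not in self.wrapped:
            raise PermissionError(f"{name} is not an authorized party")
        salt, blob = self.wrapped[name]
        return _open(_kdf(passphrase, salt), blob)

    def read(self, name: str, passphrase: str) -> str:
        return _open(self._unwrap(name, passphrase), self.record).decode()

    def update(self, name: str, passphrase: str, new_secret: str) -> None:
        # Re-seal under the same data key, so every other party keeps access.
        if name not in self.updaters:
            raise PermissionError(f"{name} may view but not update the secret")
        self.record = _seal(self._unwrap(name, passphrase), new_secret.encode())
```

A production deployment would replace the HMAC construction with a vetted AEAD (or, as the page says, PGP) and would add an audit trail of who unwrapped the secret and when.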

Owner: SLAC Computer Security
Last Updated: 02/28/2011