A Guide to Passwords
By Sam Bennett, Information Technology Center Helpdesk

Your username and password are credentials that allow access to the MSU network, your e-mail, and many other servers and databases that you have permission to use. When you enter your credentials, you are identifying yourself to the network. Anyone who has your username and password can masquerade as you and do everything you can do, in your name: send malicious e-mail as you, subscribe to services as you, destroy your files, and a host of other things that would cost you time, money, and frustration. The damage is not limited to you. With your credentials an intruder is inside the network and can use that foothold to break into other machines and capture information about other users; with the credentials and privileges stolen there, a skilled hacker moves on to still more machines. Hackers can also install key-logging programs that send them whatever you type, including the credentials for personal resources such as bank accounts, credit cards, and online brokerage accounts, and your social security number. For these reasons the confidentiality of usernames and passwords is very important.
Passwords are stolen in many ways. Hackers have many tools, such as dictionary crack programs, that help them recover your password. A dictionary cracker tries every word in a dictionary, in any language, usually together with simple variations of each word (added digits, changed capitalization, doubled words), against your account or against a stolen copy of the password file until one matches. While skilled hackers can penetrate even well-protected computers, many password security breaches are the fault of the user: users share their passwords with others, write them down, post them on their monitors, use a predictable password, or choose one that is too easy to guess. The first step in thwarting such attacks is choosing a secure password.
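The following is an added example, not code from the original guide or from MSU: a small Python dictionary cracker of the kind described above, run against a constructed "stolen" password file. Its guess list is a tiny made-up wordlist (a stand-in for the multi-language dictionaries real tools ship with) expanded with exactly the transformations the "Avoid passwords" section later on the page warns about: uppercase words, doubled names, a name plus a last initial, digits added to words, vowels removed, a zero for the letter o, and alphabet or keyboard sequences. The hashing scheme (unsalted SHA-256), the usernames and the passwords are all assumptions made for the demonstration; UNIX servers of the period used crypt(3) instead, which changes the speed of the attack but not its shape.

```python
import hashlib

# Constructed mini dictionary: ordinary words and first names, standing in for
# the large multi-language wordlists a real cracking tool uses (assumption).
WORDLIST = [
    "mackerel", "dandelion", "tiny", "eleven", "kitty", "magazine",
    "licorice", "october", "subtraction", "dog", "love", "marissa",
]

# Digit-for-letter swaps the guide lists (0 for o, 1 for l); crackers try these too.
LEET = str.maketrans({"o": "0", "l": "1"})

# The alphabet and keyboard rows: the source of sequences such as lmnop and ghjkl;
ROWS = ["abcdefghijklmnopqrstuvwxyz", "qwertyuiop", "asdfghjkl;", "zxcvbnm,./"]


def mangle(word):
    """Every simple transformation of one word that the guide warns against."""
    forms = {word, word.upper(), word.capitalize()}
    out = set(forms)
    for w in forms:
        out.add(w + w)                                                # kittykitty
        out.add(w.translate(LEET))                                    # 0ct0ber
        out.add("".join(c for c in w if c.lower() not in "aeiou"))    # sbtrctn
        out.update(w + d for d in "0123456789")                       # tiny8
        out.update(d + w for d in "0123456789")                       # 7eleven
        out.update(w + p for p in "!?.")                              # dude!
        out.update(w + c for c in "abcdefghijklmnopqrstuvwxyz")       # marissab
    out.discard("")
    return out


def sequences(min_len=3, max_len=8):
    """Runs of consecutive characters taken from the alphabet or a keyboard row."""
    out = set()
    for row in ROWS:
        for n in range(min_len, max_len + 1):
            for i in range(len(row) - n + 1):
                out.add(row[i:i + n])
    return out


def candidates(wordlist):
    """The cracker's complete guess list: words, their mangled forms, and sequences."""
    out = set()
    for word in wordlist:
        out |= mangle(word)
    return out | sequences()


def hash_password(pw):
    # Assumption: the stolen file holds unsalted SHA-256 hex digests.
    return hashlib.sha256(pw.encode()).hexdigest()


def crack(targets, wordlist):
    """Dictionary attack: hash each guess once and look it up against every
    stolen hash at the same time. Returns {username: recovered password}."""
    remaining = {hv: user for user, hv in targets.items()}
    found = {}
    for guess in candidates(wordlist):
        user = remaining.pop(hash_password(guess), None)
        if user is not None:
            found[user] = guess
    return found


# Constructed "stolen" password file (user -> hash). Every password comes from
# one of the guide's avoid-list categories, except judy's, which is the guide's
# own phrase-acronym example.
TARGETS = {
    "alice": hash_password("tiny8"),        # simple transformation of a word
    "bob":   hash_password("7eleven"),
    "carol": hash_password("kittykitty"),   # doubled name
    "dave":  hash_password("MAGAZINE"),     # uppercase word
    "erin":  hash_password("sbtrctn"),      # vowels removed
    "frank": hash_password("0ct0ber"),      # zero substituted for o
    "grace": hash_password("marissab"),     # first name and last initial
    "heidi": hash_password("lmnop"),        # alphabet sequence
    "ivan":  hash_password("ghjkl;"),       # keyboard sequence
    "karl":  hash_password("dog"),          # very short word
    "judy":  hash_password("IwtSbitB!"),    # acronym of a memorable phrase
}

if __name__ == "__main__":
    cracked = crack(TARGETS, WORDLIST)
    for user in TARGETS:
        print(f"{user:6} {cracked.get(user, '(not recovered)')}")
```

Ten of the eleven accounts fall to a twelve-word dictionary in well under a second; only the acronym password survives, because no word in any dictionary, however transformed, produces it.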
When you choose your password, use the following rules to increase its security:
- Use a password derived from a phrase that you can remember but others cannot guess. Think of such a phrase and select letters from it to construct the password. I could use the sentence "I want to snow board in the Bridgers!" and create the acronym password "IwtSbitB!"
- Use at least six characters; eight is better. MSU security policy requires at least six characters with a maximum of thirty. Some of the older UNIX servers will only recognize the first eight characters, so on those systems anything after the eighth character is silently ignored; make sure the first eight characters on their own already contain mixed case and a symbol.
- Use punctuation marks or symbols such as !, #, $, %, etc. Blank spaces may not be used.
- Use both upper and lowercase letters.
- Use a unique password for each purpose. Do not use the same password to serve multiple purposes; if it is stolen from one place, every account that shares it is open.
- Never write your password down.
- Change your password at least every six months.
- Never use all numbers; a combination of letters and numbers works well.
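As an added example (my own code, not part of the original guide or any MSU system), here is a small Python checker that applies the mechanical rules above: length between six and thirty, no blank spaces, both upper and lowercase letters, at least one symbol, and not all numbers. The optional legacy_truncate flag re-runs the character checks on the first eight characters only, which is all an older UNIX server keeps; the limits, names and messages are my own. Note that the guide's "IwtSbitB!" passes in full but loses its only symbol when truncated, whereas "JbeN#jbq!" keeps its "#"; several of the memory-aid examples later on the page (ILpinST, CimYKot, foTOgrafik) contain no symbol at all and fail the symbol rule as written.

```python
import re

MIN_LEN, MAX_LEN = 6, 30   # the MSU policy limits quoted in the guide
LEGACY_LEN = 8             # older UNIX crypt(3) servers keep only the first 8 characters

LOWER = re.compile(r"[a-z]")
UPPER = re.compile(r"[A-Z]")
SYMBOL = re.compile(r"[^A-Za-z0-9]")   # any punctuation mark or symbol


def check_password(pw, legacy_truncate=False):
    """Apply the guide's rules to pw and return a list of violations; an empty
    list means the password passes. With legacy_truncate=True the character
    checks look at the first eight characters only, since that is all an old
    server would store and compare."""
    problems = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN} to {MAX_LEN} characters")
    if " " in pw:
        problems.append("blank spaces may not be used")
    body = pw[:LEGACY_LEN] if legacy_truncate else pw
    if not (LOWER.search(body) and UPPER.search(body)):
        problems.append("use both upper and lowercase letters")
    if not SYMBOL.search(body):
        problems.append("use at least one punctuation mark or symbol")
    if body.isdigit():
        problems.append("never use all numbers")
    return problems


# Passwords taken from the guide's own examples, plus a few constructed bad ones.
SAMPLES = ["IwtSbitB!", "JbeN#jbq!", "ILpinST", "foTOgrafik", "jaVa*rest",
           "dog", "12345678", "I wtSbitB!"]

if __name__ == "__main__":
    for pw in SAMPLES:
        full = check_password(pw) or ["ok"]
        trunc = check_password(pw, legacy_truncate=True) or ["ok"]
        print(f"{pw!r:14} full: {'; '.join(full)}")
        print(f"{'':14} first 8 only: {'; '.join(trunc)}")
```

Running it shows the point of the truncation caveat directly: a symbol placed at the end of a nine-character password is exactly the part an eight-character server throws away.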
To help you remember your password, use some of the following strategies:
Use lines from a childhood verse:
Verse Line: Jack be nimble, Jack be quick
Password: JbeN#jbq!
Expressions inspired by the name of a city:
City Expression: I love Paris in the springtime
Password: ILpinST
City Expression: Chicago is my kind of town
Password: CimYKot

Transformation techniques:
Technique: Transliteration
Illustrative Expression: photographic
Password: foTOgrafik
Technique: Interweaving of characters in successive words
Illustrative Expression: iron horse
Password: ihrOrnSe
Technique: Substitution of synonyms
Illustrative Expression: coffee break
Password: jaVa*rest

Avoid passwords that would be easy for anyone to guess:
Dictionary words (mackerel, dandelion, millionaire).
Foreign words (octobre, gesundheit, sayonara).
Simple transformations of words (tiny8, 7eleven, dude!).
Names, doubled names, first name and last initial (mabell, kittykitty, marissab).
Uppercase or lowercase words (MAGAZINE, licorice).
An alphabet sequence (lmnop) or a keyboard sequence (ghjkl;).
Very short words or just one character (dog, *, hi!, me, love).
Words that have the vowels removed (sbtrctn, cntrlntllgnc).
Phone numbers.
Numbers substituted for letters, like a zero instead of the letter O or a number 1 in place of the letter l.

Changing your password:
Windows 95/98/ME - Go to Start>Settings>Control Panel. Double Click the "Users" icon. Select your username and click the "Set Password" button.
Windows 2000/XP - Press Ctrl-Alt-Del simultaneously and then click "Change Password".
Gemini e-mail - Telnet to Gemini and type "passwd", or call the Help Desk. Be aware that telnet sends the whole session, including your old and new password, across the network unencrypted; if the server accepts SSH connections, use those instead.

Please contact Sam Bennett (sbennett@montana.edu) for additional information.
December 11, 2002