Advice on Choosing a Password

Most, if not all, computer accounts for undergraduates will initially have the password assigned by ITS. We strongly recommend that all students change their password as soon as possible. Because assigned passwords must be supplied to many departments on campus, there is a small risk that someone might get unauthorised access to these passwords.

At the beginning of the year, each account a student has access to will either have the ITS assigned password or, for accounts that remain from the previous year, have the last password used in the previous year.

The following advice on choosing a password is based on an article written by Tim Bell.

Note that some password control software performs checks that reject some of the passwords identified below as insecure.

Also note that on some systems it is unwise to use keys on the numeric keypad in passwords, as in some modes these keys do not produce digits.

Choosing a Computer Password

The University community stores a wide variety of data on computer -- student records, grades, research results, research proposals and financial information. The increasing connectivity of computers within the campus and to the outside world means that the data need to be protected carefully from unauthorised access, modification or deletion. This protection is often achieved by a password, so obtaining a password is of great value to a perpetrator. Some passwords are easier for the perpetrator to discover than others, and unfortunately computer users often unwittingly choose more vulnerable passwords. This article offers some guidelines for choosing a password that is secure.

Canterbury has a full connection to the "Internet", a facility that allows us to make direct connections to hundreds of thousands of computers internationally. This works both ways, and we are open to attack from anywhere in the world. Those sceptical of the notion that belligerent hackers might be interested in a remote New Zealand university should read Clifford Stoll's article about hackers who used a low security computer site as a gateway to more sensitive sites (Communications of the ACM, May 1988 p 484; a more colourful account appeared in the Reader's Digest, June 1990).

Passwords are generally attacked by simply trying out a whole lot of possibilities. This would be tedious to do by hand, but the serious infiltrator will use a computer to do the work. Thousands of passwords can be tested in a small amount of time; thus a good password is one that is not likely to be tried in a million or so guesses. An attacker will try out words taken from spelling checking dictionaries, personal names, initials and place names (often available from the computer being attacked!), and very simple passwords, such as a single letter. There is not enough time to try out every possible combination of letters (every possible 8-letter combination could take over 10,000 years to evaluate), so a carefully chosen password will be safe (for a few millennia, at least).

Passwords chosen using the following guidelines should be secure against known methods of attack. Some computer systems force users to choose passwords that follow some of these rules; some system administrators check from time to time for vulnerable passwords. The guidelines are from "Improving the security of your Unix system" by David A. Curry (Tech. Report, SRI International, California).

  • Don't use your login name in any form (as-is, reversed, capitalized, doubled, etc.).
  • Don't use your first or last name in any form.
  • Don't use your spouse's or child's name.
  • Don't use other information easily obtained about you. This includes license plate numbers, telephone numbers, social security numbers, the brand of your automobile, the name of the street you live on, etc.
  • Don't use a password of all digits, or all the same letter. This significantly decreases the search time for a cracker.
  • Don't use a word contained in (English or foreign language) dictionaries, spelling lists, or other lists of words.
  • Don't use a password shorter than eight characters.
  • Do use a password with mixed-case alphabetics.
  • Do use a password with non-alphabetic characters, e.g., digits or punctuation.
  • Do use a password that is easy to remember, so you don't have to write it down.
  • Do use a password that you can type quickly, without having to look at the keyboard. This makes it harder for someone to steal your password by watching over your shoulder.
  • Do change your password regularly (every few months).

Although this list may seem to restrict passwords to an extreme, there are several methods for choosing secure, easy-to-remember passwords that obey the above rules. Some of these include the following:

  • Choose a line or two from a song or poem, and use the first letter of each word. For example, "In Xanadu did Kubla Khan a stately pleasure dome decree" becomes "IXdKKaspdd."
  • Alternate between one consonant and one or two vowels, up to eight characters. This provides nonsense words that are usually pronounceable, and thus easily remembered. Examples include "routboo," "quadpop," and so on.
  • Choose two short words and concatenate them together with a punctuation character between them. For example: "dog;Rain," "Book+mug," "kid?gOat."
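The "Don't"/"Do" guidelines above can be applied mechanically, which is what the password control software mentioned earlier does. The checker below is an added example, not code from the original article or from Curry's report; the word list, the login name "jsmith" and the personal details are constructed stand-ins, and "dog;Rain" is the article's own two-word example.

```python
import re

# Constructed stand-in for the spelling-checker and name lists an attacker
# would try; a real checker would load the system dictionary here.
WORDLIST = {"password", "xanadu", "summer", "canterbury", "rain", "book"}


def login_variants(login):
    """Forms of the login name the first rule forbids: as-is, reversed,
    capitalised, upper-cased and doubled."""
    base = login.lower()
    return {base, base[::-1], base.capitalize(), base.upper(), base * 2}


def check_password(password, login, personal=()):
    """Return the list of guidelines the password breaks (empty = passes).

    `personal` is an iterable of strings easily obtained about the user
    (first/last name, spouse's name, phone or plate number, street)."""
    problems = []
    lower = password.lower()
    if len(password) < 8:
        problems.append("shorter than eight characters")
    if any(v.lower() in lower for v in login_variants(login)):
        problems.append("contains the login name in some form")
    for item in personal:
        if item and item.lower() in lower:
            problems.append("contains personal information: " + item)
    if password.isdigit():
        problems.append("all digits")
    if len(set(password)) == 1:
        problems.append("all the same character")
    if lower in WORDLIST or lower[::-1] in WORDLIST:
        problems.append("dictionary word (or one reversed)")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("no mixed-case letters")
    if not re.search(r"[^A-Za-z]", password):
        problems.append("no digit or punctuation")
    return problems


if __name__ == "__main__":
    # "dog;Rain" is the article's example; the other candidates are constructed.
    for pw in ("dog;Rain", "jsmithjsmith", "12345678", "Summer", "aaaaaaaa"):
        result = check_password(pw, "jsmith", personal=("John", "Smith"))
        print(repr(pw), "->", result or "OK")
```

Note that the dictionary test is deliberately applied to the whole password only, so the two-word method ("dog;Rain") passes even though each half is a dictionary word.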

Finally, keep the password physically secure. If you must write it down, don't stick it on your computer terminal! Resist the temptation to tell it to anyone. If someone needs access to some of your files there will usually be a way to allow it without giving them your full privileges.

Passwords are like toothbrushes: you should choose a good one, don't share it with anyone, and change it every few months.