Password Security: Selecting and Storing Your Password
by Lanette Olsen
Security: Measures adopted to guarantee freedom or secrecy of action, communication, or the like.
Password: A secret word or phrase that one uses to gain admittance or access to information.
Your password -- your secret word or phrase -- allows only you access to the University of California, Davis' computing resources. Like the key to your home's front door, your password keeps out unwanted intruders. Would you leave your house keys lying around to be picked up by just anybody? And in this day and age, how many people hide their keys underneath the front door mat? So then, why are electronic passwords still scribbled on sticky notes on computer screens or stashed under keyboards or in the back of desk drawers?
According to some analysts, more than a million passwords have been stolen to date. It is surprisingly easy to guess or steal passwords. Hackers can launch a dictionary attack by comparing your password with every word in a dictionary -- foreign as well as English -- in a matter of minutes. Or they can use "sniffers," programs that capture network traffic and so read every keystroke sent from a machine, including passwords. You can take measures, however, to reduce the likelihood that such schemes will succeed against your password: memorize your password rather than writing it down; never share your password with anyone; never send your password via email; and don't choose one that is too predictable or easy to guess.
Why is this important?
Someone who guesses or steals a password can conceivably access files, email messages, funds, and personal information. This may allow the hacker to change or destroy files or send email threats in someone else's name. And this chaos can extend beyond just one account. Once intruders gain access to a system, they can monitor other machines and systems on the same network and even monitor the remote systems to which the local users connect. For example, an unwanted intruder might, by way of a stolen password, gain access to confidential student or University financial information.
What can you do to help?
Well, to start with, don't leave that password lying around. Passwords, like the keys to your front door, provide security only if handled properly. Network and systems administrators can enhance security through the use of advanced security features (such as firewalls, encryption and authentication), but ultimate responsibility comes back to you, the end user.
What to include in your password:
- Choose a password that is easy for you to remember but difficult to guess. It should contain at least seven characters.
- Use punctuation marks or symbols within your password. Do not use a blank space!
- Always mix upper- and lowercase letters.
- Select a unique password, not one that you are using for some other purpose.
- Specifically, if you are or will be using central computing systems at UC Davis, your password must include:
  - 7 to 8 characters
  - At least one upper-case letter
  - At least one lower-case letter
  - At least one number
  - At least one special character (must be $ if you are or will be using VMS).
What not to do:
- Don't write down your password!
- Don't send your password via email. Email is not secure. (Keys in the mail? Never!)
- Don't store your password in a file on your computer.
- Don't use dictionary or foreign words, names, doubled names or first/last names and initials.
- Stay away from simple transformations of words (e.g., 7eleven, seven11, etc.) or any alphabet or keyboard sequence (backwards or forwards).
- Don't even consider short words, single characters, phone numbers, birth dates or numbers substituted for letters (like a zero instead of the letter O).
- Be wary of programs unnecessarily requiring your password. Once you are logged in to a given computer system, it should not need to know your password again.
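The composition rules above (the general guidance plus the stricter central-systems profile, and the "what not to do" list) can be expressed as a checker that reports which rule a candidate password breaks. The script below is an added example written for this page, not campus code: the word list standing in for a dictionary, the digit-for-letter substitution table, and the sample passwords are all constructed for illustration, and a real check would load a full word list such as /usr/share/dict/words.

```python
import re
import string

# Constructed word list standing in for the English and foreign dictionaries an
# attacker's word list would contain; a real check would load a full file.
SMALL_DICTIONARY = {
    "password", "seven", "eleven", "london", "bridge", "falling", "down",
    "davis", "california", "fish", "friday", "chocolate", "pudding", "aggie",
    "secret", "welcome",
}

# Common digit/symbol-for-letter substitutions (the "zero for the letter O"
# trick) so that "p4ssw0rd" is recognised as the word "password".
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})

KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
SEQUENCE_SOURCES = KEYBOARD_ROWS + [string.ascii_lowercase]


def has_sequence(pw, length=4):
    """True if any run of `length` characters is a forward or backward slice
    of a keyboard row or the alphabet (e.g. "qwer", "6543", "dcba")."""
    low = pw.lower()
    for i in range(len(low) - length + 1):
        chunk = low[i:i + length]
        if any(chunk in src or chunk[::-1] in src for src in SEQUENCE_SOURCES):
            return True
    return False


def looks_like_word(pw):
    """True if the password, with punctuation removed and digit substitutions
    undone, is a dictionary word or a doubled dictionary word ("fishfish")."""
    for candidate in (pw.lower(), pw.lower().translate(LEET_MAP)):
        letters = re.sub(r"[^a-z]", "", candidate)
        if letters in SMALL_DICTIONARY:
            return True
        half = len(letters) // 2
        if half and letters[:half] == letters[half:] and letters[:half] in SMALL_DICTIONARY:
            return True
    return False


def check_password(pw, profile="general", vms=False):
    """Return the list of rules the password breaks; an empty list means it passes.

    profile="general" applies the campus-wide guidance (7+ characters, mixed
    case, a symbol, no blank); profile="central" applies the central-systems
    rule set (7 to 8 characters, upper, lower, number, special; '$' on VMS).
    """
    problems = []
    if profile == "central":
        if not 7 <= len(pw) <= 8:
            problems.append("central systems require 7 to 8 characters")
    elif len(pw) < 7:
        problems.append("use at least seven characters")
    if " " in pw:
        problems.append("blank spaces are not allowed")
    if not any(c.isupper() for c in pw):
        problems.append("add an upper-case letter")
    if not any(c.islower() for c in pw):
        problems.append("add a lower-case letter")
    if not any(not c.isalnum() and not c.isspace() for c in pw):
        problems.append("add a punctuation mark or symbol")
    if profile == "central":
        if not any(c.isdigit() for c in pw):
            problems.append("central systems require at least one number")
        if vms and "$" not in pw:
            problems.append("VMS requires the special character $")
    if pw.isdigit():
        problems.append("looks like a phone number or date (all digits)")
    if looks_like_word(pw):
        problems.append("is a dictionary word, possibly with digits substituted for letters")
    if has_sequence(pw):
        problems.append("contains an alphabet or keyboard sequence")
    return problems


if __name__ == "__main__":
    # Constructed sample candidates: one weak, one sequence-based, one that passes.
    for candidate in ("P4ssw0rd", "qwerty12", "Tr4v#lqz"):
        verdict = check_password(candidate, profile="central")
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

Run against the sample passwords in the "Strategies" section below, the checker reports that they satisfy the general profile (apart from FoFda!, which is shorter than seven characters) but not the central-systems profile, since none of them contains a number and two are longer than eight characters; a checker like this is a useful way to confirm that a local password standard and the examples handed to users actually agree.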
And remember to change your password if:
- You have had the same one for more than six months.
- You have told it to anyone (even Mom) or have written it down anywhere.
- You have logged onto a system from another city or campus.
- You are notified that it does not meet current standards.
Strategies for choosing a good password
The following are only suggestions for developing a secure password. Please, please do not use these examples! Including them in this document compromises their security.
- Lines from a favorite childhood verse.
  - Example: London Bridge Is Falling Down
    Password: LBif%Down
- Expressions about a favorite geographical area.
  - Example: I left my heart in San Francisco
    Password: iLmHiS#F
  - Example: Sunny California
    Password: suNIc*al!
- Foods liked or disliked as a child.
  - Example: Fish on Fridays
    Password: FoFda!
  - Example: Chocolate Pudding
    Password: cHO%dinG
Try substituting antonyms or synonyms for your chosen words or interweave letters and characters from successive words. Ultimately, any password you choose has to be known to you and you alone and must conform to local procedures for constructing passwords.
For further information on this and other security issues, visit the Web at http://security.ucdavis.edu/. And remember, ditch those sticky notes!
Lanette Olsen is a technical writer. Doreen Meyer, from IET's Campus Data Center, contributed to this QuickTip.