Guidelines for good passwords
The security of our cluster relies in large part on the security of users' passwords. Passwords are checked regularly for strength and users with weak passwords may be locked out.
Understanding the threat
Computers connected to the Internet are almost constantly under attack. Many of these attacks come from automated "bots" that attempt to guess passwords, either by trying common words or simply trying random combinations of characters. The goal is to break into accounts so that they can then be used to send spam or break into other machines.
Things to avoid
Some passwords are particularly easy for automated programs to guess. Avoid using the following as passwords:
- Your username, or a derivative of your username (e.g., your username backwards or with a number on the end).
- The word "password".
- Your name.
- Common dictionary words. A word like "something" is a very weak password. "something1" isn't really much better. While trying an entire dictionary's worth of passwords would be very tedious for a human, it's trivial for a computer program.
- Sequences of adjacent keys on the keyboard (like "qwerty").
How to pick a good password
Besides avoiding the problems noted above, a good password should meet the following criteria:
- It should be at least 8 characters long. This makes brute-forcing the password by trying random character sequences less practical. Generally speaking, the longer the better. (The maximum allowed password length on patas is 79 characters.)
- It should contain at least one number or punctuation mark, and a mix of uppercase and lowercase letters. This enlarges the set of characters that must be tried in order to successfully guess the password.
One good way to create a relatively secure password is to start with a phrase you find easy to remember. For example, we could start with "The quick brown fox jumped over the lazy dog." We could then take the first letter from each word, making it "Tqbfjotld." Finally, we can make this more secure by replacing some of the letters with numbers; for example, "Tqbfj0t1d." This is now a reasonably secure password, and the phrase makes an easy mnemonic for remembering it. (But please don't use this one, or any other password that's been published on the web!)
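The rules under "Things to avoid" and the two criteria above can be checked mechanically before a password is accepted. The following is an added example, not code from this page or from the cluster's own password checker; the function names, the small sample word list and the 5-key threshold for keyboard runs are assumptions made for illustration.

```python
import string

# Constructed sample data: a real check would load a full dictionary file.
SAMPLE_WORDS = {"something", "password", "welcome", "dragon"}
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
MIN_LEN, MAX_LEN = 8, 79  # 79 is the maximum the page gives for patas
SYMBOLS = string.digits + string.punctuation


def _core(pw):
    """Lowercase and drop leading/trailing digits and punctuation ("something1" -> "something")."""
    return pw.lower().strip(SYMBOLS)


def _is_keyboard_run(s, min_run=5):
    """True if s contains min_run adjacent keys from one row, in either direction."""
    for row in KEYBOARD_ROWS:
        for r in (row, row[::-1]):
            for i in range(len(r) - min_run + 1):
                if r[i:i + min_run] in s:
                    return True
    return False


def check_password(pw, username, full_name="", words=SAMPLE_WORDS):
    """Return the list of guidelines that pw violates (empty list means it passes)."""
    problems = []
    core, user = _core(pw), username.lower()
    names = full_name.lower().split()
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append("length")
    if user and core in (user, user[::-1]):   # username, reversed, or with digits added
        problems.append("username")
    if core and (core in names or core == "".join(names)):
        problems.append("name")
    if core in words:                          # covers "password" and "something1"
        problems.append("dictionary")
    if _is_keyboard_run(pw.lower()):
        problems.append("keyboard")
    if not any(c in SYMBOLS for c in pw):
        problems.append("no-digit-or-punct")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("no-mixed-case")
    return problems
```

Stripping digits and punctuation from the ends before the dictionary lookup is what makes "something1" fail for the same reason as "something".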
Remembering your password
Even with a good mnemonic, remembering your password is sometimes difficult. If you feel the need to write it down, do so, but do not store the password on or near your computer. I often suggest that people write it on a slip of paper and put it in their wallet. Naturally, if you do this and then lose your wallet you should change your password.
If you happen to forget your password it can be easily reset. Just email linghelp@u
from your UW email account, and a new temporary password will be emailed to you.
- 17 Apr 2009
Topic revision: r1 - 2009-04-17 - 18:41:58 - brodbd