Selecting a Strong Password

To avoid problems with other users breaking into your account, you should change your initial password to something more secure as soon as possible. On an ongoing basis, we recommend that you continue to change your password at least once each semester.

When selecting a password, your goal is to make it as difficult as possible for someone to guess. By doing this, you leave a password "cracker" with no alternative but to search through every possible combination of letters, numbers, and punctuation. A search of this sort, even conducted on a machine that could try one million passwords per second (most machines can try fewer than one hundred per second), would require, on average, over one hundred years to complete. There are some simple guidelines which, if followed, would force a cracker to conduct such a search.

Periodically, Computing Services runs a password cracker utility. The password cracker inspects users' Andrew passwords and automatically emails those individuals who use insecure passwords. The password cracker detects passwords with the following vulnerabilities:

  • all numeric passwords
  • passwords made up of one or more words that can be found in a dictionary
  • passwords made up of a dictionary word with a number prepended or appended
  • passwords that are commonly found proper names

Guidelines for selecting a more effective password

Follow these guidelines to select a more effective password. Please do not use any of the examples in this document as your password; "crackers" can read these files and may target specific examples:

  • Do change your password. Initially, all students, faculty and staff members have a password set for them. You should change this password to your own unique string as soon as possible.
  • Do create a password that is at least eight characters long and combines upper- and lowercase letters with digits or special characters. Avoid simply changing the case of the first or last letter, as this may be insufficient to prevent password guessing.
  • Do change your password often. We recommend a new password once per semester.
  • Do choose a password that is easy to remember so you don't have to write it down.
  • Do choose a password that you can type quickly, without having to look at the keyboard. This makes it harder for someone to steal your password by watching over your shoulder.
  • Do use a system for formulating passwords that makes them easier to remember such as:
    • Choose a line or two from a song or poem, and use the first letter of each word. For example, 'In Xanadu did Kubla Khan a stately pleasure dome decree!' becomes 'IXdKKaspdd!'
    • Choose a password that alternates between one or two consonants and one or two vowels. This produces nonsense words that are usually pronounceable, and thus more easily remembered. Examples include 'root+Boo', 'quaDpop57', 'mOotop75c'.
    • Choose two short words and join them with a punctuation character between them. Examples include 'dog;Rain', 'booK+mug', 'kid?gOat', etc.
    • Choose a collection of words that formulate a sentence such as 'my Pa55word is Strong!'

Don'ts for Selecting an Effective Password

  • Don't use your name, your user ID, or the name of a spouse, child, friend or pet.
  • Don't use information easily obtained about you, such as license plate numbers, telephone numbers, social security numbers, the brand of your automobile, the name of the street you live on, etc.
  • Don't use a password made up entirely of digits, or of the same letter repeated.
  • Don't use a word contained in any dictionary, spelling list, or other word list in any language.
  • Don't use a simple transformation of a word such as reversing the spelling, changing upper-case to lower-case or vice versa, or using all capitalization.
  • Don't use a password shorter than eight characters. Every additional character increases the number of possible combinations a cracker has to try.
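
The rules above, as a single policy check run when a password is being chosen: the four conditions the cracker utility flags, the eight-character and mixed-composition rule from the guidelines, and the reversed-spelling transformation from the don'ts. This is an added example written for this page, not the Computing Services utility itself, and the dictionary and proper-name lists are constructed stand-ins for the full word lists a real checker would load.

```python
import re

# Constructed, tiny stand-ins for the dictionary and proper-name word lists;
# a real checker would load complete lists in every relevant language.
DICTIONARY = {"password", "dog", "rain", "book", "mug", "kid", "goat", "xanadu", "secret"}
PROPER_NAMES = {"andrew", "carnegie", "mellon", "jennifer", "michael"}
MIN_LENGTH = 8


def _splits_into_words(s: str) -> bool:
    """True if s is a concatenation of one or more dictionary words (e.g. 'dograin')."""
    if not s:
        return True
    return any(s[:i] in DICTIONARY and _splits_into_words(s[i:])
               for i in range(1, len(s) + 1))


def _is_wordlist_hit(core: str) -> bool:
    """Dictionary word(s) or a common proper name, ignoring case."""
    core = core.lower()
    return bool(core) and (_splits_into_words(core) or core in PROPER_NAMES)


def weaknesses(pw: str) -> list[str]:
    """Return the policy findings for pw; an empty list means it passed every rule."""
    found = []
    if len(pw) < MIN_LENGTH:
        found.append("shorter than eight characters")
    if pw.isdigit():
        found.append("all numeric")
    elif len(set(pw)) == 1:
        found.append("all the same character")
    # Strip digits prepended or appended to the word, so '1dog' and 'dog99' are caught.
    core = re.sub(r"^\d+|\d+$", "", pw)
    if core and _splits_into_words(core.lower()):
        found.append("dictionary word(s), possibly with digits added")
    elif core and core.lower() in PROPER_NAMES:
        found.append("common proper name")
    # A simple transformation such as reversed spelling does not escape the word lists.
    if core and _is_wordlist_hit(core[::-1]):
        found.append("reversed dictionary word or name")
    has_lower = any(c.islower() for c in pw)
    has_upper = any(c.isupper() for c in pw)
    has_other = any(c.isdigit() or not c.isalnum() for c in pw)
    if not (has_lower and has_upper and has_other):
        found.append("needs upper and lower case plus a digit or special character")
    return found
```

Passwords built with the systems above (two short words joined by punctuation, consonant/vowel nonsense words) pass every rule, while a proper name or a dictionary word with digits attached is reported even when reversed or re-cased.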

Last Updated: 10/04/07