Carnegie Mellon University

Select a Strong Password

To avoid someone gaining access to your account, you should change your initial password to something secure as soon as possible. On an ongoing basis, we recommend that you change your password at least once each semester.

When selecting a password, your goal is to make it as difficult as possible for someone to guess. By doing this, you leave a password "cracker" with no alternative but to search through every possible combination of letters, numbers, and punctuation. A search of this sort, even conducted on a machine that could try one million passwords per second (most machines try fewer than one hundred per second), would require, on average, over one hundred years to complete. There are some simple guidelines available from the Information Security Office (ISO) web site which, if followed, would force a cracker to conduct such a search.

Periodically, Computing Services runs a password cracker utility. The password cracker inspects Andrew passwords and automatically emails those individuals who are using an insecure password. The password cracker detects passwords with the following vulnerabilities:

  • passwords that contain all numbers
  • passwords that are comprised of one or more words that can be found in a dictionary
  • passwords that are comprised of any dictionary word with a number prepended or appended
  • passwords that are common proper names
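The following is an added example, not code from Computing Services or the Andrew password cracker, showing how the four weak-password patterns listed above can be detected, together with the exhaustive-search estimate from the paragraph on guessing. The word list, proper-name list, the 95-character printable alphabet and the 8-character length are all constructed assumptions; the page gives none of them, and a real check would load a full dictionary.

```python
import re

# Constructed stand-in for the dictionary a cracker would use (assumption).
DICTIONARY = {
    "password", "secret", "letmein", "welcome", "campus", "tartan",
    "football", "summer", "winter", "open", "sesame", "blue",
}

# Constructed list of common proper names (assumption).
PROPER_NAMES = {"michael", "jennifer", "robert", "andrew", "pittsburgh", "carnegie", "mellon"}


def is_all_digits(pw):
    """Pattern 1: the password contains nothing but numbers."""
    return pw.isdigit()


def is_dictionary_words(pw, words=DICTIONARY):
    """Pattern 2: the password is a concatenation of one or more dictionary words.

    A simple dynamic-programming segmentation: position j is reachable if some
    reachable position i < j has s[i:j] in the dictionary.
    """
    s = pw.lower()
    if not s.isalpha():
        return False
    n = len(s)
    reachable = [False] * (n + 1)
    reachable[0] = True
    for i in range(n):
        if not reachable[i]:
            continue
        for j in range(i + 1, n + 1):
            if s[i:j] in words:
                reachable[j] = True
    return reachable[n]


def is_word_with_number(pw, words=DICTIONARY):
    """Pattern 3: a dictionary word with digits prepended and/or appended."""
    m = re.fullmatch(r"(\d*)([A-Za-z]+)(\d*)", pw)
    if not m:
        return False
    lead, word, trail = m.groups()
    return bool(lead or trail) and word.lower() in words


def is_proper_name(pw, names=PROPER_NAMES):
    """Pattern 4: the password is a common proper name."""
    return pw.lower() in names


def weaknesses(pw):
    """Return the list of weak-password patterns the candidate matches (empty if none)."""
    reasons = []
    if is_all_digits(pw):
        reasons.append("all numbers")
    if is_dictionary_words(pw):
        reasons.append("dictionary word(s)")
    if is_word_with_number(pw):
        reasons.append("dictionary word with number prepended or appended")
    if is_proper_name(pw):
        reasons.append("common proper name")
    return reasons


def expected_search_years(alphabet_size, length, guesses_per_second):
    """Average time for an exhaustive search: on average half the keyspace is tried
    before the right password is found. Uses a 31,557,600-second Julian year."""
    keyspace = alphabet_size ** length
    seconds = (keyspace / 2) / guesses_per_second
    return seconds / 31_557_600


if __name__ == "__main__":
    for candidate in ["19982007", "OpenSesame", "password1", "Pittsburgh", "Tr0ub4dor&3"]:
        print(f"{candidate!r}: {weaknesses(candidate) or 'no listed weakness'}")
    # Assumed 95 printable ASCII characters, length 8, one million guesses/second.
    print(f"{expected_search_years(95, 8, 1_000_000):.1f} years on average")
```

A password that passes all four checks is not automatically strong; it only forces the cracker out of its cheap dictionary phase and into the exhaustive search that the estimate function quantifies. Note how sharply the estimate depends on the guessing rate: at one hundred guesses per second the same 8-character search takes about a million years.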

Having a Strong Password is Important

Some believe that having a password which is easy to type or remember is more important than security. Often this is because they are not particularly concerned about the confidentiality of the files in their Andrew account. Keep in mind that your Andrew account is more than just a collection of your files. When an unauthorized person gains access, it can lead to any of the following activities:

  • Send electronic mail as if they were you. While this may seem harmless at first glance, there have been cases where falsified electronic mail has caused real damage. Such messages can include death threats, fraudulent offers for services or sale of merchandise, or inappropriate or harassing remarks to someone with whom you regularly correspond, or to a complete stranger. Further, if you are in a position of authority (e.g., faculty member, staff member with supervisory duties), falsified messages telling a student or employee that they are going to fail a class or be fired can be sent. There is no way to prove that someone else sent such messages if they authenticated themselves to the system as you, using your password.
  • Read your electronic mail. This would, of course, include any messages which you consider to be confidential.
  • Use your account as a "launching point" to initiate attacks against other computer systems. Should such activity occur, you could lose access to the account, and your ability to log in, for days or even weeks while your account is examined for the hacker's code and hidden files and directories. In extreme cases, your entire account may be copied and given to authorities under a court order.
  • Gain access to other services. This might include course materials through Blackboard, your grades and registration information, network registration, or other information.

The password to your account is the last line of defense against a potential intruder. Maintaining good password security is as important, and as easy to do, as locking the door to your house or your car. A truly determined attacker will find ways to break in, but making it easy for them is not in your best interest.

Last Updated: 9/9/09