How to choose a secure password

Using the following techniques will make your password harder to guess. The time required for an intruder with a PC to break your password by exhaustive trial will be prohibitively long. However, a process running exhaustive trials over several passwords for a month may break some passwords. To combat this, you should change your password regularly and often. If you change it often enough, intruders will never have enough time to break it with a "brute force" (exhaustive trial) approach.
A password should never be reused. When changing your password, never add a number or character to your old password. It is very easy to guess my$Pl_x1 if you know that a previous password was my$Pl_x.

  • DO Use two or three UNRELATED words with some non-alphabetic characters or deliberate misspelling.
  • DO Take the first letter from each word of a phrase to form an easily remembered non-word.
  • DO Always include non-alphabetic characters (numbers, punctuation marks, symbols), but do not replace o with 0 and i with 1 or use other obvious substitutions.
  • DO Use a MINIMUM of 8 characters. If your system allows more than 8 characters, it is more secure to use more characters.
  • DO Use mixed upper and lower case letters if your system is case-sensitive. Do not capitalise only the first or last letter (e.g., Mich37bo is not as secure as mICh37Bo).
  • DO Change your password regularly and often.
  • DO NOT Reuse a password that you have had before. Password cracking algorithms have been available for a long time. Passwords can be broken using these intensive computerised processes, but it takes a long time, so change your password often.
  • DO NOT Leave an account logged in and walk away, NOT EVEN FOR A FEW MINUTES.
  • DO NOT Use the same password on multiple accounts. If the password is broken on one account then it is broken for ALL accounts. Do not just add or modify a single character in the password because this makes all of your passwords easily guessable if one password is known.
  • DO NOT Use any word from a dictionary in any language. Most forms of password attack use dictionaries as a basis for password guessing.
  • DO NOT Use personal information like your name, birthdate, maiden name, car registration number, room number, department name, machine name, location, spouse’s name, child’s name or pet’s name.
  • DO NOT Use duplicated characters (aaabbbccc) which can be seen by someone watching you type.
  • DO NOT Use keyboard patterns (qwertyuiop) as these can be identified easily by someone watching you type.
  • DO NOT Give your password to ANYONE, not even to a friend.
  • DO NOT Write your password down near your computer. It’s preferable not to write your password down at all. If you forget your password, you can have it reset.
  • DO NOT Allow people to watch the keyboard while you type in your password.
  • DO NOT use any date as your password.
  • DO NOT use your username as your password.
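Added example, not from this page or from UQ: a small Python checker that applies the DO and DO NOT rules above to a candidate password, including the "capitalise only the first letter" point (Mich37bo versus mICh37Bo) and the "old password plus one character" trap (my$Pl_x versus my$Pl_x1). The keyboard rows, the substitution table and the date layouts it recognises are constructed assumptions, and the dictionary is whatever word list the caller supplies.

```python
import re

# Constructed reference data (not from the original page).
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
OBVIOUS_SUBS = str.maketrans("01345@$!", "oieasasi")  # o->0, i->1 and similar swaps
DATE_LIKE = re.compile(r"\d{6,8}|\d{1,4}[/.-]\d{1,2}[/.-]\d{1,4}")

def normalise(pw):
    """Lower-case and undo obvious swaps so 'Passw0rd' is compared as 'password'."""
    return pw.lower().translate(OBVIOUS_SUBS)

def keyboard_run(pw, length=4):
    """True if four adjacent keys from one keyboard row appear, in either direction."""
    low = pw.lower()
    return any(row[i:i + length] in low or row[i:i + length][::-1] in low
               for row in KEYBOARD_ROWS for i in range(len(row) - length + 1))

def one_char_away(new, old):
    """True if new is old with one character changed, prepended or appended."""
    if len(new) == len(old):
        return sum(a != b for a, b in zip(new, old)) == 1
    return len(new) == len(old) + 1 and (new.startswith(old) or new.endswith(old))

def check_password(pw, username="", previous=(), dictionary=()):
    """Return the names of the rules that pw breaks; an empty list means it passes."""
    problems = []
    letters = [c for c in pw if c.isalpha()]
    uppers = sum(c.isupper() for c in letters)
    if len(pw) < 8:
        problems.append("min-8-chars")
    if uppers in (0, len(letters)):
        problems.append("mixed-case")
    elif uppers == 1 and (letters[0].isupper() or letters[-1].isupper()):
        problems.append("only-first-or-last-capitalised")  # Mich37bo style
    if all(c.isalpha() for c in pw):
        problems.append("no-non-alphabetic")
    if re.search(r"(.)\1\1", pw):  # aaabbbccc style runs
        problems.append("repeated-characters")
    if keyboard_run(pw):
        problems.append("keyboard-pattern")
    if DATE_LIKE.fullmatch(pw):
        problems.append("date")
    if username and username.lower() in pw.lower():
        problems.append("contains-username")
    if any(pw == old or one_char_away(pw, old) for old in previous):
        problems.append("reuses-previous")
    if normalise(pw) in {w.lower() for w in dictionary}:
        problems.append("dictionary-word")
    return problems
```

The checker is deliberately conservative: any 6 to 8 digit string is treated as a possible date, and a word is only caught if it is in the supplied list after the obvious substitutions are undone.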

Example of a Good Password

After reading all of that, you may ask, "Well, what is a good password?" One technique is to use a two or three word phrase, replace the first character of the first word with [shift]+1, the second character of the second word with [shift]+2, etc., and uppercase every second character except punctuation. For example: !Yc@rSm$lLs (my car smells). Note, though, that this example should NOT be used, as it is now published widely!

Suggested Techniques on Unix Systems (student, dingo, fox)

Unix systems recognise only the first eight characters of the password; any further characters are ignored or disallowed. Unix systems are case sensitive and allow any character (except backspace and control characters). You should use a selection of upper and lower case letters, numbers and punctuation characters. Example: b!Ue$c@R can be remembered as "blue car". The command to change your password is 'passwd'.

If someone asks you for your password

You should NEVER give your password to anyone else. Anyone who has your password may perform acts using your account for which YOU MAY BE BLAMED.

If you are experiencing problems with your account, ITS staff may ask you for your password, so they can get into your account to try and identify the problem. Once the problem has been identified/rectified, we strongly recommend that you log on and change your password.

If Something Unusual Happens

If it appears that your password has been changed by someone else, if any new files appear in your area, if any of your own files disappear from your area, or if your time of last login is not what you expect, then please ring Client Service (3365 6000).

Changing your password

To change your password, visit the UQconnect change password page.