Secure IT! Newsletter
The Newsletter of the Information Security Group | ISG@brown.edu
Archive Edition: December, 2005



 

by John Duksta, Lead IT Security Specialist, CIS

Password Security

The importance of choosing a strong password cannot be overstated. Here at Brown, a large percentage of computer compromises can be traced directly to weak or trivial passwords set for user accounts. Once a machine is compromised, it is often used to send spam or distribute pirated material. Selecting a strong password is fairly simple, and for most people, once they are past the first week or two of using the new password, muscle memory takes over and does the typing for them.

What Not To Use

User passwords are often the weakest link in the computer security chain. Remembering unrelated strings of letters, numbers and symbols is hard. Thus, people tend to use things that they can remember easily, such as the name of their significant other or their cat. Personal data such as this is often known by others or easily discovered by people who do not know you.

The following is a list of things to never use in a password:

  • Your own name or login name
  • The name of a relative (husband, wife, mother, father, brother, sister, etc.)
  • A pet's name
  • The name of your favorite food, color, band, movie, actor, character, etc.
  • Any relevant personal date (birthday, anniversary, etc.)
  • Any English or foreign dictionary word (bonjour!)
  • Any proper noun (NewYorkCity)
  • The name of your computer (MaxPower)
  • The name of any application that you use (PhotoShop)
  • Keyboard patterns like 'qwerty'
  • Any of the above prefixed or suffixed with a single digit (NewYorkCity7)

Use a pass phrase instead of a password

Ideally, your password should be:

  • At least 8 characters long
  • A mix of upper and lower case letters, numbers and special characters
  • Easy for you to remember so you don't have to write it down
  • Hard for others to guess

The problem with creating a password like this is, of course, remembering it. Many people, myself included, use the technique of creating a password out of a phrase. Using lines from a favorite song or poem is a good way of remembering your password. Taking the first two lines of Robert Frost's "The Road Not Taken" [1] yields the following very strong password:

"2rd1ayw&sIcntb"

This is an extremely strong password that is resistant to both brute force and password cracking attacks.
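
The rules in the two lists above can be turned into an automated check. The following is an added example, not part of the original newsletter or any Brown tool; the sample word list, the function names and the reading of "a mix" as requiring all four character classes are assumptions.

```python
import re

# Constructed sample denylist (assumption); a real check would load a full
# dictionary plus the user's own name, login, pet and computer names.
SAMPLE_WORDS = {"bonjour", "newyorkcity", "maxpower", "photoshop"}
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
CHAR_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def is_keyboard_run(s, min_len=4):
    """True if s is a straight run along one keyboard row, in either direction."""
    if len(s) < min_len:
        return False
    return any(s in row or s in row[::-1] for row in KEYBOARD_ROWS)


def candidate_cores(password):
    """Lower-cased password plus the forms left after dropping a single
    leading or trailing digit (the 'NewYorkCity7' rule)."""
    cores = {password}
    if password[:1].isdigit():
        cores.add(password[1:])
    if password[-1:].isdigit():
        cores.add(password[:-1])
    return {c.lower() for c in cores if c}


def check_password(password, personal_terms=()):
    """Return the list of rules the password breaks; empty means it passes."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not all(re.search(c, password) for c in CHAR_CLASSES):
        problems.append("missing a character class")
    cores = candidate_cores(password)
    denied = SAMPLE_WORDS | {t.lower() for t in personal_terms}
    if cores & denied:
        problems.append("denylisted word or name")
    if any(is_keyboard_run(c) for c in cores):
        problems.append("keyboard pattern")
    return problems


if __name__ == "__main__":
    for pw in ("NewYorkCity7", "qwerty", "2rd1ayw&sIcntb"):
        print(pw, "->", check_password(pw) or "passes these checks")
```

The check only catches exact matches after stripping one digit, so passing it is a minimum bar rather than a measure of strength.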

Changing your password periodically

Here at Brown we have no technical solution in place that forces users to change their passwords periodically in accordance with the Computing Passwords Policy. You could spend your entire university or work career here at Brown with the same password, but this would be a very bad idea. I've worked in places where users have been required to change their password every 30 days. That is probably too frequent because the user is just getting used to a new password when they have to change it, leading them to write it down somewhere.

If you have a strong password like the one above (and you should), then changing it every three to six months is sufficient. Additionally, if your computer is compromised (by a virus, trojan, or piece of spyware), you should consider your current password to be compromised as well and change it once your computer is rebuilt and free of any malware.

For more information about password security, please see the CIS Password FAQ.

1. "Two roads diverged in a yellow wood and sorry I could not travel both"