
Make January "Change Your Password" Month
It should be almost automatic by now: Reset your clock for a time change and then check and/or replace the batteries in your smoke detectors.
Here's another good habit to adopt. ISG suggests that when you put up your new calendar for the year, change your passwords as well. While once a year should be considered a minimum for password changes (better to change them at least every six months), a new calendar can be a good prompt for "in with the new / out with the old" stale passwords.
A password can be your first line of defense in protecting your computer and its contents, so make sure it's a strong one. Weak passwords can be quickly cracked by dictionary attacks or brute-force, and rainbow tables make it possible "to break any Windows password up to 14 characters in a few minutes" (according to Project RainbowCrack).
Strong passwords should be long (at least 8 characters, and 14 or more if possible) and a good mix of letters, numbers, upper and lower case, and special characters. They should also be easy for you to remember but hard for others to guess.
When you're ready to make the change, here are our recommendations on creating a good strong password.
- Don't use dictionary words, English or otherwise.
- No personal information, especially dates such as your birthday.
- Have different passwords for different accounts. Don't use your Brown passwords for personal accounts.
- The more sensitive or critical the information is, the stronger the password should be.
- Use a variation on a pass-phrase that is meaningful to you so it's easier to remember. For example, if you like musicals you might construct RnDpzoRz&)(Nk10 which can be derived from the first line of "My Favorite Things", i.e., Raindrops on roses and whiskers on kittens.
- Change your password if your computer is compromised or you suspect that it was captured in a phishing expedition.
Extras:
» Link to MyAccount for resetting your network password now.
» For more suggestions on good computing habits for the new year, visit Your 2009 Computer Resolutions
» See also the Computing Passwords Policy and CIS's Password FAQ.
1. Dictionary Attack: An attack that tries all of the phrases or words in a dictionary, trying to crack a password or key. A dictionary attack uses a predefined list of words compared to a brute force attack that tries all possible combinations. (from SANS.org)
2. Brute Force: A cryptanalysis technique or other kind of attack method involving an exhaustive procedure that tries all possibilities, one-by-one. (from SANS.org)
3. Brown's network password rules:
- MUST be at least eight alphanumeric characters long.
- MUST contain digits or punctuation characters as well as letters (e.g., 0-9, !@#$%^&()_~-=`{}".')
- MUST contain both upper and lower case characters (e.g., a-z, A-Z).
- Must NOT contain the same character repeated more than 3 times.
- Must NOT include more than 3 sequential characters on a computer keyboard.
- Should NOT be a word in any dictionary, language, slang, jargon, etc.
- Should NOT be solely based on easily guessed personal information, names of family members, pets, etc.
- Should NOT be shared.
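As an added example (not a tool from ISG or Brown), the following Python checker turns the network password rules above into code so you can see how each rule is tested. The short word list is constructed for the example and stands in for a real dictionary; "repeated more than 3 times" is read as total occurrences of a character, keyboard sequences are checked against US QWERTY rows (shifted symbols are mapped back to their keys), and the "shared" rule is not something code can verify.

```python
import string
from collections import Counter
from typing import List

# Constructed mini word list; a real deployment would load a full dictionary.
COMMON_WORDS = {"password", "welcome", "letmein", "raindrops", "brown", "january"}

# US QWERTY rows, used to detect runs such as "qwer" or "4321".
KEYBOARD_ROWS = [
    "`1234567890-=",
    "qwertyuiop[]\\",
    "asdfghjkl;'",
    "zxcvbnm,./",
]

# Shifted symbols mapped back to the key that produces them, so "!@#$" is caught too.
_UNSHIFT = str.maketrans('~!@#$%^&*()_+{}|:"<>?', "`1234567890-=[]\\;',./")


def has_keyboard_run(pw: str, max_run: int = 3) -> bool:
    """True if more than max_run characters in a row follow a keyboard row (either direction)."""
    s = pw.lower().translate(_UNSHIFT)
    window = max_run + 1
    for row in KEYBOARD_ROWS:
        for i in range(len(s) - window + 1):
            chunk = s[i:i + window]
            if chunk in row or chunk in row[::-1]:
                return True
    return False


def has_overused_char(pw: str, max_repeat: int = 3) -> bool:
    """True if any single character appears more than max_repeat times (assumed reading of the rule)."""
    return any(n > max_repeat for n in Counter(pw).values())


def looks_like_dictionary_word(pw: str) -> bool:
    """Strip digits and punctuation, then compare the remaining letters to the word list."""
    letters = "".join(c for c in pw.lower() if c.isalpha())
    return letters in COMMON_WORDS


def check_password(pw: str) -> List[str]:
    """Return the list of rules the password violates; an empty list means it passes."""
    problems = []
    if len(pw) < 8:
        problems.append("MUST: shorter than 8 characters")
    has_letter = any(c.isalpha() for c in pw)
    has_digit_or_punct = any(c.isdigit() or c in string.punctuation for c in pw)
    if not (has_letter and has_digit_or_punct):
        problems.append("MUST: needs letters plus digits or punctuation")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("MUST: needs both upper and lower case")
    if has_overused_char(pw):
        problems.append("MUST: a character appears more than 3 times")
    if has_keyboard_run(pw):
        problems.append("MUST: more than 3 sequential keyboard characters")
    if looks_like_dictionary_word(pw):
        problems.append("SHOULD: based on a dictionary word")
    return problems


if __name__ == "__main__":
    # The article's own passphrase-derived example should pass every rule.
    for candidate in ["RnDpzoRz&)(Nk10", "qwerty12", "Password1", "aaaaBBB1!"]:
        print(candidate, "->", check_password(candidate) or "OK")
```

Running the script shows the musical-derived example passing cleanly while "qwerty12" fails on the keyboard-run rule and "Password1" is flagged as a dictionary word despite meeting the length and character-mix rules, which is the point of the "Should NOT" items: a password can satisfy the mechanical checks and still be easy to guess.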
