Thursday, 19 September 2013

Computer and IT Support (Strong Computer Password)

Strong computer passwords

Strong passwords
In general terms, the aim should be to create a password that is easy to remember and to type when needed, but very hard for anyone else to guess, even for someone who knows you well. It should also be long enough and/or complex enough to make any dictionary or brute-force attack impractical - given a choice between these two properties, length is usually better than complexity, but long, complex passwords are, of course, better still.

The use of the term 'password' is actually slightly misleading, as it implies that your password should be based upon a single word. A more appropriate term would be 'pass phrase' - a pass phrase, as its name implies, should be based upon multiple words. Pass phrases are often easier to remember and to type and are naturally longer than passwords, thus making them inherently more secure. Although you will find the term 'password' widely used not only within the University but throughout the Internet as a whole, whenever you see the term 'password' used you should be thinking 'pass phrase' instead. For the remainder of this document we will refer to pass phrases rather than passwords in order to emphasise the point.

Your pass phrase should be constructed using multiple unrelated words that, as a sequence, are unique to you. One common technique for achieving this is to randomly select a set of words from a dictionary using a series of dice throws (known as 'Diceware'). Although such randomly picked words are ideal when creating a pass phrase, meaningful sequences of words can be acceptable if it is a sequence that you have made up yourself (note that well-known phrases such as those from literature and music do not fall into this category and should be avoided).
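The two paragraphs above make a quantitative claim (length beats complexity, and dice-selected words make a strong phrase) that is easy to check with a few lines of arithmetic. The following is an added example written for this page, not code from the University's IT service: it maps five dice throws to a Diceware list index the way the method does, picks words with a cryptographically secure simulated throw, and compares the entropy of a word-based pass phrase with that of a character-based password. The word list is a constructed placeholder of 7776 tokens standing in for a real Diceware list, and the guess rate is an assumed figure used only to show the scale of the difference.

```python
import math
import secrets
import string

# Constructed stand-in for a real Diceware list: a real list has exactly
# 6**5 = 7776 entries, one per five-dice throw. The tokens are placeholders.
DICEWARE_SIZE = 6 ** 5
SAMPLE_LIST = [f"word{i:04d}" for i in range(DICEWARE_SIZE)]


def roll_to_index(dice):
    """Map five dice values (each 1..6) to a list index 0..7775, as Diceware does."""
    if len(dice) != 5 or any(not 1 <= d <= 6 for d in dice):
        raise ValueError("need exactly five dice values in the range 1..6")
    index = 0
    for d in dice:  # read the five throws as a base-6 number
        index = index * 6 + (d - 1)
    return index


def diceware_phrase(word_list, n_words=6, throw=None):
    """Build a pass phrase of n_words chosen by (simulated) dice throws.

    `throw` is a callable returning one die value; it defaults to a
    cryptographically secure throw from the `secrets` module.
    """
    if len(word_list) != DICEWARE_SIZE:
        raise ValueError("a Diceware list must have 7776 entries")
    if throw is None:
        throw = lambda: secrets.randbelow(6) + 1
    words = []
    for _ in range(n_words):
        dice = [throw() for _ in range(5)]
        words.append(word_list[roll_to_index(dice)])
    return " ".join(words)


def phrase_entropy_bits(n_words, list_size=DICEWARE_SIZE):
    """Entropy of a phrase of n_words, each drawn uniformly from list_size words."""
    return n_words * math.log2(list_size)


def password_entropy_bits(length, alphabet_size):
    """Upper bound on the entropy of a `length`-character password drawn
    uniformly from `alphabet_size` symbols; human-chosen passwords such as
    'Dr@g0n28' are far below this bound because they are built from a word."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits, guesses_per_second):
    """Expected time for an exhaustive search of a `bits`-entropy secret at the
    given guess rate (on average half the space is searched before a hit)."""
    return (2 ** bits) / 2 / guesses_per_second


if __name__ == "__main__":
    printable = len(string.ascii_letters + string.digits + string.punctuation)  # 94
    rate = 1e10  # assumed guess rate, ten billion per second, for scale only
    for label, bits in [
        ("8 chars, all printable ASCII", password_entropy_bits(8, printable)),
        ("12 chars, all printable ASCII", password_entropy_bits(12, printable)),
        ("5 Diceware words", phrase_entropy_bits(5)),
        ("7 Diceware words", phrase_entropy_bits(7)),
    ]:
        years = expected_crack_seconds(bits, rate) / (365.25 * 24 * 3600)
        print(f"{label:32s} {bits:6.1f} bits  ~{years:.3g} years at {rate:.0e} guesses/s")
    print("sample phrase:", diceware_phrase(SAMPLE_LIST))
```

Five Diceware words (about 64.6 bits) already exceed a fully random 8-character password drawn from all 94 printable ASCII characters (about 52.4 bits), which is the sense in which length is usually better than complexity; the 8-character figure is an upper bound that a word-based password such as 'Dr@g0n28' does not come close to reaching.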

Once you have created your basic pass phrase from a set of unrelated words you can make it even more secure by distorting it in some way. Many people already try to make their passwords stronger by adding numbers or symbols or by changing the capitalization in some way (e.g. 'Dr@g0n28'). These are still very weak passwords, but if this same technique is used in a pass phrase then you can make them much stronger. It is also a good idea to include at least one 'nonsense' word in your pass phrase - this could either be a word you have made up yourself, or it could be built from another phrase. Such 'nonsense' words can be constructed by selecting a second phrase and taking the initial (or second, or final) letters of the words and combining them, or by selecting two words and alternating their letters.

Here we provide a list of a few distortion techniques - you should use at least a couple of these on your pass phrase in order to make it more secure:

    deliberately mis-spelling or using a phonetic spelling of your selected words
    reversing individual words
    adding punctuation in unusual places (not at the beginning or end of words)
    substituting one character for another (although you should avoid common substitutions such as 'o' → '0', 'i' or 'l' → '1', or 'a' → '@')
    mixing upper and lower case
    including a 'nonsense' word in your pass phrase
        one that you have invented yourself
        selecting a second phrase and taking the initial (or second, or final) letters of the words and combining them
        selecting two words and alternating their letters

None of these techniques, when applied to a single word, will result in a strong pass phrase. If, for some unavoidable reason, you find your pass phrase limited to no more than 8 characters then you can construct a reasonably secure pass phrase by generating a basic pass phrase, reducing it to a nonsense word (using one of the methods above) and then applying some of the other distortion techniques to it.
Things to avoid

Having described the properties of a strong pass phrase, there are some things to avoid. Specifically, your pass phrase should not be based upon:

    personal information
        your name, or those of close friends, relatives or pets, in any form (first, middle, last, maiden, nickname or initials)
        your birthday or anniversary date, or those of close friends, relatives or pets
        any other significant date in history
        your username, or a permutation thereof
        any other personal identifiers (e.g. staff ID/student ID, national insurance number, bank account number, car registration plate)
        current or previous addresses or phone numbers
        current or previous employers/educational establishments (e.g. names, departments, subjects, colleagues names)
        your hobbies, interests or other activities
        anything else that the public or your fellow students/colleagues know you strongly like or dislike
    any single word in the dictionary (including foreign language or subject-specific dictionaries)
    any names from popular culture (e.g. brands, bands, sports teams or personalities, celebrities, films, cartoons, fictional characters, sci-fi jargon)
    any geographical location (especially ones you have visited or that are associated with you)
    swear words (the computer is not going to be offended, but these are unbelievably common and are some of the first words that are tried)
    well-known sequences of characters, such as keyboard patterns ('qwerty', 'qazwsx', 'zxcvbnm') or the alphabet ('abcdef')
    well-known sequences of numbers, such as '123456', '314159' (pi), '271828' (e), or equations, such as 'E=mc2'
    any words or phrases which are commonly or readily associated with the information system or service to which the pass phrase can provide access
    any words or phrases which have been used as example passwords in literature or on the internet

To reiterate: your pass phrase should not be based upon any single word, even with the suggested distortions applied, as it would still be considered a weak pass phrase.
An example

Note that this example is not perfect as it distorts the original pass phrase in so many different ways that it becomes very hard to remember, but it does serve to illustrate as many of the above techniques as possible. The resulting pass phrase is more than sufficient to be considered a strong pass phrase.

    Basic pass phrase: mole running lair slain badge clay less
    Mis-spelling: mole rennin lair slay badge clay less
    Reversing: mole rennin lair slay badge yalc less
    Add punctuation: mole rennin l.air slay bad%ge yalc le<ss
    Substitution: mole ro^nin l.air s]ayn bad%ge yalc le<ss
    Mix case: mOle ro^nin l.aiR s]ayn bad%ge Yalc le<ss
    Add a nonsense word built from alternating the letters of 'horse' and 'idea':
    mOle ro^nin l.aiR s]ayn hiodresae bad%ge Yalc le<ss

Changing your pass phrase

    You can change your pass phrase using the password changing page. You will be prompted for your username and your current pass phrase, and you will need to enter your new pass phrase twice (to ensure that you have not made any mistakes when typing your pass phrase).
    Your new pass phrase must meet the following basic requirements:
        it MUST have a minimum of 8 characters
        it MUST include in the first 8 characters at least one lower-case letter (a-z), one upper-case letter (A-Z) and one number (0-9)
        it MUST include in the first 8 characters at least one non-alphanumeric character (one that is not a letter or a number)
    Your new pass phrase will be checked by the system to determine whether it meets these basic requirements. It will also have other checks performed against it to determine how strong it is. Your pass phrase will be rejected if it does not pass these checks, but even pass phrases which do pass these checks are not guaranteed to be secure - you should always ensure that you follow our guidelines on creating strong pass phrases.
    If you have forgotten your pass phrase then please go to the IT Service Desk in the Library in order to have it re-set. Be sure to take your staff or student ID card with you in order to verify your identity.
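The three MUST rules above, together with the earlier warning that a single dictionary word stays weak even after common substitutions, can both be expressed as checks. The following is an added example written for this page, not the University's own password-changing code, and it makes no claim about which additional strength checks that system performs. It implements the stated first-8-characters rules exactly, and adds one illustrative strength check that undoes the common substitutions the page warns against ('o' → '0', 'i'/'l' → '1', 'a' → '@'; the remaining entries in the table are an assumption) and then asks whether the whole phrase collapses to one dictionary word or its reverse. The dictionary is a constructed miniature; a real check would use a full word list.

```python
import string

FIRST_N = 8  # the character-class requirements apply to the first 8 characters only

# Substitutions a checker undoes before comparing against a word list. The page
# names o->0, i/l->1 and a->@; the other entries are an assumption for this example.
COMMON_SUBSTITUTIONS = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"}

# Constructed miniature dictionary standing in for a full word list.
SAMPLE_DICTIONARY = {"dragon", "password", "mole", "badge", "clay", "horse"}


def check_basic_requirements(phrase):
    """Return the list of stated requirements the phrase fails (empty = passes).

    Rules: at least 8 characters; within the first 8 characters at least one
    lower-case letter (a-z), one upper-case letter (A-Z), one digit (0-9) and
    one character that is neither a letter nor a digit.
    """
    failures = []
    if len(phrase) < FIRST_N:
        failures.append("fewer than 8 characters")
    head = phrase[:FIRST_N]
    if not any(c in string.ascii_lowercase for c in head):
        failures.append("no lower-case letter in first 8 characters")
    if not any(c in string.ascii_uppercase for c in head):
        failures.append("no upper-case letter in first 8 characters")
    if not any(c in string.digits for c in head):
        failures.append("no digit in first 8 characters")
    if not any(not c.isalnum() for c in head):
        failures.append("no non-alphanumeric character in first 8 characters")
    return failures


def normalise_candidates(phrase):
    """Undo common substitutions and drop other non-letters, returning every
    plain-letter reading of the phrase (a '1' may have been an 'i' or an 'l')."""
    candidates = {""}
    for c in phrase.lower():
        if c in string.ascii_lowercase:
            options = c
        elif c in COMMON_SUBSTITUTIONS:
            options = COMMON_SUBSTITUTIONS[c]
        else:
            continue  # padding digits and punctuation carry no letters
        candidates = {prefix + o for prefix in candidates for o in options}
    return candidates


def is_single_word_based(phrase, dictionary=SAMPLE_DICTIONARY):
    """True if the whole phrase reads as one dictionary word, or the reverse
    of one, once substitutions are undone: the weak case the page describes."""
    return any(cand in dictionary or cand[::-1] in dictionary
               for cand in normalise_candidates(phrase))


def evaluate(phrase):
    """Combine the basic requirements with the single-word check."""
    failures = check_basic_requirements(phrase)
    if is_single_word_based(phrase):
        failures.append("based on a single dictionary word (after undoing substitutions)")
    return failures


if __name__ == "__main__":
    samples = [
        "Dr@g0n28",                                               # the page's weak example
        "n0g4rD!",                                                # 'dragon' reversed and substituted
        "mOle ro^nin l.aiR s]ayn hiodresae bad%ge Yalc le<ss",   # the page's worked example
    ]
    for p in samples:
        print(repr(p), "->", evaluate(p) or "accepted")
```

Note what the checks show: 'Dr@g0n28' satisfies every character-class rule and is still rejected because it normalises to 'dragon', while the page's own worked example is strong but has no digit among its first 8 characters ('mOle ro^') and so would not meet the third MUST rule as written. Rules scoped to the first 8 characters are a legacy of systems whose password hashing only used that many characters, and they sit awkwardly with long pass phrases; when you do face such a rule, place the required character classes early in the phrase.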
Copyright: http://www.st-andrews.ac.uk
