Password Guidelines
PopNet guidelines for creating a password.
Why have security?
On multiuser computing systems, there is always a trade-off between security and convenience. If a very high level of security is enforced, the system will be awkward and unfriendly to use. If minimal security is enforced, the system will become a playground for electronic vandals and it will be impossible to keep it running well. Our goal is to find that compromise between security and convenience where it is reasonably easy to get work done, and yet it is fairly difficult for malcontents to break into our system or access information they shouldn't. To achieve this goal, it is necessary for all users to observe a few simple precautions.
Passwords
The importance of choosing good passwords cannot be overemphasized. The amount of damage crackers can do from outside the network is limited. Once on the network, however, they have access to much more information. Crackers are very resourceful, and are aware of many known and unknown security holes in systems once they are logged on. The key to maintaining the peace is to not make it easy for the cracker. In 1988, the CERT (Computer Emergency Response Team) was formed at Carnegie-Mellon. Upon further investigation, nearly every computer break-in incident reported to CERT has boiled down to someone with a poor password.
By the nature of the UNIX operating system, the file that contains everyone's one-way encrypted passwords is readable by anyone on the system. Moreover, "out of the box," many UNIX systems have known security holes that allow crackers to get the password file without even being on or near the system. Once a cracker has the password file, he can use it to try to "guess" people's passwords, encrypting each guess with the same UNIX encryption system and comparing the result. To combat this, a program called "Crack" was written. It goes through the password file and attempts to guess people's passwords. It has a fairly complex set of rules, and a large dictionary of words from which to choose. It is not unusual when this program is first run for it to guess as many as 20-30% of the accounts on the system! We run this program regularly here.
Anyone can do exactly what we are doing, and within a matter of minutes find an account with a poor password. In fact this is one of the most popular forms of attacks by crackers. The famous "Internet Worm" included a scaled-down password guesser that it used.
Simple rules and tips for choosing passwords
- Above all, do not use a word or reversal of a word in the dictionary or proper noun! (such as "apple" or "elppa")
- Putting a number at the beginning or end of a word in the dictionary does not make it harder to guess! (such as "cereal1" or "8fruit") Numbers, in general, make a password easier to guess.
- Don't use your name, or a form of your name (such as "johnson", "nosnhoj", "davidb" or "bdivad")
- Don't use famous names (such as Thoreau, Phillies, or Kennedy)
- Similarly, any password which is derived from your name, department, phone, social security number, or other personal information is unsuitable because it can be easily guessed. (Much of this information is also kept online by either us or public University records.)
- Technically good passwords contain purely random characters, but these are very hard to remember. Try using the first letters of the words to a song or poem. (Just don't sing it every time you sit down and type your password) Try taking a word and intentionally misspelling it, and using mixed case. (Such as "KadiLak")
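As an added example (not part of the PopNet guidelines or their tools), here is a small checker that encodes the rules above so a password can be tested before it is set. The word list and user names are constructed stand-ins: a real dictionary like the one Crack uses is far larger.

```python
import re

# Constructed stand-ins (an assumption, not PopNet's files): a few words and
# famous names in place of Crack's large dictionary, plus the user's own names.
DICTIONARY = {"apple", "cereal", "fruit", "thoreau", "phillies", "kennedy", "cadillac"}
USER_NAMES = {"david", "johnson"}


def check_password(candidate, dictionary=DICTIONARY, names=USER_NAMES):
    """Apply the rules above to one candidate password.

    Returns a list of the rules it breaks (an empty list means it passed every
    rule encoded here).  Matching is case-insensitive because a guesser tries
    case variants as well."""
    low = candidate.lower()
    bare = re.sub(r"^\d+|\d+$", "", low)       # strip digits from either end
    reasons = []

    # Rule 1: a dictionary word or proper noun, typed forwards or reversed.
    if low in dictionary or low[::-1] in dictionary:
        reasons.append("dictionary word or its reversal")
    # Rule 2: the same word merely padded with a number ("cereal1", "8fruit").
    elif bare != low and (bare in dictionary or bare[::-1] in dictionary):
        reasons.append("dictionary word padded with digits")

    # Rule 3: anything containing the user's name, forwards or reversed.
    for name in sorted(names):
        if name in bare or name in bare[::-1]:
            reasons.append(f"derived from your name ({name})")
            break

    # Rule 4: numbers make a password easier to guess; all digits is the worst case.
    if candidate.isdigit():
        reasons.append("made entirely of digits")

    return reasons


def is_acceptable(candidate):
    """True when no rule above is broken; the song-initials and misspelling
    tricks ("Mhallit", "KadiLak") pass, while "elppa" and "nosnhoj" do not."""
    return not check_password(candidate)
```

A real deployment would load the system dictionary and the user's account details instead of the constructed sets.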
Once you have a password, it is a good idea to change it at least once or twice a year with the passwd command. The common rule is to "never write it down". Such rules can be over-generalized. Which is better, to write down a really good password like "Rxbat#a" for a week while you are memorizing it, or to pick a simpler one that is easy to guess? Overall, be sensible. If you must write a password down so you can remember it, keep it where no one can see it accidentally, and destroy it as soon as you have memorized it.
Do not give your password to anyone else for any reason, even system administrators! A not-uncommon ploy is for a cracker to call up or forge e-mail saying "Hi, I'm the system administrator and we need to change something on your account, can you give me your password?" or "can you change your password to 'gullible'?" Report such incidents immediately to the (real) system administrator. If he truly is the system administrator, he does not need your password.
Changing your password
To change your password:
- First make up a new password - see the rules above.
- Log into PopNet. (ssh to "pop.psu.edu")
- Type "passwd".
- You'll be prompted for your *current* password - enter it.
- You'll be prompted for your new password - enter it.
- You'll be prompted again for your new password - enter it again.
- You're finished - your new password will be in effect now.
Remember that your account is yours and yours alone. Sharing accounts with others is a violation of University policy.