Passphrase Change - FAQs
Role of passwords - The role of a password is to prevent unauthorized access to data just as a key prevents unauthorized access to a house or apartment. A password should be guarded with the same care as the key to a house or apartment. The hardest part of choosing a password is making it difficult for others to guess but easy for you to remember. Writing down passwords or saving your password/passphrase within an application are dangerous practice and should be avoided.
Passphrases vs Passwords- As we all know, a password is a "form of secret authentication data that is used to control access to a resource". Because of its name, many assume that a password should be based off of a "word". In fact, passwords should not be based on words because of the risks of them being discovered by dictionary attack techniques. Passphrases provide a good way to compose strong, lengthy passwords that are easier to remember, easier to type, and naturally complex. Existing brute force and dictionary attack techniques do not take passphrases into consideration, so passphrases are currently harder to crack than traditional passwords.
- Forming Passphrases - Characteristics of a strong passphrase include the following:
- Difficult to guess given information about you or a dictionary cracking tool.
- Easy to type so that someone cannot watch it being typed Long - the longer the better.
- For the highest security on a Windows system, a password over 14 characters long is recommended.
Example Passphrases - Any sequence of characters that satisfies the passphrase requirements and a passphrase that can be easily remembered is recommended. To help with the process, we present a few ideas that may help you create a strong passphrase that is easy to remember. Be creative! A strong passphrase does not have to be impossible to remember. Good passphrase security is within your reach.
NOTE: Obviously, you shouldn't use any of the passwords used as examples in this document. Treat these examples as guidelines only!
Concept for a passphrase
I will graduate in 2010.
Wisconsin gets cold
Me gusta Sacramento
I like Dr Pepper
Thirty three trees
These are three techniques. Feel free to make up your own scheme that meets the criteria and passphrase requirements.
Characteristics/Examples of Weak/Bad Passphrases
- Your name in any form - first, middle, last, maiden, spelled backwards, nickname or initials
- Your user ID or your user ID spelled backwards
- Part of your user ID or name
- Any common name, such as Joe
- The name of a close relative, friend or pet
- Your phone number, office number or address
- Your birthday or anniversary date
- Simple variants of names or words (even foreign words), simple patterns, famous equations or well-known values
- Your license plate number, your social security number or any all-numeral password
- Names from popular culture (e.g.: Beatles, Spiderman, etc.)
- Any password that is offered forth as an example
- Permutations of the username
- Family or pet birth dates
- Family or pet names or acronyms built from them
- Hobbies or activities
- Work or school-related information or work/school acquaintances
- Names of places visited or worked
- Important numbers such as social security, phone or account numbers
- Common words from dictionaries including foreign language
- Common dictionary word permutations
- Names or types of favorite objects
- All digits or all the same letter or letter sequences found on keyboards
Guidelines for protecting your password
Safeguard your password: All password are to be treated as confidential information.
Take responsibility: You are responsible for the security of your password, and accountable for any misuse if they are guessed, disclosed or compromised.
University representatives will never ask for your password: It is against University policy for a technology service provider to request a user's password. If someone demands a password, refer the person to this document or have the person call the Help Desk.
Avoid using the "Remember Password" feature: These features, typically used to access secure applications (i.e. email, calendar, financial systems) and Web browsers (i.e. Mozilla Firefox and Internet Explorer), do not adequately protect password. It may be possible for a computer virus or unauthorized user to gain access to this stored information.
Clear the cache of your Internet browser before quitting your browser : Quitting a web browser does not mean that cookies and related files are removed from your machine, so remember to clear the cache before quitting the web browser when you are finished using it unless no one else has access to the computer you are using.
Quit your Internet browser when you are finished using it : When you use your password with a web browser like Firefox or Internet Explorer, it saves the password in memory as long as it is running, so remember to quit the browser when you are finished using it unless no one else has access to the computer you are using.
Report compromises immediately: If you suspect your account or password has been compromised, report the incident to firstname.lastname@example.org or call the University Help Desk at 919.278.7337 to change the password immediately. If you think someone else has your password, you can reset your password right away by logging in to your SacLink account maintenance page at password.csus.edu