
Password Guidelines

The password to your computer account or username is your "key" that confirms your identity to the computer's operating system. If someone guesses your password, steals it, or deciphers it in some other way, he or she can log into your account and have the same privileges that you do; for instance, the privilege of removing all your files. You can avoid being a victim of account vandalism by choosing a good password, keeping it a secret from others and changing it often.

Normally, it is difficult to break a well-chosen password. However, if you choose a poor password, it may be easy to break into your account. Password breaking programs usually first try a number of simple methods to break poorly chosen passwords. Then, if those don't work, they try the "brute-force" method, which takes much longer and stands a good chance of being detected before it succeeds. Therefore, if you choose a good password, you can minimize the chance of having your account broken into.

Even hard-to-break passwords can be broken if a brute-force method has enough time. You should immediately change the assigned password that comes with a new account to a new one that follows the guidelines listed in this document for choosing good passwords. You should change your password every 60-90 days thereafter.

Please read the following guidelines carefully. If your password is not a good one, change it by using the system command appropriate for the computer or network on which you have an account or username.

DO use a password at least six characters long. It is preferable to select a password of seven or eight characters.

DO NOT use a password that can be found in a dictionary, including words from other languages. Both English and foreign language dictionaries are available in electronic form. These on-line dictionaries provide one of the easier ways to break passwords. Do not use inverted dictionary words because password-breaking programs commonly try them.

DO make your password "interesting" by including at least one case change, digit (0-9), or punctuation mark:

    ! @ # $ % ^ & * ; :  . , < > ( ) / ? ' " \ | `

DO NOT use proper names, including your own first or last name, your friend's name, the name of your pet cat, or your street address. In other words, do not choose a password that someone can guess because they know something about you, especially if it is information they can obtain from a public source such as a telephone book. This includes any permutation of your account or proper name. Password breaking programs commonly try these permutations.

DO NOT use names that can be attributed to CSUS, e.g., Hornet, sacstate, etc.

DO NOT allow other people to see you typing in your password.

DO choose a password that is easy to type. The faster you can type the password, the more difficult it is for someone to steal it by watching you.

DO NOT write your password down where someone else can find it. It is much better to pick one you can easily remember.

DO NOT tell other people your password no matter how much you may trust them.

DO change your password every 60-90 days (more frequently if your account has access to sensitive information).

DO NOT share your account or username with others. With few exceptions, accounts are issued to individuals for specific purposes and are not to be shared. If you are a student, faculty or staff member you can have your own account. Departments should keep shared or group accounts to a minimum. Unauthorized individuals can gain access to your account without your being aware of it or suffering any damage. Vandalism can then be done from your account.

DO change your password immediately if you suspect that an unauthorized user has access to your account. If you do suspect the activities of an intruder, contact the Help Desk, ARC 2005 or call x7337.

DO NOT give your password to someone over the telephone. If UCCS personnel are assisting you with a problem, they probably don't need your password. Also, as a matter of policy and procedure, UCCS personnel will not release passwords over the telephone.

You may be thinking, "If I follow all these rules, how will I choose a password I can remember?" One way is to concatenate two (or preferably more) short words together and throw in a case change, digit or punctuation mark to make it hard to crack. Even with this technique you should avoid using phrases people may associate with you. For example, PnkFloyd75 may be a good choice based on the rules above, but someone might guess it if they know you are a big fan of the rock group Pink Floyd.

A better method is to use the first letters of a phrase for your password. For instance, the phrase "to be or not to be?" could yield tbontb? for a password. You should pick a phrase that someone who knows you wouldn't guess easily. You should not use any of the passwords mentioned in this document, even if they might otherwise seem reasonably secure.
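The checkable guidelines above (minimum length, dictionary and inverted dictionary words, a case change, digit or punctuation mark, account or proper names and their permutations, and CSUS-related names) can be enforced when a password is set. The following is an added example, not code from this page or from any campus system; the function name, the tiny word list and the "csus" term are assumptions made for illustration.

```python
import string

# Constructed sample data: a real deployment would load full English and
# foreign-language word lists, as the guidelines describe.
SAMPLE_DICTIONARY = {"password", "dragon", "secret", "monkey", "bonjour"}
# "hornet" and "sacstate" come from the guidelines; "csus" is an assumed extra.
SITE_TERMS = {"hornet", "sacstate", "csus"}


def _letters(text):
    """Lower-case the text and keep only its letters."""
    return "".join(c for c in text.lower() if c.isalpha())


def check_password(password, username, real_names=(), dictionary=SAMPLE_DICTIONARY):
    """Return a list of guideline violations; an empty list means none found."""
    problems = []
    if len(password) < 6:
        problems.append("shorter than six characters")

    case_change = (any(c.islower() for c in password)
                   and any(c.isupper() for c in password))
    digit = any(c.isdigit() for c in password)
    punct = any(c in string.punctuation for c in password)
    if not (case_change or digit or punct):
        problems.append("no case change, digit, or punctuation mark")

    # Compare on letters only, so "Password1" is still caught as a dictionary
    # word (slightly stricter than the literal wording of the guideline).
    core = _letters(password)
    if core in dictionary:
        problems.append("dictionary word")
    elif core[::-1] in dictionary:
        problems.append("inverted dictionary word")

    # Account or proper name: embedded, reversed, or any permutation of it.
    for name in (username, *real_names):
        n = _letters(name)
        if len(n) >= 3 and (n in core or n[::-1] in core
                            or sorted(n) == sorted(core)):
            problems.append("based on account or proper name")
            break

    if any(term in core for term in SITE_TERMS):
        problems.append("contains a name attributable to CSUS")
    return problems
```

A check like this covers only the rules a program can test; the guidelines about secrecy, shoulder surfing and guessable personal phrases still depend on the account holder.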

Last Updated: February 20, 2006