Choosing a Password
This article originally appeared in Edition 224 of the Computing Service Newsletter.
Password? What password?
Password protection on individual machines has become a vital part of defence against hackers and intruders. One of the commonest contributory causes of recently hacked machines has been nonexistent or weak passwords.
All computers, whether shared or personal, that are attached to the College or University network must be protected by strong passwords, as well as being up to date with all software updates and anti-virus software. Strong passwords are essential both on administrative accounts (which in the case of a Windows box may well arrive on your desk with a blank password) and on any user accounts that you set up.
If you don't know how to set passwords, a security CD available from the Computer Office provides an easy way to do it.
Passwords are necessary in order to protect your computer and the information on it from:
- attack by remote hackers (i.e. by people who you do not know and who do not have physical access to the computer)
- local (physical) access and targeted remote intrusion (possibly by people with an interest in the data on your particular system or in access to your computing accounts on other systems)
The need for security is the same whether the computer is for single personal use, for group use or for providing a public service. Even if the computer is locked in a room with controlled access, as soon as it is attached to a network it is in danger of being hacked and used to attack other machines in Cambridge and elsewhere.
The effectiveness of a password varies with the type of attack, and it is important that, as far as possible, a password should protect against all of them. For example, writing a complicated password on a piece of paper and attaching it to your screen is very likely to be secure against remote hacker attacks but not against local attack. Those attempting targeted attacks may be less ingenious than remote hackers using, for instance, dictionary searches, but may be able to use knowledge of you or of your role to guess likely passwords.
It is essential that the password protection on a computer should be adequate and practical for all users.
How would someone gain access to my computer?
If the hacker is not known to you, then he is most likely to try guessing passwords. His first attempt will be to try a blank password on standard user names such as 'root' (Unix), 'guest' or 'administrator' (Windows). If this fails, the next easy guess is to see if the password is the same as the account name (it is easy for a hacker to find account names on Windows systems). On a Unix-based machine, a typical attack is to guess that user names are simple first names and that the password is the same as the username. If the hacker is determined to get access to your machine then he might try a 'dictionary attack' on the standard user names. If you have strong passwords, your computer should be resistant to this type of attack.
Specifically targeted attacks are very much rarer, but to protect yourself against these you should choose a password that cannot be guessed from knowledge of you, your role or your organisation, keep it safe, and never let anyone know what it is.
Why does anyone want to hack into my computer?
A remote hacker is not usually interested in your email or personal data, but may be interested in one or more of:
- Access to a high speed network with plenty of bandwidth and perhaps the storage capacity of your computer; often an FTP server is installed followed by 'warez' (pirated music, films and software) for 'friends' to share. Note that if illegal pornography is shared from your computer then you may be liable for criminal as well as civil action.
- Control of a system that can be used later, perhaps for denial of service attacks, as a relay to send spam, or as a base for attacking other systems in the same domain
Typically, the first thing that you will notice if your computer has been successfully hacked is that you are told that it has had high traffic levels or that it must be or has been disconnected from the network until it has been investigated.
If someone local gains access to your accounts, it is usually a more individual matter; the intruder may be seeking any of the above but may also want access to your email or data, or to your passwords on other systems of interest - or merely to embarrass you or your organisation.
Strong passwords
For many years there was an effective limit of eight characters for passwords on most systems. This no longer applies to most modern systems, which typically have much higher limits (note, however, that the PWF Macintoshes can at present only handle up to eight characters). Because of the way some Windows software handles passwords, there is a considerable security advantage in having passwords of 15 or more characters on Windows machines. On many systems, including modern Windows systems, it is possible to use full sentences (passphrases), which helps with memorability. Use a mixture of upper and lower case letters (uppercase on more than just the first letter), as well as at least two digits or punctuation characters. Recommended techniques for inventing a strong password you can actually remember include:
- a pair of unrelated words with punctuation inserted, or a full sentence which is nonsense or is not obvious to anyone but you
- the initials of two or more friends (unrelated), with punctuation inserted
- the first letter of each word in a phrase or song title, with mixed case, punctuation and numbers
- alternating one consonant and one or two vowels, to create a nonsense word which you can pronounce, and perhaps including this nonsense word in a longer phrase.
Weak passwords
The following types of password should be avoided:
- null (blank) passwords
- passwords of fewer than eight characters (preferably go up to 15 or more wherever possible)
- simple sequences such as qwerty, letmein, welcome, hello, the name of your department or group
- long passwords which are obvious sentences or well-known quotations
- anything you would find in a dictionary (in any language or jargon), or any dictionary word slightly modified (e.g. by adding a number to the end, or changing the letter l to the number 1)
- any name (including that of a partner, parent, child, pet, literary character, famous person or place)
- any variation (e.g. backwards, or followed or preceded by a digit) of your own name, your Cambridge user identifier, your username on any other system, your birthday or car registration number or any other personal information
- any small variation on your existing password
- your password on another system
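The strong-password recommendations above and this list of weak passwords together make a checkable policy. As an added example (not from the newsletter or the Computing Service), the Python below encodes those rules as a checker that reports every rule a candidate breaks; the word list, the letter/digit swap table, the sample passwords and the "two edits or fewer counts as a small variation" threshold are all constructed assumptions, and the Windows comment names the LM hash as the weakness the article alludes to.

```python
import string

# Constructed stand-in for a real dictionary file (assumption: a deployment
# would load the system word list instead of this handful of words).
DICTIONARY = {"password", "welcome", "hello", "letmein", "qwerty", "summer",
              "dragon", "cambridge", "physics"}
UNLEET = str.maketrans("10345$@", "loeassa")  # undo 'l -> 1' style swaps

def core(text):
    """Strip leading/trailing digits and punctuation, undo common letter/digit
    swaps and lower-case: 'Summer1', 'summ3r!' and '2Summer' all -> 'summer'."""
    return text.strip(string.digits + string.punctuation).translate(UNLEET).lower()

def edit_distance(a, b):
    """Levenshtein distance, used to catch 'small variations' on an old password."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_password(pw, username="", personal=(), old_password="", windows=False):
    """Return the article's reasons a candidate is weak; an empty list means it passes."""
    if not pw:
        return ["blank password"]
    reasons = []
    if len(pw) < 8:
        reasons.append("fewer than eight characters")
    elif windows and len(pw) < 15:
        # The LM hash stores a password as two 7-character halves; 15+ characters defeats it.
        reasons.append("under 15 characters on a Windows machine")
    if pw.lower() == username.lower():
        reasons.append("same as the account name")
    if core(pw) in DICTIONARY:
        reasons.append("dictionary word or trivial modification of one")
    for item in personal:  # names, user identifier, birthday, car registration ...
        t = item.lower()
        if t and (t in pw.lower() or t[::-1] in pw.lower()):  # forwards or backwards
            reasons.append(f"contains personal information ({item})")
    if old_password and edit_distance(pw.lower(), old_password.lower()) <= 2:
        reasons.append("small variation on the existing password")
    upper_not_first = sum(c.isupper() for c in pw[1:])
    symbols = sum(c.isdigit() or c in string.punctuation for c in pw)
    if upper_not_first == 0 or not any(c.islower() for c in pw):
        reasons.append("needs mixed case beyond the first letter")
    if symbols < 2:
        reasons.append("needs at least two digits or punctuation characters")
    return reasons
```

Run `check_password("Summer1", username="rjs12")` to see several rules fail at once, and a passphrase such as `Pink!elephant8Tram` to see an empty list.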
How can I remember my passwords?
Most people have many passwords and PINs to remember, calling for a difficult compromise between memorability and unguessability. The best advice is never to write down a password or record it on a computer system, and never to use the same password on two different systems, but for many people this is impractical. Some suggestions for making strong passwords memorable are above. If you cannot manage unrelated passwords on all the systems you use, minor variations are at least better than having identical passwords. If passwords must be written down, they should be kept in a non-obvious form; if you store them on a computer system then you should encrypt them or protect them by another (strong!) password.