Password Recommendations at CERN

Lionel Cons , IT/PDP


Abstract

The password is the most vital part of account security. This article explains why and how to choose good passwords.


Why you need good passwords

The password is the most vital part of account security. If an attacker can discover your password, he/she can use your account to attack systems in or outside CERN, as well as read, modify or delete all your files. CERN's Computing Rules require that you protect your accounts with a good password:

III.11: All accounts must have appropriate access protection, such as account codes or passwords.

III.12: The user shall take the necessary precautions to protect his personal computer or work station against unauthorized access. The user shall also protect details of his personal account, particularly by avoiding obvious passwords and shall not divulge his passwords to any third party, unless expressly authorized by his Division Leader. Upon request from the CERN Computer Security Officer or the service manager concerned, the user shall select a new password.

How to choose good passwords

A good password is:

  • private: it is used and known by one person only
  • secret: it does not appear in clear text in any file or program or on a piece of paper pinned to the terminal
  • easily remembered: so there is no need to write it down
  • not guessable by any program in a reasonable time, for instance less than one week
  • longer than 7 characters
  • a mixture of upper/lower case, letters, digits and punctuation

Here are some hints to help you choose good passwords:

  • Choose a line or two from a song or poem, and use the first letter of each word. For example, `In Xanadu did Kubla Khan a stately pleasure dome decree' becomes `IXdKKaspdd'.
  • Alternate between one consonant and one or two vowels with mixed upper/lower case. This provides nonsense words that are usually pronounceable, and thus easily remembered. For example: `roUtboo' or `quADpop'.
  • Choose two short words (or a big one that you split) and concatenate them together with one or more punctuation characters between them. For example: `dog+F18' or `comP!!UTer'.

Attackers, and the programs they use to break into accounts, know a large number of "frequently used" passwords. Here are some guidelines to avoid guessable passwords:

  • don't use your login name in any form (as-is, reversed, capitalised, doubled, with a prefix, with a suffix...).
  • don't use in any form your first or last name and, more generally, any information easily obtained about you. This includes car license plate numbers, telephone numbers, insurance numbers, the brand of your car, the name of the street you live on, the name of your spouse or of your children...
  • don't use a word contained in any dictionary of any language, spelling lists, or other lists of words (acronyms, sequences of letters like 'abcdef' or 'qwerty', place names, car names, cartoon heroes...).
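The criteria and guidelines above can be enforced mechanically. The following checker is an added example (it is not a CERN tool and not from the original article): it implements the criteria list and the "don't use" guidelines as a function that returns every violation it finds. The word list is a constructed stand-in for a real dictionary, `MIN_CLASSES = 3` is this example's reading of "a mixture of upper/lower case, letters, digits and punctuation", and the four-character run used to spot sequences like `abcdef` or `qwerty` is likewise an assumption. Note that the shorter hint examples in the article (`dog+F18`, `roUtboo`) illustrate a construction method and would need lengthening to satisfy the "longer than 7 characters" criterion.

```python
import re
import string

# Constructed stand-in for a real word list (a deployment would load
# /usr/share/dict/words or a cracking dictionary for each relevant language).
WORDLIST = {
    "password", "computer", "secret", "xanadu", "welcome",
    "dragon", "summer", "geneva", "letmein", "monkey",
}

# Alphabet, keyboard rows and digits: a run of four or more consecutive
# characters from any of these (in either direction) is a forbidden sequence.
SEQUENCES = [
    "abcdefghijklmnopqrstuvwxyz", "qwertyuiop", "asdfghjkl", "zxcvbnm",
    "0123456789",
]

MIN_LENGTH = 8       # "longer than 7 characters"
MIN_CLASSES = 3      # assumption: "a mixture" read as at least 3 of the 4 classes
SEQ_RUN = 4          # assumption: shortest run treated as a sequence


def contains_sequence(password, run=SEQ_RUN):
    """True if the password contains 'abcd', 'qwer', 'dcba', '4321' and the like."""
    low = password.lower()
    for seq in SEQUENCES:
        for s in (seq, seq[::-1]):
            if any(s[i:i + run] in low for i in range(len(s) - run + 1)):
                return True
    return False


def check_password(password, login, personal_info=()):
    """Return the list of guideline violations; an empty list means the
    password passes every check implemented here."""
    problems = []
    low = password.lower()

    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")

    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])
    if classes < MIN_CLASSES:
        problems.append("needs a mixture of upper/lower case, digits and punctuation")

    # Login name in any form. Comparing case-insensitively covers the
    # capitalised form; substring matching covers prefixes and suffixes.
    lg = login.lower()
    if lg and any(form in low for form in (lg, lg[::-1], lg * 2)):
        problems.append("contains the login name")

    # Easily obtained personal details (name, plate, phone number, street...).
    for item in personal_info:
        item_l = re.sub(r"\s+", "", str(item).lower())
        if item_l and (item_l in low or item_l[::-1] in low):
            problems.append(f"contains personal information ({item})")
            break

    # A dictionary word with digits or punctuation merely tacked onto either
    # end ('password1', '!secret') is still a dictionary word.
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", low)
    if core in WORDLIST:
        problems.append("is a dictionary word")

    if contains_sequence(password):
        problems.append("contains a letter, keyboard or digit sequence")

    return problems


if __name__ == "__main__":
    # Constructed candidates; 'GE 7531' stands in for a car licence plate.
    for pw in ("IXdKKaspdd!7", "password1", "Qwerty!23456", "eoJeoJ!9x"):
        verdict = check_password(pw, login="joe", personal_info=["GE 7531"])
        print(f"{pw:14} -> {'OK' if not verdict else '; '.join(verdict)}")
```

The checker deliberately strips digits and punctuation only from the ends of the candidate before the dictionary lookup, so a split word with punctuation in the middle, as the article recommends, is not rejected, while a plain word with a digit appended is.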

Why you must change passwords

Even if you choose a good password, it can still be discovered: someone may see you typing it or capture it by snooping on the computer or network. If you accidentally type your password in place of your login name, it may appear in system log files:

   joe      ttyp9        Wed Apr 28 09:37 
    XSecret! pty/ttys0    Fri Feb 26 15:15 - 15:16  (00:00) 
    fred     pty/ttys0    Fri Feb 26 15:16 - 14:27 (87+22:11) 
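An administrator can look for exactly this kind of accident and tell the affected user to change their password. The script below is an added example (not a CERN tool and not from the original article): it scans records in the layout shown above, flags any user field that is not a known account and looks like a password, masks the field so the report does not repeat the secret, and names the probable owner as the next known account that logged in on the same terminal. The sample records and the account list are constructed; the "looks like a password" heuristic (punctuation, upper case, or three character classes in the user field) is an assumption of this example.

```python
import string

# Constructed sample in the layout of the records quoted in the article,
# with one extra harmless line (an unknown but ordinary-looking account name).
SAMPLE_LOG = """\
joe      ttyp9        Wed Apr 28 09:37
XSecret! pty/ttys0    Fri Feb 26 15:15 - 15:16  (00:00)
fred     pty/ttys0    Fri Feb 26 15:16 - 14:27 (87+22:11)
guest    ttyp2        Wed Apr 28 10:02
"""

# Constructed account list; in practice this comes from the password database.
KNOWN_ACCOUNTS = {"joe", "fred", "root"}


def looks_like_password(field):
    """Heuristic: ordinary login names are lowercase letters and digits.
    Punctuation, upper case, or three character classes in the user field
    suggests a password was typed at the login prompt."""
    has_punct = any(c in string.punctuation for c in field)
    has_upper = any(c.isupper() for c in field)
    classes = sum([
        any(c.islower() for c in field),
        has_upper,
        any(c.isdigit() for c in field),
        has_punct,
    ])
    return has_punct or has_upper or classes >= 3


def mask(field):
    """Keep the first character only, so the report does not repeat the secret."""
    return field[0] + "*" * (len(field) - 1)


def suspicious_logins(log_text, known_accounts=KNOWN_ACCOUNTS):
    """Return one finding per record whose user field is not a known account
    and looks like a password. The probable owner is the next known account
    that logged in on the same terminal: the person to tell to change it."""
    records = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if len(parts) >= 2:
            records.append((lineno, parts[0], parts[1]))

    findings = []
    for i, (lineno, user, tty) in enumerate(records):
        if user.lower() in known_accounts or not looks_like_password(user):
            continue
        owner = next((u for _, u, t in records[i + 1:]
                      if t == tty and u.lower() in known_accounts), None)
        findings.append({"line": lineno, "masked": mask(user),
                         "tty": tty, "probable_owner": owner})
    return findings


if __name__ == "__main__":
    for f in suspicious_logins(SAMPLE_LOG):
        print(f"line {f['line']}: user field {f['masked']} on {f['tty']}; "
              f"probable owner {f['probable_owner']} should change their password")
```

After notifying the owner, the offending record should also be removed or overwritten in the log, since the exposure persists for as long as the file is readable.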

For all these reasons you must change your passwords from time to time. We recommend that you change your passwords whenever you return from a trip that could have exposed them and with a minimum frequency of twice a year.

References

For more information, you can consult:


About the author(s): Lionel Cons is a member of the CERN security team (Computer.Security@cern.ch).


For matters related to this article please contact the author.
Cnl.Editor@cern.ch


CERN-CNL-2001-003
Vol. XXXVI, issue no 3


Last Updated on Fri Dec 07 14:18:28 CET 2001.
Copyright © CERN 2001 -- European Organization for Nuclear Research