Password Selection Guidelines

This file contains the following information on selecting a password:

  • Why you need to be careful with your password
  • Do's and Don'ts for selecting a password

    Why you need to be careful with your password

    A compromised password can easily be used in ways that you are unlikely to notice, such as remote authentication to AFS. Keep in mind that a poorly chosen password not only places all of your own files and data at risk; it also places your colleagues and co-workers at increased risk, because it lets an outsider masquerade as you and bypass all of the restrictions normally in place for external access to the environment. Thus it is never reasonable to keep an easily guessable password on your account simply because you are personally willing to take the risk.

    And the risk of compromise is real: given enough time, any password can be found simply by trying all possible combinations. For example, there are only 26^6 (about 3.1 x 10^8) all-lower-case 6-character passwords, so a machine that can try 1000 passwords per second exhausts them in about 3.6 days, and on average finds the right one in half that time. A rate of 1000 guesses per second is also very modest: dedicated password-cracking hardware tries many orders of magnitude more per second, so treat six characters as a bare minimum rather than a target.

    However, for well-chosen passwords a brute-force attack is still infeasible even using today's fastest computers, as long as you change passwords from time to time and follow a few basic guidelines. The following tips come from "Improving the Security of Your UNIX System" by David Curry, SRI International, ITSTD-721-FR-90-21. Curry's advice assumes the traditional UNIX limit of eight significant characters; SCS Kerberos passwords are not limited to 8 characters, so you may, and should, use longer ones.
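    As an added worked example (not from this page or from Curry's report), the arithmetic behind the search-time claim above in Python, generalised to any alphabet size, password length and guessing rate. The 10^9 guesses per second used for "modern hardware" is an illustrative assumption, not a measurement; the alphabet sizes come from Python's string module (26 lower-case letters, 52 letters, 94 printable characters including digits and punctuation).

```python
"""Brute-force search-time arithmetic for fixed-length passwords (added example)."""
import string

# Alphabet sizes for the character classes discussed on this page.
LOWERCASE = len(string.ascii_lowercase)                                              # 26
MIXED_CASE = len(string.ascii_letters)                                               # 52
MIXED_DIGITS_PUNCT = len(string.ascii_letters + string.digits + string.punctuation)  # 94

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY

# Guessing rates: the page's 1000/s, and an ASSUMED round figure for a
# modern GPU attacking a fast hash (illustrative, not a benchmark).
RATE_PAGE = 1_000
RATE_GPU_ASSUMED = 1_000_000_000


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def exhaustive_search_days(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Days needed to try every candidate. On average the attacker succeeds after half of them."""
    return keyspace(alphabet_size, length) / guesses_per_second / SECONDS_PER_DAY


def min_length_for(alphabet_size: int, guesses_per_second: float, years: float) -> int:
    """Shortest length whose full search takes longer than `years` at the given rate."""
    budget = years * SECONDS_PER_YEAR * guesses_per_second   # guesses the attacker can afford
    length = 1
    while keyspace(alphabet_size, length) <= budget:
        length += 1
    return length


if __name__ == "__main__":
    print(f"26^6 = {keyspace(LOWERCASE, 6):,} candidates")
    print(f"lowercase x 6 @ {RATE_PAGE:,}/s: {exhaustive_search_days(LOWERCASE, 6, RATE_PAGE):.1f} days")
    classes = (("lowercase", LOWERCASE), ("mixed case", MIXED_CASE),
               ("mixed+digits+punct", MIXED_DIGITS_PUNCT))
    for name, size in classes:
        for rate in (RATE_PAGE, RATE_GPU_ASSUMED):
            need = min_length_for(size, rate, 100)
            print(f"{name:>20} @ {rate:>13,}/s: {need} characters for > 100 years of search")
```

    Running the script reproduces the page's figure (about 3.6 days for six lower-case letters at 1000 guesses per second) and then shows why the "Do" rules matter: enlarging the alphabet from 26 to 94 characters buys more than adding two characters of length does, and at the assumed GPU rate nothing under ten characters from the full printable set survives a century of search.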

    Do's and Don'ts for selecting a password

  • Don't use your login name in any form (as-is, reversed, capitalized, doubled, etc.).
  • Don't use your first or last name in any form.
  • Don't use your spouse's or child's name.
  • Don't use other information easily obtained about you. This includes license plate numbers, telephone numbers, social security numbers, the brand of your automobile, the name of the street you live on, etc.
  • Don't use a password of all digits, or all the same letter. This significantly decreases the search time for a cracker.
  • Don't use a word contained in (English or foreign language) dictionaries, spelling lists, or other lists of words.
  • Don't use a password shorter than six characters.
  • Do use a password with mixed-case alphabetics.
  • Do use a password with nonalphabetic characters, e.g., digits or punctuation.
  • Do use a password that is easy to remember, so you don't have to write it down.
  • Do use a password that you can type quickly, without having to look at the keyboard. This makes it harder for someone to steal your password by watching over your shoulder.
    Although this list may seem extremely restrictive, there are several methods for choosing secure, easy-to-remember passwords that obey the rules above. Some of these include the following:

  • Choose a line or two from a song or poem, and use the first letter of each word. For example, "In Xanadu did Kubla Khan a stately pleasure dome decree" becomes "IXdKKaspdd."
  • Alternate between one consonant and one or two vowels, up to eight characters. This produces nonsense words that are usually pronounceable, and thus easily remembered. Examples include "routboo," "kuadpop," and so on.
  • Choose two short words and concatenate them with a punctuation character between them. For example: "dog;rain," "book+mug," "kid?goat."
  • Finally, you should avoid using the same password in multiple administrative domains. This minimizes the damage if the security of one of those domains is compromised. For example, it is common for crackers to accumulate login names and passwords for individuals on one machine and to then look for identical accounts on other machines that these people might use. If you have accounts elsewhere on the Internet you should use a different password than you use at CMU. This protects you from a breach of security at an external site, which you may never even find out about.

    You should also use different passwords within the distinct CMU administrative domains (e.g. SCS, SEI, Andrew, ECE, etc.) and even within different SCS computing domains that employ distinct authorization mechanisms. Thus your SCS Kerberos password should not be the same as a password you use for accounts maintained outside of SCS, nor should it be the same as the password you use for non-Kerberos machines within SCS.
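    The Do's and Don'ts list and the three construction methods above, as an added Python example that is not part of this page or of Curry's report. It checks a candidate password against the rules (login name in any form, personal information, dictionary words, all digits, all one character, minimum length, mixed case, non-alphabetic characters) and generates passwords by the first-letters, consonant/vowel and two-words methods. It goes slightly beyond the page: the generators capitalise one letter and add a punctuation mark so that their output also satisfies the "Do" rules, which the page's own examples "routboo" and "dog;rain" do not. The word list, the login name "jsmith" and the personal details are constructed for illustration; a real deployment would load a full dictionary such as /usr/share/dict/words and the account's own data.

```python
"""Rule checker and generators for the password guidelines above (added example)."""
import secrets
import string

# Constructed stand-in for a dictionary / spelling list.
DICTIONARY = {"password", "xanadu", "kubla", "dog", "rain", "book", "mug",
              "kid", "goat", "secret"}
MIN_LENGTH = 6
CONSONANTS = "bcdfghjklmnpqrstvwxyz"
VOWELS = "aeiou"


def forbidden_forms(word: str) -> set:
    """The trivial transforms the rules forbid: as-is, reversed, doubled (case is ignored)."""
    w = word.lower()
    return {w, w[::-1], w + w}


def check_password(password: str, login: str, personal=()) -> list:
    """Return the rules the password breaks; an empty list means it passes.

    `personal` holds names and other easily obtained facts about the user."""
    problems = []
    p = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.isdigit():
        problems.append("all digits")
    if len(set(password)) == 1:
        problems.append("all the same character")
    sources = [("login name", login)] + [("personal information", w) for w in personal]
    for label, word in sources:
        w = word.lower()
        if p in forbidden_forms(w) or (len(w) >= 3 and w in p):
            problems.append(f"derived from {label} '{word}'")
    letters = "".join(c for c in p if c.isalpha())      # "Password1" -> "password"
    if letters in DICTIONARY or letters[::-1] in DICTIONARY:
        problems.append("dictionary word")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("no mixed case")
    if not any(c in string.digits + string.punctuation for c in password):
        problems.append("no digit or punctuation")
    return problems


def initials(phrase: str) -> str:
    """Method 1: first letter of each word, keeping the phrase's capitalisation."""
    return "".join(w[0] for w in phrase.split())


def pronounceable(length: int = 8) -> str:
    """Method 2: one consonant then one or two vowels, repeated; then one capital
    and a trailing punctuation mark so the result also meets the 'Do' rules."""
    out = []
    while len(out) < length - 1:
        out.append(secrets.choice(CONSONANTS))
        out.extend(secrets.choice(VOWELS) for _ in range(secrets.choice((1, 2))))
    word = "".join(out)[: length - 1]
    i = secrets.randbelow(len(word))
    word = word[:i] + word[i].upper() + word[i + 1:]
    return word + secrets.choice(string.punctuation)


def two_words(first: str, second: str) -> str:
    """Method 3: two short words joined by a random punctuation mark, first one capitalised."""
    return first.capitalize() + secrets.choice(string.punctuation) + second


if __name__ == "__main__":
    login, personal = "jsmith", ["john", "smith"]
    candidates = ["jsmith", "htimsj", "111111", "Password1",
                  initials("In Xanadu did Kubla Khan a stately pleasure dome decree"),
                  pronounceable(), two_words("dog", "rain")]
    for pw in candidates:
        verdict = check_password(pw, login, personal) or ["ok"]
        print(f"{pw!r:16} {', '.join(verdict)}")
```

    The checker reports the page's own "IXdKKaspdd" as lacking a digit or punctuation mark, which is the one rule Curry's first method does not cover on its own; adding a single non-alphabetic character fixes that without hurting memorability.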


    For help with any facilities-related problem, or if you have questions and comments regarding Facilities documentation, please send mail to help+doc@cs.cmu.edu