Password Security & Best Practices
The need for password security
This year you will most likely not be the victim of a violent crime, have your house burgled, or your car stolen. But you might. Because of this, you are likely to take reasonable precautions to protect yourself and your property.
Research has shown that the same is true of the Internet. Unlike what the popular press would have you believe, if you are an Internet user, this year you are most likely not going to be the victim of an Internet security attack. But you might. Because of this, you should take reasonable precautions to protect the files on your computer, and to protect your data as it transits the Internet.
Information security is everyone's responsibility. Computer systems at Rhodes are used by a variety of people for many things, some of them very important. Passwords are a pain, but so is locking your house or fitting burglar alarms to your car. Remember, the paper, thesis, confidential document or newly set examination papers that get trashed or spread all over the Internet could be yours. Remember too that your username and password allow you to perform real financial transactions, such as buying printing credit (this is particularly true in the case of students).
Passwords help ensure that the account owner alone can gain access to information, by using his or her unique account. Any activity generated by a particular account is the responsibility of the individual to whom the account has been assigned. It is very important that individuals protect their account by following good password practices.
As we become more dependent on computers, and in particular the Internet, in our day-to-day activities, the need for good password security increases. Most people respond to requests to secure their passwords with something along the lines of "why should I bother; I don't have anything to hide". Yet these same people would be appalled if someone used their Internet banking service to empty their bank account, or their credit card details to purchase things off the Internet. These days, if you use a computer that is connected to the Internet, password security is very important and is something that should concern you.
Do's and Don'ts of passwords
In 2000, the CERT (Computer Emergency Response Team) claimed that 22% of all security incidents reported to them involved problems with passwords. In 2004, a survey showed that 70% of people would reveal their password for a bar of chocolate (a result that was repeated in 2008). Clearly there's a need for people to be aware of how to protect this valuable part of their online identity.
Use these guidelines when deciding what password to use and how to keep it secure:
- DON'T use a password that you are using for some other purpose, such as your PIN at the bank or your password to another system. Select a unique password for each system or service you access.
- DON'T re-use an old password, and don't cycle through a predictable pattern (the same word with the month or a counter appended). Anyone who learns one of them can guess the rest.
- DON'T use your login name in any form (as is, reversed, capitalized, doubled, etc.).
- DON'T use your first, middle, or last name in any form or use your spouse's or child's name or the name of your boy/girl/personfriend, relative, dog, cat, hamster, or budgie.
- DON'T use other information easily obtained about you. This includes license plate numbers, telephone numbers, identity or passport numbers, the make of your automobile, the name of the street you live on, etc.
- DON'T use any name, even of imaginary characters in a book, TV show or movie: if you've read or seen it, it's in a cracker's wordlist somewhere.
- DON'T use a password of all digits, or all the same letter, or based on the position of keys on a computer keyboard, or one based on the time of day. These dramatically reduce the number of combinations that need to be tried in a brute force password attack.
- DON'T use a word or place name contained in any English, Afrikaans, Xhosa or foreign language dictionary, spelling list, or other list of words. Plurals are no good either, and nor is a word with a numeral on the end or with substitutions of "1" for "i" or "l" and so forth; password-cracking tools apply exactly those transformations to every word in their lists.
- DON'T use a password shorter than six characters; a minimum of eight is recommended. Length is your main defence against brute-force and dictionary attacks on a stolen password file, since every extra character multiplies the number of guesses an attacker has to try. Note that length does nothing against a packet sniffer, which captures whatever you type; only an encrypted connection protects you there.
- DON'T hard-code your password into the configuration files of any scripts or programs you run, for example email clients.
- DO avoid the obvious — if you can't, spell it badly.
- DO use a password with mixed-case alphabetics.
- DO use a password with non-alphabetic characters (digits or punctuation).
- DO use a password that is easy for you to remember or reconstruct, so you don't have to write it down.
- DO use a password that can be typed quickly.
- DO change your password if you have visited another city or campus and logged on from a system there.
- DO change your password if you have had the same password for more than six months.
Choosing a secure password
A good password should make sense to you, but to you alone.
Passwords should be at least six characters long. This is a break-even point, the longer the password the more effort required to crack it but the more errors you may make typing it in.
A random sequence of letters, numbers and punctuation characters would be practically unguessable, but hard to remember.
A compromise is to join bits of more than one word with punctuation, e.g. "mst+hin" from grahaMSTown and rHINo.
Use the initial letters of some personally memorable phrase, the first line of a poem or song, perhaps reversing the order. For example 'Rhodes University - Where Leaders Learn' giving "llw-ur" as your password — totally unguessable until used as an example in this document!
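The checker below is an added example, not an IT Division tool: it implements the Do's and Don'ts above and the two password constructions in this section so you can see what each rule catches. The wordlist, keyboard rows, the login name "jsmith", the personal-information list and the guessing rate of 10^10 per second are constructed assumptions, not measurements.

```python
import math
import re
import string

# Constructed mini "cracker's wordlist". A real attacker's list has millions of
# entries covering every language, place name and fictional character.
WORDLIST = {"rhodes", "grahamstown", "password", "welcome", "rhino", "frodo",
            "gandalf", "london", "letmein", "summer"}

# Keyboard rows, for catching positional patterns such as "qwerty" or "asdfgh".
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

# Substitutions an attacker's rule set tries first: "1" for "i"/"l", "0" for "o", ...
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 8  # the recommended minimum; six is the absolute floor


def normalise(pw: str) -> str:
    """Reduce a password to the dictionary word it may be based on: lower-case it,
    drop a trailing numeral or punctuation, then undo leet substitutions."""
    stripped = re.sub(r"[\d\W_]+$", "", pw.lower())
    return stripped.translate(LEET)


def has_keyboard_walk(pw: str, run: int = 4) -> bool:
    """True if `run` adjacent keys of one keyboard row appear, in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            seg = row[i:i + run]
            if seg in low or seg[::-1] in low:
                return True
    return False


def keyspace_bits(pw: str) -> float:
    """Work a brute-force attacker faces: log2 of the number of candidates of this
    length drawn from the character classes the password actually uses."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 on a US keyboard
    return len(pw) * math.log2(size) if size else 0.0


def brute_force_seconds(pw: str, guesses_per_second: float = 1e10) -> float:
    """Seconds to exhaust the keyspace at an assumed offline guessing rate
    (1e10/s is a constructed figure for a fast hash on a GPU rig, not a measurement)."""
    return 2 ** keyspace_bits(pw) / guesses_per_second


def initials(phrase: str, reverse: bool = False) -> str:
    """Build a password from the first character of each word of a memorable phrase,
    keeping punctuation tokens. Case is preserved, so the result is mixed-case when
    the phrase is (the example above lower-cases it)."""
    chars = [tok[0] for tok in phrase.split()]
    if reverse:
        chars.reverse()
    return "".join(chars)


def check_password(pw: str, login: str, personal: tuple = ()) -> list:
    """Return the rules `pw` breaks for user `login`; an empty list means it passes.
    `personal` holds things easily found out about the user (plate, phone, pet)."""
    problems = []
    low = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # login name as-is or reversed; doubled and capitalised forms are caught by the
    # substring test on the lower-cased password
    if any(v in low for v in (login.lower(), login.lower()[::-1])):
        problems.append("contains the login name")
    for item in personal:
        if item and item.lower() in low:
            problems.append(f"contains personal information ({item})")
    if pw.isdigit():
        problems.append("all digits")
    if len(set(low)) == 1:
        problems.append("all the same character")
    if has_keyboard_walk(pw):
        problems.append("keyboard-position pattern")
    norm = normalise(pw)
    if norm in WORDLIST or norm.rstrip("s") in WORDLIST:
        problems.append("dictionary word after undoing substitutions or plural")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("no mixed case")
    if not any(c.isdigit() or c in string.punctuation for c in pw):
        problems.append("no digit or punctuation")
    return problems


if __name__ == "__main__":
    phrase = "Rhodes University - Where Leaders Learn"
    for candidate in ("12345678", "qwerty123", "P@ssw0rd", "Rhino5", "mst+hin",
                      initials(phrase, reverse=True), "Llw-Ur!42"):
        verdict = check_password(candidate, login="jsmith", personal=("CA 123",))
        print(f"{candidate:12} {keyspace_bits(candidate):5.1f} bits "
              f"{brute_force_seconds(candidate):10.1e} s  {verdict or 'OK'}")
```

Running it shows that "P@ssw0rd" collapses back to "password" once the substitutions are undone, that an all-digit password of eight characters is exhausted in a fraction of a second at the assumed rate, and that this page's own examples "mst+hin" and "llw-ur" are below the eight-character recommendation; keeping the phrase's capitals and adding a digit and a punctuation character brings the initials construction past every rule.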
Good password practice
Don't use the initial password you were given when your account was created. Change this password the first time you log in.
Don't leave your computer logged on to any session if you leave your work area; lock your screen if you have to.
Avoid logging in with someone looking over your shoulder — they could read your password from the key-strokes.
Also, change your password in a public lab or on a computer that only you have access to; don't use your friend's computer. It is possible to load a 'password grabber' onto a PC which reads your password as you type it in.
If you think your password may have been compromised change it as soon as possible. If in doubt contact the help desk in the IT Division and we will arrange that your password is changed. If you are not going to use your account for some time, set the password to gibberish and have it reset by us when you wish to use it again.
Don't loan or share your password with other people. This in any event would be a contravention of the Rhodes University Acceptable Use Policy. Neither should you write it down on a piece of paper that will inevitably be left lying around. Keep it a secret — from everyone. You are the only one who should know your password. You should tell no one — not your roommate or friends, not your co-workers or colleagues, not your assistant or your system administrator, and not the person who is helping you solve a computer problem. Remember that giving your password to someone is like giving them complete, unrestricted access to your bank account.
No one in the Information Technology Division should ask you for your password; and no IT Division support consultant should ask you to tell them your password. If someone does ask you for your password, do not tell them what it is.
Note that, for your own protection and to indemnify the University, passwords will only be reset or changed on your behalf when you produce proof of identity in person.