HOW TO CHOOSE A BAD PASSWORD
----------------------------

Now that you have an account on a computer you will have to choose a password for that account. Your password protects your work on the computer just as a PIN protects your money in the cash machine. There are good passwords and bad passwords. A bad password can allow someone else to get into your account and read your files, or even delete or alter your work. I'm assuming that you don't want someone else to do that, but if in fact you do, then here is how you can make it easier for them by choosing a bad password:

1. Make it really easy and use your computer userid, or your name, as your password. That's what all good computer crackers try first.

2. If you don't like that, use your nickname, your middle name, your student ID number, your phone number, your birthday, or other information about you that anyone can get with a student directory or the finger command.

3. Use the name of your girlfriend/boyfriend, spouse, pet, or child. [If you have seen the film "War Games" you may remember that the password to the supercomputer was the name of Professor Falken's son, Joshua.]

4. Use words or names from Sci-Fi or fantasy books or movies. Computer nerds love these so they are easy to guess. If you use names from literature or ancient mythology you will keep the geeks out and let in only the well-read crackers.

5. If you want to make them work only a little bit harder, use a dictionary word. Now that there are on-line spelling dictionaries it is easy for someone to write a program to try all of these until they get the right one. It's slow, but it works eventually.

Now, if you don't like the idea of someone getting into your account and reading your e-mail or deleting your files, then here are some guidelines for choosing a *good* password:

1. The best password is a mixture of letters, numbers, punctuation and special characters. The more complex and random it is, the harder it will be for someone else to crack.
Of course it may also be hard for you to remember, so you should try to choose a complicated password which is also relatively easy for you to remember, but hard for someone else to guess.

2. Use at least 6 characters in the password. Shorter passwords are easier for computer programs to guess. Newer versions of Unix require that you use at least 6 characters in a password, and that at least one of them not be a letter. But remember that Unix passwords are only 8 characters long -- any extra characters are simply ignored.

3. Just adding a number or punctuation mark to a word can make a password a bit more secure, but if it's a dictionary word then this will probably not be enough. One well known cracking program easily caught the password "offbeat1". A better combination would be "off1beat".

4. Use fragments of words mixed in unusual ways that would not be found in a dictionary, or take a compound word and swap the pieces in an unusual way. The password just suggested above is even better if you swap the first and last parts.

5. Obscene words are generally not good passwords, even though they are not in on-line dictionaries, because many cracking programs check for these separately.

6. Take a word and substitute a symbol or number for one or more letters. But be unusual. Many cracking programs already know enough to try a "$" in place of an "S", or a "1" in place of an "I" or "L". It's better to just insert punctuation or special characters at random in the middle of a word.

7. One way to make a good password is to take the first letters of a phrase you can remember. Use a poem you like, a song lyric, or a quotation you can remember -- the more obscure the better. This produces a sequence of letters which you can remember, but which nobody else can easily construct, nor remember if they see it.

8. Another way to make a password is to interleave two words, or a word and a number. For example, mixing "July" and "1776" gives "J1u7l7y6".
(But that's a bad example, because it's a well known date -- use something more obscure.)

9. OLD car license numbers (or aircraft "N" numbers) make good passwords, but the license number of the car you are driving now could be easy for someone else to guess. "NCC-1701" is not a good password -- too many crackers watch Star Trek.

10. Words from other languages are better than English dictionary words, but can still be cracked if the cracker has an on-line dictionary in that language (many are easily available). Applying some of the tricks mentioned above to foreign words can lead to a good password, as long as you can still remember it.

Here are some guidelines to help make your passwords more secure:

1. Change your password often. Even if someone cracks the system password file, the password they obtain is not likely to last long. It can be hard to remember to do this, so use something else to remind yourself. If you change your password once a month, do it at the beginning of the month when you pay your bills, or change it every time you have a math test. Change it at least once every term. Some computers have "password aging" which forces you to change your password often. This is good as long as it's not often enough to be annoying.

2. Never give your password to anybody. The computer center staff don't need to know it, and in fact they can't find out what your password is (without running a cracking program themselves!). If you get e-mail from someone asking for your password so that they can trap a cracker, then they are probably a cracker themselves. Report it to the computer center.

3. If you think someone might have seen you type in your password, change it as soon as possible. On any Unix computer the command to change your password is `passwd` (though check for local variations).

4. If you can avoid it, don't write your password down. If you do have to write it down, don't label it.
If someone sees "xyzzy" in your notebook they may not know what it means, but if they see "my password is xyzzy" they will. [And by the way, "xyzzy" is a magic word from a computer game, so it's not a good password.]

5. If you work on more than one computer and they don't share a common password file, use different passwords on different machines. Then if someone breaks into one computer they still can't get into the other.

6. Use private information known only to you when you construct your passwords, not public information which other people are able to find (no matter how unlikely you may think it would be that they would find it -- if it is publicly available don't use it).

7. Never send a password through e-mail. Electronic mail is not as secure as you might think! If you have to send someone a password, use regular ("snail") mail or fax.

Finally, if you want to read a good (and true!) story about computer crackers, foreign spies, and even a famous security bug in emacs (now fixed), then I recommend "The Cuckoo's Egg" by Cliff Stoll.

Eric Myers                               | Last revision:
Department of Physics                    | $Date: 1997/01/19 23:59:48 $
University of Michigan, Ann Arbor, MI    | $Revision: 2.7 $
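The following Python checker is an added example, not part of Eric Myers's article, that turns the rules above into code a system administrator could run when a user picks a password: at least 6 characters with one non-letter, no personal information, and no dictionary word even when a digit is tacked on the end ("offbeat1"), the word is reversed, or letters are swapped for the symbols crackers already try ("$" for "S", "1" for "I" or "L"). Because classic Unix crypt() ignores everything after the eighth character, the checks are applied to the first 8 characters only. The word list, the substitution table, the sample personal details and the helper names (`check_password`, `first_letters`, `interleave`) are all constructed for this example.

```python
"""Added example: a checker that applies the password rules in the text above.

It requires at least 6 characters with at least one non-letter, rejects
personal information, and rejects dictionary words even when a digit or
punctuation mark is tacked on the ends, the word is reversed, or letters are
replaced by the symbols crackers already try ($ for S, 1 for I or L).
Everything is judged on the first 8 characters, because classic Unix crypt()
silently ignores the rest.  The word list, the substitution table and the
sample personal details below are constructed for this example.
"""

import string

# Constructed stand-in for an on-line spelling dictionary.
WORDLIST = {"offbeat", "password", "secret", "joshua", "xyzzy", "dragon",
            "wizard", "summer", "maverick"}

# Symbol-for-letter swaps the text says cracking programs already know.
# Constructed sample table; a real cracker's table is much larger.
SUBSTITUTIONS = {"$": "s", "5": "s", "1": "il", "0": "o", "3": "e",
                 "@": "a", "!": "i", "7": "t"}

MIN_LENGTH = 6
CRYPT_SIGNIFICANT = 8   # classic crypt() uses only the first 8 characters
MAX_FORMS = 4096        # cap on substitution expansion for long inputs
_EDGE_CHARS = string.digits + string.punctuation


def plain_spellings(text):
    """Return the plain spellings a 'leet' password may stand for.

    Each symbol in SUBSTITUTIONS is tried both as itself and as every letter
    it commonly replaces, so "0ffbe@t" yields "offbeat" among others.
    """
    forms = [""]
    for ch in text.lower():
        alternatives = ch + SUBSTITUTIONS.get(ch, "")
        forms = [f + a for f in forms for a in alternatives][:MAX_FORMS]
    return set(forms)


def dictionary_word_in(password):
    """Return the dictionary word the password is built from, or None."""
    for form in plain_spellings(password):
        trimmed = form.strip(_EDGE_CHARS)                 # "offbeat1" -> "offbeat"
        for candidate in (form, trimmed, trimmed[::-1]):  # also catch reversed words
            if candidate in WORDLIST:
                return candidate
    return None


def check_password(password, personal_info=()):
    """Return the problems found (an empty list means every check passed).

    Only the first CRYPT_SIGNIFICANT characters are examined, matching what
    the old Unix password hash would actually protect.
    """
    effective = password[:CRYPT_SIGNIFICANT]
    lowered = effective.lower()
    problems = []
    if len(effective) < MIN_LENGTH:
        problems.append("fewer than %d characters" % MIN_LENGTH)
    if effective.isalpha():
        problems.append("only letters, no digit or punctuation")
    for item in personal_info:
        item = item.lower()
        if len(item) >= 3 and (item in lowered or item[::-1] in lowered
                               or lowered in item):
            problems.append("contains personal information (%s)" % item)
    word = dictionary_word_in(effective)
    if word is not None:
        problems.append("built from the dictionary word %r" % word)
    return problems


def first_letters(phrase):
    """Rule 7 above: the initials of a memorable phrase."""
    return "".join(w[0] for w in phrase.split() if w[0].isalnum())


def interleave(a, b):
    """Rule 8 above: interleave two strings, e.g. "July" + "1776" -> "J1u7l7y6"."""
    mixed = "".join(x + y for x, y in zip(a, b))
    return mixed + a[len(b):] + b[len(a):]   # keep any leftover tail


if __name__ == "__main__":
    samples = ["offbeat1", "off1beat", "0ffbe@t!", "password1234", "xyzzy!",
               interleave("July", "1776"),
               first_letters("Four score and seven years ago our fathers")]
    for pw in samples:
        print("%-14s %s" % (pw, check_password(pw, ["Joshua", "Falken"]) or "ok"))
```

Running it shows the text's own cases: "offbeat1" and "0ffbe@t!" are traced back to "offbeat", while "off1beat" and "J1u7l7y6" pass the dictionary test (the checker cannot know that 1776 is a famous date; that judgement stays with the user). Note that rule 7 alone produces nothing but letters, so a phrase-initials password such as "Fsasyaof" is rejected until a digit or punctuation mark is mixed in, exactly as rule 2's Unix requirement demands. Because only 8 characters count, "password1234" is judged as "password" and fails twice.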