Choosing Good Passwords
Change your login password for each of the Rice University systems you access before the semester begins.
Recently, unchanged passwords led directly to several Rice computer work station break-ins. These passwords had either not been changed in the past year or --in some cases-- never changed at all.
How can unchanged passwords lead to a security breach?
Whenever campus systems become compromised, the attackers collect passwords used or cached in the hacked systems. They utilize these newly acquired passwords to attack other campus systems. When successful, they grab the passwords from these new systems and continue to attack campus computers with an ever-increasing list of passwords. Rice has never forced password changes, so a compromised or "stolen" password file/list can be valid for years, giving attackers more and more chances to find new systems to attack. Changing passwords regularly helps mitigate security risks.
What does a security breach mean to me?
You may be unaware that security break-ins significantly impact the Rice community's productivity and affect our network, servers, and systems. These high priority incidents draw heavily upon IT staff resources and time, which in turn impacts regular, day-to-day IT customer support. Please change your NetID password and any other passwords you utilize on Rice computers as you prepare for the start of classes. Changing your password on a regular basis is one of the easiest ways to protect your digital assets. The Rice IT Security Office recommends changing your password at least twice a year.
Remember, your passwords protect your digital life at Rice; keep them secure.
NetID password changes can be made on the apply.rice.edu web site: http://apply.rice.edu/
Thanks for helping make Rice safer for your computer, your identity, and your data.
Choosing a good password should be considered a critical aspect of securing systems. Insecure and/or shared passwords account for the majority of recent compromises on and off campus.
One of the best ways of coming up with a good, complex, hard to guess password that is still relatively easy to remember is to start with a phrase you can remember, like:
"Remembering a long and complex password doesn't have to be difficult."
Taking the first letter of every word in the phrase while preserving case and punctuation, we get:
Ralacpdhtbd.
This would be considered a pretty good password, based on the criteria listed below. It's relatively long (12 characters), it contains three of the four types of characters (uppercase letters, lowercase letters, and punctuation), it is not a word or name, and it is memorable – if we remember the phrase used to generate it. To make it even more secure, characters can be added or replaced with numbers or other characters. For example, if we replace the first vowel (a) with a number or character, we get:
R@lacpdhtbd.
So, using a phrase that you can easily remember, you can create a very good and complex password. Now that you have a good password, remember the following tips to avoid it getting out to the wrong people:
- Don’t write it down.
- Don’t share it with anyone.
- Do change the password regularly – every six months or so. (HINT: Change your password when you change your clocks for Daylight Saving Time.)
- Do change the password if it is shared or if you think someone else may know it.
More Information
Good Passwords Are:
- Complex
Passwords can (and should) contain more than simple lowercase letters. A combination of uppercase and lowercase letters, numbers, and punctuation marks makes passwords harder to guess.
- Long
Generally, the longer the password, the harder it is to crack. A bare minimum password should be eight characters, but the recommended length is over twelve.
- Not Found in a Dictionary
Hackers use password crackers that throw many different passwords at accounts using different kinds of attacks. One kind of attack uses a “Dictionary File”. These “Dictionary Files” contain literally hundreds of thousands of dictionary words, names, and simple permutations of each. For example, one attack might try to use ‘password’ in its attack. A good attack would try permutations as well, like p@ssword, password1, etc.
- Changed Regularly
At a minimum, passwords should be changed every six months. Depending on the type of system and the level of rights being accessed, it may need to be changed even more frequently. (Remember: Change your password when you change your clocks for Daylight Saving Time.)
- Memorable
The password you choose should be memorable to you. You should not choose a password that you have to write down to remember.
Rice University Information Security Office
http://www.rice.edu/it/security/index.shtml
security@rice.edu
