Carnegie Mellon University School of Computer Science

Security: Passwords

A word about password security:

It is very common for intruders to attempt to break-in to systems (both Unix and Windows) at SCS by trying to guess people's passwords. Sometimes they succeed, and when they do it is often because people chose very poor passwords, such as "password", or "administrator", or a password that is the same as the user name. These break-ins can result in a significant amount of downtime, lost work, and loss of privacy (for example, if there is are social security numbers or other personal data on the system).

Intruders also may install keyboard sniffers that let them gather additional passwords and put more machines at risk. They can also conduct dictionary attacks against a host's password database, and try thousands of potential passwords per second.

What not to do when choosing a password

  • Do not re-use passwords. SCS accounts have been broken into because the password for their SCS account was the same as that for a site whose password database had been compromised (e.g. LinkedIn, Adobe, etc).
  • Do not choose a password based upon personal data, such as your name, your username, or other information that one could easily discover about you from searching the internet or knowing personal information about you.
  • Do not choose a guessable password. Guessable passwords include words (English or otherwise), proper names, names of TV shows, the account's user name, keyboard sequences, and anything else that one would expect a clever person to put in a "dictionary" of passwords.
  • Do not choose a password that is a simple transformation of a word, such as putting a punctuation mark at the beginning or end of a word, converting the letter "l" to the digit "1", writing a word backwards, etc. For example, "password,123" is not a good password, since adding ",123" is a common, simple transformation of a word.
  • Do not choose passwords less than eight characters long or that are made up solely of numbers or letters. Use letters of different cases, mixtures of digits and letters, and/or non-alphanumeric characters. Eight characters is a minimum length. Using passwords of ten or more characters is more secure.

The best method for choosing passwords

The single best method for generating passwords is to do the following:

  1. Make up a sentence you can easily remember. Some examples:
    • I have two kids: Jack and Jill.
    • I like to eat Dave & Andy's ice cream.
    • No, the capital of Wisconsin isn't Cheeseopolis!
  2. Now take the first letter of every word in the sentence, and include the punctuation. You can throw in extra punctuation, or turn numbers into digits for variety. The above sentences would become:
    • Ih2k:JaJ.
    • IlteD&A'ic.
    • N,tcoWi'C!

As you can see, the passwords generated by this method can be fairly secure, but are easy to remember if the sentence you pick is one that is easy for you to remember. In cases where an application allows long passwords, you could possibly use the entire phrase as your "password".

Another password selection method

If you don't wish to use the above method, the following method also generates "reasonably" secure passwords (though not quite as good as the method above) that may be easier to remember:

  1. Choose two or more unrelated words such as:
    • unix & fun
    • book & goat
    • august & brick
  2. Join the words with a non-alphabetic character or two.
  3. Make at least one change (for example, uppercase a letter or add another character) to one or more of the words (preferably not just at the very beginning or end of the password).

Some example passwords generated using this method:

  • unix+PhUn
  • bo!ok29goat
  • august,=bRICK

How long does my password have to be?

In general, the longer a password is, the harder it is for somebody to guess or brute-force it. Password selection trades off security with convenience and the ability to remember it. Eight characters should be the absolute minimum length. SCS Kerberos passwords may be of practically unlimited length (the limit is at least several hundred characters).

In a Windows environment, there are may be security advantages if your password is 15 characters or longer.

Can I write my password down?

You should avoid writing down your password or giving it to others. You should especially avoid writing it down and leaving it in a non-secured place such as on a post-it on your monitor or a piece of paper in your desk. If you absolutely must write something down, we suggest doing the following:

  • Don't write down the entire password, but rather a hint that would allow you (but nobody else) to reconstruct it.
  • Keep whatever is written down in your wallet or other place that only you have access to and where you would immediately notice if it was missing or someone else gained access to it.

Encryption & password security

Whenever you use the SCS network, you should assume that somebody could be eavesdropping on the packet data that you send and receive. For that reason, whenever you are transmitting sensitive data, such as passwords, over the network, you should use some form of encryption to protect your data.

Some types of connections that are encrypted are:

  • SSH connections and traffic that is tunneled through an SSH connection.
  • SSL-encrypted web browser connections (i.e. URLs beginning with https: and where your browser does not display a warning.)

The following types of connections are not encrypted:

  • Non-Kerberized telnet connections.
  • Ordinary POP3 connections.
  • IMAP connections that don't use TLS or some other type of encrypted connection.
  • Ordinary FTP connections. If you want to securely copy files to/from a machine, use scp or sftp.
  • X11 traffic, unless that traffic is tunneled through an SSH connection.

For remote logins: Use SSH for logging into remote hosts over the network. This will protect your network traffic from being snooped in transit.