Passwords
Introduction
Passwords are too often the weakest link in computer security. Passwords must be kept secret and made hard to guess.
Stanford now recommends "pass phrases" instead of passwords. Pass phrases are longer, but easier to remember than complex passwords, and if well-chosen can provide better protection against hackers.
Safeguarding Your SUNet ID
Safeguarding your online identity is critical to the protection and integrity of Stanford's information. First of all, Stanford recommends a unique and separate password for your SUNet account.
You must never allow anyone else to use your Stanford user IDs and passwords for any reason. Stanford's policies do not permit sharing your online identity with anyone, even to allow them to take action or access information on your behalf.
Best Practices
- Choose an excellent password or pass phrase (see below)
- Never ever share your passwords
- Use different passwords for different accounts (e.g., Facebook password should differ from bank account password)
About Pass phrases
A pass phrase is basically just a sentence, including spaces, that you use as a "password." Pass phrases are longer, at least 20 characters (including spaces) in length. Even longer pass phrases (30 or even 40 characters) are better because, though pass phrases might seem simple, the increased length removes the effectiveness of standard password-cracking programs.
Mask the simplicity by throwing in weirdness, nonsense, or randomness. Consider passphrases like these candidates:
- pizza with crispy spaniels
- mangled persimmon therapy
Add unusual punctuation and capitalization:
- Pizza with crispy Spaniels!
- mangled Persimmon Therapy?
Toss in a few digits or symbols from the top row of the keyboard, plus some deliberately misspelled words, and you'll create an almost unguessable key to your account:
- Pizza w/ 6 krispy Spaniels!
- mangl3d Persimmon Th3rapy?
Pass phrase hints:
- If your pass phrase is based on a well-known slogan, expression, song lyric, or quotation, be sure to customize it with misspellings, bad grammar, invented words, deliberate typos, or oddly placed keyboard symbols. You can learn more ways to mix up words using the tactics outlined in the Creating better passwords section, below. Make it easy to type quickly!
- Your pass phrase should never contain information that can be deduced from your personal information, such as Social Security numbers, telephone numbers, credit card numbers, birth dates, or your SUNet ID. Instead, rely on a phrase that has enough meaning to you that you'll remember it easily, then mix it up.
- Try to avoid phrases composed of common, smaller words like "My dog has long toes." The many small words give a password cracking program a slightly better chance of deciphering it.
Note: Don't use the examples shown above.
Creating better passwords
- Longer passwords are better passwords. The more characters a password cracking program has to crunch, the harder it is to guess.
- Remove all the vowels from a short phrase in order to create a new "word." Example: llctsrgry ("All cats are gray")
- Use an acronym: choose the first or second letter of your favorite quotation. Example: itsotfitd ("It's the size of the fight in the dog")
- Mix letters and non-letters in your passwords. (Non-letters include numbers and all punctuation characters on the keyboard.)
- Transform a phrase by using numbers or punctuation. Examples: Idh82go (I'd hate to go), UR1drful (you are wonderful).
- Avoid choosing a password that spells a word. But, if you must, then:
  - Introduce "silent" characters into the word. Example: va7ni9lla
  - Deliberately misspell the word or phrase. Example: choklutt
  - Choose a word that is not composed of smaller words.
- Add random capitalization to your passwords. Capitalize any but the first letter. Examples: eIeIoH!, o.U.Kid
- Change your password at least once every six months.
Avoid passwords of the following kinds:
- Passwords based on a dictionary word spelled backward (drofnats).
- Passwords based on two dictionary words in a row (dogdog).
- Passwords based on the person's login name.
- Passwords that are all white space.
- Passwords that contain control characters.
- Passwords that are all numbers.
- Passwords made of a word followed and/or preceded by 1 or 2 characters (9cheval, cheval9, 99cheval, cheval99, 99cheval99, etc.).
- Passwords with several repeating characters (aaaaaaaa or aaaabbbb or abababab).
- Passwords that do not have more than four characters that differ from the previous character by one (1234abcd).
- Passwords with license plate patterns (daaaddd), where 'a' is an alphabetic letter, 'd' is a digit, and 's' below is a separator such as a dash or space.
- Passwords with social security patterns (dddsddsdddd).
- Passwords with phone number patterns (dddsdddd or dddsdddsdddd).