A&S and Trinity College, Duke U.
Guidelines for Setting Good Passwords

See also
Password Security: A Guide for Students, Faculty and Staff at Duke University


It is easy to break into any account with a ``bad'' password. Such break-ins compromise the whole system, so all users bear the responsibility of choosing good passwords.

  • The best passwords contain a mixture of upper case letters, lower case letters, numbers and punctuation (e.g. ``lap5Dog%'', ``Whoosh2?'', ``sUp*Er8'', ``BIG3pig!!''). The first characters of a memorable phrase - in mixed upper and lower case - with additional numbers and punctuation thrown in make a good password. For example, Mary had a little lamb: ``5Mhall!''
  • A password should be at least six characters long, preferably seven or eight. Anything beyond eight characters will be ignored.
  • Any typeable characters are acceptable.
  • The case of a letter is significant (e.g. ``Sparc'' and ``sparc'' are different; this is generally true in Unix, but it is not true in Microsoft operating systems).
  • DO NOT use anything that can be found in any dictionary (e.g. ``vorticity'', ``encomia'', ``Mervin'' are obscure, but they occur in common dictionaries so they should be avoided). This includes foreign words, slang, jargon, and proper names (e.g. ``sayonara'', ``reboot'', ``Keohane'').
  • Avoid any names, words, numbers or abbreviations that can be found in your personal data (e.g. social security numbers, maiden names, name of relatives, any dates).
  • Avoid passwords that can be ``guessed'' by knowing something personal about you. This includes nicknames, names of pets, names of significant others, anything from your favorite TV show (Trekkies beware!), your favorite book, lines from your favorite songs, etc. (e.g. ``Picard'', ``NCC1701D'', ``Sparky'').
  • Avoid simple variants or permutations of any of the above (e.g. S's replaced by 5's, E's replaced by 3's, O's replaced by 0's, your name backwards, your login name repeated or backwards).
  • DO NOT share your password or write it down anywhere accessible. System Administrators can give you a new temporary password if you forget it. You must change this immediately, using the Unix passwd program.
  • Always use encrypted connections when sending the passwords of your securable Duke accounts (or personal financial accounts) over the Internet (i.e., use SSH (Secure Shell), SSL (Secure Sockets Layer) or the proprietary encryption provided by vendors such as Timbuktu).
  • Use a password different from the one you use for your Duke accounts and financial information when you must connect without encryption (e.g., Blackboard's CourseInfo or the Meeting Maker calendaring product) or to an untrusted account (such as a vendor on the Web).
  • Change your password immediately if you think it may no longer be secret (e.g., if you have sent it over an unencrypted connection).
  • DO NOT check the "Remember my password" box in any application. If your computer is stolen or re-assigned without being reformatted, the new user will be able to assume your identity and gain access to your resources.
  • Users who have accounts at other sites should use a unique password for each site, in order to contain the damage done if one of the sites is broken into and its passwords are compromised.
  • Do not use any of the example passwords shown in this document!
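
As an added example (not part of Duke's page or its tools), the Python script below turns the rules above into a checker that a help desk or a `passwd` wrapper could run before accepting a new password: minimum length, a mixture of character classes, dictionary words and their reversed or digit-substituted variants, the login name, and known personal data. The word list is a small constructed stand-in for a system dictionary, the three-of-four character-class threshold and the extra `@`/`$` substitutions are this example's own assumptions, and the eight-character cut-off reflects the page's statement that later characters are ignored (the behaviour of traditional Unix crypt(3)).

```python
"""Password-guideline checker built from the rules on this page (added example)."""
import string

# Constructed stand-in for a system dictionary such as /usr/share/dict/words.
# The page forbids dictionary words, including obscure ones, names, slang and
# foreign words, so a real deployment would load the full word list here.
WORDLIST = {
    "vorticity", "encomia", "mervin", "sayonara", "reboot", "keohane",
    "picard", "sparky", "password", "sparc", "lamb", "trek",
}

# Undo the "simple variants" the page warns about (5 for S, 3 for E, 0 for O),
# plus two common extras (@ for A, $ for S) that are an assumption of this example.
LEET = str.maketrans({"5": "s", "3": "e", "0": "o", "@": "a", "$": "s"})

SIGNIFICANT = 8  # the page states that characters beyond the eighth are ignored
MIN_LENGTH = 6   # the page's minimum; seven or eight is preferred
MIN_CLASSES = 3  # assumption: at least three of upper/lower/digit/punctuation


def normalize(text: str) -> str:
    """Lower-case and reverse digit/symbol substitutions so '5parky' matches 'sparky'."""
    return text.lower().translate(LEET)


def letters_only(text: str) -> str:
    """Keep only letters, so punctuation and digits do not hide an embedded word."""
    return "".join(c for c in text if c.isalpha())


def check_password(candidate: str, login: str = "", personal: tuple = ()) -> dict:
    """Return {'ok': bool, 'problems': [...], 'notes': [...]} for one candidate.

    `login` is the account name; `personal` holds strings the caller knows about
    the user (names of pets or relatives, dates, ID fragments) that must not appear.
    """
    problems, notes = [], []
    if len(candidate) > SIGNIFICANT:
        notes.append(f"only the first {SIGNIFICANT} characters are significant")
    pw = candidate[:SIGNIFICANT]

    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    classes = sum([
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])
    if classes < MIN_CLASSES:
        problems.append("needs a mixture of upper case, lower case, digits and punctuation")

    norm = normalize(pw)
    core = letters_only(norm)
    # Whole word, reversed word, or a longer word embedded anywhere after normalisation.
    if core in WORDLIST or core[::-1] in WORDLIST:
        problems.append("is a dictionary word or a simple variant of one")
    elif any(len(w) >= 5 and (w in norm or w[::-1] in norm) for w in WORDLIST):
        problems.append("contains a dictionary word or a simple variant of one")

    # Login name repeated, reversed or with substitutions.
    if login:
        lg = normalize(login)
        if lg in norm or lg[::-1] in norm:
            problems.append("derived from the login name")

    # Personal data the page says to avoid.
    for item in personal:
        it = normalize(str(item))
        if len(it) >= 3 and (it in norm or it[::-1] in norm):
            problems.append(f"contains personal data ({item})")
            break

    return {"ok": not problems, "problems": problems, "notes": notes}


if __name__ == "__main__":
    # Candidates taken from the page's own good and bad examples.
    for pw in ("lap5Dog%", "5Mhall!", "BIG3pig!!", "Sparky", "5parky!", "NCC1701D"):
        print(pw, check_password(pw, login="mervin", personal=("Picard", "NCC1701D")))
```

The checker evaluates only the first eight characters because that is all the page says the system keeps; if a longer password is entered it records that as a note rather than a rejection, which is why ``BIG3pig!!'' still passes.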

If you need help changing your password, contact your departmental systems administrator or write to help@aas.duke.edu.

Questions? Suggestions? Let us know at security@aas.duke.edu
