Camden Computing Services

S50-1037_password.html (kerberos password) (06/23/00)

Choosing a Secure Password You Can Remember

CS Information Document Sun/Unix (updated 10/19/04)


This document gives hints for selecting a password that is easy for you to remember but hard for anyone else to guess.

Introduction

Rutgers University runs a program that rejects a new password it considers too common or too easy to guess. Its purpose is to make you choose a password that cannot be guessed by someone who means to do you, or your computer files, harm. Here's why.

Crackers at Work

Today's computer intruder, a cracker, uses systematic rather than random methods to break into accounts. One of the most common is to try passwords that are somehow related to you, the owner of the account. Rather than trying random characters, a cracker may begin by trying your username, your initials, your spouse's name, the characters on your car's license plate, or some word that people who know you well would associate with you, such as your favorite ice cream flavor. If the computer system publishes information about you that the cracker can see (your telephone number, your address, or your amateur radio call letters, for instance in your finger entry), he will test those items to see whether you are using any of them as your password. The other common method is a dictionary attack: a methodical search through every word in a dictionary, plus simple variations such as a word spelled backward or with a digit appended.

Foiling the Cracker

Any intelligent password-setting program, including ours at Rutgers, tries to keep you, the owner, from setting your password to any of these frequently used pieces of information. Our program will not let you choose, as a password, anything that contains any 4 consecutive characters from your name or your IID (your initials). It also rejects any fragment of 4 or more characters found in the system files known to contain personal information about you (your finger entry and files such as your .plan). And it checks for these things spelled both forward and backward. (The specific guidelines are listed in the Rules section below.)

Selecting a Password

So how do you select a password that (a) you can easily remember, (b) will pass these checks, and (c) you won't need to write down on paper? The answer is quite simple: develop a scheme by which you generate non-word passwords. Choosing a dictionary word is just one way to pick a password, but because it is the way most computer users pick one, it is also the first method a cracker will use against your account. Once you have developed an alternative method of generating passwords, your own private password generation scheme, you can always reproduce your existing password and produce new ones whenever you decide, or need, to change it.

Rules

An acceptable password adheres to the following guidelines:
  • A password must contain at least 6 characters and not more than 8 characters. (Use all 8 where you can; a longer password of the same kind is harder to guess.)
  • A password must include characters from at least 3 character classes.
    • (The classes are upper-case letters, lower-case letters, numerals, punctuation, and special characters.)
  • A password must not match any of your 5 previous passwords.
  • A password must not contain any 4 consecutive characters from your IID (initials) or your finger entry, or from the contents of your .plan, .project, .forward, .qmail, or .signature files, spelled either forward or backward.
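The rules above expressed as a checker, as an added example in Python. This is not the Rutgers password program (its source is not on this page); the length, class-count, history and fragment thresholds are taken from the rules as listed, while the boundary between "punctuation" and "special" characters, the case-insensitive fragment matching, and the small stand-in list of common words used to illustrate the "too common" check are assumptions of this example. The sample user data is constructed. Run as a script, it grades the three example passwords from the Suggestions section below, which pass, and several that fail for different reasons.

```python
"""Password-rule checker modelled on the rules listed on this page.

Added example, not Rutgers' own program. Thresholds follow the page;
class boundaries, case-insensitive fragment matching and COMMON_WORDS
are assumptions of this example.
"""
import string

MIN_LEN, MAX_LEN = 6, 8    # page: at least 6, not more than 8 characters
MIN_CLASSES = 3            # page: at least 3 character classes
HISTORY_DEPTH = 5          # page: must not match the 5 previous passwords
FRAGMENT_LEN = 4           # page: no 4 consecutive characters of personal data

# Assumption: a tiny stand-in for the "too common" list the page refers to.
COMMON_WORDS = {"password", "pass", "secret", "login", "welcome",
                "letmein", "qwerty", "admin", "rutgers", "camden"}


def char_classes(pw):
    """Set of character classes present in pw. Assumption: ASCII
    punctuation is the 'punctuation' class; any other non-alphanumeric
    character (space, non-ASCII) counts as 'special'."""
    classes = set()
    for ch in pw:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("numeric")
        elif ch in string.punctuation:
            classes.add("punctuation")
        else:
            classes.add("special")
    return classes


def personal_fragments(sources, n=FRAGMENT_LEN):
    """Every run of n consecutive characters from the personal-data strings
    (initials, finger entry, .plan, .project, ...), lower-cased, together
    with its reverse, because the page says both spellings are checked."""
    frags = set()
    for text in sources:
        text = text.lower()
        for i in range(len(text) - n + 1):
            frag = text[i:i + n]
            frags.add(frag)
            frags.add(frag[::-1])
    return frags


def check_password(candidate, previous=(), personal=()):
    """Return the list of rules the candidate breaks; [] means acceptable.
    `previous` is the password history, oldest first."""
    problems = []
    if not MIN_LEN <= len(candidate) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN}, got {len(candidate)}")
    classes = char_classes(candidate)
    if len(classes) < MIN_CLASSES:
        problems.append(f"needs {MIN_CLASSES} character classes, has {len(classes)}")
    # Only the most recent HISTORY_DEPTH entries count.
    if candidate in list(previous)[-HISTORY_DEPTH:]:
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    lowered = candidate.lower()
    hits = sorted(f for f in personal_fragments(personal) if f in lowered)
    if hits:
        problems.append(f"contains personal-data fragment(s) {hits}")
    # Dictionary check: strip digits/punctuation so "Pass1234" is still "pass".
    letters = "".join(ch for ch in lowered if ch.isalpha())
    if lowered in COMMON_WORDS or letters in COMMON_WORDS:
        problems.append("built on a common word a dictionary attack would try")
    return problems


if __name__ == "__main__":
    # Constructed data for a fictional user; not a real account or finger entry.
    personal = ["pqe", "Pat Q. Example", "Teaching CS 101 this fall"]
    history = ["Zero0!!", "One1!!a", "Two2!!b", "Three3!", "Four4!!", "Five5!!"]
    for pw in ["IPA95ttf", "01*twm26", "EB925tb",   # the page's own examples
               "example", "Pass1234", "Elpm4xe!", "Five5!!", "Zero0!!"]:
        print(f"{pw:10} {check_password(pw, history, personal) or 'OK'}")
```

Note what the rules do and do not catch: "Pass1234" satisfies length and the three-class rule and is rejected only by the dictionary check, and "Elpm4xe!" is rejected because it contains "mple" from the user's name spelled backward. Rules like these are necessary, not sufficient; they reject the obvious guesses, and the generation scheme described next is what makes the rest of the password hard to guess.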

Suggestions for Password Creation

In general, build on things you have known (or should know!) for years. Trying to remember the initial letters of your favorite song is difficult if your favorite song changes every week. Using your current license plate number is a bad idea, since anyone who knows what car you drive can note the number and try it as your password.

The suggestions that follow combine letters (upper and lower case), numerals, punctuation, and special characters, so that each result satisfies the three-class rule above.

  • Use the initial letters of an easily remembered phrase, interspersed with numbers. For example, IPA95ttf ("I pledge allegiance to the flag", with a graduation year in the middle). Mix capital letters with lower case; the capitals, the lower-case letters and the digits are the three classes.

  • Combine the initials of someone you know well (not your own) with a date associated with that person (birthday, anniversary, etc.), and include a special character or punctuation mark. Begin the password with the month (numeric), then a special character or punctuation mark, then the initials, and end with the day or year. For example, 01*twm26.

  • Combine the initials of your parents or a sibling with a wedding or other anniversary. Use upper case for one set of initials and lower case for the other. For example, EB925tb. (This is also a good way to remember the date!)

Choosing a password-generating scheme is really no more difficult, and takes no more time, than choosing a single new password. Once you have settled on a scheme, choosing a new password from time to time is a snap. Two cautions: do not use the example passwords printed on this page, since any password that appears in a document ends up in crackers' word lists; and keep the inputs to your scheme (the phrase, the person, the date) to yourself, because a scheme built on facts a cracker can look up is no better than the facts themselves. Give it a try!

What if I forget?

What if you develop a scheme and forget the password anyway? At the Camden Campus, you may bring your validated ID or term bill receipt to the Campus Center Computing Lab (Lower Level) between 9am and 5pm, Monday through Friday, during the academic year, or to the Business & Science building lab, Room 109, at any time the lab is open (seven days per week during the academic year and six days per week during the Summer Sessions). On the rare occasion when no one is available to change your password immediately, a photocopy of your ID may be left with the staff on duty in an envelope; the password will be changed and left in the envelope for you to pick up the following day.

One Final Caution

Even though some crackers will try to break into your account by electronic means, the most common security problem is the user who talks about (or even shares) his or her password, which makes it very easy for someone else to enter the account without authorization. So don't share your password, and don't describe your really neat password scheme to anyone. It's your account and your data. Protect it!

Questions/comments regarding Camden Computing Services or this web site
can be directed to: help@camden.rutgers.edu.
Last updated: October 12, 2005, 15:16 EDT.

© 2005-2008 Rutgers, The State University of New Jersey. All rights reserved.