General rules on passwords and do’s and don’ts for choosing passwords
Reviewed by John Sopko 6/17/2014
This page provides some general rules on passwords, some suggestions for choosing passwords, information on department and campus password standards, and notes on your responsibilities with regard to passwords on laptops, home systems, Macs, and personally administered systems.
General rules on passwords
Your account password is the key to accessing and modifying all of your files. If another user discovers your password, he or she can delete all your files, modify important data, read your private correspondence, and send mail out in your name. You can lose much time and effort recovering from such an attack. If you practice the following suggestions, you can minimize the risk.
- NEVER give another user your password. Doing so is a violation of campus and department security policies. You can change permissions and have groups set up if you need to share access with others.
- Never write down your password. If you feel you must write it down to remember it, then keep the password in a safe place, like in your wallet. Another person can read it from your blotter, calendar, etc. as easily as you can.
- Never use passwords that can be guessed, either from personal information about you (birth date, etc.) or from an on-line dictionary. As computers become more powerful, it is possible to run programs that try to crack your password. The intruder compiles a set of words (such as those in the UNIX dictionary) and tries each one on each account on the machine. A person with local knowledge can also try your spouse’s name, pets’ names, etc. Your account is vulnerable to this type of cracking unless you choose your password carefully.
- Change your password regularly. For this you use https://www/cs.unc.edu/webpass/. You can do this from anywhere, and it will change your password on all UNC Computer Science systems.
- Vary the system by which you choose a password. For example, don’t repeatedly use combination’s like BLUEgreen and REDyellow. If an intruder discovers your pattern, he or she can guess future passwords. See below for an example of a good choosing algorithm.
- Don’t use the same password on machines outside this department. This way if your password is compromised it can not be used for other purposes.
Choosing a password – do’s and don’ts
Beyond the restrictions imposed by the department’s webpass program, there are some do’s and don’ts for choosing passwords that will help you to have a safer password, i.e., one that is less likely to be guessed by a hacker.
One school of thought says that just using a passphrase, i.e., a long password of, say, 20 characters, is sufficient for security, even if it consists of dictionary words separated by spaces, with a couple of required special characters thrown in. Don’t use an intact common phrase for this. In general the longer passwords are better then short ones.
If you want to use a shorter password, then follow the guidelines below to make a good, safe, password.
- Do not use abbreviations of common phrases or acronyms, e.g. asits9 (a stitch in time saves nine), wysiwyg (what you see is what you get), or tanstaafl (there ain’t no such thing as a free lunch).
- Do not use common literary names such as Baggins, Popeye, etc.
- Do not use any password containing your login ID spelled backwards.
- Do not use any password containing one of your names or initials, or any combination thereof.
- Do not use any password involving personal data, such as your address, maiden name, relatives’ names (e.g. spouse and children first names), pets’ names, hobbies, favorite sports teams, etc. Be sure your password cannot be guessed from your .plan file, or from the Department communication list.
- Do not use any password consisting of sequences such as “abcdef”.
- Do not use any password consisting of consecutive keys such as “qwerty”.
- Do not use any password consisting of repeated sequences.
- Do not use any password given to you when your account was set up.
- Listed below are some suggestions for choosing a good password. The best passwords combine several of these suggestions.
- Use upper and lower case characters, digits and infrequently used characters such as _ and ^.
- Create an acronym from an uncommon phrase (e.g. “After that time, I never slept late.” could become “Att,Insl”).
- Drop letters from a familiar phrase (e.g. “drop-add period” could become “drp-adpD”).
- Punctuate a short phrase (e.g. “I’m fine” becomes “[I]mfinE”).
- Mix upper and lower case, as well as numbers, e.g. “nanosecond” “naN02nd” [That’s a zero] “Piano Tuner” “piaN02nr” [That’s a zero]
- Use homonyms or deliberate misspellings, e.g., instead of “Choo-choo Train” use “22.twaan”; or instead of “finalize” use “vnylEyes”.
- Mix up two or more separate words.
The important thing to remember when you do this is to make sure that none of the pieces go together to form a word or number that can be looked up in a dictionary. By using words and digits that are familiar to you, but breaking them up into non-meaningful pieces you can produce a more memorable password.
For information on specific restrictions on computer science passwords, see the Computer Science webpass help page.
Department standards for strong passwords are given at http://www.cs.unc.edu/cms/help/help-articles/webpass. Campus standards are the same, except the department requires at least a 12-character password that you change every 12 months. (Just think “twelve and twelve”.) Campus passwords must be at least eight characters, and must be changed every 90 days. Research shows the department’s standard is more secure.
Passwords on laptops, home systems, Macs, and personally administered systems
One of the biggest uses of local accounts is for laptops and home systems, because logins to the Department’s Active Directory domain tend to be slow and subject to timeouts when off-campus. Using local accounts for yourself or members of your household on these systems is fine. Just keep in mind that you are responsible for complying with department or campus requirements for password complexity and expiration (above).
Practically all department Macs are currently not controlled by the department’s password system. In addition, there are a number of computers in the department whose operating system was installed by someone not on the Computer Services staff. As with the laptops and home systems, the users are responsible for complying with department or campus requirements for password complexity and expiration.
More generally, anyone connecting to the University network is responsible for complying with campus password rules for all the accounts on their computers. This includes, for example, faculty, staff, and students with Windows machines that are not on the department’s Active Directory domain. It also includes any faculty, staff, or students using a personally administered system to access the University network, whether the computer belongs to the department or not. If you are on a department-administered system using a department account, you don’t need to worry about the password rules, because Computer Services enforces them (though you should still put some thought into choosing a good one). If you administer the machine, or you have set up a local account for any purpose, you are responsible for making sure your passwords are good and that you change them at the required intervals.