
December 9, 1994
Appendix C - Password Management
Information handled by computer systems must be adequately protected against unauthorized modification, disclosure, or destruction. Effective controls for logical access to information resources minimize inadvertent employee error and negligence, and reduce opportunities for computer crime. Each user of a mission-critical automated system is assigned a unique personal identifier for user identification. User identification is authenticated before the system may grant access to automated information.
Password Selection
Passwords are used to authenticate a user's identity and to establish accountability. A password that is easily guessed is a bad password which compromises security and accountability of actions taken by the logonid which represents the user's identity.
Today, computer crackers are extremely sophisticated. Instead of typing each password by hand, crackers use personal computers to make phone calls to try the passwords, automatically re-dialing when they become disconnected. Instead of trying every combination of letters, starting with AAAAAA (or whatever), crackers use hit lists of common passwords such as WIZARD or DEMO. Even a modest home computer with a good password guessing program can try thousands of passwords in less than a day's time. Some hit lists used by crackers contain several hundred thousand words. Therefore, any password that anybody might guess to be a password is a bad choice.
What are popular passwords? Your name, your spouse's name, or your parents' names. Other bad passwords are these names spelled backwards or followed by a single digit. Short passwords are also bad, because there are fewer of them; they are more easily guessed. Especially bad are "magic words" from computer games, such as XYZZY. Other bad choices include phone numbers, characters from favorite movies or books, local landmark names, favorite drinks, or famous people.
Some rules for choosing a good password are:
- Use both uppercase and lowercase letters if the computer system considers an uppercase letter to be different from a lowercase letter when the password is entered.
- Include digits and punctuation characters as well as letters.
- Choose something easily remembered so it doesn't have to be written down.
- Use at least 8 characters. Password security is improved slightly by having long passwords.
- Choose something that is easy to type quickly, so someone cannot follow what was typed by watching the keyboard.
- Use two short words and combine them with a special character or a number, like ROBOT4ME or EYE-CON.
- Put together an acronym that has special meaning to you, like NOTFSW (None Of This Fancy Stuff Works) or AVPEGCAN (All VAX Programmers Eat Green Cheese At Night).
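The rules above can be checked mechanically at password-change time. The following Python checker is an added example, not part of the original appendix or of Practical UNIX Security. The hit list and the personal names it uses are small constructed stand-ins for the cracker word lists and user details the text describes, and the case_sensitive flag is an assumption representing whether the system distinguishes uppercase from lowercase letters.

```python
"""Password-selection checker for the rules listed in this appendix.

Added example, not from the original appendix or from Practical UNIX Security.
Assumption: a small constructed hit list and a constructed set of personal
names stand in for the cracker word lists and user details the text describes.
"""
import string

# Constructed stand-in for a cracker "hit list" of common passwords.
COMMON_PASSWORDS = {"wizard", "demo", "password", "secret", "xyzzy", "login"}

# Constructed stand-in for names the text says to avoid (the user's own,
# the spouse's and the parents' names), as a site would load per user.
PERSONAL_NAMES = {"alice", "robert", "margaret", "henry"}

MIN_LENGTH = 8


def derived_from_name(password: str, names) -> bool:
    """True if the password is a listed name, that name spelled backwards,
    or either form followed by a single digit (the bad patterns the text names)."""
    lowered = password.lower()
    candidates = set()
    for name in names:
        n = name.lower()
        candidates.update({n, n[::-1]})
    # Strip one trailing digit so "alice1" is caught as well as "alice".
    base = lowered[:-1] if lowered[-1:].isdigit() else lowered
    return lowered in candidates or base in candidates


def check_password(password: str, case_sensitive: bool = True,
                   hit_list=COMMON_PASSWORDS, names=PERSONAL_NAMES) -> list:
    """Return a list of rule violations; an empty list means the password
    satisfies every rule stated in the appendix."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Mixed case only helps where the system tells upper from lower apart.
    if case_sensitive and not (
        any(c.isupper() for c in password) and any(c.islower() for c in password)
    ):
        problems.append("does not mix uppercase and lowercase letters")
    if not any(c.isdigit() or c in string.punctuation for c in password):
        problems.append("contains no digits or punctuation")
    if password.lower() in hit_list:
        problems.append("appears on the common-password hit list")
    if derived_from_name(password, names):
        problems.append("is a personal name, reversed or with a digit appended")
    return problems


if __name__ == "__main__":
    for candidate in ["WIZARD", "Alice1", "ecila", "Robot4Me!", "Eye-Con22"]:
        verdict = check_password(candidate) or ["acceptable"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

The checker reports every violated rule rather than stopping at the first, so a user changing a password sees all the reasons at once; the site-specific pieces (the hit list, the names, the case-sensitivity flag) are parameters so the same logic can run against a full dictionary and real account details.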
Password Handling
A standard admonishment is "never write down a password." You should not write your password on your desk calendar, on a Post-It label attached to your computer terminal, or on the pull-out drawer of your desk.
A password you memorize is more secure than the same password written down, simply because there is less opportunity for other people to learn a memorized password. But a password that must be written down in order to be remembered is quite likely a password that is not going to be guessed easily. If you write a password in your wallet, the chances of somebody who steals your wallet using the password to break into your computer account are remote.
If you must write down a password, follow a few precautions:
- Do not identify the password as being a password.
- Do not include the name of the account or the phone number of the computer on the same piece of paper.
- Do not attach the password to a terminal, keyboard, or any part of a computer.
- Mix in some "noise" characters or scramble the written version of the password in a way that you remember, but make the written version different from the real password.
- Never record a password on-line and never send a password to another person via electronic mail.
This information on passwords was adapted from the book Practical UNIX Security by Simson Garfinkel and Gene Spafford.