Password Tips & Security
Why are passwords important?
Believe it or not, there are lots of people out in the world who try to guess or "crack" passwords in order to snoop around. We have an obligation to protect information stored on our computer systems from unauthorized access. The kind of access people have to computers in public institutions like NYU provides many opportunities for password cracking. Creating "good" passwords and keeping them private are important elements of computer security. This means choosing "good" passwords that are difficult or impossible to guess or discover, even by individuals who, with mischievous or criminal intent, try to guess or "crack" passwords in order to gain access to computer accounts or systems.
How can I create a good password?
When activating your NetID and setting or changing your password, please take into account the following password guidelines:
1. Passwords must be 6 or more characters in length.
2. Passwords must consist of letters (a-z and/or A-Z) AND at least one number (0-9) AND at least one special character: !@#$%^&*()_-+=[]|\; "~',<>./?
3. The alphabetic portion of a password, taken as a whole, may not be a dictionary word, a proper name, or a person's initials.
4. You may not reuse a password that you've previously used with NYUHome.
Examples of Good Passwords
1. You can use a phrase to generate a password:
o Take the phrase "I Love To Eat Hotdogs Everyday".
o Use the first letters: iltehe
o Apply capitalization and substitute punctuation/numbers for letters: Il2e!E
2. You can also use a common word as a seed for a password:
o By itself, "hotdog" makes a horrible password, but if you apply some of the tricks above (capitalization, punctuation, and misspellings) the result is a much better password: H0t!daWg.
o You can also use a word but substitute numbers for some of the letters, and insert a special character in a way that you'll remember. For example, by replacing the vowels with the number 7 in the word "Spiderman," then inserting a slash between the syllables, the password could be "Sp7d7r/m7n".
Know what makes for a bad password.
Because the attacks described above are becoming increasingly common, you don't want to use anything in your password that's personal and easy to guess. Keep in mind the following don'ts:
• Don't use only letters or only numbers.
• Don't use names of spouses, children, girlfriends/boyfriends or pets.
• Don't use phone numbers, Social Security numbers or birthdates.
• Don't use the same word as your log-in, or any variation of it.
• Don't use any word that can be found in the dictionary — even foreign words.
• Don't use passwords with double letters or numbers.
Valid Passwords
These are the requirements for a valid password:
1. A password must contain at least six characters. Only the first eight are used, so there isn't any point to having a longer password.
2. It must contain at least two alphabetic characters (lower or upper case) and one numeric or "special" character.
3. It cannot be your login name or any "scrambled" combination of it.
4. A valid password may not contain any of the following "special characters": a pound sign ("#"), an at ("@") symbol, a pipe ("|") or a wildcard ("*" or "?") character.
5. Finally, it must differ from your old password by at least three characters.
Change your password often — as in several times a year.
Your network administrator can force your employees to change their passwords every so often. By default, passwords are set to expire every 42 days in Windows Server 2003. Microsoft recommends having users change their passwords every 30 to 90 days, but encourages you to go with the smaller number. I think 30 days is a reasonable number here. You always want to side with caution when it comes to sensitive information.
What should I avoid when creating a password?
· Do not use your user name, first name, or last name.
Your name and user name are stored in the password file and many cracking programs use this information to generate possible password combinations.
· Do not use anyone's first name or last name.
Many password-cracking programs have large name databases and can easily guess passwords based on names. Names of friends, relatives, fictional characters, etc. are commonly associated with an individual and do not make good passwords.
· Passwords that use patterns on the keyboard (i.e., qwerty) are not secure.
Although such passwords are easily typed, they are also easily guessed.
· Words spelled backwards don't make secure passwords.
Most cracking programs try both the forward and backward representation of words in their databases, and therefore passwords of such nature are not secure.
· Substituting 1's and 0's for l's and o's is not enough to make a good password.
Password cracking programs have rule sets designed to break passwords that substitute numbers for letters they resemble. Similarly, passwords such as 2Good4U, although cute, are not really secure either.
· Do not simply use a word followed or preceded by a number as a password. A common password-guessing algorithm adds numbers to the front or back of a dictionary word; passwords of this form are therefore easily cracked. Non-alphabetic characters should be used throughout the password.
· Do not use dictionary, or dictionary-based words as passwords.
Password cracking programs have large dictionaries that they use to guess passwords. Cracking programs also have large FOREIGN LANGUAGE dictionaries; therefore, the practice of using foreign words as passwords is INSECURE.
· Your password should NOT be all numbers, uppercase letters or lowercase letters, nor should it have repeating characters.
· Never use a password that has been cited as an example of how to pick a good password.
Password & Account Security
Can I tell others what my password is?
No. Don't tell anyone your password, not even if they claim to be a system administrator. Sharing passwords is a violation of NYU policy. There are good reasons you should not share your password. If someone to whom you had provided your password were to use your account in an inappropriate manner, you could be held responsible for their actions.
Why can't I share my NetID and password with a trusted colleague?
Letting another person use your NetID, no matter how much you trust that person, violates data security. Each NetID is assigned to a specific individual who must accept full responsibility for any work done on that NetID. Each of your colleagues must use his or her own NetID, or apply for one. Note: If you are involved in the hiring of new staff, you should request a NetID ahead of time so that it will be ready for use when needed.
To ensure that your office has access to your files and data for business continuity purposes, your department can use a shared file server, or have a departmental IT staff member set up an alternate account on your computer.
Is it safe to send my login/password through email?
No. You should never include your password in an email message. There are programs out there that have the ability to spy on traffic sent over the internet. If you send out a message with your password in it, there is a possibility that it could be intercepted and then your account would be compromised.
Besides, you're not supposed to be sharing it with anyone anyway, so the need to send it through email would never arise, right?