Registration, Passwords, and De-registration
Password Guidance
What makes a good password?
A good password should contain 8 characters or more, with at least three, preferably all, of the following:
- An uppercase letter,
- A lowercase letter,
- A number,
- A non-alphanumeric character (for example a punctuation mark or a character from another language set).
From August 23rd 2006, when you change your normal University (Active Directory) password, you will need to select one that meets all of the following criteria:
- it is at least 8 characters in length,
- it has not been used as any of your previous 24 passwords,
- the password has not already been changed within the last day (a minimum password age of one day),
- it does not contain your username or full name,
- it contains at least three of the following four character groups:
  - an uppercase letter (A - Z),
  - a lowercase letter (a - z),
  - a number (0 - 9),
  - a non-alphanumeric character (e.g. !, $, #, %).
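The criteria above are easier to reason about as a check that can be run against a candidate password. The following is an added example, not IT Services' own code or the directory's implementation: it applies the length, minimum-age, name, character-group and history rules to a constructed account. The `Account` record, the `check_password` helper and the PBKDF2 hashing of the history are this example's own choices; the one point worth copying is that the previous 24 passwords are stored as salted hashes, never as plaintext.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import re
import time
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Limits taken from the policy above; the constant names are this example's own.
MIN_LENGTH = 8
HISTORY_DEPTH = 24
MIN_AGE_SECONDS = 24 * 60 * 60
PBKDF2_ROUNDS = 20_000  # kept low so the example runs quickly; use far more in practice

# "Non-alphanumeric" deliberately includes characters from other language sets,
# as the guidance above describes.
CHARACTER_GROUPS = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    """Constructed stand-in for the directory's record of one user (hypothetical)."""
    username: str
    full_name: str
    # Previous passwords are kept only as (salt, hash) pairs, newest first, so the
    # history itself never becomes a list of reusable plaintext passwords.
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)
    last_changed: float = 0.0

    def remember(self, password: str, when: float) -> None:
        """Record a successful change: push the new hash, trim to the history depth."""
        salt = os.urandom(16)
        self.history.insert(0, (salt, _digest(password, salt)))
        del self.history[HISTORY_DEPTH:]
        self.last_changed = when


def check_password(candidate: str, account: Account, now: Optional[float] = None) -> List[str]:
    """Return the policy rules the candidate breaks; an empty list means it is acceptable."""
    now = time.time() if now is None else now
    failures: List[str] = []

    if len(candidate) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")

    if now - account.last_changed < MIN_AGE_SECONDS:
        failures.append("password already changed within the last day")

    # "does not contain your username or full name": compare case-insensitively
    # against the account name and each word of the full name, ignoring parts
    # shorter than three characters so that an initial does not match everything.
    lowered = candidate.lower()
    for part in [account.username, *account.full_name.split()]:
        if len(part) >= 3 and part.lower() in lowered:
            failures.append(f"contains name part {part!r}")

    present = [name for name, rx in CHARACTER_GROUPS.items() if rx.search(candidate)]
    if len(present) < 3:
        failures.append(f"only {len(present)} of 4 character groups ({', '.join(present) or 'none'})")

    # Re-derive the hash under each stored salt and compare in constant time.
    for salt, stored in account.history:
        if hmac.compare_digest(_digest(candidate, salt), stored):
            failures.append(f"reused one of the previous {HISTORY_DEPTH} passwords")
            break

    return failures


if __name__ == "__main__":
    acct = Account("jsmith", "John Smith")      # constructed account
    acct.remember("OldPass#2005", when=0.0)       # constructed earlier password
    ten_days_later = 10 * MIN_AGE_SECONDS
    for pw in ["1XdKk@$pDd:", "september2005", "JohnSmith99!", "OldPass#2005"]:
        print(f"{pw!r:18} {check_password(pw, acct, now=ten_days_later) or 'OK'}")
```

Running the block prints one line per constructed candidate: the mnemonic password from later on this page passes, while the all-lowercase date, the password built from the user's own name, and the re-used old password each fail the rule you would expect.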
Why are passwords so important?
They are the first line of defence against attacks on your computer. If someone has or can guess your password, it gives them access to all your files and, potentially, all the files of other users of the same services. By choosing a good password you help to protect not just your own files but those of all other users. Someone who tries to break into computer systems by cracking passwords is often called a cracker. If a cracker cannot log in, most of the avenues for attacking your system are closed to them.
If a cracker can, by some means, read your stored passwords (for example by copying the file or database of password hashes), it is vital that they are not able to break any of them. If they can, then they are able to:
- log on to your system as you, and then
- become "super-user" or a system administrator via an operating system hole (privilege escalation).
Other elements of good practice can be summarised as:
- Don't use your login name in any form (as-is, reversed, capitalised, doubled, etc.).
- Don't use your first, middle or last name in any form, or your initials or nicknames; or anyone else's.
- Don't use your spouse's, child's or pet's name.
- Don't use other information easily obtained about you. This includes licence numbers, telephone numbers, social security numbers, the make of your car, the name of the road you live on, the name of your favourite band or sports team, etc. Someone who knows you can very easily guess such passwords.
- Don't use a password of all digits, or of letters all in the same case. This greatly reduces the number of combinations a cracker has to try.
- Don't use a word contained in any dictionary, in any language, spelling list, or any other list of words or abbreviations.
- Don't use a password with fewer than eight characters.
- Don't use dates such as September, SEPT2005 or any similar combination.
- Don't use keyboard sequences, e.g. qwerty.
- Don't use a sample password, no matter how good, that you have obtained from a book or web site that discusses information and computer security: published examples end up in crackers' wordlists.
- Don't write a password on a post-it note, desk blotter or calendar, or store it online, or anywhere others can access it.
- Don't reveal a password to anyone, except a trusted member of IT staff.
- Don't use any of the above otherwise disguised, e.g. with "0" (zero) for "o", "1" (one) for "I" and so on.
- Do use a password with mixed-case alphabetic characters.
- Do use a password with non-alphabetic characters, such as digits or punctuation.
- Do mix up numbers, letters and non-alphanumeric characters.
- Do use a seemingly random selection of letters, numbers and non-alphanumeric characters.
- Do use a password that is easy to remember, so you don't have to write it down.
- Do use a password that you can type quickly, without having to look at the keyboard. This makes it harder for someone to steal your password by watching over your shoulder ("shoulder surfing").
- Note: please remember to take account of the variations between keyboards. For example, on a Macintosh the '#' (hash) character requires three keystrokes.
- In addition, you should not use a dictionary word followed by just numbers or punctuation. Cracking tools try exactly this pattern (every word in their list with every short suffix) as a matter of routine, so it adds almost nothing to the time needed to crack the password.
- Substituting look-alike characters in a dictionary word (e.g. replacing 'a' with '@' or 'B' with '8') will not slow down a password cracking attempt and should be avoided: the same substitutions are applied automatically to every word in the cracker's list. Such substitutions only add anything when the starting point is not a dictionary word, as in the method below.
- The use of '&' should also be avoided, along with the use of '#' on Apple Macintosh machines (where it requires three keystrokes).
Methods for choosing secure, easy to remember passwords
Choose a line or two from a song or poem, and use the first letter of each word
For example, taking the first two lines from the well known poem Kubla Khan, by Samuel Taylor Coleridge:
"In Xanadu did Kubla Khan
A stately pleasure dome decree:"
could give the password "IXdKkaspDd:" (capital I, capital X, lower d, capital K, lower k, lower a, lower s, lower p, capital D, lower d, colon):
- it uses the first letter of each word;
- it retains the ":" (colon) at the end of the second line;
- it changes the case of the repeated letters, so that one is upper case and the other lower case.
If we then replace the "s" with a "$" (dollar sign), the "a" with an "@" (at sign), and the "I" with a "1" (one), we get "1XdKk@$pDd:" (one, capital X, lower d, capital K, lower k, at-sign, dollar-sign, lower p, capital D, lower d, colon).
Some Other Examples, following the same method
| Password | Phrase |
| --- | --- |
| N>kFfmp,D | No more Krazy Frog for me please, Darling |
| LB@tgB1tw | Led Bib are the greatest band in the world |
| 8JSianG,y | But John Sergeant is a nice guy, yes |
| 1dkA@5aA | I don't know anything about soaps at all |
| DW1@Qwp,D | Dr Who is a quite wonderful program, Davros |
| H0Ew1l,wDH | How on EARTH will I live, without Desperate Housewives |
These show the pattern only: now that they are published here they count as sample passwords and should not be used themselves.
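The method above can be written down as a repeatable procedure, which is useful for seeing exactly which steps do the work. The following is an added example, not IT Services' own tool: it takes the first letter of each word, keeps trailing punctuation, flips the case of a letter each time it recurs, and finally applies the three substitutions from the worked example (made case-insensitive, so the poem's capital "I" becomes "1"). The function names are this example's own. On the Kubla Khan lines it keeps the poem's capital "A" where the text lowers it by hand, so its intermediate result is "IXdKkAspDd:", but after substitution it produces exactly the page's final password "1XdKk@$pDd:".

```python
import string
from typing import Dict

# The substitutions the worked example applies, looked up case-insensitively.
SUBSTITUTIONS: Dict[str, str] = {"a": "@", "s": "$", "i": "1"}

# The two lines used in the worked example above.
XANADU = "In Xanadu did Kubla Khan\nA stately pleasure dome decree:"


def first_letters(phrase: str) -> str:
    """First character of each word, keeping a trailing punctuation mark such as ':'."""
    out = []
    for word in phrase.split():
        out.append(word[0])
        if len(word) > 1 and word[-1] in string.punctuation:
            out.append(word[-1])
    return "".join(out)


def alternate_repeats(chars: str) -> str:
    """Flip the case of a letter each time it recurs: 'KK' -> 'Kk', 'ddd' -> 'dDd'."""
    last_was_upper: Dict[str, bool] = {}
    out = []
    for ch in chars:
        if ch.isalpha():
            key = ch.lower()
            if key in last_was_upper:
                ch = ch.lower() if last_was_upper[key] else ch.upper()
            last_was_upper[key] = ch.isupper()
        out.append(ch)
    return "".join(out)


def substitute(chars: str, table: Dict[str, str] = SUBSTITUTIONS) -> str:
    """Replace letters found in the table (either case) with their look-alike."""
    return "".join(table.get(ch.lower(), ch) for ch in chars)


def mnemonic_password(phrase: str, with_substitutions: bool = True) -> str:
    """Run the three steps of the method in order."""
    pw = alternate_repeats(first_letters(phrase))
    return substitute(pw) if with_substitutions else pw


if __name__ == "__main__":
    print(first_letters(XANADU))                              # IXdKKAspdd:
    print(mnemonic_password(XANADU, with_substitutions=False))  # IXdKkAspDd:
    print(mnemonic_password(XANADU))                          # 1XdKk@$pDd:
```

Because the substitutions are applied to a string that was never a dictionary word, they genuinely add to the character mix here, which is the distinction the earlier warning about substitution draws. Anyone using this on their own phrase should, as the guidance says, choose a line that is not published alongside its password.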
Some additional password advice is provided as part of IT Services' Introduction to Security course at www.lboro.ac.uk/it/security/security-intro.html#password.
To change your password now, go to Password Changing https://pass.lboro.ac.uk/.
