Keeping Your Password Safe:
A User's Introduction to Computer Security

The rise of computer networking at the University of Dayton provides the campus community with better access to computing resources. Unfortunately, it also provides access to would-be computer vandals, both on and off campus. If you are an account holder on a multi-user machine, then it is your responsibility to keep your account, and the work stored in it, safe from unauthorized users. This is normally done by means of a password: a secret string of characters that proves you are the account's authorized user. This paper gives guidelines for selecting and maintaining a good password.

One way that a vandal can learn your password is by seeing it - either because they watched you type it in, or because you wrote it down. You should avoid writing passwords as much as possible, and certainly don't put a written password in plain view. The best way to avoid trouble is to pick a password that you will remember. This is the main reason why modern systems usually let you pick your own password - so that you won't need to write it down.

To understand how to choose a password, it helps to understand how vandals usually break in. The main way that passwords are broken is by simple guessing, so at the very least you should pick a password that cannot easily be guessed. Don't use the account name as the password. Don't use your own name or nickname; even people who don't know you personally may be able to guess those. Don't use any of these written backwards, either: that is the next thing a guesser will try.

Vandals can also use a computer to automate the guessing. If your machine is on the network, they can program another computer to attempt log-ins to your account over and over. This on-line guessing is not very effective, both because the repeated failures are easy for the systems administrator to spot and because each attempt is slow, so only a small number of passwords can be tried. The more dangerous method is an off-line password matcher. Some computer systems, most notably UNIX, do not store the password itself but a one-way transformed form of it (usually called the "encrypted" password, though strictly it is a hash, since nothing can decrypt it back). When you log in and type your password, it is transformed the same way and the result is compared against the copy on file; if the two match, you are let in. On the UNIX systems of the time the file holding these values was readable by every user, so a would-be vandal could simply copy it. (Modern systems keep the values in a separate file that only the administrator can read, but copies still escape through backups and break-ins, and the attack that follows is unchanged.) It is easy to find or write a program that generates candidate passwords, transforms each one exactly as the login program does, and looks for a match in the copied file. There are far too many possible passwords to try them all, so the vandal tries only the best guesses, where "a few" can mean many thousands: the contents of an on-line dictionary of common English or other-language words, names and literary terms, each also tried spelled backwards and with a digit tacked onto one end. Such programs guess about 30% of typical users' passwords.

How can you protect yourself against such an attack? The best defence is to pick a password that is not a common English (or other language) word, a common name, or anything else likely to be in an on-line word list. Make it at least six characters long (the minimum most systems enforced when this guide was written; longer is better, and on current hardware twelve or more is a sensible floor), and mix some upper case letters, punctuation symbols and/or digits in with the lower case letters, rather than tacking them onto one end. This does not make the password impossible to guess, but it takes it out of the word lists that a matcher actually tries, which is where nearly all of the successful guesses come from. Taking the first letter of each word in a phrase you will remember, and keeping the phrase's punctuation and numbers, gives a password that is both safe and easy to recall.
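The two paragraphs above describe an off-line password matcher and the kind of password that defeats it. The following is an added example, not code from the original guide, that shows both in working form: it builds a small constructed password file, runs the dictionary-plus-variations attack the text describes against it, and then applies the guide's selection rules to the passwords involved. Everything in it is an assumption for illustration: the account names, the word list, the phrase, and the hash (salted SHA-256 stands in for the crypt(3) routine UNIX used; the attacker's procedure, hash each guess the way the login program does and compare, is the same either way).

```python
"""Added example: off-line password matching and the guide's password rules.
All names, words and hashes below are constructed for illustration."""
import hashlib


def hash_password(salt: str, password: str) -> str:
    """Store the salt with the hash, as a login program would (salted SHA-256
    stands in for crypt(3) here; this is an assumption of the example)."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"{salt}${digest}"


def verify(stored: str, candidate: str) -> bool:
    """Exactly what login does: hash the typed password the same way and compare."""
    salt, _ = stored.split("$", 1)
    return hash_password(salt, candidate) == stored


def guesses_for(account: str, words):
    """Best guesses in roughly the order a matcher tries them: the account name,
    then every word in the list; each also reversed, capitalized, and with a
    single digit tacked onto the end."""
    for base in [account] + list(words):
        yield base
        yield base[::-1]
        yield base.capitalize()
        for digit in "0123456789":
            yield base + digit
            yield base.capitalize() + digit


def crack(password_file: dict, words) -> dict:
    """Return {account: recovered password} for every entry a guess matches."""
    found = {}
    for account, stored in password_file.items():
        for guess in guesses_for(account, words):
            if verify(stored, guess):
                found[account] = guess
                break
    return found


def from_phrase(phrase: str) -> str:
    """First letter of each word, keeping any punctuation that ends a word."""
    out = []
    for word in phrase.split():
        out.append(word[0])
        if len(word) > 1 and not word[-1].isalnum():
            out.append(word[-1])
    return "".join(out)


def weaknesses(password: str, account: str, words) -> list:
    """Apply the guide's rules; an empty list means the password passes."""
    problems = []
    low, wordset = password.lower(), set(words)
    if len(password) < 6:
        problems.append("shorter than six characters")
    if low in (account.lower(), account.lower()[::-1]):
        problems.append("is the account name or its reverse")
    stem = low.rstrip("0123456789")
    if low in wordset or low[::-1] in wordset or stem in wordset:
        problems.append("is a dictionary word, its reverse, or a word with digits added")
    kinds = sum([any(c.islower() for c in password), any(c.isupper() for c in password),
                 any(c.isdigit() for c in password), any(not c.isalnum() for c in password)])
    if kinds < 2:
        problems.append("uses only one kind of character")
    return problems


# Constructed word list standing in for an on-line dictionary.
WORDS = ["password", "flyer", "dayton", "secret", "welcome", "summer", "computer"]
# Constructed phrase for the first-letters method.
PHRASE = "Never trust a vandal, pick 2 good passwords!"
# Constructed password file; the comments say what each user chose.
PASSWORD_FILE = {
    "jsmith": hash_password("a1", "jsmith"),             # the account name
    "mjones": hash_password("b2", "notyad"),             # "dayton" spelled backwards
    "klee":   hash_password("c3", "Welcome1"),           # capitalized word plus a digit
    "rpatel": hash_password("d4", from_phrase(PHRASE)),  # "Ntav,p2gp!"
}

if __name__ == "__main__":
    for account, pw in crack(PASSWORD_FILE, WORDS).items():
        print(f"cracked {account}: {pw}")
    for account, pw in [("klee", "Welcome1"), ("rpatel", from_phrase(PHRASE))]:
        print(account, pw, weaknesses(pw, account, WORDS) or "passes the checklist")
```

Only the phrase-derived password survives: the matcher needs under two hundred guesses to recover the other three, which is why the rules concentrate on staying out of the word list rather than on any single trick such as adding a digit.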

A few final cautions: NEVER use your normal password on a bulletin-board system! Very often these passwords are stored in clear text on that machine and are very easy to locate. NEVER store your password in a computer file, and NEVER send it by e-mail. Such files and e-mail messages can easily be read by others.

Files:

Every multi-user operating system has some provision for keeping other users from reading or changing your files. However, you cannot assume that your account has been properly set up to automatically protect any new files that you create. You should learn how file permissions work on your computer, and verify that your account is safe. The alternative is to risk losing files or letting the world read your private information.

COMPUTER SECURITY CHECKLIST

PASSWORDS:

  • DO recognize that you are responsible for your computer account, its protection and its use.

  • DO change your password immediately upon receiving your account.

  • DO make your password at least six characters long; that was the system minimum when this was written, and longer is better.

  • DO mix lower case letters with upper case letters, punctuation and numbers. The upper case letters/numbers should not appear solely at one end of the password.

  • DO NOT use your name, account name, nickname, or other easily guessed personal information for your password.

  • DO NOT use: common words (in English or any other language), place names, people's names, scientific terms or literary terms. DO NOT use such a word spelled backwards.

  • DO NOT let anybody else use your account. DO NOT give your password to anybody else.

  • DO NOT write your password where people can see it.

  • DO NOT store your password in any file on your computer. This especially includes automated login scripts or other programs.

  • DO NOT use your regular password on any bulletin-board system.

  • DO NOT leave your machine or terminal while still logged on.

FILE USAGE:

World writable directories and files allow other users to create, replace or delete whatever they wish there. World readable files allow other users to read your sensitive information. While most accounts should already be set up so that others won't have access to your files, you should learn about file permissions on your computer and verify that your account is protected.
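The "Files" section and the paragraph above both tell you to verify your account's file permissions without saying how. The following is an added example, not part of the original guide, for a POSIX shell on a UNIX-style system: it lists every entry under a directory that other users can write to or read, removes those permissions, and sets the umask so that files you create afterwards are private by default. The scratch directory and its three files are constructed here for illustration; on a real account run `check_world_access "$HOME"`.

```shell
# Added example: find and fix world-accessible files in a home directory.
# Assumes POSIX sh with find, chmod and mktemp.

# Print every entry under $1 that other users can write to (mode bit 0002;
# they can replace or delete its contents) or, for files, read (bit 0004).
check_world_access() {
    find "$1" -perm -0002 -print | sed 's/^/world-writable: /'
    find "$1" -type f -perm -0004 -print | sed 's/^/world-readable: /'
}

# Number of exposed entries, for use in scripts.
exposed_count() {
    check_world_access "$1" | wc -l | tr -d ' '
}

# Remove all permissions for "others" under $1. Group access is left alone;
# tighten it the same way (g-rwx) if your group is not people you trust.
lock_down() {
    chmod -R o-rwx "$1"
}

# Files created from now on in this shell get no group or world access.
# Put this line in your shell start-up file to make it permanent.
umask 077

# Constructed scratch directory showing the check before and after the fix.
demo_in_scratch_dir() {
    d=$(mktemp -d)
    mkdir "$d/shared";    chmod 777 "$d/shared"      # constructed: world-writable directory
    : > "$d/notes.txt";   chmod 644 "$d/notes.txt"   # constructed: world-readable file
    : > "$d/grades.txt";  chmod 600 "$d/grades.txt"  # constructed: already private
    echo "before: $(exposed_count "$d") exposed"
    check_world_access "$d"
    lock_down "$d"
    echo "after:  $(exposed_count "$d") exposed"
    rm -rf "$d"
}

demo_in_scratch_dir
```

The check tests the mode bits rather than trying to open the files, so it gives the same answer whoever runs it; the two entries it reports in the scratch directory are the world-writable directory and the 644 file, and both disappear after `lock_down`.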

NETWORKS:

If your machine is connected to the campus network, DO assume that anybody in the world can try to log into your machine.


