Keeping Your Password Safe:
A User's Introduction to Computer Security
The rise of computer networking at University of Dayton provides the campus
community with better access to computing resources.
Unfortunately, it also provides access to would-be computer vandals,
both on and off campus.
If you are an account holder on a multi-user machine, then it is your
responsibility to keep your account and your work stored in that
account safe against unauthorized users.
This is normally done by means of a password - a short series of
characters meant to identify authorized users.
This paper provides guidelines for selecting and maintaining a good
One way that a vandal can learn your password is by seeing it -
either because they watched you type it in, or
because you wrote it down.
You should avoid writing passwords as much as possible, and
certainly don't put a written password in plain view.
The best way to avoid trouble is to pick a password that you will
This is the main reason why modern systems usually let you pick your
own password - so that you won't need to write it down.
To understand how to choose a password, it helps to understand how
vandals usually break in.
The main way that passwords are broken is by simple guessing.
This means that at the least, you should pick a password that cannot
easily be guessed.
For example, don't use the account name as the password.
Don't use your own name, or nickname, as the password.
Even people who don't know you personally may be able to guess that.
Don't use such words written backwards - that's the next thing they
Vandals can also use a computer to automate the guessing process.
If your computer is on the network, they might program
another computer to repeatedly attempt to log in to your account.
This is actually not very effective, both because it is easy for
systems administrators to spot this activity and because the process
is too slow to try many passwords.
The most sophisticated way normally used to guess passwords
is an automated password matcher.
Some computer systems, most notably UNIX, store passwords
in encrypted form.
When you log in and type your password, it gets encrypted in the same
way, and the encrypted form of your password is compared against the
encrypted copy on file.
If the encrypted forms match, you are allowed in.
A potential vandal can easily get a copy of the password file.
It is easy to find or write a program that simply generates many
passwords, encrypts them, and checks for a match.
But, it turns out that there are too many possible passwords to try
more than a small fraction of them.
So, the vandal can only try a relatively few best guesses
(where "few" can mean many thousands).
These best guesses are often the contents of an on-line dictionary of
common English or other language words, or literary terms.
Such programs can guess about 30% of typical users' passwords.
How can you protect yourself against such an attack?
The best way is to pick a password that is not a common English (or
other language) word, a common name, or something else likely to be in
an on-line word list.
You should also make sure that your password is
six or more characters long, and that it contains at least some upper
case letters, punctuation symbols and/or digits along with some lower
This simple precaution will eliminate virtually any possibility of
your password being "guessed".
Using the first letter from each word in a phrase can also give you a
safe, easily remembered password.
Two final cautions: NEVER use your normal password on a
Very often these passwords are stored in clear text on that machine,
and are very easy to locate.
NEVER store your password in a computer file, and NEVER send it
Such files and e-mail messages can easily be read by others.
Every multi-user operating system has some provision for keeping other
users from reading or changing your files.
However, you cannot assume that your account has been properly set up
to automatically protect any new files that you create.
You should learn how file permissions work on your computer, and
verify that your account is safe.
The alternative is to risk losing files or letting the world read
your private information.
COMPUTER SECURITY CHECKLIST
DO recognize that you are responsible for your computer account, its
protection and its use.
DO change your password immediately upon receiving your account.
DO make your password at least six characters long.
DO mix lower case letters with upper case letters, punctuation and
The upper case letters/numbers should not appear solely at one end of
DO NOT use your name, account name, nickname, or other easily guessed
personal information for your password.
DO NOT use: common words (in English or any other language),
place names, people's names, scientific terms or literary terms.
DO NOT use such a word spelled backwards.
DO NOT let anybody else use your account.
DO NOT give your password to anybody else.
DO NOT write your password where people can see it.
DO NOT store your password in any file on your computer.
This especially includes automated login scripts or other
DO NOT use your regular password on any bulletin-board system.
DO NOT leave your machine or terminal while still logged on.
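The following is an added example, not code from the original paper: it turns the checklist rules above, together with the body's advice on dictionary words and phrase-based passwords, into the kind of check a password-changing program can run before accepting a new password. The word list and the account and user names are constructed stand-ins.

```python
import re
import string

# Constructed word list standing in for the "on-line dictionary" the text
# describes; a real checker would load the system word list instead.
WORDLIST = {"password", "dayton", "flyers", "secret", "welcome", "letmein"}

NON_LOWER = r"[^a-z]+"

def specials_only_at_one_end(pw):
    """True when every upper case letter, digit or punctuation character sits
    in a single run at the start or at the end of the password."""
    return bool(re.fullmatch(NON_LOWER + "[a-z]+", pw) or
                re.fullmatch("[a-z]+" + NON_LOWER, pw))

def check_password(pw, account, full_name, wordlist=WORDLIST):
    """Return the checklist rules a candidate password breaks (an empty list
    means acceptable). Name and word comparisons ignore case."""
    problems = []
    low = pw.lower()
    if len(pw) < 6:
        problems.append("shorter than six characters")
    has_lower = any(c.islower() for c in pw)
    has_other = any(not c.islower() for c in pw)
    if not (has_lower and has_other):
        problems.append("no mix of lower case with upper case, digits or punctuation")
    elif specials_only_at_one_end(pw):
        problems.append("upper case, digits or punctuation only at one end")
    # Personal information: account name, each part of the real name, and
    # the same words spelled backwards.
    personal = {account.lower()} | {p.lower() for p in full_name.split()}
    personal |= {p[::-1] for p in personal}
    if low in personal:
        problems.append("account name, own name, or one of them backwards")
    # Dictionary words, forwards or backwards, even with digits or
    # punctuation tacked on at the ends.
    core = low.strip(string.punctuation + string.digits)
    if core in wordlist or core[::-1] in wordlist:
        problems.append("common word, forwards or backwards")
    return problems

def phrase_password(phrase):
    """First letter of each word in a phrase, the memorable method the text
    recommends; the result should still be run through check_password."""
    return "".join(w[0] for w in phrase.split())
```

Note that a bare phrase acronym such as "Tbontb" still fails the one-end rule; inserting punctuation or a digit in the middle fixes that.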
World writable directories and files allow other users to
use your directory for whatever they wish.
World readable files allow users to read your sensitive information.
While most accounts should already be set up so that others won't have
access to your files, you should learn about file permissions on your
computer and verify that your account is protected.
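As an added example (not from the paper), here is the permission check the text asks for, for the file-permission advice above and in the earlier section: it walks a directory, reports entries that other users can read or write, and clears the "other" bits on them. The home directory it inspects is constructed in a temporary location with deliberately loose permissions.

```python
import os
import stat
import tempfile

def world_access_report(root):
    """Return {relative path: [flags]} for every entry under root that other
    users can write or read, the two conditions the text warns about."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode
            if stat.S_ISLNK(mode):
                continue  # a symlink's own mode bits are not meaningful
            flags = []
            if mode & stat.S_IWOTH:
                flags.append("world-writable")
            if mode & stat.S_IROTH:
                flags.append("world-readable")
            if flags:
                report[os.path.relpath(full, root)] = flags
    return report

def tighten(root, report):
    """Remove the read/write/execute bits for 'other' on each reported entry."""
    for rel in report:
        full = os.path.join(root, rel)
        mode = stat.S_IMODE(os.stat(full).st_mode)
        os.chmod(full, mode & ~stat.S_IRWXO)

def demo():
    """Constructed home directory: one world-writable directory, one
    world-readable file, one already-protected file."""
    home = tempfile.mkdtemp()
    os.mkdir(os.path.join(home, "public"))
    os.chmod(os.path.join(home, "public"), 0o777)
    with open(os.path.join(home, "notes.txt"), "w") as f:
        f.write("constructed private data\n")
    os.chmod(os.path.join(home, "notes.txt"), 0o644)
    with open(os.path.join(home, "private.txt"), "w") as f:
        f.write("already protected\n")
    os.chmod(os.path.join(home, "private.txt"), 0o600)
    before = world_access_report(home)
    tighten(home, before)
    after = world_access_report(home)
    return before, after
```

This audits what already exists; making new files protected by default is done with the umask setting in your login startup file (umask 077 gives no group or other access).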
If your machine is to
the campus network, DO assume that anybody in the world can try to
log into your machine.