Frequently Asked Questions
Passwords
Every year, thousands of computers are illegally
accessed because of weak passwords. The following is a
list of the things a user should not do:
- Write down a password on a sticky note placed on
or near your computer.
- Use a word found in a dictionary. That's right,
a dictionary. Any dictionary!
- Use a word from a dictionary followed by 2
numbers.
- Use the names of people, places, pets, or other
common items.
- Share your password with someone else.
- Use the same password for more than one account,
and for an extended period of time.
- Use the default password provided by the vendor.
Why Is There A Problem?
Passwords are one of the first lines of defense that
users have to protect their systems. Unfortunately,
people are not accustomed to remembering difficult
passwords consisting of numbers and weird characters.
The ever-increasing number of passwords required to work
in today's world only makes this problem worse. Many
people have compensated for this problem by writing down
their password and keeping that information in an
unsecured area, like stuck to a computer screen.
One of the first things a hacker will attempt to do
against a system is run a program that will attempt to
guess the correct password of the target machine. These
programs can contain entire dictionaries from several
different languages. In addition to words found in
dictionaries, these programs often contain words from
popular culture such as science fiction movies and
novels.
Hackers like to attack people's weaknesses. One of
the major weaknesses is the reluctance to remember
several long, difficult-to-guess passwords. Therefore, once one is chosen, the likelihood
that the same password is used for several accounts is
very high. This is similar to the problem with default
passwords because users have a tendency to keep the same
password for a long period of time, thereby allowing the
attacker that much more time to gain access to a system.
How often should I change my Towson password?
To maintain maximum security, the ISO recommends
changing your password at least once every 60 to 90
days. Your password should consist of a mixture of
numerals and letters and should be at least 8 characters
in length. You can make your password stronger by mixing
upper and lower-case letters. Choose passwords that will
be thoroughly obscure to anyone but you. Avoid
easy-to-guess words like Irish or football. Don’t
use your name or birthdate or any part of your Social
Security number in your password.
Can I tell others what my password is?
No. Don't tell anyone your password, not even if they
claim to be a system administrator. Sharing passwords is
a violation of TU policy. There are good reasons you
should not share your password. If someone to whom you
had provided your password were to use your account in
an inappropriate manner, you could be held responsible
for their actions.
Why can't I share my UserID and password with a
trusted colleague?
Letting another person use your UserID, no matter how
much you trust that person, violates data security. Each
UserID is assigned to a specific individual who must
accept full responsibility for any work done on that
UserID. Each of your colleagues must use his or her own
UserID, or apply for one (all TU staff must have their
own UserID). Note: If you are involved in the hiring of
new staff, you should request a UserID ahead of time so
that it will be ready for use when needed. It may be
possible to expedite the new employee's UserID
assignment by having your Department representative
contact the OTS Help Desk.
Someone just e-mailed me asking for my password,
what should I do?
DO NOT GIVE IT TO THEM. No one representing TU will
ever ask you to give your password to them by e-mail or
over the phone. If someone DOES do this, do not respond
to them! Instead, call the OTS Help Desk at 4-5551, and
send an e-mail to infosec@towson.edu, and make sure we
know about it. We will deal with the offending party.
Is it safe to send my login/password through e-mail?
No. You should never include your password in an
e-mail message. There are programs out there that have
the ability to spy on traffic sent over the internet. If
you send out a message with your password in it, there
is a possibility that it could be intercepted and then
your account would be compromised.
Besides, you're not supposed to be sharing it with
anyone anyway, so the need to send it through e-mail
would never arise, right?
Why are passwords important?
Believe it or not, there are lots of people out in
the world who try to guess or "crack" passwords in order
to snoop around. We have an obligation to protect
information stored on our computer systems from
unauthorized access. The kind of access people have to
computers in public institutions like TU provides many
opportunities for password cracking. Creating "good"
passwords and keeping them private are important
elements of computer security. This means making "good"
passwords that are difficult or impossible to guess or
discover, even by individuals who, with mischievous or
criminal intent, try to guess or "crack" passwords in
order to gain access to computer accounts or systems.
OTS requires TU community members to change their
password every 60-90 days, which makes it more difficult
for a password-protected account to be compromised.
Remember, it is your obligation to protect information
stored on TU computer systems and to protect those
systems from unauthorized access.
How can I create a good password?
When creating your password, please take into account
the following password guidelines (required for TU
passwords):
- passwords must be 8 or more characters in length
- must consist of letters (a-z and/or A-Z) AND
at least one number (0-9) AND at least one
special character: !@#$%^&*()_-+=[]|\;"~',<>./?
- the alphabetic portion of a password, taken as a
whole, may not be a dictionary word, proper name, or
person's initials
- you may not reuse a password that you've
previously used with TU
Examples of good passwords:
- You can use a phrase to generate a password:
- Take the phrase "I Love To Eat Hotdogs
Everyday".
- Use the first letters: iltehe
- Apply capitalization and substitute
punctuation/numbers for letters: Il2e!E
- You can also use a common word as a seed for a
password:
- By itself, "hotdog" makes a horrible
password, but if you apply some of the tricks
above (capitalization, punctuation, and
misspellings) the result is a much better
password: H0t!daWg.
- You can also use a word but substitute
numbers for some of the letters, and insert a
special character in a way that you'll remember.
For example, by replacing the vowels with the
number 7 in the word "Spiderman," then inserting
a backslash between the syllables, the password
could be "Sp7d7r/m7n".
What should I avoid when creating a password?
- Do not use your user name, first name, or
last name.
Your name and user name are stored in the password
file and many cracking programs use this information
to generate possible password combinations.
- Do not use anyone's first name or last name.
Many password-cracking programs have large name
databases and can easily guess passwords based on
names. Names of friends, relatives, fictional
characters, etc. are commonly associated with an
individual and do not make good passwords.
- Passwords that use patterns on the keyboard
(e.g., qwerty) are not secure.
Although such passwords are easily typed, they are
also easily guessed.
- Words spelled backwards don't make secure
passwords.
Most cracking programs try both the forward and
backward representation of words in their databases,
and therefore passwords of such nature are not
secure.
- Substituting 1's and 0's for l's and o's is
not enough to make a good password.
Password cracking programs have rule sets designed
to break passwords that substitute numbers for
letters they resemble. Similarly, passwords such as
2Good4U, although cute, are not really secure
either.
- Do not simply use a word followed or preceded
by a number as a password.
A common password-guessing algorithm adds numbers to
the front or back of a dictionary word; passwords of
this form are therefore easily cracked.
Non-alphabetic characters should be used throughout
the password.
- Do not use dictionary, or dictionary-based
words as passwords.
Password cracking programs have large dictionaries
that they use to guess passwords. Cracking programs
also have large FOREIGN LANGUAGE dictionaries,
therefore, the practice of using foreign words as
passwords is INSECURE.
- Your password should NOT be all numbers,
uppercase letters or lowercase letters, nor should
it have repeating characters.
- Never use a password that has been cited as
an example of how to pick a good password.
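As an added example, not part of the TU FAQ, the following Python checker applies the TU requirements listed above and the cracking-program transformations this list describes (words spelled backwards, look-alike digit substitution, doubled words, keyboard sequences) against a small constructed word list. The word list, the substitution map, the "consecutive repeats" reading of "repeating characters" and the exact violation messages are my own assumptions, not OTS rules.

```python
import re
from string import digits

# Special characters the TU rule accepts, copied from the FAQ.
SPECIALS = set('!@#$%^&*()_-+=[]|\\;"~\',<>./?')
# Constructed stand-in for the word and name lists a cracking program carries.
WORDS = {"hotdog", "spiderman", "horrible", "football", "irish", "password", "john", "smith"}
# Passwords this FAQ itself cites as examples; the FAQ says never to use one of them.
PUBLISHED = {"Il2e!E", "H0t!daWg", "Sp7d7r/m7n", "DyktwtSJoUS-12?", "!bunca*dinckDOc?"}
# Look-alike substitutions that cracking rule sets undo (the FAQ's "1's and 0's for l's and o's").
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})
KEYBOARD = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890", "abcdefghijklmnopqrstuvwxyz"]

def word_variants(pw):
    """Forms a cracking program derives: letters only, leet undone, reversed, un-doubled."""
    low = pw.lower()
    base = {re.sub(r"[^a-z]", "", low), re.sub(r"[^a-z]", "", low.translate(LEET))}
    out = set()
    for c in base:
        out |= {c, c[::-1]}
        half = len(c) // 2
        if half and c[:half] == c[half:]:           # horriblehorrible -> horrible
            out |= {c[:half], c[:half][::-1]}
    return out

def has_keyboard_run(pw, n=4):
    """True if n consecutive characters follow a keyboard row or the alphabet, either way."""
    low = pw.lower()
    return any(low[i:i + n] in seq or low[i:i + n] in seq[::-1]
               for seq in KEYBOARD for i in range(len(low) - n + 1))

RULES = [  # (predicate, violated FAQ rule), checked in this order
    (lambda p: len(p) < 8, "fewer than 8 characters"),
    (lambda p: not re.search(r"[A-Za-z]", p), "no letters"),
    (lambda p: not set(p) & set(digits), "no digit"),
    (lambda p: not set(p) & SPECIALS, "no special character"),
    (lambda p: re.search(r"(.)\1", p), "repeated character"),  # read as consecutive repeats
    (has_keyboard_run, "keyboard or alphabet sequence"),
    (lambda p: word_variants(p) & WORDS, "dictionary word or name (also reversed, leet-substituted or doubled)"),
    (lambda p: p in PUBLISHED, "published example password"),
]

def check_tu_password(pw):
    """Return the FAQ rules pw violates, in fixed order; an empty list means it passes."""
    return [msg for test, msg in RULES if test(pw)]

if __name__ == "__main__":
    for candidate in ["hotdog1", "H0td0g!7", "Godtoh7!", "Qwerty12!", "H0t!daWg", "Tq7&bZ4m"]:
        print(f"{candidate:12} {check_tu_password(candidate) or 'OK'}")
```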
How do I know what is a good password?
Select a long mixed-case password which includes
numbers and punctuation. Using the first letters of a
phrase makes it easier to remember.
Guidelines for Creating a Secure TU Password
- Select a unique password — not one you are using
or have used elsewhere. Do not use a PIN or a
password used for other computing accounts like AOL
or HotMail.
- Use at least nine characters containing a mix of
upper- (capital) and lower-case letters, numbers,
and common punctuation. However, do not use a
forward slash (/) or a space.
- Random capitalization, numbers, and common
punctuation always improve a password. The more
varied the character set, the shorter the password
can be, but please use at least nine characters. The
best passwords are made up (of course, don't use any
examples shown here).
- Use the first letter of words in a phrase
and include numbers and punctuation; for
example, “Do you know the way to San Jose on
US-12?” becomes “DyktwtSJoUS-12?”
- Create a nonsense phrase like
“!bunca*dinckDOc?”
Very Bad Ideas for Any Password:
- Do not use any normal sequence of numbers or
letters, including keyboard sequences
- Do not use words found in any dictionary,
regardless of language
- Do not use simple transformations of words; for
example, by:
- adding a character before or after
(!horrible or horrible!)
- randomly capitalizing letters (HOrriBle)
- doubling (horriblehorrible)
- spelling backwards (elbirroh)
- removing vowels (hrrbl)
- Do not use anything based on personal
information that someone could reasonably learn
Information Security Office
Office of Technology Services
Cook Library, 4
Hours: Monday - Friday, 8:30 a.m. to 4:00 p.m.
E-mail: infosec@towson.edu