Picking and Protecting Passwords
September 8, 2015 | By Chris Phillips
Biometrics (e.g., fingerprint recognition, retinal scans, etc.) are rapidly making inroads, but at this point passwords remain the most common method of identity verification in the virtual world. Managing passwords safely enables one to use most computer resources safely.
Threats and Counter-Measures
Passwords are compromised ("cracked" or "hacked") in a variety of ways. One is to try all the words in the dictionary. That's called, predictably enough, a "dictionary attack." A dictionary attack would take a human a long time, but it can be an easy task for another computer. A computer can also be used to march through all the possible sequences of letters and numbers -- a "brute force" attack.
In order to defeat such assaults, many devices and systems will lock an account after several consecutive unsuccessful password attempts. At UMB, administrative systems give you a maximum of six chances (sometimes fewer). The account may then only be unlocked after a certain waiting period, or require a system administrator's intervention to reset the lock. If this happens to you, be patient. However inconvenient, it's a necessary security measure.
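The lockout rule described above, as an added example that is not UMB's own code: a small login guard that refuses an account after six consecutive failures and lifts the lock either when a waiting period passes or when an administrator resets it. The length of the waiting period, the in-memory credential store and the `now` parameter (injected so the lock can be exercised without waiting) are assumptions made for the demonstration.

```python
# Added example (not UMB's code): lock an account after six consecutive
# failed logins, as the text describes. Waiting period and credential
# store are assumptions for the demonstration.
import hmac
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 6              # "a maximum of six chances"
LOCKOUT_SECONDS = 15 * 60     # assumed waiting period; the article names none


@dataclass
class AccountState:
    failures: int = 0          # consecutive failures since the last success
    locked_until: float = 0.0  # epoch seconds; 0.0 means not locked


class LoginGuard:
    def __init__(self, credentials, now=time.time):
        # credentials: {user_id: password}. Constructed sample store, kept in
        # plaintext only so the example runs stand-alone; a real system stores
        # slow password hashes. `now` is injectable so lockout can be tested.
        self._creds = credentials
        self._now = now
        self._state = {}

    def _state_for(self, user):
        return self._state.setdefault(user, AccountState())

    def attempt(self, user, password):
        """Return 'ok', 'denied' or 'locked' for one login attempt."""
        st = self._state_for(user)
        t = self._now()
        if st.locked_until > t:
            # Inside the waiting period: even the right password is refused.
            return "locked"
        if st.locked_until:
            # Waiting period has passed: the lock lifts and the counter resets.
            st.failures = 0
            st.locked_until = 0.0
        stored = self._creds.get(user, "")
        # Constant-time comparison; unknown users take the same failure path.
        ok = user in self._creds and hmac.compare_digest(
            stored.encode("utf-8"), password.encode("utf-8"))
        if ok:
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= MAX_ATTEMPTS:
            st.locked_until = t + LOCKOUT_SECONDS
            return "locked"
        return "denied"

    def admin_unlock(self, user):
        """Administrator intervention: clear the lock without waiting."""
        st = self._state_for(user)
        st.failures = 0
        st.locked_until = 0.0


if __name__ == "__main__":
    guard = LoginGuard({"alice": "correct horse battery"})
    for pw in ["guess1", "guess2", "guess3", "guess4", "guess5", "guess6"]:
        print(pw, "->", guard.attempt("alice", pw))
    print("right password while locked ->",
          guard.attempt("alice", "correct horse battery"))
```

The counter resets on a successful login, so ordinary typos never accumulate into a lock; only a run of six wrong guesses in a row triggers it, which is the pattern a dictionary or brute-force tool produces.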
Low-tech vs. High-tech
Attacks often don’t need to be high-tech. If passwords are obvious enough, they can simply be guessed by someone who knows things about you -- things like the name of your spouse or pet, where you were born, your birth date, and so on. You may inadvertently assist in such an attack by what you post on social networking sites or other public venues. It can get simpler still: There's the "shoulder surfing" attack -- someone watching you while you type your password, and the "Post-It"™ attack -- where someone finds a password you've written down and left in plain sight near the computer.
Password "Sniffing" and "Phishing"
Some of today's most sophisticated computer malware -- viruses, worms and the like -- are designed to install themselves and then invisibly sniff out passwords that you type. Some malware will even insert fake forms into otherwise legitimate web pages to solicit additional information from you, including passwords. Such malware behaviors can be impossible for a person to detect, which is why all computing devices need to have up-to-date anti-malware/anti-virus software installed. "Phishing" attacks attempt to trick you into revealing your password with what seems like a legitimate request. (Search the Elm using the term “phishing” for several articles on this subject.)
Basic Rules for Password Maintenance
A strong password is one that is hard to crack, whether by machine or human guessing. Real (dictionary) words, in any language, are bad. "Personal" words -- passwords that relate to anything about you, from your pet’s name to your address -- are bad. The following requirements are part of UMB’s Password Management Policy:
- Passwords must contain a minimum of eight characters. (More = better!)
- Passwords must contain a mix of alphanumeric characters. Passwords must not consist of all numbers, all special characters, or all alphabetic characters.
- Passwords must not contain leading or trailing blanks.
- Your password must not be the same as your user ID.
- Password reuse is restricted: none of your last 10 passwords may be reused, and a password must be at least two days old before it can be changed again.
- Automated controls ensure that passwords are changed at least as frequently as every 90 days for high-privilege users and every 365 days for general users.
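The policy rules above, together with the advice against dictionary words, as an added example that is not UMB's implementation: a checker that reports every rule a candidate password violates, plus an expiry check for the 90-day and 365-day limits. Keeping password history as hashes, the choice of SHA-256 for those history entries, and the short sample word list are assumptions made so the example runs stand-alone.

```python
# Added example (not UMB's implementation): check a candidate password
# against the listed policy rules and the dictionary-word advice.
# History hashing and the sample word list are assumptions.
import hashlib
import string
from datetime import datetime, timedelta

MIN_LENGTH = 8
HISTORY_DEPTH = 10
MIN_AGE = timedelta(days=2)
MAX_AGE = {"high-privilege": timedelta(days=90), "general": timedelta(days=365)}

# Constructed sample word list; a real check uses full dictionaries in several languages.
DICTIONARY = {"password", "welcome", "baltimore", "sailing", "shakespeare"}


def fingerprint(password):
    # History is kept as hashes, never as the old passwords themselves.
    # SHA-256 keeps the example self-contained; a real system would reuse
    # the slow hash it already stores for the live password.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(candidate, user_id, history, last_changed, now):
    """Return the list of policy rules the candidate violates (empty = acceptable).

    history: fingerprints of previous passwords, most recent first.
    last_changed: when the current password was set.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("fewer than 8 characters")

    # A mix means at least two of: letters, digits, special characters.
    has_alpha = any(c.isalpha() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    has_special = any(c in string.punctuation for c in candidate)
    if sum([has_alpha, has_digit, has_special]) < 2:
        problems.append("all numbers, all special characters, or all letters")

    if candidate != candidate.strip():
        problems.append("leading or trailing blanks")

    # Compared case-insensitively, a slightly stricter reading of the rule.
    if candidate.casefold() == user_id.casefold():
        problems.append("same as user ID")

    if fingerprint(candidate) in history[:HISTORY_DEPTH]:
        problems.append("reused from the last 10 passwords")

    if now - last_changed < MIN_AGE:
        problems.append("current password is less than two days old")

    if candidate.casefold() in DICTIONARY:
        problems.append("dictionary word")

    return problems


def password_expired(last_changed, now, user_class):
    """True when the password is older than the policy allows for that user class."""
    return now - last_changed > MAX_AGE[user_class]


if __name__ == "__main__":
    now = datetime(2015, 9, 8)
    history = [fingerprint("OldPass1!"), fingerprint("OldPass2!")]
    for pw in ["IL2rtE@UMB", "12345678", " BB_sotwe", "OldPass1!", "baltimore"]:
        result = check_password(pw, "jdoe", history, datetime(2015, 9, 1), now)
        print(repr(pw), "->", result or "ok")
```

Returning every violated rule at once, rather than stopping at the first, lets the user fix all problems in a single try, which matters when a lockout counter is also running.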
Change is Good; So is Variety
Some systems will force you to pick a new password on a regular basis; but even if you're not forced, it's a good idea. If you have any reason to believe a password has been compromised, change it immediately. And don't use the same password for all the systems you access; you don't want one cracked password to compromise everything.
Phrases Can Help Your Memory
Unfortunately, strong passwords tend to be hard to remember. If you have a lot of passwords to remember, and you are changing them with some regularity, it can get overwhelming very quickly. Basing passwords on familiar phrases or favorite activities can help. For example:
- Biscayne Bay sailing on the weekends = BB_sotwe
- To be or not to be = 2BorNot2B
- I Love to read the Elm at UMB = IL2rtE@UMB
Tools for Storing Passwords
The best security comes from never writing down your passwords. But for many of us the choice is between writing down good passwords or using bad passwords that we can actually remember. Sometimes you are given the option of having your passwords automatically "remembered" by the accessed computing device or program. This is usually a very bad idea; anyone who gains access to your computer will have access to all the protected places.
On the other hand, there are automated tools known as “password managers” that can assist your memory, presumably without compromising security. These come in the form of either software programs or small mobile hardware devices. Many experts like and use these; some warn against using them. Be sure to research the subject carefully before you choose.
At UMB, Passwords Are Not Optional
Every computing device able to access sensitive data or computing resources must have an access password. This is a good idea for your personal computing devices (such as your smart phone) as well.
Physical Security vs. Passwords
Passwords are a critical additional protection against intruders who get past the physical security measures that are your first line of defense.
Passwords, like bubble gum, should NOT be shared between users! ‘Nuff said.
Logging in and Leaving
Leaving a computer unattended while you are logged in is the same as giving away your password. You should log off or lock your system, even if you plan to be away only briefly. Do not rely on the timed, automatic system shut-off. It takes only a few minutes for someone to access and compromise an unprotected computing device.
Managing passwords is one of those things that you can't escape in today’s world. Do it safely, and the odds are good that you'll keep the information under your control secure. Do it unsafely and it's only a matter of time until something bad happens.