ECN Accounts: Hints On Choosing a New Password

ECN has updated the password changing program to enforce stricter logon passwords. The passwd command on all Solaris workstations and servers includes a password tester. If the password tester thinks that the password would be too easy to guess, then it will describe what is wrong with the newly entered password and abort the password from changing.

There are very good reasons to have a good password in place. Computers at ECN are directly connected to the Internet. There is a constant stream of hackers trying gain access to your files and the only thing stopping them are good passwords that are hard to guess.

Below are descriptions of bad passwords and good passwords. Following that is a section describing some tools that you can use to select a new password and a password testing utility that judges a potentially new password on the same criteria as the passwd command.

What Are Bad Passwords?

There are lots of passwords that should be avoided. Here are a few examples:

• Avoid passwords based on a word in English dictionary, or in the dictionary of any other language. A very good example is not to set a password of "password".
• Avoid passwords based on the reverse of a word in the dictionary. Don't set a password of "drowssap" (which is "password" spelled backwards).
• Avoid passwords that are too short. Always set a password that is between eight and fifteen characters long.
• Avoid using passwords that have too many of the same characters. Don't set a password of "mmmmmmmm" or "12345678".
• Avoid using names. Don't set a password based on your first name, middle name, last name, login name, pet's name, computer's name, etc.
• Avoid anything that is familiar to you that someone else might know. Don't set a password based on your street address, student ID number, favorite rock band, office location, or most colorful Pokemon character.
• Avoid substituting numbers for characters. Don't change "E" to "3", "O" to "0", "I" to "1", etc. Most hackers know to try these combination of changes when trying out passwords.

Suggestions For Good Passwords

Very simply, try making up a password, that is at least eight characters long, that includes all three types of characters: Letters, Numbers and Symbols. By including all three types of characters, the number of combinations of passwords grows quiet large, leaving it difficult to guessing the password by a brute force search. Purdue systems accept passwords between 8 and 15 characters (inclusive).

One method is to string a series of numbers and words together, and pad it to 15 characters: Jack+Jill-^Hill; or J.Crew-Shirts!!!

Another method is to use a sentence that you can easily remember and then use the first character of each word to form your password. Examples are:

I graduate from Purdue in two years!               =  IgfPi2y!
My friend lives at 123 Main Street, Lafayette      =  Mfl@1MSL

Generating a random password

In order to try to select a good, unguessable password, there is a utility to assist in creating one at random. The utility is called genrpass, and is available on Engineering Computer Network Linux and Solaris computers.

genrpass is based on an ANSI standard X9.17. It generates a password based on one way DES encryption. It starts out with a random seed number, combines that with a set of two other seeds, and produces the password from the result. The result then becomes the seed for the next password generation.

See the manual page for genrpass for more information.

Testing passwords

Selecting a password that will be acceptable to passwd may be difficult. Instead of entering in the password several times, it is easier to test the password ahead of time with a password testing program called passtest.

passtest accepts passwords, one line at a time, and outputs the results. If the result says ok, then the password would be a candidate for entering into the passwd command. If the password is unacceptable, the problem description will be shown.

See the manual page for passtest for more information.