Passwords are the most common way for individuals to verify that they are who they say they are whenever they access a computerized system. Unfortunately, that means anyone who knows or can guess your password to a system can see or do whatever you can on that system. In other words, whoever obtains or guesses your password becomes YOU as far as the computer system is concerned. So, he or she can generate e-mail appearing to have come from you, can expose sensitive information to which you have access, can enter transactions in your name, etc.
Aren't there better methods of authenticating users?
There are other systems to verify a computer user's identity besides or in combination with "something you know" (password) systems. These include:
- "Something you have" systems where you demonstrate that you possess an assigned object, e.g., a bank card that you swipe, an electronic certificate, a token device that displays a continually changing value that you are asked to key in
- "Something you are" systems that validate your identity using some physical characteristic, e.g., fingerprint, hand print, retina scan, signature verification
Unfortunately, the widespread use of password alternatives has been hampered by their cost and implementation difficulty, so passwords will continue to be the primary method of verifying a person's identity for the foreseeable future.
Methods malicious individuals use to guess passwords
Malicious individuals use a variety of techniques to guess or otherwise obtain passwords. These techniques include but are not limited to:
- Trying to log into your account with a blank password
- Trying to log in with the default passwords that come with new hardware and software products, hoping that you had not changed them
- Trying the most common passwords that people use, such as the word "password", numeric and alphabetic sequences, common phrases, music titles, etc.
- Comparing encrypted password file values against "hackers' dictionaries". Hackers' dictionaries are massive files that contain the encrypted and unencrypted value of every word in every language. By capturing your encrypted password and looking it up in a hackers' dictionary, a malicious individual can easily find its unencrypted value if your password is set to any single word.
- Adding common variations of single word passwords (e.g., p@ssw0rd, a single word followed by a number) to the hackers' dictionaries to increase their coverage
- Using "rainbow tables" to speed up their password cracking efforts, enabling them to find passwords of up to ten characters in length (thus far) in seconds
- Searching your physical workspace to find written down passwords that are unsecured
- Using social media to find personal information about you that could be used to answer the security questions that you are asked to provide when you change your password on specific sites
- Tricking you into giving them your password by using a technique called "phishing": they send you an official-looking email message (or call you on the phone) that asks you to reply with your ID and password for some made-up reason, e.g., your account will be closed unless you confirm that you are a valid user by responding with your personal information.
Making passwords effective
To ensure that the computers, tablets, smartphones, applications and any other technologies that you use, and the information they hold remain safe, they must be protected with passwords that are difficult-to-guess and are not shared with others. This section describes effective methods of formulating difficult-to-guess passwords and the practices that prevent them from being exposed through other means.
- Your passwords should never be left blank (and that goes for smart phones, too!)
- Your passwords should never be set to a product’s default or initial password
- With passwords, longer is stronger. A malicious hacker with a bank of computers can break a six character password much faster than an eight character one. With today's computer power, even a ten character password has become too short.
- Your passwords should not be equal to any single word in any dictionary in any language. Single word passwords can be cracked in minutes.
- Your passwords should not be set to a piece of personal information that is widely known about you (e.g., name of a family member or a pet, important dates, favorite teams)
- Your passwords should not be equal to any obvious sequence of characters (e.g., 12345678, abcdefgh, qwerty, aaaaaaaa, abcd1234)
- Your passwords should include a mix of upper- and lower-case letters, numbers and symbols where permitted
- If you use numbers and symbols in your passwords, the symbols should not merely substitute for obvious similar-looking characters within a single word (e.g., p@ssw0rd)
- Your passwords can be strong and memorable when they consist of:
  - Multiple words (mixing languages makes your password even stronger)
  - Characters extracted from a phrase that is meaningful to you, e.g., “I am one happy person at Clear Lake!” could become the password “Im1hp@CL!”. (Note - Please do not use the above password or any other password shared as an example in a public document.)
- Your password to any Internet site into which you enter sensitive, personal data (e.g., social security number, date of birth, account numbers) should not match your password to any other site. If they match and one site is hacked, the others may be hacked as well.
- Change your passwords regularly to limit the time a malicious hacker has to discover them
- Do not share your passwords with others. Systems can be configured to allow multiple individuals to share information without sharing passwords. If there is a compelling business need to let a person use your password temporarily, and there is no alternative, you should change your password immediately after the other person has completed the necessary task.
- Avoid writing passwords down, but if you must, mask them, keep the piece of paper in a safe place and do not include related data (e.g., ID, site name).
- Commercially available password management software can keep your passwords in an encrypted, password-protected file. Some products can save the file in the “cloud” allowing you to share your encrypted password file among multiple computers and mobile devices. Check with the OIT Support Center at extension 2828 or at firstname.lastname@example.org to ensure that any product that you select provides appropriate security controls.
- NEVER reply to an email that asks you to provide your user ID, password, account number or any piece of confidential information. No reputable institution will ever ask you to do so. It is a "phishing" attempt.
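As an added illustration that is not part of the original guidance, the Python below encodes the formulation rules above (no blank or default password, minimum length, no single dictionary word even with look-alike substitutions, no obvious sequences, a mix of character classes) as a validator; the tiny word lists, the MIN_LENGTH of 12 and the substitution table are assumptions made for the example.

```python
import re
import string

# Constructed, deliberately tiny lists standing in for a real dictionary and a
# vendor-default list; a real deployment would load far larger files.
DICTIONARY = {"password", "welcome", "sunshine", "dragon", "monkey", "letmein"}
DEFAULT_PASSWORDS = {"admin", "changeme", "1234", "default"}
MIN_LENGTH = 12  # assumption: the guidance says ten characters is already too short

# Undo the "obvious similar-looking character" substitutions (p@ssw0rd -> password).
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s",
                      "5": "s", "7": "t", "!": "i"})


def _normalise(pw: str) -> str:
    """Lower-case, drop a trailing digit run ('password1' -> 'password'), undo leet."""
    base = re.sub(r"\d+$", "", pw.lower())
    return base.translate(LEET)


def _is_sequence(pw: str) -> bool:
    """True for runs like 12345678, abcdefgh, aaaaaaaa or keyboard rows like qwerty."""
    s = pw.lower()
    if len(s) < 2:
        return False
    if len(set(s)) == 1:                      # aaaaaaaa
        return True
    codes = [ord(c) for c in s]
    steps = {b - a for a, b in zip(codes, codes[1:])}
    if steps <= {1} or steps <= {-1}:         # ascending or descending run
        return True
    return any(s in row or s in row[::-1]
               for row in ("qwertyuiop", "asdfghjkl", "zxcvbnm"))


def check_password(pw: str) -> list:
    """Return the guidance rules that pw violates; an empty list means acceptable."""
    if not pw:
        return ["blank"]
    problems = []
    if pw.lower() in DEFAULT_PASSWORDS:
        problems.append("default")
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    norm = _normalise(pw)
    if norm in DICTIONARY:
        problems.append("dictionary word")
    if _is_sequence(pw) or _is_sequence(norm):   # abcd1234 -> 'abcd' after normalising
        problems.append("sequence")
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw))
    if sum(classes) < 3:
        problems.append("needs more character classes")
    return problems
```

Run against the page's own bad examples, "p@ssw0rd" is flagged as a dictionary word despite the substitutions and "abcd1234" as a sequence.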
Passwords and social media
- Be mindful of the information that you share on social media. Your posts may give a malicious individual the ability to successfully answer your security questions to a sensitive web site, reset your password and use your account.