Networking Services
Password Security
Everything you ever wanted to know about password security is in this document. From protection
strategies to password characteristics, it's everything you need to know to maintain a safe computing
environment.
- Overview
- Why Should I Care?
- Characteristics of a Strong Password
- How to Remember Complex Passwords
- Password Caveats
- Protecting Yourself Against Password Loss
- Writing Down Passwords, What do you do after we say "don't"?
- Forgotten Passwords, What can I do now?
Overview
Passwords are a critical aspect of computer security. They are the first line of defense that provides
protection for your user account. A poorly chosen password equates to a weak frontline, and may result
in the theft of your user account. A stolen user account could then be utilized to expose/steal other
network resources within the University. Therefore, all USI faculty, students, and employees (including
contractors and vendors with access to USI systems) are responsible for ensuring their accounts are
protected by secure passwords.
Why Should I Care About Password Security?
Your login name, or userID, allows you to access the resources and services associated with the
University of Southern Indiana's network. Every time you connect, you are challenged for your password
to validate your connection. If someone else determines your password, they can effectively assume your
electronic identity. This means that individual then has full access to your files, your e-mail, personal
information, and more. This intruder could modify or destroy your files, send threats via e-mail in your
name, or subscribe to unwanted services for which you'd have to pay. In short, an insecure password can
easily wreak havoc in your life.
Characteristics of a Strong Password
- Strong passwords are suggested for all accounts and should be at least 8 characters long, with a
mixture of upper and lower case letters, punctuation and numeric characters.
- Passwords should expire and require changing every 60 days.
- Passwords should remain confidential and original.
How to Remember Complex Passwords
It is possible to construct a password that is acceptable and memorable. The following are provided
as examples only and should not be used; create your own password unique and memorable to yourself.
- Creating a "pass phrase" is one way to memorize a complex password. An example
of a valid and secure pass phrase might be "Tqbf^0t1D", which is based on the old typing
practice sentence "The Quick Brown Fox Jumped Over the Lazy Dog!" Substituting numeric or
special characters adds to the complexity of the password, making it much more difficult to crack.
- Use lines from a childhood verse:
Verse Line: Yankee Doodle went to town
Password: Ydw2~twn
- Foods disliked during childhood:
Food: rice and raisin pudding
Password: r1c&ras1nP
- My license plate is "880-PTW". That's not acceptable; hackers know that people will use
their license plate as a password so it's very easy to scan for passwords which are license plates.
So, let's mix it up a bit - "88oh-PtW" is acceptable and is such a minor variation that I
ought to be able to remember it.
- Passwords should never be a word found in a dictionary (even foreign). Instead, use two or more
words joined together. Or, use a combination of words and numbers. For example, instead of "dog
and cat", use d0g+C4t! In this example, we have used upper and lowercase, numeric, and special
characters thus creating a very secure and easy to remember password.
Password Caveats (Should Not)
- Passwords should not be shared or written down. Treat your password like Kleenex: once shared with a
friend, don't use it again.
- Passwords should not be a word found in a dictionary (even foreign).
- Passwords should not contain any form of your name or userID. Don't use obvious passwords like
"password", "guest", "user", or "admin".
- Don't use personal information, such as names of family members or pets, your date of birth,
social security number, or other similar information as part of a password. Since such information may
be public, you should not use it in a password, even in combination with other characters.
- Don't use common words or acronyms, spelled forwards or backwards.
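The rules from "Characteristics of a Strong Password" and the caveats above can be checked mechanically. The following is an added example, not part of the original USI page or any USI system; the account details ("jdoe", "Jane Doe"), the small word list and the three-letter minimum for name matching are constructed assumptions.

```python
import string

MIN_LENGTH = 8                                     # "at least 8 characters long"
OBVIOUS = {"password", "guest", "user", "admin"}   # the obvious passwords the page names
SAMPLE_WORDS = {"yankee", "doodle", "pudding"}     # constructed stand-in for a dictionary file
CLASSES = {
    "upper case letter": string.ascii_uppercase,
    "lower case letter": string.ascii_lowercase,
    "numeric character": string.digits,
    "punctuation character": string.punctuation,
}

def check_password(password, user_id, full_name, words=SAMPLE_WORDS):
    """Return the list of rules the password breaks; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    for label, chars in CLASSES.items():
        if not any(c in chars for c in password):
            problems.append("no " + label)
    lowered = password.lower()
    # Name or userID anywhere in the password, "even in combination with other
    # characters". Skipping tokens under 3 letters is an assumption of this example.
    tokens = [user_id] + full_name.split()
    if any(len(t) >= 3 and t.lower() in lowered for t in tokens):
        problems.append("contains a form of your name or userID")
    # Strip digits and punctuation, then compare what is left with each word
    # spelled forwards and backwards, so "Password1!" and "drowssaP1!" both fail.
    letters = "".join(c for c in lowered if c.isalpha())
    if any(letters in (w, w[::-1]) for w in OBVIOUS | set(words)):
        problems.append("dictionary or obvious word, forwards or backwards")
    return problems

if __name__ == "__main__":
    # Constructed account details; candidate strings are the page's own samples
    # plus constructed failures.
    for candidate in ["Tqbf^0t1D", "88oh-PtW", "880-PTW", "Password1!", "Jdoe#2024x"]:
        print(candidate, check_password(candidate, "jdoe", "Jane Doe"))
```

The license plate "880-PTW" fails on both length and missing lower case, while the page's variation "88oh-PtW" passes every check.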
Protecting Yourself Against Password Loss
- DO NOT record your password on a post-it note stuck to your monitor or slid under your keyboard.
- If you have a secure location, such as a safe or a locked desk drawer, you may want to store a
written copy of your passwords there. DO NOT record your userID in the same location.
- Log off your computer at the end of the day.
- Avoid using password-saving features, such as Microsoft's Auto Complete feature.
- Use a password-protected screen saver if you leave your computer, even for a few minutes.
- If you think your password has been compromised, change it immediately.
- Remind everyone in your work area or office to change his or her passwords if someone in the group
is suddenly put on disciplinary leave, or is fired.
Writing down your password
There is a rule of thumb in the security community that one should never write down a password.
Writing down a password increases the risk of it falling into the wrong hands. However, passwords that
follow the practices in this document are often difficult to remember, and having to remember
more than one password further complicates the situation. If this is the case, then you could
record them, but make sure that they are stored in a secure place - white boards, sticky notes on your monitor,
and under your keyboard are not considered secure. Passwords should never be recorded with your userID, just as you
would never record your PIN on your bank card.
Forgotten Passwords
If you forget your password for a University resource, call the Computer Center Help Desk at x1080.
Define the resource(s) that you are having difficulty accessing. You will be transferred to the
appropriate technical support staff for Novell NetWare, Active Directory domain, MyUSI or Banner.
Once transferred, give your username and login problem details. If they cannot walk you through the
process, you will need to have your password changed.
- NetWare and Active Directory Domain:
- All users: You cannot get a new password over the telephone. We have no way of ensuring that you
are the user you claim to be. But, (and there's always a "but"), if a full-time Computer Center
network, computer maintenance or support person is with you, they can verify your identity. The technician
can then change your password and give it to you over the telephone.
If you have voicemail that says your name, not a department or generic name,
the technician can call your voicemail and leave the new password there. Departmental voicemail may be accessible
by multiple people, but your personal voicemail should have a password known only to you. Thus you need your
password to access your new password.
If neither applies, you will have to bring a picture ID to the Computer Center, OC046, next to the Cashiers'
window, to request a new password.
- MyUSI:
- Faculty/staff: You cannot get a new password over the telephone. We have no way of ensuring that you
are the user you claim to be. Bring a picture ID to the Computer Center, OC046, to request a password reset. Call
the Help Desk at x1080 to verify that appropriate staff is on-hand to assist you.
- Students: You must call or visit the Registrar's Office. The Registrar is located on the main floor of
the Orr Building. Simply drop by and display your Student ID to get your PIN. Distance Ed students may call
the Registrar at (812) 464-1762.
- Alumni: You must contact Nancy Johnson at (812) 464-1924.
If you should have any questions regarding these services, please contact our Help Desk at
(812) 465-1080 or contact us via email.