GUIDELINES TO PASSWORD SELECTION & MAINTENANCE

Password Selection

An ideal password would consist of a random sequence of characters. But such a password is generally inconvenient because it is difficult to learn and remember. The idea is to select an easy-to-remember password that is difficult for someone else to guess, i.e. one that for all practical purposes comes close to serving as a sequence of random characters.

Poor password choices that are very easy for serious intruders to guess include words from a dictionary (in any language), name of self, name of spouse or children, social security number, street name, or other information about one's self that is readily discovered.

A reasonably secure choice is to select a sentence from some book. Memorize the sentence and use the first letters of the words of the sentence to form a password. After using the password a few times, it will become easy to remember -- and if you should happen to forget it, you can always mentally repeat the more easily remembered sentence. To make this choice of password even more difficult to discover through an exhaustive search process, one should use a mix of upper and lower case letters, insert at least one special character, and make sure it is at least eight characters in length.
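The sentence method and the selection advice above can be checked mechanically. The following is an added example, not part of the department's policy or its password-acceptance rules; the function names, the sample sentence, the tiny word list and the personal details are all constructed for illustration.

```python
import string

# Constructed sample data (assumptions, not from the page): stand-ins for a
# real dictionary and for details an intruder could readily discover.
SAMPLE_DICTIONARY = {"password", "security", "computer", "letmein"}
SAMPLE_PERSONAL = {"alice", "maple", "123456789"}


def acronym_from_sentence(sentence):
    """Take the first character of each word, keeping its capitalisation."""
    return "".join(word[0] for word in sentence.split())


def selection_problems(password, dictionary=SAMPLE_DICTIONARY,
                       personal=SAMPLE_PERSONAL):
    """Return the reasons a candidate misses the selection advice above."""
    problems = []
    lowered = password.lower()
    if len(password) < 8:
        problems.append("shorter than eight characters")
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if not (has_lower and has_upper):
        problems.append("no mix of upper and lower case")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    # Whole-word match only; a real check would use a full word list.
    if lowered in dictionary:
        problems.append("dictionary word")
    if any(item in lowered for item in personal):
        problems.append("contains personal information")
    return problems


if __name__ == "__main__":
    # Constructed sentence; in practice it would come from a book you know.
    sentence = "My brother Sam bought nine green apples last Tuesday"
    base = acronym_from_sentence(sentence)
    print(base, selection_problems(base))
    improved = base[:5] + "!" + base[5:]   # insert one special character
    print(improved, selection_problems(improved))
```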

Local Constraints on Password Selection

To help improve system security, the password you choose must meet a minimum set of rules in order to be accepted. Your password will be rejected if any of the following conditions are met:

When changing your password, you will be notified of any failure in meeting these conditions and will be prompted for a new password again. You are expected to change your password frequently.

Password Maintenance

Once selected, your password should not be recorded anywhere -- on paper or in a computer file.

Passwords should be periodically changed to counter any undetected compromises.

If you believe that your password has been compromised and that your account is being used by some other individual, please present the evidence to the Computer Science Systems Support Group. They will place an audit on your account and any intruder will be discovered and prosecuted.

Although the above conditions may seem strict, they are intended for your protection by making both your account and the department computer systems more secure. If you have any questions or comments, please send them to ssg@cs.iastate.edu.