Educause Security Discussion mailing list archives

Re: Password aging


From: Jim Moore <jhmfa () RIT EDU>
Date: Tue, 13 Jan 2004 11:09:19 -0500

We had the unfortunate experience of having a password exposure for a small number of passwords, however, we could not 
tell which ones.

So we had to send an announcement, asking users to change their passwords.  And to make matters worse, it was just 
before Christmas break.

So what we added on was adapted from "Hard to Guess, doesn't necessarily mean Hard to Remember."

Be Sure to Select a Password that is
·      More than eight characters in length (longer is better).
·      Varied characters (alphabetical or numeric characters - without punctuation or duplication).  **Here is where we are bit by legacy systems - we will add in punctuation characters as soon as we can **
·      Mixed (upper and lower) case characters.
·      Not found in any dictionary (English or foreign language).
·      Unrelated to personal information someone could discover about you,
such as your name or the name of a family member, or your address, phone number, login name, social security number, 
brand of automobile, or favorite pastime. 

Three Easy Ways to Select a Secure Password
·      Choose a favorite quotation, book title, song, or poem, and use the first letter of each word, mixed with digits you can remember. For example, the quotation "Imagination is more important than knowledge" - Albert Einstein mixed with multiples of 2, might become "iimitk2468AE," or "24IimitkAE68."
·      Alternate between a random consonant and vowel to produce a nonsense word that can often be pronounced. For example, "hikupwaso." Now mix the case of the letters and add a few digits. For example, "hikup79WASO" or "HIKUPwaso79."
·      Choose two or more shorter words and concatenate them together with number(s) between them. For example: "booK451BradburY." or "4booK5bradburY1"
 
Go ahead and Write it down
Effective passwords may initially be harder to remember, especially over a holiday break. Go ahead and write it down and store it with your money or your credit cards and other "valuables."  Just don't put your new password on a post-it or calendar near your computer while you're away. Starting in 2004, everyone will be required to change their password about once per quarter (every 120 days).

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
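The rule list in the message above, turned into a checker, as an added example that is not part of the original post or of RIT's systems. The tiny word list, the personal-info tokens and the reading of "duplication" as a run of three or more identical characters are assumptions made for the example; the 120-day rotation window comes from the post.

```python
"""Checks a candidate password against the rules listed in the post."""
from datetime import date, timedelta
import re

# Constructed sample dictionary; a real check would load a full word list.
DICTIONARY = {"password", "imagination", "knowledge", "book", "bradbury",
              "einstein", "welcome"}

MAX_PASSWORD_AGE = timedelta(days=120)   # "about once per quarter (every 120 days)"


def check_password(password, personal_info=(), dictionary=DICTIONARY):
    """Return the list of rules the password violates (empty list means accepted)."""
    failures = []
    if len(password) <= 8:
        failures.append("length: must be more than eight characters")
    # The post's legacy systems accept only letters and digits, no punctuation.
    if not (password.isascii() and password.isalnum()):
        failures.append("charset: letters and digits only (no punctuation)")
    # Assumption: "duplication" read as three or more identical characters in a row.
    if re.search(r"(.)\1\1", password):
        failures.append("duplication: a character is repeated three or more times in a row")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        failures.append("case: must mix upper and lower case")
    lowered = password.lower()
    letters_only = re.sub(r"[0-9]", "", lowered)
    # Reject a plain dictionary word, with or without digits mixed in.
    if lowered in dictionary or letters_only in dictionary:
        failures.append("dictionary: password is a dictionary word")
    # Personal info: any token of three or more characters found in the password fails.
    for item in personal_info:
        for token in re.split(r"\W+", item.lower()):
            if len(token) >= 3 and token in lowered:
                failures.append(f"personal: contains '{token}'")
                break
    return failures


def password_expired(last_changed, today):
    """True once the password is older than the 120-day window; dates are ISO strings."""
    return date.fromisoformat(today) - date.fromisoformat(last_changed) > MAX_PASSWORD_AGE


if __name__ == "__main__":
    # Constructed personal details for a fictional user.
    info = ["John Smith", "jsmith", "555-1234"]
    for pw in ["iimitk2468AE", "hikup79WASO", "booK451BradburY",
               "Imagination", "Smith1234x", "aaaBBB111x", "hikup79WASO!"]:
        print(pw, check_password(pw, info) or "ok")
```

The three sample passwords from the post pass every rule, while a dictionary word, a password containing the user's surname, and one with punctuation are each rejected with the rule that caught them.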
