Protecting Your Password
By Kathy Deck
Each year, thousands of computers around the world
are illegally accessed by unscrupulous individuals, known as hackers,
who look for vulnerable systems that they can infiltrate. The results of
these attacks can range widely from mildly inconvenient to debilitating for
the hacker's victims. According to a report recently issued by the
(http://www.whitehouse.gov/pcipb/), computer users in
higher education are especially vulnerable to security attacks, because
many hackers search for computer networks that provide access to
sensitive research or to government-related information. Hackers also target
the high speed connectivity available in university systems to conduct
illegal trading of copyrighted materials and to launch Denial of Service (DOS)
and other similar attacks that can impact large numbers of
Internet users. According to the report, all computers, including those used in
the largest organizations in the world, can be compromised by hostile
attacks. These security breaches, however, can often be avoided by taking a
number of preventive steps. One of the simplest of these is to create
an effective password. An effective password is one that is difficult for
an intruder to guess; it should be as long as possible and should contain at
least one alphabetic, one numeric, and some non-alphanumeric
characters like @, #, and %.
"Guessing weak passwords is one of the ways hackers are able
to gain access to a system," says Kathleen Kimball, director of
ITS Security Operations and Services (SOS). "Password security should
be taken as seriously as a PIN number for your ATM card. If you
don't protect your password, you could be making it very easy for an
unscrupulous person to gain illegal access, not only to your system, but to other
Penn State networks, including high-profile University departments
conducting sensitive research. By protecting your password, you are protecting
Avoid the obvious! Here are some simple rules to follow
when creating passwords:
- Do not use a password that includes your name, user ID,
license plate, simple patterns (such as qwerty, 12345, etc.), phone number,
street address, or any information about you that is easily available to others.
In addition, do not use any of the above examples spelled backwards.
- Do not use words that are found in the dictionary. Both
English and foreign words can be easily found by hackers running a
password cracking program against the target machine.
- The more characters you use in your password, the better.
The number of possible combinations increases exponentially with
each additional character. Passwords should be at least six characters
|All computers can be
compromised by hostile attacks. These security breaches, however, can often be
avoided by taking a number of preventive steps and one of the simplest of
these is to create an effective password.|
- One good password choice is an acronym of a quotation
important to you. For example, "Education's purpose is to replace an empty
mind with an open one" would become, "epi2raemwaoo".
- Never reuse an old password. Always create a fresh and
new password to avoid the possibility of using an old password that has
When accessing a computer, use common sense:
- Log off the computer when you are done. If you don't log
off, somebody else can use your active session and abuse your
privileges. This is especially important if you
log in to a shared environment such as a lab.
- Lock your workstation. Any time you leave your desk or
residence hall room, be sure to secure your workstation. Be sure to log off
your system. Windows NT, 2000, and XP users can press Ctrl-Alt-Del and
select the lock computer option.
- Avoid saving passwords in file transfer, Web browsers, and
e-mail programs. Saving the passwords makes logging in easier, but
your password is written to a file on your hard drive where intruders can find
it, allowing them to view, modify, or destroy your files. Taking a
few seconds to enter your password manually is worth the time and effort.
- Send data online only over a secure connection. If you have
to enter confidential data in a form (e.g., credit card number, social
security number, etc.) always check to see if the data will be transferred over
a secure connection. Look for a closed padlock symbol in your
browser's status bar. A closed padlock means the information will be sent in
- Never share your password with anyone. Once you share
your password, you lose control over how your account is used, even though
you are still responsible for anything done in your name. Sharing your
password is a violation of University policy AD20. Beware of anyone claiming
to need your password. Penn State system administrators, employees,
or peers should never ask for or be given your password.
- Do not allow others to look over your shoulder as you are
typing in a password.
- Never leave your password written on a post-it note or any
other piece of paper that can be easily located on your desk, in your
wallet, or even in a day planner or a PDA. Do not store unencrypted passwords in
a file on your computer.
- Change all of your various passwords frequently (at least
every three months). Using the same password for an extended period
of time gives intruders more time to crack your password.
- Do not use the same password on multiple systems or applications.
If someone guesses a password for one, you don't want them to have access
to all your systems and applications.
- Turn off filesharing. If you have to share files, never
include passwords, credit card numbers, or any private information. Protect
the shares with passwords or restricted permission settings. Be sure to
turn filesharing off as soon as you finish sharing any files.
Safe computing is an ongoing task, and a strong password is
only one element of a variety of procedures students, staff, and faculty
should employ to ensure that their systems are protected and secure.
Passwords need to be used along with other means of security that include
updated anti-virus software and a personal firewall such as ZoneAlarm
or Symantec's Norton Personal Firewall (see
http://www.symantec.com/sabu/nis/npf/ to find out more about
personal firewall protection).
Additional computer security information can be found on
the Security Operations and Services web site at
Newsletter Home Page