Protecting Your Password
By Kathy Deck
Each year, thousands of computers around the world
are illegally accessed by unscrupulous individuals, known as hackers,
who look for vulnerable systems that they can infiltrate. The results of
these attacks can range widely from mildly inconvenient to debilitating for
the hacker's victims. According to a report recently issued by the
White House
(http://www.whitehouse.gov/pcipb/), computer users in
higher education are especially vulnerable to security attacks, because
many hackers search for computer networks that provide access to
sensitive research or to government-related information. Hackers also target
the high-speed connectivity available in university systems to conduct
illegal trading of copyrighted materials and to launch Denial of Service (DoS)
and similar attacks that can affect large numbers of
Internet users. According to the report, all computers, including those used in
the largest organizations in the world, can be compromised by hostile
attacks. These security breaches, however, can often be avoided by taking a
number of preventive steps. One of the simplest of these is to create
an effective password. An effective password is one that is difficult for
an intruder to guess; it should be as long as possible and should contain at
least one alphabetic, one numeric, and some non-alphanumeric
characters like @, #, and %.
"Guessing weak passwords is one of the ways hackers are able
to gain access to a system," says Kathleen Kimball, director of
ITS Security Operations and Services (SOS). "Password security should
be taken as seriously as a PIN number for your ATM card. If you
don't protect your password, you could be making it very easy for an
unscrupulous person to gain illegal access, not only to your system, but to other
Penn State networks, including high-profile University departments
conducting sensitive research. By protecting your password, you are protecting
the University."
Avoid the obvious! Here are some simple rules to follow
when creating passwords:
- Do not use a password that includes your name, user ID,
license plate, simple patterns (such as qwerty, 12345, etc.), phone number,
street address, or any information about you that is easily available to others.
In addition, do not use any of the above examples spelled backwards.
- Do not use words that are found in the dictionary. Password cracking
programs try every word in English and foreign-language word lists, plus
simple variations such as reversed spelling or an appended digit, in seconds.
They are usually run offline against a stolen copy of the password file, so a
slow login prompt is no protection against them.
- The more characters you use in your password, the better.
Each additional character multiplies the number of possible passwords by the
size of the character set, so the search space grows exponentially with
length. Passwords should be at least six characters long, and longer is
better.
- One good password choice is an acronym of a quotation
important to you. For example, "Education's purpose is to replace an empty
mind with an open one" would become "epi2raemwaoo". As written, this example
lacks the non-alphanumeric character recommended above, so add one of your
own; and never use a password that has appeared in print, including this one.
- Never reuse an old password. Always create a fresh and
new password to avoid the possibility of using an old password that has
been compromised.
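The rules above can be checked mechanically before a password is accepted. The following is an added example, not code from Penn State or ITS Security Operations and Services: a small policy checker that applies this article's rules (minimum length, character classes, personal information forwards and backwards, keyboard and digit patterns, dictionary words including reversed spelling) and reports an estimate of the brute-force search space; it also reproduces the acronym trick from the example above. The word list, user profile and sample passwords are constructed for illustration, and a real deployment would load full English and foreign-language word lists and the user's directory record.

```python
"""Password policy checker built from the rules in this article.

Added example, not Penn State's or SOS's code. The dictionary, user profile
and sample passwords are constructed for illustration only.
"""
import math
import re
import string

# Constructed mini-dictionary; a real check loads full word lists.
DICTIONARY = {"education", "purpose", "password", "summer", "nittany", "welcome"}

# Keyboard walks and digit runs the article calls "simple patterns".
SIMPLE_PATTERNS = ("qwerty", "asdfgh", "12345", "abcdef", "password")

# Words whose sound doubles as a digit; the article turns "to" into "2".
SOUND_ALIKES = {"to": "2", "too": "2", "for": "4", "ate": "8"}

MIN_LENGTH = 6  # the article's minimum; longer is better


def keyspace_bits(password):
    """Bits of brute-force search space implied by the character classes used.

    Each added character multiplies the space by the alphabet size, which is
    why length dominates: 26**6 is about 2**28, while 94**12 exceeds 2**78.
    """
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)  # 32 printable symbols
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def check_password(password, profile):
    """Return a list of rule violations; an empty list means the password passes.

    `profile` maps labels to facts about the user that others can easily
    learn (name, user ID, phone number, license plate, street address).
    """
    problems = []
    lowered = password.lower()

    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not re.search(r"[A-Za-z]", password):
        problems.append("no alphabetic character")
    if not re.search(r"[0-9]", password):
        problems.append("no numeric character")
    if not any(c in string.punctuation for c in password):
        problems.append("no non-alphanumeric character (e.g. @, #, %)")

    # Personal information, forwards and spelled backwards.
    for label, value in profile.items():
        for part in re.findall(r"[a-z0-9]+", str(value).lower()):
            if len(part) >= 3 and (part in lowered or part[::-1] in lowered):
                problems.append("contains %s (forwards or reversed)" % label)
                break

    # Keyboard walks and digit runs, in either direction.
    for pat in SIMPLE_PATTERNS:
        if pat in lowered or pat[::-1] in lowered:
            problems.append("contains simple pattern '%s'" % pat)

    # Dictionary words, ignoring digits and symbols: crackers try "summer"
    # with common suffixes such as "2002!" long before brute force, and they
    # try reversed spellings too.
    letters = re.sub(r"[^a-z]", "", lowered)
    for word in (letters, letters[::-1]):
        if word in DICTIONARY:
            problems.append("is a dictionary word ('%s')" % word)
            break
    return problems


def acronym(quotation):
    """First letter of each word, with sound-alike words replaced by digits.

    Reproduces the article's example. Append a punctuation character of your
    own so the result also satisfies the symbol rule.
    """
    out = []
    for word in re.findall(r"[A-Za-z']+", quotation):
        w = word.lower()
        out.append(SOUND_ALIKES.get(w, w[0]))
    return "".join(out)


if __name__ == "__main__":
    # Constructed profile for a hypothetical user.
    user = {"name": "Kathy Deck", "user id": "kxd12", "phone": "814-555-0100"}
    for candidate in ("kathy1", "summer2002!", "drowssap1!", "epi2raemwaoo!"):
        print("%-14s %5.1f bits  %s" % (candidate, keyspace_bits(candidate),
                                        check_password(candidate, user) or "OK"))
    print(acronym("Education's purpose is to replace an empty mind with an open one"))
```

Run as a script it prints each candidate with its search-space estimate and the rules it breaks; only the acronym password with a trailing symbol passes. The checker is a floor, not a guarantee: a password that passes every rule here can still be weak if it is reused elsewhere or has been printed anywhere.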
When accessing a computer, use common sense:
- Log off the computer when you are done. If you don't log
off, somebody else can use your active session and abuse your
privileges. This is especially important if you
log in to a shared environment such as a lab.
- Lock your workstation. Any time you leave your desk or
residence hall room, lock the screen or log off so nobody can use your
session. Windows NT, 2000, and XP users can press Ctrl-Alt-Del and
select the lock computer option.
- Avoid saving passwords in file transfer programs, Web browsers, and
e-mail clients. Saving the passwords makes logging in easier, but
your password is written to a file on your hard drive where intruders can find
it, allowing them to view, modify, or destroy your files. Taking a
few seconds to enter your password manually is worth the time and effort.
- Send data online only over a secure connection. If you have
to enter confidential data in a form (e.g., credit card number, social
security number, etc.), always check that the data will be transferred over
a secure connection. Look for a closed padlock symbol in your
browser's status bar. A closed padlock means the information will be sent in
encrypted form; it says nothing about who is on the other end, so also
confirm that the address shown is the site you intended to visit.
- Never share your password with anyone. Once you share
your password, you lose control over how your account is used, even though
you are still responsible for anything done in your name. Sharing your
password is a violation of University policy AD20. Beware of anyone claiming
to need your password. Penn State system administrators, employees,
or peers should never ask for or be given your password.
- Do not allow others to look over your shoulder as you are
typing in a password.
- Never leave your password written on a post-it note or any
other piece of paper that can be easily located on your desk, in your
wallet, or even in a day planner or a PDA. Do not store unencrypted passwords in
a file on your computer.
- Change all of your various passwords frequently (at least
every three months). Using the same password for an extended period
of time gives intruders more time to crack your password.
- Do not use the same password on multiple systems or applications.
If someone guesses a password for one, you don't want them to have access
to all your systems and applications.
- Turn off filesharing. If you have to share files, never
include passwords, credit card numbers, or any private information. Protect
the shares with passwords or restricted permission settings. Be sure to
turn filesharing off as soon as you finish sharing any files.
Safe computing is an ongoing task, and a strong password is
only one element of a variety of procedures students, staff, and faculty
should employ to ensure that their systems are protected and secure.
Passwords need to be used along with other means of security that include
updated anti-virus software and a personal firewall such as ZoneAlarm
or Symantec's Norton Personal Firewall (see
http://www.zonelabs.com and
http://www.symantec.com/sabu/nis/npf/ to find out more about
personal firewall protection).
Additional computer security information can be found on
the Security Operations and Services web site at
http://sos.its.psu.edu.

