How To Choose a Good Password Phrase

Introduction

Why Passphrase instead of password? Several reasons:

  • They are longer, and harder to "brute force";
  • They are easier to remember than cryptic random passwords;
  • They are easier to type.

Since June 2010 this (NRAO's public Wiki) has had the ability to support passphrases of up to 255 characters.

This page provides basic guidelines on choosing a good passphrase, and instructions on how to change your passphrase on this wiki, under UNIX and under Windows. Remember that your passphrase is our first line of defense against intruders. It benefits everyone if you take a few minutes to choose a really good passphrase that you can remember, but that other people can't easily break.

You should never tell anyone else what your passphrase is, or put it in a file, or an unencrypted email message. NRAO System Administrators will NEVER ask for your passphrase (or password) (ever!). If you must give someone else your passphrase for some unusual reason, you need to change it immediately after they have finished using it (this is common sense, and our security policy).

Today's password- and passphrase-"cracking" programs are extremely sophisticated, so simply appending numbers or capitalizing words or names in some logical way to a single password won't make it more secure. These programs also check for simple substitutions such as 0 (zero) for O, 1 (one) for I, and $ for S. Characters other than letters and numbers can help to make your passphrase harder to crack.

For our collaborators: It is NRAO policy to require that your passphrase on our systems be different from that at your home institution.

For our staff: don't use your work password for your home computers, or any accounts you have elsewhere (other University accounts, etc.).

A good Passphrase Recipe

Because most of our systems including this Wiki can support very long passwords, it makes sense to use a phrase instead (yes, you can have a space, or several, in a password/passphrase). Here's a good recipe for coming up with such a phrase.

  1. Think of a memorable phrase, for example I like to garden. Yummy cucumbers
  2. Now deliberately mis-spell something in the phrase: I lkie to gardan. Yummy cucumbers
  3. Optionally replace a word: I lkie to gardan. Mummy cucumbers
  4. Change case in one or two characters: I lkie to gardan. Mummy CuCumbers
  5. Add some random non-alpha characters or numbers: I l7kie to gardan. Mu#my !CuCumbers

Many of us have been using passphrases in place of passwords for years, and in most cases we find them easier to remember and (surprisingly) easier to type than the randomly generated short 8-character passwords that one encounters elsewhere.

General Passphrase Guidelines

Do's:

  1. Do make a passphrase you can (eventually) remember without writing it down.
    • If you do write it down, make sure to keep it in a safe place (wallet, etc.)
  2. Do make your passphrase at least eighteen (yes, 18) characters long.
  3. Do make use of at least three of these:
    • uppercase letters
    • lowercase letters
    • numbers
    • punctuation and extra characters (,.;:'"!@#$%^&*()_-+=)
  4. Do change your passphrase immediately if you think someone else may have found out what it is (e.g., via shoulder surfing)

Don'ts:

  1. Don't use a single dictionary word by itself (in any language). This includes profanities and colourful metaphors!
  2. Don't use a well known phrase, e.g., Every Good Boy Deserves Favour
  3. Don't use a place, a person's or pet's name, or common acronyms.
  4. Don't use your phone number(s) just by itself.
  5. Don't use anything simple that someone might think of in relation to you or your work
  6. Don't use a dictionary word with only one extra character before or after it.
  7. Don't combine "unrelated" words to form the password, or use only a common phrase (in any language)
  8. Don't tell anyone else your passphrase (no exceptions! System Administrators will NEVER ask for it).

Examples of things NOT to use:

  • Passphrases
    • Thank goodness it's Friday (common phrase, unaltered)
    • Oh Be A Fine Girl... (the Main Sequence stellar types)
    • My phone number is 296-0211 (too easy for an intruder to guess)
  • Passwords
    • TGIF (common acronym)
    • OBAFGKM (the Main Sequence stellar types)
    • 3c273 or NGC2167 (common Astronomy sources)
    • NCC1701 (popular Science Fiction acronyms or starships)
    • weLLcar (combining unrelated words in too simple a manner)
    • Lizards% (simple word, one extra character)
    • 2960211 (phone number)
    • tabrotr or tabmotr (common phrase: There's A Bathroom/BadMoon on the Right/Rise)
    • Msldn=B! (the example in the previous section); we will be checking for it!!!
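The Do's and Don'ts above can be turned into a mechanical pre-check, which is how a system would reject the weak examples in this list before a user is allowed to set them. The script below is an added example and is not code from the NRAO wiki; its dictionary, phrase and token lists are tiny and constructed from the page's own examples (a real deployment would load a system word list such as /usr/share/dict/words and a much larger phrase list), and the violation messages are my own wording.

```python
# Passphrase policy checker for the Do's and Don'ts on this page.
# Added example, not code from the NRAO wiki. The word, phrase and token
# lists are constructed from the page's own examples; a real checker would
# load a system dictionary (e.g. /usr/share/dict/words) and a larger phrase list.

MIN_LENGTH = 18     # Do #2: at least eighteen characters
MIN_CLASSES = 3     # Do #3: at least three of the four character classes

# Constructed sample data (a real deployment needs far larger lists).
DICTIONARY = {"lizards", "lizard", "well", "car", "garden", "cucumbers",
              "password", "friday", "goodness", "thank", "yummy"}
COMMON_PHRASES = {"thank goodness it's friday", "every good boy deserves favour",
                  "oh be a fine girl", "there's a bathroom on the right",
                  "there's a bad moon on the rise"}
KNOWN_TOKENS = {"tgif", "obafgkm", "3c273", "ngc2167", "ncc1701",
                "tabrotr", "tabmotr", "msldn=b!"}

SHORT = "shorter than %d characters" % MIN_LENGTH
FEW_CLASSES = "uses fewer than %d character classes" % MIN_CLASSES
SINGLE_WORD = "is a single dictionary word"
KNOWN_PHRASE = "is a well-known phrase"
KNOWN_TOKEN = "is a common acronym, name or source designation"
PHONE = "looks like a bare phone number"
WORD_PLUS_ONE = "is a dictionary word with one extra character"
JOINED_WORDS = "is two dictionary words joined too simply"


def _normalize(p):
    """Lowercase; keep letters, digits, apostrophes and single spaces."""
    kept = "".join(c.lower() for c in p if c.isalnum() or c in " '")
    return " ".join(kept.split())


def _class_count(p):
    """Count the character classes from Do #3 that appear in p."""
    upper = any(c.isupper() for c in p)
    lower = any(c.islower() for c in p)
    digit = any(c.isdigit() for c in p)
    punct = any(not c.isalnum() and not c.isspace() for c in p)
    return sum((upper, lower, digit, punct))


def check_passphrase(p):
    """Return the list of guideline violations found in p (empty = acceptable)."""
    problems = []
    if len(p) < MIN_LENGTH:
        problems.append(SHORT)
    if _class_count(p) < MIN_CLASSES:
        problems.append(FEW_CLASSES)

    lowered = p.lower()
    norm = _normalize(p)
    compact = norm.replace(" ", "").replace("'", "")

    if lowered in DICTIONARY:                                  # Don't #1
        problems.append(SINGLE_WORD)
    if norm in COMMON_PHRASES:                                 # Don't #2
        problems.append(KNOWN_PHRASE)
    if lowered in KNOWN_TOKENS or compact in KNOWN_TOKENS:     # Don't #3
        problems.append(KNOWN_TOKEN)
    if compact.isdigit() and len(compact) in (7, 10):          # Don't #4
        problems.append(PHONE)
    if len(p) > 1 and (lowered[1:] in DICTIONARY
                       or lowered[:-1] in DICTIONARY):         # Don't #6
        problems.append(WORD_PLUS_ONE)
    if compact.isalpha() and " " not in p and any(             # Don't #7
            compact[:i] in DICTIONARY and compact[i:] in DICTIONARY
            for i in range(1, len(compact))):
        problems.append(JOINED_WORDS)
    return problems


if __name__ == "__main__":
    for candidate in ("I l7kie to gardan. Mu#my !CuCumbers",
                      "Thank goodness it's Friday", "weLLcar", "Lizards%", "2960211"):
        print(repr(candidate), "->", check_passphrase(candidate) or "OK")
```

The recipe's final phrase passes every check, while weLLcar, Lizards% and 2960211 each trip the Don't they were listed under. Note what the checker cannot do: "My phone number is 296-0211" passes, because Don't #5 (nothing someone might associate with you) needs human judgement, and the lists here are only as good as what you load into them.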

What characters can I use?

This is different for different computers. For some systems, the < and > symbols cause problems (e.g., PeopleSoft).

Unix, Linux, Solaris, Wikis

All characters are valid except:

  • <Backspace>, <Tab>, <Enter>, <Delete>, @, #, and meta characters (e.g., holding down the <Control> and/or <Alt> key while subsequently pressing another key)

Windows

This is for any service that uses Active Directory (AD). Valid characters are:

  • Uppercase and lowercase letters: A-Z, a-z
  • Numbers: 0-9
  • These special characters: @ # ! " $ % ' ( ) * + , - . / \ : ; < = > ? [ ] ^ _ ` { | } ~
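Because the two rule sets above run in opposite directions (Unix lists what is excluded, Active Directory lists what is included), it is easy to pick a passphrase that one system will reject. The script below is an added example, not code from the NRAO wiki: it encodes both lists as written on this page and reports which platform would accept a candidate. One assumption is marked in the code: the Active Directory list above does not mention the space, although the recipe section says a passphrase may contain spaces, so the space is treated as allowed.

```python
# Platform character rules from this page: Unix/Linux/Solaris/Wikis accept
# anything except the listed characters; Active Directory accepts only the
# listed ones. Added example, not code from the NRAO wiki.
import string

# Unix side: the page excludes @, #, and the control keys (Backspace, Tab,
# Enter, Delete) plus Control/Alt combinations; all of those arrive as
# control characters, so any code point below 32 or equal to 127 is rejected.
UNIX_FORBIDDEN = {"@", "#"}

# Active Directory side: letters, digits and the page's list of specials.
AD_SPECIALS = set("@#!\"$%'()*+,-./\\:;<=>?[]^_`{|}~")
# Assumption: the page's AD list omits the space, although the page says a
# passphrase may contain spaces; it is treated as allowed here.
AD_ALLOWED = set(string.ascii_letters) | set(string.digits) | AD_SPECIALS | {" "}


def unix_problems(p):
    """Characters in p that the Unix/Wiki rules reject, sorted, without duplicates."""
    return sorted({c for c in p
                   if c in UNIX_FORBIDDEN or ord(c) < 32 or ord(c) == 127})


def ad_problems(p):
    """Characters in p that the Active Directory rules reject."""
    return sorted({c for c in p if c not in AD_ALLOWED})


def platforms_accepting(p):
    """Names of the platforms (from this page) whose character rules p satisfies."""
    accepted = []
    if not unix_problems(p):
        accepted.append("unix")
    if not ad_problems(p):
        accepted.append("windows")
    return accepted


if __name__ == "__main__":
    for candidate in ("I l7kie to gardan. Mu#my !CuCumbers", "Oh Be A Fine Girl...",
                      "Yummy caf\u00e9 @ noon"):
        print(repr(candidate), "unix rejects:", unix_problems(candidate),
              "AD rejects:", ad_problems(candidate),
              "usable on:", platforms_accepting(candidate) or "neither")
```

Running it shows a caveat worth knowing before you follow the recipe: the recipe's own result contains a #, which the Unix list above excludes, so that exact phrase would be accepted by Active Directory but refused by the Unix systems and the wikis. Accented letters go the other way: Unix takes them, the Active Directory list does not.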

Changing your password

  • Close your office door and do it alone.
  • Wikis:
  • Windows: ChangingWindowsPasswords has what you need to know.
  • UNIX or Linux:
    • Go to the staff.nrao.edu server and click on the Change my Passwords link.
    • Or, from the command line, if using NIS, use the yppasswd command, then follow the prompts to enter first your old and then your new password.
      • Just use passwd for a standalone system like a laptop. The behaviour is similar.
  • IDEA! For extra security under Unix, perform the password changes in an xterm, and use <control-LeftMouse> to secure the keyboard while you enter passwords; this locks the keyboard to the xterm, and no other X application can grab the keyboard focus while you're doing this.

-- PatrickMurphy - 2010-07-16
Topic revision: r7 - 2010-07-16, PatrickMurphy