Inside Iowa State

Inside Iowa State, a newspaper for faculty and staff, is published by the Office of University Relations.

October 21, 2005

Passwords that pass

by Samantha Beres

Those hackers out there don't sleep. These days, they have programs that can guess passwords in seconds, at least the weak passwords. And they continually probe machines to see if they can gain access.

Truth be told, all short passwords can be cracked, eventually. The new thing is to use "passphrases": where an account allows it, you create a password that is more than 15 characters long.

The hackers are looking to steal personal information like social security numbers, or for space to use as a distribution site.

"In most cases (on campus) they aren't interested in what is on the machine itself," said Mike Bowman, director of IT security and policies. Most compromised machines he has seen on campus have been set up as distribution sites, for example for the illegal distribution of copyrighted material.

Bowman said one way hackers gain access to a computer is through accounts on machines with poor passwords.

Hackers aside, there also is the risk of someone just looking over your shoulder to steal your password, or discovering that sticky note you have discreetly stuck somewhere in your office.

Dos and don'ts

Any way you cut it, the best way to protect your computer accounts and your own identity is to create a strong password and safeguard it.

For starters, here are some things NOT to do when you create your next password:

  • Stay away from dictionary words. Banana, reptile and God (apparently a very popular password) all are susceptible to password cracking programs. This also includes words spelled backwards. Don't stick words together, like lovehate. Also stay away from letter or number runs like qrstuv or 456789.
  • Don't use personal information. This includes your or your spouse's name, your pet's name, account names or numbers, address, birthdates and phone numbers. If someone is trying to guess your password, they may use this sort of information.

Here are some tips for creating a strong password:

  • Include a mix of upper and lower case letters, numbers and other characters. This will fool the dictionary guessers and could look something like this: 3BmcHtR%.
  • Use at least six characters. The longer a password is, the harder it is to crack or observe.
  • Create a password you can remember, and don't write it down. Though some people have several passwords and may have to write them somewhere, memory is the safest place for a password. Also pick one that can't be guessed. If your pet's name is muffin, then, obviously, muffin is not a great choice.
  • Use the first letters of an uncommon sentence, song, poem or expression as a base. For example, "You can't teach an old dog new tricks" becomes U(t@0dNt.
  • If your password can be longer than 15 characters, consider using a passphrase. This could be a line from a song or a book, or just a statement that is memorable to you. Don't pick a really obvious one. Spelling one of the words wrong such as "Youcantteachanolddognewtrix" will add to the safety.
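The dos and don'ts above can be turned into an automated check. The sketch below is an added example, not part of the original article: the tiny word list is a constructed stand-in for a real dictionary file, the run length of four and the exemption of passphrases longer than 15 characters from the character-mix rule are assumptions, and the function names are hypothetical.

```python
import re

# Constructed stand-in word list; a real check would load a full dictionary file.
WORDS = {"banana", "reptile", "god", "love", "hate", "muffin"}

def has_run(pw, length=4):
    """True if pw holds `length` ascending letters or digits in a row (qrstuv, 456789)."""
    s, streak = pw.lower(), 1
    for prev, cur in zip(s, s[1:]):
        same_kind = (prev.isdigit() and cur.isdigit()) or (prev.isalpha() and cur.isalpha())
        streak = streak + 1 if same_kind and ord(cur) - ord(prev) == 1 else 1
        if streak >= length:
            return True
    return False

def is_words_only(s, words):
    """True if s is one dictionary word or several stuck together (lovehate)."""
    ok = [True] + [False] * len(s)      # ok[i]: the first i characters split into words
    for i in range(1, len(s) + 1):
        ok[i] = any(ok[j] and s[j:i] in words for j in range(i))
    return bool(s) and ok[len(s)]

def check_password(pw, personal=(), words=WORDS):
    """Return the list of the article's rules that pw breaks (empty list = passes)."""
    low, problems = pw.lower(), []
    if len(pw) < 6:
        problems.append("shorter than six characters")
    if is_words_only(low, words) or is_words_only(low[::-1], words):
        problems.append("dictionary word(s), possibly reversed or stuck together")
    if has_run(pw):
        problems.append("letter or number run")
    if any(p and p.lower() in low for p in personal):
        problems.append("contains personal information")
    # Assumption: passphrases longer than 15 characters are exempt from the mix rule.
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]"]
    if len(pw) <= 15 and not all(re.search(c, pw) for c in classes):
        problems.append("lacks a mix of cases, numbers and other characters")
    return problems

if __name__ == "__main__":
    for candidate in ["lovehate", "ananab", "456789", "3BmcHtR%", "Youcantteachanolddognewtrix"]:
        print(candidate, "->", check_password(candidate) or "passes")
```

Pass pet names, account names, birthdates and similar details in `personal` so the personal-information rule has something to compare against.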

Multiple accounts, multiple passwords

A good password should be unique to each account you hold. Someone gaining access to all of your accounts in one fell swoop could do more damage than if it were just one of your accounts. It's analogous to having one credit card stolen rather than your whole wallet.

Then there is the obvious: Don't tell anyone your password. Bowman points out that everyone in the university community has his or her own accounts. Therefore, there is no need to share an account, or a password, with anyone. He added that if you have been using a computer in public and think a password has been exposed, change it. And change it anytime you think it's been exposed.

Summary

Using a "passphrase," a password that is more than 15 characters, will help protect your computer from hackers.