The University of North Carolina at Chapel Hill
College of Arts and Sciences
Department of Computer Science
Information on passwords
reviewed 9/20/05 by John Sopko
This article provides some general rules on passwords, specific
restrictions on Computer Science passwords, and tips on choosing
passwords.
GENERAL RULES ON PASSWORDS
Your account password is the key to accessing and modifying all of your
files. If another user discovers your password, he or she can delete all
your files, modify important data, read your private correspondence, and
send mail out in your name. You can lose much time and effort recovering
from such an attack. If you practice the following suggestions, you can
minimize the risk.
1) NEVER give another user your password. Doing so is a violation of
the account agreement on Computer Science accounts. You can change
permissions and have groups set up if you need to share access with
others.
2) Never write down your password. If you feel you must write it down
to remember it, then keep the password in a safe place, like in your
wallet. Another person can read it from your blotter, calendar, etc.
as easily as you can.
3) Never use passwords that can be guessed, either from personal
information about you (birth date, etc.) or from an on-line dictionary.
As computers become more powerful, it is possible to run programs that
try to crack your password. The intruder compiles a set of words
(such as those in the UNIX dictionary) and tries each one on each
account on the machine. A person with local knowledge can also try
your spouse's name, pets' names, etc. Your account is vulnerable to
this type of cracking unless you choose your password carefully.
4) Change your password regularly. For this you use http://www/cs.unc.edu/webpass.
You can do this from anywhere, and it will change your password on all
UNC Computer Science systems.
5) Vary the system by which you choose a password. For example, don't
repeatedly use combinations like BLUEgreen and REDyellow. If an
intruder discovers your pattern, he or she can guess future passwords.
See below for an example of a good choosing algorithm.
6) Don't use the same password on machines outside this department.
This way if your password is compromised it can not be used for
other purposes.
SPECIFIC RESTRICTIONS ON COMPUTER SCIENCE PASSWORDS
The following rules are enforced by cspasswd, the program used to
change passwords on our UNIX systems:
- Must be 8 or more characters
- Must not share six or more consecutive characters with your login id (or, if your login id is shorter than six characters, its full length)
- First 8 characters must contain at least 2 letters
- First 8 characters must contain at least 1 digit
- Must contain at least one of: !@#$%&*+={}?<>"'
- Must not start with a hyphen (-)
- Must not end with a backslash (\)
- Must not contain a double quote (") except as the last character
- Must not be a previous or current password
- Must vary by at least 3 characters from your current password
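The following checker is an added illustration of the rules above, not the department's cspasswd source. It assumes the login-id comparison is case-insensitive and measures "vary by at least 3 characters" as Levenshtein edit distance from the current password; the login id and passwords in the sample run are constructed.

```python
# Added example, not the cspasswd program. Assumptions: login-id comparison is
# case-insensitive; "vary by at least 3 characters" is Levenshtein edit distance.
SPECIAL = set('!@#$%&*+={}?<>"\'')

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used for the 'vary by at least 3 characters' rule."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_password(pw: str, login: str, history: list) -> list:
    """Return the rules the candidate violates (empty list means accepted).
    history[-1] is the current password; earlier entries are previous ones."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    # Shared run with the login id must stay below six (or below the login length).
    limit = min(6, len(login))
    lo_pw, lo_login = pw.lower(), login.lower()
    if login and any(lo_login[i:i + limit] in lo_pw
                     for i in range(len(lo_login) - limit + 1)):
        problems.append(f"shares {limit}+ consecutive characters with login id")
    head = pw[:8]
    if sum(c.isalpha() for c in head) < 2:
        problems.append("first 8 characters need at least 2 letters")
    if not any(c.isdigit() for c in head):
        problems.append("first 8 characters need at least 1 digit")
    if not any(c in SPECIAL for c in pw):
        problems.append("needs one of !@#$%&*+={}?<>\"'")
    if pw.startswith("-"):
        problems.append("must not start with a hyphen")
    if pw.endswith("\\"):
        problems.append("must not end with a backslash")
    if '"' in pw[:-1]:
        problems.append("double quote allowed only as last character")
    if pw in history:
        problems.append("matches a current or previous password")
    elif history and edit_distance(pw, history[-1]) < 3:
        problems.append("differs from current password by fewer than 3 characters")
    return problems

if __name__ == "__main__":
    # Constructed sample: login id "jsopko", one accepted and one rejected candidate.
    print(check_password("drp-ad9D!", "jsopko", ["piaN02nr"]))
    print(check_password("-jsopko1!", "jsopko", []))
```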
CHOOSING A PASSWORD - DO'S and DON'TS
Beyond the restrictions imposed by the webpass program, there are some
do's and don'ts for choosing passwords that will help you to have a
safer password, i.e., one that is less likely to be guessed by a hacker.
DO NOT:
1) Do not use abbreviations of common phrases or acronyms, e.g. asits9
(a stitch in time saves nine), wysiwyg (what you see is what you
get), or tanstaafl (there ain't no such thing as a free lunch).
2) Do not use common literary names such as Baggins, Popeye, etc.
3) Do not use any password containing your login ID spelled backwards.
4) Do not use any password containing one of your names or initials, or
any combination thereof.
5) Do not use any password involving personal data, such as your address,
maiden name, relatives' names (e.g. spouse and children first names),
pets' names, hobbies, favorite sports teams, etc. Be sure your
password cannot be guessed from your .plan file, or from the
Department communication list.
6) Do not use any password consisting of sequences such as "abcdef".
7) Do not use any password consisting of consecutive keys such as "qwerty".
8) Do not use any password consisting of repeated sequences.
9) Do not use any password given to you when your account was set up.
Listed below are some suggestions for choosing a good password. The
best passwords combine several of these suggestions.
DO'S:
1) Use upper and lower case characters, digits and infrequently used
characters such as _ and ^.
2) Create an acronym from an uncommon phrase (e.g. "After that time, I
never slept late." could become "Att,Insl").
3) Drop letters from a familiar phrase (e.g. "drop-add period" could
become "drp-adpD").
4) Punctuate a short phrase (e.g. "I'm fine" becomes "[I]mfinE").
5) Mix upper and lower case, as well as numbers, e.g.
"nanosecond" "naN02nd" [That's a zero]
"Piano Tuner" "piaN02nr" [That's a zero]
6) Use homonyms or deliberate misspellings, e.g.
"Choo-choo Train" "22.twaan"
"finalize" "vnylEyes"
7) Mix up 2 or more separate words.
The important thing to remember when you do this is to make sure that
none of the pieces go together to form a word or number that can be
looked up in a dictionary. By using words and digits that are familiar
to you, but breaking them up into non-meaningful pieces, you can produce
a more memorable password.
See also "howto password-change-web" for info on how to run the
password-changing program in the CS department.
This page is maintained by Computer Services. Send comments to help@cs.unc.edu