Secure Passwords

This document provides tips on creating good passwords, provides background on why strong passwords are important, provides an overview of Minnesota State Colleges and Universities' system guideline on passwords, and answers some common questions about the guideline itself.

Table of Contents

   Introduction

Passwords allow you to authenticate, or prove your identity, when you access information, services, and resources in the computing environment. Every person in the system has access to at least some sensitive, nonpublic information, such as his or her own contact information and grades. Staff and faculty also have a business need to access other people's nonpublic information. If we didn't require passwords, literally anyone could act as you or assume your identity.

Think of all the information you store on your computer and your college or university computing account. If someone else had your password, they would also have access to your electronic life including email, education records, class projects and your class registration and transcripts. A malicious individual with your password would be able to use your accounts to commit fraud, change a grade, steal, store illegal content, send spam, make threats, break into other systems and much more. If anything malicious or criminal is done with your account, evidence will place the burden on you to prove you are not the culprit.

Due to increased reliance on passwords for protecting sensitive data, System Guideline 5.23.1.1, Password Usage & Handling was passed in April 2008. This guideline was developed by a collaborative group of IT and security staff from around the system. It was reviewed by the CIO at each institution and approved by the System CIO. This group based this guideline on current best-practices, including information from the National Institute of Standards and Technology (see NIST 800-118, Guide to Enterprise Password Management [PDF], especially section three), Microsoft (see Strengthening Domain Policy Settings, especially table 13), OWASP (see Password Length & Complexity), and other institutions (see Penn State, University of Minnesota, and a study from University of Cambridge's Computing Laboratory [PDF]).

This FAQ includes additional information about the system guideline. Each question includes the relevant text of each requirement set forth in that guideline. If you have additional questions or concerns that are not addressed here, please speak with your CIO so that they may pass your question on to the Information Security Office so we may address them here.

   How do I choose a strong password?

Passwords must be at least eight characters in length and contain three of the four following character types:

  • Uppercase alphabetic characters (e.g. A-Z)
  • Lowercase alphabetic characters (e.g. a-z)
  • Digits (i.e. 0123456789)
  • Special characters (i.e. ~!@#$%^&*()_+-=<>?{}|[]\;':",./)

You can visit the free Password checker from Microsoft by clicking on the link and typing a few example passwords. The this checker should indicate "Strong" for any password that satisfies System Guideline 5.23.1.1.

Passwords should not:

  • Be restricted to a maximum length that limits the ability to use passphrases, (i.e. 8-40 characters is better than 8-10 characters).
  • Be a single word that can be found in any dictionary, even if you add a number to the beginning or the end, (e.g. Password1).
  • Be a word that only uses simple character substitution, (e.g. C00k13 instead of Cookie).
  • Be based on any publicly available information such as user ID, family member's name, birthday, etc.
  • Be based on a keyboard pattern (e.g. asdf1234) or duplicate characters (e.g. aa11BB)

Passwords should use one or more of the following techniques:

  • Combine multiple password-creation techniques. For example, character substitution plus additional characters: C_0ok^i3.
  • Be composed of multiple words. For example, My=furr3y*d0g-F1do.
  • Be based on information known only to you. For example, a quote from your favorite poem or book: 0!C4pta1n,myC@ptAin
  • Be based on something that makes you laugh. For example, MyM0therf0rg0t_myB1rthday!
  • Be composed of punctuation and initial characters of each word of a phrase known to you. For example, "We hold these truths to be self-evident, that all men are created equal," becomes "Whtt2Bs-e,tamace,". This technique is effective with your favorite book, your own writings, etc.
  • Be composed of part of, or a whole sentence. For example, "We.the,Pe0ple.0f,the.United,5tates". This technique is also effective with your favorite book, your own writings, etc.
  • Be composed of a complete, proper sentence. For example, "My dog Fido is black." (Note that not all systems support a space character in the password.)
  • Use the concept of shocking nonsense, outlined here.

While some of these recommendations may seem extreme, the longer examples of passphrases are quite often easier to recall and easier to type than a random eight-character password. Adding length beyond the minimum also exponentially increases the strength of your selected password. Additionally, using a password safe not only prevents you from losing passwords, but they enable you to use arbitrarily long and complex passwords if you so choose, so long as you still set and remember a good passphrase to protect your "keychain" of passwords.

   Why can't I share my password?

Subpart A. Password protection. Users must protect their passwords from unauthorized use and refrain from sharing passwords with others.

This requirement from the guideline is a reiteration from the requirements set forth in the Acceptable Use system procedure. As users within the Minnesota State Colleges and Universities, we are given access to different systems like email or Desire2Learn, but we are responsible for protecting that access to prevent abuse. If an individual shares their password with another person, they have just given that person access to data and information for which they are not authorized. Additionally, the individual that shared their password is still liable for any actions taken with their account.

   What is a "strong password"? Why can't I just use my dog's name for a password?

Subpart B. Strong Passwords. Users must use a password or passphrase that is a minimum of eight characters and must include a minimum combination of two character types and should include a combination of 3 character types such as: numbers, special characters, and lower and upper case letters.

A password is a combination of letters, numbers and "special characters" that is known only to the account-holder and the system or application used by the account-holder. A strong password is one that holds a high degree of entropy. That is, there is a high degree of randomness in the value of that password. Put more simply, a strong password is one that is impossibly hard to guess. A password of "truck" holds very little entropy, whereas "CAg1DI5`b1P:UeIv;H" holds a very high degree of entropy.

We don't allow a simple word like "truck" or "fido" as a password because this would literally take seconds for a hacker to guess using widely available tools. However, we don't require a completely random password, either. Random passwords are extremely difficult to recall, which makes them a usability nightmare. For a password to be usable, then, we need both randomness and memorability. Thus, the user selects their password, but we must require a minimum length and minimum complexity. This results in a longer password with many, many more potential values, which will thwart a guessing attack. [1]

To balance the requirement for security with the requirement for usability, the guideline development group settled on what is probably the most common set of requirements: a minimum length of eight characters combined with a complexity requirement of three of the four types of characters available. These requirements are also commonly enforceable in the systems and applications around the colleges and universities.

   Why do I have to change my password? I just memorized my old one!

Subpart C. Required Changes. Passwords or passphrases must be changed at least every 180 days and should be changed at least every 90 days.

Requiring password changes every six months will further reduce the risk that someone who attempts to get your password will be successful, and will prevent others who may have your password from using your account for nefarious purposes. (Or any other unauthorized purpose, for that matter!) Periodic password changes will also stop any unknown and unauthorized use of your account. Essentially, if an attacker was trying to guess your password, our minimum password requirements mean the attacker will require more than six months to successfully guess your password. By that time, your password will have changed.

We've kept that requirement to every six months, because we do realize the difficulty incurred by frequent password changes. This requirement also reduces the risk that a user's account is abused if they've previously shared their password. For example, if a professor shared their password with a student in tech support, and that student later attempted to change a grade in that professor's course, the chances that this professor's password is still valid is greatly reduced.

   Why is my account locked out after I mistype my password a few times?

Subpart D. Lockout for Failed Attempts. College or university and Office of the Chancellor system administrators should establish a standard for locking a user's account if the user fails to login to the system within a specified number of attempts. The lockout may be for a designated amount of time or until the account is administratively reset.

This requirement is directed at IT departments rather than the individual. By locking out an account for a short period, (usually 30-60 minutes) a hacker trying to actively guess a password will not only be considerably slowed, but this increases the chance that IT staff can identify that individual while they're trying to attack the system. Unfortunately, this requirement is sometimes technically infeasible depending on the application or system in question. If this requirement were 100% implementable, the risk of brute-force password guessing attacks would be greatly reduced.

   Why can't I memorize my password and just change a number at the end?

Subpart E. Password Administration. College or university and Office of the Chancellor system administrators should enable password history, limiting the ability to re-use passwords.

By regularly changing your password, and ensuring that each new one is not similar to previous passwords, you greatly reduce the risk that your password could be guessed or cracked. Password reuse is also prohibited to prevent users from changing their password, then changing it back to their old one.

Some users do like establishing a pattern, but avoiding a pattern does increase your security. If your passwords followed a pattern and an attacker learned your password at one point in time, they could determine your password any time. For example, if an attacker learned your password was Winter09, they would have some confidence that your next password would be Spring10. (This pattern is extremely common and should be avoided.)

   What else can I do to remember all these passwords?

Use a password "safe".

A password safe is a virtual safe that you can use to securely store your usernames, passwords, and other information associated with your various online accounts. There are numerous free and commercial products available, but the most popular ones are probably Bruce Schneier's Password Safe and KeePass. Both have Windows versions. KeePass also has versions for UNIX, and Linux, as well as agents for iPhones, PocketPC, BlackBerry, Palm, and Android phones & PDAs. Password Safe also has a "U3" version, which lets you store your password safe encrypted on a thumb drive for portability, and there are ports that also support Mac users. Both Password Safe and KeePass are open source projects. Another option for Mac users is 1Password, which is a popular commercial package that also has an iPhone agent.

Write it down.

We briefly considered, but ultimately did not include "do not write this down" because some people may need to do so for a short period in order to learn a new password every six months. If you must write your password down, it should not be kept with your laptop, under your keyboard, taped to your monitor, etc. You wouldn't put your PIN on a note on your monitor, just as you wouldn't tape a $20 dollar bill to your monitor. You also wouldn't write your PIN on your ATM card or keep your PIN in your wallet. If you lost your wallet, you lose your ATM card and your PIN, which would enable the finder or thief to withdraw funds from your accounts. Your wallet is a good place to store a written password, however. Just don't write your username with it, or even label it as a password.

   Do PCI systems that process credit card purchases have different requirements?

A "PCI" system is one that stores or transmits credit card data. These systems have additional requirements. If you weren't aware of any of this, you can probably disregard this section.

Passwords for any system or network device covered by PCI-DSS must meet these following requirements:

  1. Minimum Length: 8 characters
  2. Change Frequency: Every 90 days
  3. Complexity: At least 3 of 4 types of characters
  4. Lockout: After 6 attempts, minimum 30 minute lockout
  5. No shared accounts
  6. No password reuse
  7. Inactivity time-out: 15 minutes

Footnotes

  1.    We calculate the relative strength of a password by examining its keyspace, or the total number of possible combinations. A PIN requires "4 numerals", and has a keyspace of 10,000 (or 104), meaning there are 10,000 possible combinations for a PIN. Without the requirement of an ATM card to strengthen this authentication, (and the ATM machine that will keep your card after several incorrect guesses,) this PIN could realistically be cracked in a matter of minutes.

    The keyspace for the new requirements is 948, or about 6.096 x 1015, which makes cracking within 6 months infeasible. If an attacker were able to achieve a sustained rate of two million attempts per second, it would take almost a century to exhaust the keyspace.

    The calculation: (948 possible passwords / 2*106 attempts per second) / 60 seconds / 60 minutes / 24 hours / 365 days ~= 96.7 years. If this attacker had 100 computers, it would still take almost a year.

    While there are ways to speed this up, the reality is that many places where authentication takes place would allow far fewer attempts per second, perhaps not even 1/10th that number.