Engineering Accounts: Hints On Choosing a New Password

Purdue IT has updated the password-changing program to enforce stricter logon passwords. The passwd command on all Solaris workstations and servers includes a password tester. If the password tester thinks that the password would be too easy to guess, then it will describe what is wrong with the newly entered password and abort the password change.

There are very good reasons to have a good password in place. Computers in Engineering are directly connected to the Internet. There is a constant stream of hackers trying to gain access to your files, and the only thing stopping them is good passwords that are hard to guess.

Below are descriptions of bad passwords and good passwords. Following that is a section describing some tools that you can use to select a new password and a password testing utility that judges a potentially new password on the same criteria as the passwd command.

What Are Bad Passwords?

There are lots of passwords that should be avoided. Here are a few examples:

  • Avoid passwords based on a word in the English dictionary, or in the dictionary of any other language. For example, don't set a password of "password".
  • Avoid passwords based on the reverse of a word in the dictionary. Don't set a password of "drowssap" (which is "password" spelled backwards).
  • Avoid passwords that are too short. Always set a password that is between eight and fifteen characters long.
  • Avoid using passwords that have too many of the same characters. Don't set a password of "mmmmmmmm" or "12345678".
  • Avoid using names. Don't set a password based on your first name, middle name, last name, login name, pet's name, computer's name, etc.
  • Avoid anything that is familiar to you that someone else might know. Don't set a password based on your street address, student ID number, favorite rock band, office location, or most colorful Pokémon character.
  • Avoid substituting numbers for characters. Don't change "E" to "3", "O" to "0", "I" to "1", etc. Most hackers know to try these combinations of changes when trying out passwords.

Suggestions For Good Passwords

Very simply, try making up a password that is at least eight characters long and includes all three types of characters: letters, numbers, and symbols. Including all three types makes the number of possible passwords quite large, so the password is difficult to guess by brute-force search. Purdue systems accept passwords between 8 and 15 characters (inclusive).

One method is to string a series of numbers and words together, and pad it to 15 characters: Jack+Jill-^Hill; or J.Crew-Shirts!!!

Another method is to use a sentence that you can easily remember and then use the first character of each word to form your password. Examples are:

I graduate from Purdue in two years!               =  IgfPi2y!
My friend lives at 123 Main Street, Lafayette      =  Mfl@1MSL

Generating a random password

To help you select a good, unguessable password, there is a utility that creates one at random. The utility is called genrpass, and is available on Engineering Computer Network Linux and Solaris computers.

genrpass is based on ANSI standard X9.17. It generates a password based on one-way DES encryption. It starts out with a random seed number, combines that with a set of two other seeds, and produces the password from the result. The result then becomes the seed for the next password generation.

See the manual page for genrpass for more information.

Testing passwords

Selecting a password that will be acceptable to passwd may be difficult. Instead of entering the password several times, it is easier to test the password ahead of time with a password testing program called passtest.

passtest accepts passwords, one line at a time, and outputs the results. If the result says ok, then the password would be a candidate for entering into the passwd command. If the password is unacceptable, the problem description will be shown.

See the manual page for passtest for more information.
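
The rules listed under "What Are Bad Passwords?" can be applied to a candidate in the same ok-or-problem style that passtest reports. The Python below is an added example, not the source of passtest or passwd; the word list, the substitution map, the sequence rule and the limit on repeated characters are assumptions chosen for illustration.

```python
# Added example: rule-based check modelled on the article's lists.
# Not the passtest/passwd implementation; word list, substitution map,
# sequence rule and the "half the characters" limit are assumptions.
from collections import Counter

WORDS = {"password", "purdue", "engineer", "lafayette"}  # constructed sample
LEET = str.maketrans("30154@$7", "eoisaast")  # "3"->"e", "0"->"o", "1"->"i", ...
SEQUENCES = ("0123456789", "abcdefghijklmnopqrstuvwxyz")


def skeleton(s):
    """Lower-case, undo common substitutions, keep letters only."""
    return "".join(c for c in s.lower().translate(LEET) if c.isalpha())


def check(pw, personal=()):
    """Return 'ok' or a description of the first problem found."""
    if not 8 <= len(pw) <= 15:
        return "length must be between 8 and 15 characters"
    if max(Counter(pw).values()) > len(pw) // 2:
        return "too many of the same character"
    low, skel = pw.lower(), skeleton(pw)
    # Assumed rule covering the article's "12345678" example.
    if any(low in s or low[::-1] in s for s in SEQUENCES):
        return "simple character sequence"
    if any(w in skel for w in WORDS):
        return "based on a dictionary word"
    if any(w in skel[::-1] for w in WORDS):
        return "based on a reversed dictionary word"
    # Names, login, ID numbers: case-insensitive match on the raw text.
    if any(p and p.lower() in low for p in personal):
        return "based on a name or personal detail"
    # The article's suggestion of all three character types, used as a rule.
    kinds = (str.isalpha, str.isdigit, lambda c: not c.isalnum())
    if not all(any(k(c) for c in pw) for k in kinds):
        return "needs letters, numbers and symbols"
    return "ok"


if __name__ == "__main__":
    # Constructed candidates, checked one at a time as passtest does.
    for candidate in ("password", "drowssap", "P4ssw0rd!", "mmmmmmmm",
                      "12345678", "IgfPi2y!"):
        print(f"{candidate}: {check(candidate, personal=('jsmith',))}")
```

Because substitutions are undone before the dictionary lookup, "P4ssw0rd!" is rejected for the same reason as "password".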

Details

Article ID: 2014
Created: Mon 12/15/25 10:01 AM
Modified: Mon 12/15/25 10:01 AM
