Password Policy

The login/password pair is the primary user authentication mechanism used by both UNIX and Windows. It's the only way that your computer can verify your identity, and as such should be protected.

UCLA is directly on the Internet (in fact, we invented it), and the only thing that keeps the world out of your computer is that you know the password, and they don't. As such, it's extremely important that you select a strong password for all your computer accounts.

Use our random password generator to produce a password conforming to the guidelines below, which will be very hard for a hacker to crack.

Here are some guidelines:

• The longer your password, the better! You should use at least 8 characters, and 10 truly random printable characters give 65 bits of entropy which is the minimum to resist a brute-force attack using modern computing equipment.
• Passwords which follow keyboard patterns (like ``qwertyuiop'') are weak choices. Not only do hackers know the common ones, but this class of passwords is vulnerable to ``shoulder surfing''. It's very obvious to even a casual observer when a password like this is typed in.
• Never use dictionary words from any language as the whole or part of your password. Most hacker programs are set up to try to guess dictionary words, and they use extensive dictionaries from dozens of languages. Even made-up languages (like Tolkien's Elvish) are vulnerable to dictionary attacks, so don't use words from them either.
• A password consisting of only lower case letters is not secure. Hacker tools these days are so good that a brute force guessing program can break any 8 character lower case password. The shareware cracker that we use to check users' passwords can do it in thirty seconds, taking about 24 hours to do every user on PICnet. If you mix in some CAPITAL LETTERS, some numerals, and some punctuation, you'll make the task of cracking your password very difficult. For use on older Windows systems, several of the first seven letters particularly need to be other than lower case.
• Don't use personal information for part or all of your password. This means you should not use your name, your mother's name, your pet's name, your license plate number, your Social Security number, your phone number, your office number, your place of birth, or your shoe size.
• Many people think that changing the letter O to 0 (zero) or the letter l to 1 (one) makes a password secure. Don't believe it; hackers know all about this trick, and their cracking programs check for it.
• You should absolutely not use the same password for all your authentication needs. If you have accounts on many machines, use different passwords on each. Many computer breakins are traced back to a single compromised password which was used on multiple machines.
• If you have to write down your password, you should keep it secure. Don't put it on a Post-it note on your monitor, or write it on the blackboard. Keep it on a piece of paper, and either lock it up or carry it with you.
• No matter how good your password is, you should still change it every 3-6 months. There are just too many ways that passwords can be exposed, and even the strongest password has a limited useful life. On Mathnet and PICnet you will receive a mail message if your password is too old.
• Never give anyone your password. They should get their own account!