Password Policy
The login/password pair is the primary user authentication mechanism used
by both UNIX and Windows. It's the only way that your computer can verify your
identity, and as such should be protected.
UCLA is directly on the Internet (in fact, we invented it), and the only
thing that keeps the world out of your computer is that you know the password,
and they don't. As such, it's extremely important that you select a strong
password for all your computer accounts.
Use our random password generator to produce
a password conforming to the guidelines below, which will be very hard for
a hacker to crack.
Here are some guidelines:
- The longer your password, the better! You should use
at least 8 characters; 10 truly random printable
characters give 65 bits of entropy, which is the minimum needed to resist a
brute-force attack using modern computing equipment.
- Passwords which follow keyboard patterns (like "qwertyuiop") are weak
choices. Not only do hackers know the common ones, but this class
of passwords is vulnerable to "shoulder surfing". It's very obvious
to even a casual observer when a password like this is typed in.
- Never use dictionary words from any language as the whole or part of
your password. Most hacker programs are set up to try to guess dictionary
words, and they use extensive dictionaries from dozens of languages.
Even made-up languages (like Tolkien's Elvish) are vulnerable to
dictionary attacks, so don't use words from them either.
- A password consisting of only lower-case letters is not secure. Hacker
tools these days are so good that a brute-force guessing program can
break any 8-character lower-case password.
The shareware cracker that we use to check users' passwords can do it
in thirty seconds, taking about 24 hours to do every user on PICnet.
If you mix in some CAPITAL LETTERS, some numerals, and
some punctuation, you'll
make the task of cracking your password very difficult. On
older Windows systems in particular, several of the first seven characters
need to be something other than lower-case letters.
- Don't use personal information for part or all of your password. This
means you should not use your name, your mother's name, your pet's name,
your license plate number, your Social Security number, your phone number,
your office number, your place of birth, or your shoe size.
- Many people think that changing the letter O to 0 (zero) or the letter l
to 1 (one) makes a password secure. Don't believe it; hackers know all
about this trick, and their cracking programs check for it.
- You should absolutely not use the same password for all your authentication
needs. If you have accounts on many machines, use different passwords
on each. Many computer break-ins are traced back to a single compromised
password which was used on multiple machines.
- If you have to write down your password, you should keep it secure. Don't
put it on a Post-it note on your monitor, or write it on the blackboard.
Keep it on a piece of paper, and either lock it up or carry it with you.
- No matter how good your password is, you should still change it every
3-6 months. There are just too many ways that passwords can be exposed,
and even the strongest password has a limited useful life. On Mathnet
and PICnet you will receive a mail message if your password is too old.
- Never give anyone your password. They should get their own account!
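The guidelines above, and the entropy figure they rest on, can be turned into a checker and a generator. The following is an added example written for this page; it is not UCLA's random password generator, nor the shareware cracker mentioned above. The word list is a constructed stand-in for the multi-language dictionaries a real cracker carries, the "several of the first seven characters" rule is taken to mean at least two, and all function names are this example's own.

```python
import math
import secrets
import string

# Character classes, used both to generate passwords and to size the space a
# brute-force attacker has to search. 10 characters drawn from all 94 give
# 10 * log2(94), i.e. the 65 bits quoted in the guidelines.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
PRINTABLE = "".join(CLASSES)
MIN_LENGTH = 8
MIN_BITS = 65

# Constructed stand-in for the dictionaries a cracker would load (the real
# ones cover dozens of languages, invented ones included).
DICTIONARY = {"password", "dragon", "monkey", "welcome", "mellon", "bruins"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
# Undo the O->0, l->1 style substitutions before the dictionary lookup,
# exactly as cracking rules do.
LEET = str.maketrans("0134578$@!", "oleastbsai")


def charset_size(password: str) -> int:
    """Size of the smallest mix of character classes that covers the password."""
    return sum(len(c) for c in CLASSES if any(ch in c for ch in password))


def entropy_bits(password: str) -> float:
    """Entropy if each character were drawn uniformly from that class mix."""
    return len(password) * math.log2(charset_size(password)) if password else 0.0


def has_keyboard_pattern(password: str, run: int = 4) -> bool:
    """True if `run` adjacent keys of one keyboard row appear, in either direction."""
    low = password.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + run] in low for i in range(len(seq) - run + 1)):
                return True
    return False


def contains_dictionary_word(password: str, words=DICTIONARY) -> bool:
    """Substring match ('whole or part') after undoing leet substitutions."""
    normalised = password.lower().translate(LEET)
    return any(w in normalised for w in words)


def contains_personal_info(password: str, facts) -> bool:
    """Case-insensitive substring match against the user's own facts
    (name, pet's name, licence plate, phone number, ...)."""
    low = password.lower()
    return any(f and f.lower() in low for f in facts)


def lm_half_is_mixed(password: str, needed: int = 2) -> bool:
    """Older Windows systems need the first seven characters to include
    non-lower-case characters; 'several' is read here as at least `needed`."""
    return sum(1 for ch in password[:7] if not ch.islower()) >= needed


def check_policy(password: str, personal=(), legacy_windows: bool = False) -> list:
    """Return the guidelines the password violates; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.isalpha() and password.islower():
        problems.append("only lower case letters")
    if entropy_bits(password) < MIN_BITS:
        problems.append(f"below {MIN_BITS} bits of entropy ({entropy_bits(password):.1f})")
    if has_keyboard_pattern(password):
        problems.append("follows a keyboard pattern")
    if contains_dictionary_word(password):
        problems.append("contains a dictionary word (after undoing 0/1-style swaps)")
    if contains_personal_info(password, personal):
        problems.append("contains personal information")
    if legacy_windows and not lm_half_is_mixed(password):
        problems.append("first 7 characters need more non-lower-case characters")
    return problems


def generate_password(length: int = 12, personal=()) -> str:
    """Draw characters from the OS CSPRNG and retry until the result passes
    every check, including the older-Windows rule."""
    while True:
        candidate = "".join(secrets.choice(PRINTABLE) for _ in range(length))
        if not check_policy(candidate, personal, legacy_windows=True):
            return candidate


if __name__ == "__main__":
    # Constructed sample passwords; the personal facts are made up too.
    for pw in ("qwertyuiop", "Passw0rd!", "Dr@g0n2013", "Fido4ever!!"):
        print(f"{pw:14} {entropy_bits(pw):5.1f} bits", check_policy(pw, personal=("Fido",)))
    print("generated:", generate_password())
```

The entropy estimate is deliberately generous: it assumes each character was chosen uniformly, which is true of the generator's output but not of anything a person picks, so a human-chosen password that passes `check_policy` is still weaker than a generated one of the same length.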
Last Updated: 2013-09-22 by jimc