Good Security Behaviour

Here are some tips:

• Choose good passwords; &
• All users accounts will either have passwords or be locked.

Choosing good passwords is a double-edged sword: You want users to pick passwds that are difficult to guess, yet easy to remember. Difficult to guess means that the passwd should not be something associated with the user (such as names of siblings, children, dogs, car license plates, something that the user enjoys doing, etc) If this type of passwd is chosen, anyone who even casually knows the user may be able to guess the user's passwd.

Good passwd choices should also not include dictionary (in any language!) words. Programs such as Crack will easily guess dictionary words and passwds based on them. For example, using g1zm0s as a passwd is a poor choice because it is based on the dictionary word gizmos. Even more complex variations make poor choices! For instance, l8rd00dz is based upon later dudes.

One way to select a difficult-to-guess passwd is to remember a sentence, such as: The two foxes jumped over the brown fence. From this sentence, there are a number of ways to derive passwds; here are two examples. The first, T2fjotbf, comes simply by taking the first letter from each word, except for the word two, which is replaced by the number 2. The second, h2ouvhre, is obtained by taking the second letter of each word, except again for the word two. Use your imagination to come up with other more sophisticated schemes. The point is to encourage choosing difficult-to-guess, but easy-to-remember passwds.

In our [het.brown.edu] network, the guidelines are:

• It [the passwd] should be -- at least! -- 8 characters long;
• Use uppercase and lowercase letters;
• Use ``mixed characters'' (just not on characters 1 nor 8 of the passwd -- due to easiness of cracking), such as numbers, brackets (common, square, curly), ``special signs'', such as !, @, -, #, %, <, >, ?, /, |, etc
• Under absolutely no circunstances use a passwd that you already have in use somewhere else (e.g., in the physics.brown.edu domain, your bank account, etc) or some older passwd, for that matter!

As an example of the above guidelines, something like, <I@aP7*b!>, would work (this passwd came from taking the ``expectation value'' of I am a Physics faculty at Brown!, using proper lowercase, uppercase, special symbols, etc!).

We (the people who are presently managing the het network) reserve ourselves the right to lock any account that fails to meet these guidelines or that has a ``weak'' passwd, where ``weak'' is defined by ``cracked by us''.

Gerald S. Guralnik: gerry@het.brown.edu
Dmitri Petrov: petrov@het.brown.edu
Daniel D. Ferrante: danieldf@het.brown.edu