Password Security

[Cartoon: DarkReading, "End-User Security Prayer"]



Why Should I Care about Password Security?

Your computer account name and password may give you access to a variety of computing services on Duke networks depending on the capabilities of the individual computer or system you're using. If you are authorized to use one or more Enterprise Systems (such as SAP or SISS) your NetID and password give you access to those systems as well.


Every time you connect, you must provide the magic word; you must prove you are who you say you are. If someone else guesses or steals your password, he or she can access all of the information tied to that password. This could include access to your files, your e-mail, your funds, your personal information, and more, depending on what the password was supposed to protect. For example, having the password to your online bank account may allow someone to bill items to your credit card, transfer money from your account, etc. In short, an insecure password can easily wreak havoc in your life.


You will not be the only person affected by a stolen password. Other users on networks on the Internet could potentially be affected as well. Once an intruder with the necessary knowledge, experience, and tools gains entry to a system, he or she may be able to access and control other machines and systems on the same network and capture information about local users logging on to those machines. If these users then connect to other networks, the intruder has the potential to penetrate and control the remote systems to which the local users connect, thereby increasing the likelihood of a breach in the security of those systems as well.


Unfortunately, it does not take a skilled intruder to control a machine on which he or she has an account. Many of the tools required to gain control over a machine can be downloaded from the Internet and used with little or no knowledge of how they work. These so-called "script kiddies" may not have the knowledge necessary to break into a computer without help, but because of the availability and sheer number of hacking tools, they can cause a great deal of trouble.



How Are Passwords Stolen?

Security experts at Carnegie Mellon University estimate that more than a million passwords have already been stolen on the Internet. One has to ask why this happens so frequently. Part of the answer is that hackers have many tools, such as dictionary programs and sniffers, to assist them.


A hacker will launch a dictionary attack by passing every word in a dictionary (which can contain foreign languages as well as the entire English language) to a login program in the hope that it will eventually match the correct password. The programs which perform dictionary attacks are often capable of trying simple permutations on dictionary words as well (such as trying them backwards).


A network sniffer installed on a computer can read every piece of data sent out from your machine across the network, including passwords. The ease with which a sniffer can find your password ensures that it is one of the first programs a hacker will run on a machine he or she has broken into. Network sniffers can mostly be defeated by using encrypted login services like SSH.


A large responsibility -- and, perhaps, a large portion of the blame -- falls on the users themselves. They willingly share their passwords. More important, users are too predictable in their choice of passwords. Left to their own devices, users often choose a password that is too short or too easy to guess.


Passwords are about identity. We tend to reveal ourselves in our passwords. We often choose the name or birth date of a loved one; we use our address, telephone number, or Social Security number; we use the name of a favorite artist, actor, or author. Or we are wise enough to avoid any personal references but choose a word that is ridiculously short, a dictionary word, a name or word spelled backward, or an alphabet or keyboard sequence. Just because we think a foreign word is obscure doesn't mean that it isn't in a dictionary somewhere. The point is that all of these types of words are easily guessed, which makes the job of password cracking straightforward.



What Are the Guidelines for Choosing a Password?

Some systems have programs that check the password strength and can disallow a poor choice, but not all systems at Duke have this capability. To avoid problems, follow these basic guidelines when choosing your password:


  • Use at least eight characters; the more characters, the better (as long as you can remember them). Some systems (including most Unix systems) allow you to use up to 63 characters, so you can be creative. The table below demonstrates how much harder it gets to guess a completely random password based on its length.
  • Make your password easy for you to remember but hard for someone else to guess. Picking letters from a phrase that's meaningful to you may be the source for a good password. In this way, your password is really a "pass phrase." ("Do you know the way to San Jose?" could be D!Y!KtwTSJ?)
  • Intersperse punctuation marks or symbols such as #, $, %, etc. Do not use a blank space.
  • Always use a mixture of upper- and lower-case characters.
  • Never write down your password; someone else might see it.
  • Select a unique password. Do not use a password that you are using for some other purpose, such as your PIN at the bank or your password to another system. This is especially important when choosing your Enterprise/acpub system password.


What Are Some Strategies for Choosing a Good Password?

Use lines from a childhood verse:
Verse Line: Yankee Doodle went to town
Password: YDwto#town


Use lines from a favorite song:
Lyric: How Much is that Doggie in the Window?
Password: H$itditw?


Use an expression about a city:
Expression: Chicago is my kind of town
Password: CimYKot!


Foods disliked during childhood:
Food: rice and raisin pudding
Password: ric&raiPudng

Note: Obviously, you shouldn't use any of the passwords used as examples in this document. Treat these examples as guidelines only.


How Can I Avoid a Bad Password?

Avoid passwords that would be easy for anyone to guess. Don't use:

  • Dictionary words (mackerel, dandelion, millionaire).
  • Foreign words (octobre, gesundheit, sayonara).
  • Simple transformations of words (tiny8, 7eleven, dude!).
  • Names, doubled names, first name and last initial (mabell, kittykitty, marissab).
  • Uppercase or lowercase words (MAGAZINE, licorice).
  • An alphabet sequence (lmnop) or a keyboard sequence (ghjkl;).
  • Very short words or just one character (dog, *, hi!, me, love).
  • Words that have the vowels removed (sbtrctn, cntrlntllgnc).
  • Phone numbers.
  • Numbers substituted for letters, like a zero instead of the letter O or a number 1 in place of the letter l.
  • Any portion of your username or account information.
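A small checker that encodes the guidelines above (length, mixed case, symbols, no blank space, nothing from the username) together with the bad-password patterns just listed, normalising a candidate the way a dictionary cracker would (undoing digit-for-letter substitutions, trying the word backwards, doubled, and with vowels removed) before looking it up. This is an added example, not Duke's own strength checker; the word list and the substitution map are constructed stand-ins for the large, multi-language dictionaries a real cracker uses.

```python
import string

# Constructed mini word list standing in for a cracker's dictionary (assumption:
# a real checker would load large word lists, in several languages, from disk).
WORDLIST = {"mackerel", "dandelion", "millionaire", "octobre", "gesundheit",
            "sayonara", "tiny", "eleven", "dude", "kitty", "magazine",
            "licorice", "subtraction", "photographic", "iron", "horse"}
# Digit/symbol stand-ins for letters that crackers undo before a dictionary lookup
LEET = str.maketrans("0134$@", "oieasa")
SEQUENCES = ["qwertyuiop", "asdfghjkl;", "zxcvbnm", string.ascii_lowercase]

def _has_sequence(pw, n=4):
    """True if pw contains n consecutive characters of a keyboard row or the alphabet."""
    low = pw.lower()
    return any(row[i:i + n] in low
               for row in SEQUENCES for i in range(len(row) - n + 1))

def _strip_vowels(word):
    return "".join(c for c in word if c not in "aeiou")

def _dictionary_based(pw):
    """Normalise pw the way a dictionary cracker would and look it up."""
    letters = "".join(c for c in pw.translate(LEET).lower() if c.isalpha())
    half = letters[:len(letters) // 2]
    forms = {letters, letters[::-1]}          # as typed, and spelled backwards
    if half and half * 2 == letters:          # doubled word, e.g. kittykitty
        forms.add(half)
    if forms & WORDLIST:
        return True
    return any(letters == _strip_vowels(w) for w in WORDLIST)  # e.g. sbtrctn

def check_password(pw, username=""):
    """Return the list of guideline violations; an empty list means pw passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if " " in pw:
        problems.append("contains a blank space")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        problems.append("not a mix of upper- and lower-case")
    if not any(c in string.punctuation for c in pw):
        problems.append("no punctuation or symbols")
    if username and username.lower() in pw.lower():
        problems.append("contains the username")
    if _has_sequence(pw):
        problems.append("contains an alphabet or keyboard sequence")
    if _dictionary_based(pw):
        problems.append("based on a dictionary word")
    return problems
```

The pass-phrase examples from this page (D!Y!KtwTSJ?, YDwto#town) come back clean, while kittykitty, sbtrctn, l1corice and tiny8 are all caught as dictionary-based despite their disguises.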


Transformation techniques: these often generate passwords that are easy to guess and are not recommended. For example:


Technique: Transliteration
Illustrative Expression: photographic
Password: foTOgrafik

The problem here is that crackers with dictionaries can automate the same transliterations, replacing 'ph' with 'f', 'c' with 'k', or vice versa.


Technique: Interweaving of characters in successive words
Illustrative Expression: iron horse
Password: ihrOrnSe

This is probably a better method than transliteration; however, it is still fairly easy for a cracking program to interleave two short dictionary words.


Technique: Substitution of synonyms
Illustrative Expression: coffee break
Password: jaVa*rest

This particular password is still just the concatenation of two short English words and would be fairly easy to find with a password-cracking program.


Technique: Substitution of antonyms
Illustrative Expression: stoplight
Password: star$daRk

See above: this is again two short English words joined by a symbol.


How Often Should I Change My Password?

It is time to change your password if:

  • Your password doesn't meet the criteria set out in the rules and strategies listed above.
  • You have told your password to anyone else.
  • You have written your password down anywhere.
  • You have visited another city or campus and logged on to the system from there without using an encrypted login program (e.g. SSH).
  • You are officially notified that your password does not meet current standards. Note that your administrator will NEVER tell you a new password to use, only that you should change your password.


How Do I Change My Password?

From a Unix Machine:

  1. Connect and log in to the system in your usual manner.
  2. At the Unix prompt, enter the command passwd and follow the prompts to change your password.

To change your NetID password via the web, you can use the OIT Self Service tool. You can also view the OIT video about how to change your password.


What If I Forget My Password?

If you forget your password, all is not lost.


Campus users
  • You can use the self-service password reset application if you have previously set your challenge questions, or
  • Contact the OIT Service Desk at 684-2200 for assistance with enterprise systems.

Duke Medicine users
  • Contact the DHTS Help Desk at 684-2243.

Users of departmental systems
  • Contact your departmental system administrator.

You may be required to appear in person and show valid picture ID.