ITS Computing Accounts
The Importance of Choosing Strong Passwords
Strong passwords are extremely important to prevent unauthorized access to your electronic accounts and devices.
The object when choosing a password is to make it as difficult as possible for a would-be intruder to identify your password, whether by educated guesses or automated attacks.
This leaves a criminal no alternative but a brute-force search, trying every possible combination of letters, numbers, and punctuation. Though intruders have access to machines that can try thousands or millions of possible passwords per second, a more complicated password vastly decreases the chances an intruder will be able to guess yours.
Guidelines for Strong Passwords
Password Don’ts
Do not use:
- your UVa login name/computing ID in any form (as-is, reversed, capitalized, doubled, etc.);
- your first or last name in any form;
- your spouse’s or child’s or pet’s name;
- other information easily obtained about you (this includes license plate numbers, telephone numbers, Social Security numbers, your vehicle brand, your street, etc.);
- a password of all numbers, or all the same letter (this significantly decreases the search time for an intruder);
- a word contained in English, foreign language, or specialty dictionaries; or
- a password shorter than 8 characters (exception: mobile devices; see below).
Password Do’s
Do use:
- mixed-case alphabetics (both lower- and upper-case letters);
- nonalphabetic characters, e.g., numbers/digits and/or punctuation (the strongest passwords have both);
- 8 characters (or more, if allowed, but there are exceptions);
- a password that is easy to remember, so you don’t have to write it down; and
- a password that you can type quickly, without having to look at the keyboard (this makes it harder for someone to steal your password by watching over your shoulder).
Complexity Requirements for Passwords at UVa
- Must be exactly 8 characters in length, but there are exceptions:
  - System Administrators should use especially long, difficult passwords, if possible, at least 20 characters—particularly for those who cannot afford to be locked out of any machine they will have to fix. Aim for length. In general, password length is more important than complexity, but only if the password is at least 15 characters long. If shorter, complexity is more important, and the more complex, the better.
  - Mobile devices (iPhones and other smart phones, BlackBerrys, PDAs) must be protected with a password/passcode of at least four (4) characters if able to connect to UVa's encrypted cavalier wireless network and/or the UVa Exchange Service. Configure your device to lock the screen automatically, after a brief period of about 10-15 minutes of inactivity, with password protection.
- Must use both upper- and lower-case letters;
- Must include at least one number and/or punctuation mark (allowed symbols are: ! # $ @ _ + , ? [ and ]);
- Must not contain more than 2 numbers;
- Must not contain all punctuation characters;
- Must not include your name or UVa computing ID;
- Must not be part of the local computer’s name;
- Must not match anything in your UNIX account information, such as your login name or an item from your “finger” data entry (full name, login shell, home directory);
- Must not have more than 2 characters repeated in a row (thus a password like “ABCaaa” would be rejected);
- Must not appear in any English dictionary.
For your computing safety, these rules may be expanded over time to be more stringent and additional rules may be published within applications requiring an enhanced level of security.
A Simple Technique for Making a Strong But Easy-to-Remember Password
Although this list may seem to restrict passwords to an extreme, below is one simple method for choosing secure, easy-to-remember passwords that obey the above rules.
1. Make up a unique sentence and use the first letter of each word in the sentence. Mix up the capitalization. For example:
   - A sentence unique to you might be: “My Volvo’s front muffler leaks too much.”
   - This gives you the password MVfmltm.
2. Then throw in a number and/or punctuation mark somewhere in the middle. For example:
   - Using the example above, adding some additional symbols would yield a password like MVfm,l3tm.
3. Before you decide you are done, double-check your password against the other guidelines above, in case any are violated by accident. For example:
   - If your sentence for step 1 was “How older US educators sit,” this gives you the password HoUSes.
   - However, that password is not strong enough, because it happens to appear in dictionaries, and so would be much easier for an intruder to guess.
   - Tip: You will definitely need to throw in some numbers and/or punctuation to make such a password stronger, or try a new sentence altogether.
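As an added example (not code from the ITS page), the following Python builds the first-letter mnemonic from step 1 of the technique and checks a candidate password against the complexity requirements listed above. The allowed symbols are the page's; the dictionary word list is a constructed stub, and the computing ID, names and hostname are whatever the caller supplies.

```python
import re

# Symbols the page lists as allowed in a UVa password.
ALLOWED_PUNCT = set("!#$@_+,?[]")
# Constructed stand-in for the English-dictionary check; a real checker
# would load a full word list. "houses" is the page's own rejected example.
DICTIONARY = {"houses", "muffler", "volvo", "password"}


def first_letters(sentence):
    """Step 1 of the page's technique: initial of each word, case kept."""
    return "".join(w[0] for w in sentence.split() if w[0].isalpha())


def check_password(pw, computing_id="", names=(), hostname=""):
    """Return the UVa complexity rules that pw violates (empty list = OK).

    Implements the 'Complexity Requirements for Passwords at UVa' list.
    """
    problems = []
    if len(pw) != 8:
        problems.append("must be exactly 8 characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("must mix upper- and lower-case letters")
    digits = [c for c in pw if c.isdigit()]
    punct = [c for c in pw if not c.isalnum()]
    if not digits and not punct:
        problems.append("must include a number or punctuation mark")
    if len(digits) > 2:
        problems.append("must not contain more than 2 numbers")
    disallowed = set(punct) - ALLOWED_PUNCT
    if disallowed:
        problems.append("uses disallowed symbols: " + "".join(sorted(disallowed)))
    if pw and len(punct) == len(pw):
        problems.append("must not be all punctuation")
    if re.search(r"(.)\1\1", pw):  # three identical characters in a row
        problems.append("must not repeat a character more than twice in a row")
    low = pw.lower()
    for ident in (computing_id, hostname, *names):
        if ident and ident.lower() in low:
            problems.append(f"must not contain '{ident}'")
    if "".join(c for c in low if c.isalpha()) in DICTIONARY:
        problems.append("must not be a dictionary word")
    return problems


if __name__ == "__main__":
    mnemonic = first_letters("My Volvo's front muffler leaks too much.")  # MVfmltm
    print(mnemonic, check_password(mnemonic))  # too short, no digit/symbol
```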
Remember never to use the same password for a UVa account and a non-UVa account (such as Yahoo, Google, Facebook, Amazon, etc.).