Strong Passwords: Take It Up a Notch or Two!
A strong password is one of the most important precautions you can take in protecting you and your information. Weak passwords are easily cracked by dictionary attacks 1 or brute-force2, leaving you vulnerable to hackers and the damage they can cause, such as stealing your identity to break into your bank account, compromising your computer and enlisting it in a botnet that sends spam with your name, or committing a data breach of Brown's information, leaving you to deal with all the legal and financial repercussions.
Since you are accountable for activity originating from your network account, it is essential that you choose a strong and uncrackable password -- one that is long with a good mix of letters, numbers, case and special characters -- and then protect that password. This means not sharing it willingly or accidentally giving it to someone through a phishing attack.
Because of increasing threats, business applications like Workday and Banner providing greater access to personal information than ever before, and the need to meet higher industry standards for authentication to systems and services, Brown will implement more stringent password requirements when moving to its new identity management/directory system. ISG recommends that you take the time to update your password before the new requirements are in place. At that time a password must:
- Have a minimum of ten characters. Are you a 10+ ?
- Contain both upper and lower case characters, at least one number and one special character.
- Exclude words in any dictionary, language, slang, dialect, jargon, etc.
- Not be the user's account name.
- Not include repeated characters.
Note: Though the minimum requirement for passwords will become 10 characters, ISG recommends having one with at least 12 random characters.
In addition, you will now need to change your password annually, though ISG recommends doing so more often depending on the the nature of what the password is protecting, i.e., the more sensitive or critical the information is, the greater the frequency.
Your rule of thumb for your new password should be: easy to remember but hard for others to guess. How can you balance both? Here are some tips on building a strong AND memorable password.
- Start with a word or short phrase and spell it backwards. Example: Turn Lake Placid into dicalpekal
- Use "l33t speak", substituting numbers for certain letters. Example: Turn dicalpekal into d1calp3kal
- Randomly throw in some capital letters. Example: Turn d1calp3kal into D1calp3Kal
- Don't forget the special character. Example: Turn D1calp3Kal into *D1calp3Kal!
Since you should use different passwords for different accounts, consider appending an identifier on the end of your new password for your different accounts. For example, using the new password created above as a base, you could create *D1calp3Kal!bro to use for the Brown network, *D1calp3Kal!goo for Google,*D1calp3Kal!twi for Twitter, etc. Then when you change your password you only need to remember the one base word.
Another method is to use a variation on a pass-phrase that is meaningful to you so it's easier to remember.
For sports fans, you might pick the the sentence The New England Patriots will win the Super Bowl this year", use the first characters of each word -- tnepwwtsbty -- then capitalize the letters for "New England Patriots" and "Super Bowl" and append extra characters to the beginning and end to arrive at 12=tNEPwwtSBty!
If you like musicals you might construct a password from the first line of the song "My Favorite Things", Raindrops on roses and whiskers on kittens. Here is one way to do this (you may have others): RnDpzoRz&)(Nk10
The above examples demonstrate how you can create an easy-to-remember password that is also hard to crack.
IMPORTANT: Please DO NOT use any of the passwords cited in the examples above.
» Link to MyAccount for resetting your network password now. Note that Brown's network password requirements are detailed in the Password Settings section of MyAccount.
» See also the Computing Passwords Policy and CIS's Password FAQ.
1. Dictionary Attack: An attack that tries all of the phrases or words in a dictionary, trying to crack a password or key. A dictionary attack uses a predefined list of words compared to a brute force attack that tries all possible combinations. (from SANS.org)
2. Brute Force: A cryptanalysis technique or other kind of attack method involving an exhaustive procedure that tries all possibilities, one-by-one. (from SANS.org)