Passwords

Change your password using the passwd command (/local/bin/passwd) or use Account Management. Your new password should not be a name of a person, your own name, a word in the dictionary or anything that can be easily guessed by anyone who knows you. It should be at least eight characters long, but longer is better. A good password is very important! Our systems are on the Internet, a global network of computer systems, and there are people out there who try to break in by guessing passwords. Choosing a bad password doesn't just compromise your account, it increases the vulnerability of the entire system.

A good password needs to be easy to remember and hard to guess. "Hard to guess" is trickier than it sounds, because people who try to guess passwords typically do so with the help of a computer, which can make thousands of guesses per second against a login prompt, and billions per second if the attacker has obtained a copy of the system's hashed passwords and can test guesses offline.

Pitfalls to avoid

Avoid words or names (or variants, such as backwards words or names, or words/names with letters substituted by numbers), in any language. Avoid personal data (like your phone number or your license plate). Don't use UNIX or DOS commands. Don't use any word that appears in information about you on the internet. These all produce passwords that are easy to guess.

Good Passwords: the Passphrase Approach

One good technique for picking a good password is the passphrase approach. This technique is good for both shorter and longer passwords. Make up a phrase of your own that you can use (avoid lines from songs, poems, prayers, literature, or anything published), and use the first letter of each word, or the last letter, or the first and last letter, or the first two letters. Add capitalization. To make it harder to guess, you might express part of the phrase using numbers and punctuation in clever ways. For example, use punctuation or a letter according to what it means, how it sounds, or how it looks. Here are some examples:

   "9 dollars and 8 cents is Too Much for coffee"    9$&8ciTM4c
   "I want a 7 caret diamond on my finger"           Iwa7^<>omf
   "The sharp lawyer was called to the bar"          T#lwc2t|
   "They cried out: Liberty! Equality! Fraternity!"  Tco:L!=!F!
   "Dashing through the snow is my fave Xmas song"   ---ththsnimfXs
   "Please may I have a second cup"                  PmIha2nd|_b

An advantage of this technique is that it works for shorter passwords, not just long ones. (The "Dashing through the snow" example illustrates the technique but starts from a song lyric, which the advice above tells you to avoid; a phrase you made up yourself is a better starting point.) A couple of pitfalls of this technique include the temptation to make your use of capitalization, numbers and punctuation either too mundane (e.g. 0 for o and 1 for i, substitutions that password-cracking programs try automatically and so make little difference to guessability), or too clever and thus too hard to remember. Also, heavy use of punctuation can lead to hard-to-type passwords on devices without standard physical keyboards.

Good Passwords: the Multiple Common Word Approach

Another good technique for picking a good password is the multiple common word approach, as described in the XKCD comic strip "Password Strength". This technique is good only for longer passwords. Choose a sequence of at least four completely unrelated common words, chosen at random rather than picked because you like them, in random order. The words must not be associated in any way, and there should be no meaningful order, or the password becomes easy to guess. Use a mental image to remember the words and their order. You can separate the words either by spaces, by some other separation character, or not at all. Capitalize to taste. You could put a digit or punctuation in there somewhere, e.g. at the beginning or end. Here are some examples:

        correct horse battery staple
        lawyer be bird wood baby
        ThickenSuccessTelephoneSword
        heart-wax-indoor-pretty-5
        6+crown+wrap+choose+sharpen

The advantages of this technique are that it is simple, does not use a lot of punctuation, and it is based on common words. Pitfalls of this technique include the fact that it works only for long passwords. If your password must be short, use the Passphrase approach instead. Longer passwords can be harder to type correctly (though depending on how you type, you may find a longer password with alphabetic characters easier to type than a shorter one with lots of punctuation). Another pitfall is that people often succumb to the temptation to use related words. Unfortunately, "hot cold black white", "dashing through the snow" or "my dog is fred" are poor passwords because they are very easy to guess. If need be, there are various sites on the internet that will help you generate random sequences of four or five common words; bear in mind that such a site has seen the words it gave you, so generating them on your own machine, or with dice and a printed word list, is better.
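The following is an added example for this page, not code from the department or from passwd: it generates a random-word password locally (so no website sees it) and works through the arithmetic behind the two pitfalls above, namely why number-for-letter substitutions add little and why the words must be chosen at random from a large list. The WORDS list is a small constructed sample; the 7776-word list size, the 100,000-word dictionary size and the guess rate used in main() are assumed figures for illustration.

```python
"""Random-word passwords generated with the `secrets` module, plus the
entropy arithmetic behind the advice above.  Added example, not the
department's code.  WORDS is a constructed sample list; a real generator
would use a published list of several thousand common words."""
import math
import secrets

# Constructed sample list (assumption: a real list has ~7776 words).
WORDS = [
    "apple", "bridge", "candle", "dolphin", "engine", "falcon", "garden",
    "hammer", "island", "jacket", "kettle", "ladder", "marble", "needle",
    "orange", "pencil", "quartz", "ribbon", "saddle", "tunnel", "umbrella",
    "velvet", "window", "yogurt", "zipper", "anchor", "basket", "carpet",
    "donkey", "feather", "goblet", "helmet", "iron", "jungle", "kiwi",
    "lantern", "magnet", "nickel", "oyster", "puzzle",
]


def random_passphrase(n_words=4, sep=" ", words=WORDS):
    """Pick n_words uniformly and independently, using the OS random source
    (secrets), not the random module, which is not meant for secrets."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(list_size, n_words):
    """Bits of entropy when each word is chosen uniformly from list_size words.
    Nothing about the word separator or capitalization is counted here."""
    return n_words * math.log2(list_size)


# Substitutions of the "0 for o, 1 for i" kind; cracking tools try all of
# them, so they only multiply the attacker's work by the number of variants.
LEET = {"a": "a@4", "e": "e3", "i": "i1", "o": "o0", "s": "s$5"}


def leet_variants(word):
    """Every spelling of `word` reachable through the LEET substitutions."""
    variants = {""}
    for ch in word:
        variants = {v + c for v in variants for c in LEET.get(ch, ch)}
    return variants


def substituted_word_bits(dictionary_size, word):
    """Entropy of 'a dictionary word with substitutions': the attacker tries
    every word times every substitution pattern, and nothing more."""
    return math.log2(dictionary_size) + math.log2(len(leet_variants(word)))


def worst_case_seconds(bits, guesses_per_second):
    """Time to exhaust a space of 2**bits guesses at the given rate."""
    return 2 ** bits / guesses_per_second


def main():
    rate = 1e9  # assumption: offline guesses per second against stolen hashes
    print("sample:", random_passphrase())
    print("this 40-word sample list, 4 words: %.1f bits" % entropy_bits(len(WORDS), 4))
    print("7776-word list, 4 words: %.1f bits" % entropy_bits(7776, 4))
    print("7776-word list, 5 words: %.1f bits" % entropy_bits(7776, 5))
    bits = substituted_word_bits(100_000, "password")
    print("100,000-word dictionary + substitutions of 'password': %.1f bits"
          % bits, "(%d spellings)" % len(leet_variants("password")))
    print("worst case at 1e9 guesses/s: %.0f s vs %.0f years"
          % (worst_case_seconds(bits, rate),
             worst_case_seconds(entropy_bits(7776, 4), rate) / 3.15e7))


if __name__ == "__main__":
    main()
```

The point the numbers make: with the sample 40-word list, four words give only about 21 bits, which is why the list must be large as well as the choice random; four words from a 7776-word list give about 52 bits, whereas a dictionary word of 100,000 candidates with every substitution pattern applied is still only about 22 bits.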

Password Keeper Programs and other memory aids

If you have many passwords and find it hard to remember them all, you might use a password keeper program or app, which stores passwords in an encrypted file on a device of some sort (e.g. a smartphone or a computer): that way you only have to remember the password keeper password. Unfortunately, the use of a password keeper program makes passwords vulnerable to bugs in the password keeper program, or in the system it runs on. But if this is the only way to remember your passwords, it may be necessary. There are many password keeper programs available: while we do not currently recommend specific ones, if you do use one, pick one that keeps the passwords well encrypted at all times. You could also write your password down on paper, but then that paper needs to be very diligently guarded. A password in a sealed envelope in a safe is perhaps OK, and may be a good idea as a contingency plan, but putting your password on a card in your wallet, or worse, on a sticky-note near your desk, is a risky idea. You might, however, write on a note in your wallet some clue or hint (that only you will understand) about how you chose your password.

How Often to Change your Password

How often should you change your password? You should change it often enough so that if someone has somehow captured your password, it will soon become no good to them, but not too often, or you risk forgetting it. We do not specify a specific frequency for changing your password. But if you have been using the same password for years, it would be a very good idea to change it.

Password Checks in the passwd Command

You may find that the passwd command will not allow you to use some passwords. If the passwd command rejects your proposed new password, try a different one. "man pam_cracklib" provides more details about the sorts of passwords it will not accept. For instance, if your password is less than ten characters long, it will insist that the password contain some combination of upper and lower case letters, digits, and other (e.g. punctuation) characters, otherwise it might reject your new password as too simple. It will not let you choose a palindrome for a password. It may also reject your new password if there are too many of the same character repeated consecutively. Finally, it will not accept your proposed new password if it is too similar to the old one. It defines too similar as one of the following:

  • half or more of the characters (max ten) are the same in both passwords
  • the two passwords are the same except for a change of case
  • the new password is a rotated version of the old
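To make the rejection rules above concrete, here is an added example that implements them as a checker you can run against candidate passwords before trying passwd. It is not the code of passwd or pam_cracklib, and it makes assumptions the page does not spell out: it treats "some combination" of character classes as at least three classes, "too many" consecutive repeats as a run longer than three, and the "half or more of the characters (max ten)" rule as a comparison of the multiset of characters in the two passwords.

```python
"""Checker modelled on the passwd/pam_cracklib rules listed on this page.
Added illustration, not the code of passwd or pam_cracklib; the thresholds
below are assumptions, as is the multiset reading of the similarity rule."""
from collections import Counter
import string

MIN_LEN_WITHOUT_MIX = 10   # page: shorter passwords must mix character classes
MIN_CLASSES = 3            # assumption: what counts as "some combination"
MAX_REPEAT = 3             # assumption: longest allowed run of one character
SIMILAR_CAP = 10           # page: "max ten" characters compared


def char_classes(pw):
    """Count the classes present: lower, upper, digit, other (punctuation etc.)."""
    n = sum(any(c in cls for c in pw)
            for cls in (string.ascii_lowercase, string.ascii_uppercase, string.digits))
    if any(c not in string.ascii_letters + string.digits for c in pw):
        n += 1
    return n


def longest_run(pw):
    """Length of the longest run of one character repeated consecutively."""
    best = run = 0
    prev = None
    for c in pw:
        run = run + 1 if c == prev else 1
        best = max(best, run)
        prev = c
    return best


def is_rotation(old, new):
    """True when new is old with some prefix moved to the end."""
    return len(old) == len(new) and len(old) > 0 and new in old + old


def shared_chars(old, new):
    """Characters (with multiplicity) that occur in both passwords."""
    return sum((Counter(old) & Counter(new)).values())


def check_password(new, old=None):
    """Return the reasons the rules would reject `new` (empty list = accepted).
    Pass the current password as `old` to apply the too-similar rules."""
    reasons = []
    if new == new[::-1]:
        reasons.append("palindrome")
    if longest_run(new) > MAX_REPEAT:
        reasons.append("too many consecutive repeated characters")
    if len(new) < MIN_LEN_WITHOUT_MIX and char_classes(new) < MIN_CLASSES:
        reasons.append("too simple (short and too few character classes)")
    if old is not None:
        if new == old:
            reasons.append("unchanged")
        elif new.lower() == old.lower():
            reasons.append("same as old password except for case")
        elif is_rotation(old, new):
            reasons.append("rotated version of old password")
        elif shared_chars(old, new) >= min(len(old), SIMILAR_CAP) / 2:
            reasons.append("too similar to old password")
    return reasons


def main():
    # Constructed candidates; the old password is one of the page's examples.
    old = "Tco:L!=!F!"
    for candidate in ["abc1cba", "Xaaaa-b9!z", "tco:l!=!f!", "=!F!Tco:L!",
                      "heart-wax-indoor-pretty-5"]:
        verdict = check_password(candidate, old) or ["accepted"]
        print("%-28s %s" % (candidate, "; ".join(verdict)))


if __name__ == "__main__":
    main()
```

The checks that compare against the old password only apply when you have one, which is why `old` is optional; the rule "half or more of the characters are the same" is deliberately applied last, because a rotation or a case change would always trip it as well.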

One Password for Many Sites?

Some people like to use one password for many different sites. This may be easier to remember, but it has some real disadvantages. One problem is that if the password is captured, the person who has it gets access to all the sites, not just one. Another problem is that a site's owners can possibly find out the password you are using on their site: do you really want them to be able to access other sites as you? A third problem is that different sites have different rules for what they consider a good password, so if you want to use the same password everywhere, you will have to find one that meets all the rules used by all the sites. But of course the problem of using different passwords for different sites is remembering them all. One approach to solve this is to use one of the techniques above, and vary that technique slightly from site to site in a way that is easy to remember. For example, if you have Google and Yahoo accounts, you could use for Google a password which contains an "e" (the last letter of the word "Google"), and for Yahoo, one that contains an "o", but are otherwise similar. Don't make the variation from site to site too obvious, because if someone captures one of your passwords and figures out your approach, the others will be compromised too. For this reason, something like "correct horse Google staple" is probably not your best choice.

Finally please remember, your account is for your use only, as per university and departmental policy. Please do not tell anyone else your password.

Computer Science - University of Toronto