Did you know that, under certain circumstances, an 8-character perfectly random Microsoft Windows password consisting only of numbers and letters of the alphabet can be "cracked" in a few minutes using commercially available software? The circumstance is a common one: unless configured otherwise, Windows 2000 and XP also store a legacy LAN Manager (LM) hash of each password, which upper-cases the password and hashes each 7-character half separately, so the attacker effectively faces a 7-character upper-case password rather than an 8-character mixed-case one.
Did you know (based on various informal studies) that the seven most common passwords are: 1) no password at all, 2) sex, 3) love, 4) god, 5) secret, 6) money, and 7) password? People also commonly use their own account names as passwords, or the names of family members and pets.
Computer hackers certainly know these facts. With widely available tools and techniques, they can guess or crack, with little effort, any password that is based on combinations, inversions or other permutations of dictionary words (in any language, not just English) and numbers, or on common personal or place names; they can also crack random strings of characters, provided that the password is fairly short.
Passwords Versus Pass Phrases
Instead of traditional passwords, you can actually use longer phrases (which are easier to remember and often easier to type) for Windows 2000 and Windows XP PCs, Macintoshes running Mac OS X 10.3 or higher (but not 10.2 and below), as well as for your SUNet ID.
As passwords (or pass phrases) become longer, they become exponentially harder to crack: each additional character multiplies the number of possibilities an attacker must try by the size of the character set. If you were to use a 15-character password, for example, even with vast computing power applied to the problem, a hacker using existing methods and equipment would on average need many years to recover it.
What about password complexity, which is another way of saying randomness?
The more random a password or pass phrase, the harder it is for anyone - including a password-cracking computer program - to guess. The randomness of your password depends on three related and quantifiable properties: the number of characters it contains (that is, its length), the size of the character set you employ (for example, upper- and lower-case letters of the English alphabet, numbers, punctuation marks, symbols), and the improbability of the order in which you combine those characters. An example of a very random 8-character password is 4(`S&zAp, while an example of a very non-random 8-character password is password.
As passwords become longer, however, the size of the character set that you choose from and the improbability of your ordering of individual characters begin to matter less. You can include dictionary words and still have a sufficiently complex password (or pass phrase) to ward off hackers and satisfy SUNet ID password complexity requirements, as long as you observe a few simple rules. A well-chosen, easily remembered 15-character pass phrase, in fact, is far more secure than a perfectly random, very unmemorable 8-character password.
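The following is an added worked example, not code from the Stanford page: it models the attacker's search space, in bits, for the password styles discussed above, including the LAN Manager split that makes the 8-character case in the opening paragraph so weak. The guess rate, the vocabulary size used for the word-based model and the word count are illustrative assumptions, not measurements.

```python
import math

# Added example (not from the Stanford page). All rates and vocabulary sizes
# below are illustrative assumptions.

GUESSES_PER_SECOND = 1e9  # assumed offline cracking rate against a fast hash


def brute_force_bits(charset_size: int, length: int) -> float:
    """Search-space bits for a uniformly random string: length * log2(charset)."""
    return length * math.log2(charset_size)


def word_phrase_bits(vocabulary_size: int, word_count: int) -> float:
    """Search-space bits for a phrase of randomly chosen words, assuming the
    attacker knows the vocabulary and the word count, so the letters inside
    each word add nothing beyond the choice of word."""
    return word_count * math.log2(vocabulary_size)


def lm_hash_bits(charset_size: int, length: int) -> float:
    """Search-space bits against a legacy LAN Manager hash. LM upper-cases the
    password (so charset_size must already exclude lower-case letters), pads it
    to 14 bytes and hashes each 7-byte half independently, so the attacker
    cracks two short pieces instead of one long one. LM cannot represent more
    than 14 characters, so 14 is the ceiling."""
    first = min(length, 7)
    second = min(max(length - 7, 0), 7)
    guesses = charset_size ** first
    if second:
        guesses += charset_size ** second
    return math.log2(guesses)


def worst_case_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Time to exhaust the whole search space at the given guess rate."""
    return 2 ** bits / rate


def compare() -> dict:
    """Rounded bits and worst-case exhaustive-search time for several styles."""
    cases = {
        # 8 random letters+digits, as in the opening paragraph, stored as LM
        "8 alnum, LM hash": lm_hash_bits(36, 8),
        # the same password stored by a hash that keeps all 8 characters and case
        "8 alnum, case-preserving hash": brute_force_bits(62, 8),
        # 4(`S&zAp: 8 characters drawn from the 95 printable ASCII characters
        "8 printable ASCII": brute_force_bits(95, 8),
        # a 15-letter phrase attacked blindly, lower-case letters only
        "15 lower-case letters, blind": brute_force_bits(26, 15),
        # the same phrase attacked as 4 words from an assumed 20,000-word list
        "4 words from 20000-word list": word_phrase_bits(20000, 4),
    }
    return {name: (round(bits, 1), worst_case_seconds(bits)) for name, bits in cases.items()}


if __name__ == "__main__":
    for name, (bits, seconds) in compare().items():
        print(f"{name:32s} {bits:6.1f} bits  {seconds / 86400:12.1f} days")
```

Two things the numbers show that the prose only asserts: the LM split turns the 8-character alphanumeric password into roughly 36 bits of work (seconds to minutes at the assumed rate), and a phrase built from ordinary words is only as strong as the number of words and how unexpected each one is, which is why the rules below insist on odd words, misspellings and punctuation rather than length alone.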
Should You Use Pass Phrases Instead of Passwords?
For your Windows 2000 or XP user accounts, for your Mac OS X 10.3 and higher user accounts, and for your SUNet ID, consider changing your password to a pass phrase. The advice below is specific to Stanford and to the above-mentioned types of computer accounts. Not all operating systems and software applications support the use of longer pass phrases (for example, Windows 98 and Mac OS X 10.2 and below do not), or even the use of punctuation and special characters in conventional passwords.
When choosing a pass phrase, consider these suggestions:
- If you have local technical support personnel, check with them before you follow any of these suggestions. For a variety of reasons, perhaps most important the possibility of enforced Windows account lockout policies (a long pass phrase is easier to mistype, and every mistyped attempt counts as a failed logon), pass phrases may be a bad idea in certain environments.
- Longer is better, but only within limits. If you choose to switch from a password to a pass phrase, the pass phrase should be between 15 and 25 characters long. (Spaces and other punctuation marks count as characters.) Pass phrases of more than 25 characters are unwieldy to type and, for most people, overkill. Every operating system, application and authentication protocol implementation also has a fixed maximum pass phrase length; these limits vary widely and are not always documented, if they are documented at all, so a pass phrase longer than the limit may be rejected or silently truncated.
- It must not be (or be a snippet from) a well-known phrase, slogan, expression, song lyric, quote from film or theater, or anything else obvious.
- Ideally, your pass phrase should involve a uniquely exotic combination of words and names that's easy for you to remember, to type and to associate with a particular computer account, but that no one would be able to guess. Nonsense phrases - especially, according to psychological research, "shocking nonsense" - can be very easy to remember, but almost impossible for someone else to guess.
- One option is to base your pass phrase on some private fact, known only to you, and in your pass phrase to express that fact in a way that would be meaningful only to you. Do not, however, under any circumstances use identifying information like Social Security numbers, phone numbers, credit card numbers or birth dates. These data are often easily available to hackers. Be more creative, and be more obscure.
- Use digits, punctuation marks (including spaces, commas, periods, hyphens, slashes) and capitalization. That's right: You can and should use punctuation marks including spaces.
- Use intentional misspellings, bad grammar, and foreign or invented words.
- You can even use symbols or symbol substitutions, such as "$" for "S" or "@" for "a". In a short password such substitutions are all but pointless, because password-cracking tools apply exactly these substitutions to every dictionary word automatically; inside a long, unusual pass phrase they add a little more to guess. To avoid potential compatibility problems, use only symbols that are available on a standard US English computer keyboard.
- Just as with passwords, you should avoid committing your pass phrases to paper: Keep them in your head. Combined with their relative length, the ease with which a normal person can remember a short but unusual phrase, as opposed to a short combination of random letters, numbers and symbols, is the primary justification for preferring pass phrases. A well-chosen pass phrase will stick in your head at least as well as it would on a Post-It note on your computer monitor.
- The randomness in a pass phrase, the best measure of its security, comes not only from its length, compared to a typical password, but also from your selection of words and how you combine them. To help you understand randomness in this context, here are some examples of good pass phrases (which you should never use, since they're now on the web for everyone to see):
Pizza w/ krispy Spaniels
Aunt Bea's zip is 27030
en arche en ho Logos, pal
Baby's 1st word was foo
mangl3d persimmon th3rapy
raised on 33 Bleecker St.
Fluffy Mopokes (ouch)
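To make concrete why reversed words, capitalization and "$" for "S" do not rescue a short password, here is an added example, not code from the Stanford page, of the kind of mangling rules a password cracker applies to every dictionary word. The rule set, the substitution table and the three-word list are constructed for illustration and are far smaller than what a real tool ships with.

```python
import itertools

# Added example (not from the Stanford page). LEET, SUFFIXES and the word list
# in the demo are constructed for illustration.

LEET = {"a": "@", "s": "$", "o": "0", "e": "3", "i": "1", "l": "1", "t": "7"}
SUFFIXES = ("", "1", "123", "!", "2004")


def case_variants(word):
    """lower, Capitalized and UPPER forms of a word."""
    return {word.lower(), word.capitalize(), word.upper()}


def leet_variants(word):
    """Every combination of the symbol substitutions in LEET applied to word."""
    positions = [i for i, c in enumerate(word) if c.lower() in LEET]
    for r in range(len(positions) + 1):
        for combo in itertools.combinations(positions, r):
            chars = list(word)
            for i in combo:
                chars[i] = LEET[chars[i].lower()]
            yield "".join(chars)


def mangle(word):
    """All candidates this rule set derives from one word: case changes,
    symbol substitutions, reversal (inversion) and common suffixes."""
    out = set()
    for cased in case_variants(word):
        for leet in leet_variants(cased):
            for base in (leet, leet[::-1]):
                for suffix in SUFFIXES:
                    out.add(base + suffix)
    return out


def candidates(wordlist):
    """The mangled dictionary: union of mangle() over every word."""
    out = set()
    for word in wordlist:
        out |= mangle(word)
    return out


def is_guessable(password, wordlist):
    """True if the password lies inside the mangled dictionary, i.e. a cracker
    running these rules finds it without any brute force at all."""
    return password in candidates(wordlist)


if __name__ == "__main__":
    words = ["password", "secret", "fluffy"]  # constructed mini word list
    print(len(candidates(words)), "candidates derived from", len(words), "words")
    for pw in ["P@$$w0rd", "drowssap1", "Secret!", "Fluffy Mopokes (ouch)"]:
        verdict = "guessable" if is_guessable(pw, words) else "not guessable"
        print(f"{pw!r}: {verdict}")
```

A few hundred candidates per word is nothing for a cracking program, so "P@$$w0rd" and "drowssap1" fall immediately, while a multi-word phrase with an invented word in it is outside anything these rules can produce; a real tool would also try word pairs and more suffixes, which is why the pass phrase must be long and odd, not merely decorated.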
If you're a reasonably fast typist, entering a 15 to 25-character pass phrase is no great burden. And if you're running Windows 2000, XP, or Mac OS X 10.3 or above, single sign-on (entering your pass phrase only once) permits you to use your pass phrase to log in to your PC or Macintosh, to log in to PC-/MacLeland, and so to log in to various restricted resources on the Stanford web, all at the same time. For more information about single sign-on, please refer to the PC-Leland and MacLeland documentation on the Stanford web.
Note that for single sign-on to work, your Windows or Mac OS X user name and pass phrase must match your SUNet ID and pass phrase exactly.
To change your SUNet ID password to a pass phrase, visit the StanfordYou web page.
For More Information
For information about password and pass phrase policies and guidelines at Stanford, see http://securecomputing.stanford.edu/passwords.