by Daryl Peel
Newsletters have been coming out of various departments at the University of Southampton for a long, long time, and the Digital Learning Team is no exception.
This post will appear once a month alongside the Digital Learning Newsletter and will take you on a journey through some of the content from our ancient newsletters. Most of these will contain a scanned or photographed image of the paper (yes, paper!) newsletters, but I will take the time to type up as much as possible and even find similar images to give you the best reading experience. Prepare for nostalgia and a fascinating look at technology we used to believe was cutting edge.
Date: July 1992
Article: Something about Passwords
Author: Andy Cotten
The following notes are derived from the paper ‘Improving The Security of your Unix System’, by David A. Curry of Stanford Research International, Menlo Park, California, USA. They were subsequently published in the Queen Mary and Westfield College Computing Services newsletter by Bob Jones, the Computer Systems Manager, and are reproduced, after some local tailoring, with his kind permission.
You should be aware that the password is the most important part of Unix account security. If a user’s password can be discovered, then the data files belonging to that user can be compromised. There is also an associated reduction in general system security, in that unauthorized persons can access the system, if only in part.
On the Electronic Mail Service, the Unix passwd command places few restrictions on those passwords which a user can choose: all passwords must be at least six characters long if a single case is being used (5 otherwise); only the first eight characters are used by the password checking system; passwords can also be set to expire after a specified period, forcing a change. Other Unix systems are more stringent.
The IBM 3090 only uses upper case letters and numbers. Passwords are set to expire every 90 days and you cannot use any of the last three passwords.
There are a few basic guidelines which should make it more difficult for outsiders to discover your password.
- Don’t use your login name in any form (as it stands, reversed, capitalised, doubled, etc).
- Don’t use your first name or last name in any form.
- Don’t use your partner’s or child’s name.
- Don’t use any information easily obtained about you. This includes car registration numbers, national insurance numbers, the make of your car, the street you live on, etc.
- Don’t use a password which can be found in any dictionary, whether English or ANY other language, or even an obscure word from your own or anybody else’s specialist area.
- Do use a password with mixed case letters (if available).
- Do use a password that you can remember, so that you don’t have to write it down.
- Do use a password you can type quickly, without having to look at the keyboard. This makes it harder for someone to steal your password by looking over your shoulder.
Although this list seems to restrict passwords in the extreme, there are several methods for choosing easy-to-remember passwords which conform to the above rules. These include the following:
- Choose a line or two from a song or poem, and use the first letter of each word. For example, ‘In Xanadu did Kubla Khan a stately pleasure dome decree’ would become ‘IXdKKaspdd’.
- Choose two short unrelated words and join them together with a punctuation character. For example, ‘dog:rain’, ‘book+mug’, etc.
- Alternate between one consonant and one or two vowels. This provides nonsense words which are quite easy to pronounce, and so are quite memorable, such as ‘routboo’, ‘quadpop’, etc.
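The guidelines above (login name in any form, personal details, dictionary words, mixed case, the six-or-five-character minimum and the eight-character limit of the 1992 password checker) and the first-letters method can be turned into a small checker. The code below is an added example, not part of the original newsletter or any University system; the login name, the personal details and the tiny word list are constructed stand-ins, and the function names are my own.

```python
"""Checker for the 1992 password guidelines plus the first-letters method.

Added example, not code from the newsletter. The length thresholds and the
eight-character truncation follow the article; the word list, login name and
personal details are constructed for the demonstration.
"""

MIN_LEN_SINGLE_CASE = 6   # article: at least six characters if a single case is used
MIN_LEN_MIXED_CASE = 5    # article: five characters otherwise
SIGNIFICANT_CHARS = 8     # article: only the first eight characters are checked

# Constructed stand-in for a real multi-language dictionary.
DICTIONARY = {"dog", "rain", "book", "mug", "xanadu", "kubla", "password", "secret"}


def _variants(word):
    """Forms the article says not to use: as it stands, reversed, doubled.
    Everything is compared in lower case, which also covers 'capitalised'."""
    w = word.lower()
    return {w, w[::-1], w * 2}


def _is_mixed_case(password):
    return any(c.isupper() for c in password) and any(c.islower() for c in password)


def check_password(password, login, personal_info=(), mixed_case_available=True):
    """Return the list of guideline violations; an empty list means it passes.

    personal_info: constructed items such as a first name or car registration.
    mixed_case_available=False models a system like the IBM 3090 in the article,
    which only has upper case letters and numbers."""
    problems = []
    pw = password.lower()
    # Letters only, so 'Password1' still trips the dictionary check.
    core = "".join(c for c in pw if c.isalpha())

    min_len = MIN_LEN_MIXED_CASE if _is_mixed_case(password) else MIN_LEN_SINGLE_CASE
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")

    if pw in _variants(login):
        problems.append("derived from login name")

    for item in personal_info:
        if pw in _variants(item):
            problems.append(f"derived from personal information ({item})")

    if core in DICTIONARY:
        problems.append("dictionary word")

    if mixed_case_available and not _is_mixed_case(password):
        problems.append("no mixed case")

    return problems


def effective_password(password):
    """The part of the password the article's checker actually compares."""
    return password[:SIGNIFICANT_CHARS]


def same_effective_password(a, b):
    """True when two passwords are indistinguishable after the 8-char truncation,
    i.e. a change beyond the eighth character is no change at all."""
    return effective_password(a) == effective_password(b)


def first_letters(line):
    """The article's first method: first letter of each word, case preserved."""
    return "".join(word[0] for word in line.split() if word[0].isalpha())


if __name__ == "__main__":
    line = "In Xanadu did Kubla Khan a stately pleasure dome decree"
    print(first_letters(line))  # IXdKKaspdd
    # Constructed login name and personal details for the demo.
    for pw in ("jsmith", "htimsj", "Password1", "dog:rain", "alex", first_letters(line)):
        print(pw, check_password(pw, "jsmith", personal_info=("Alex", "AB12CDE")))
    print(same_effective_password("secretword1", "secretword2"))  # True
```

Running the block prints the article's own example acronym and a verdict for each sample password; the last line shows why the article's advice to change passwords regularly only helps on that 1992 system if the change falls within the first eight characters.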
Having selected a suitable password, there are some common-sense rules which should be followed.
You should NEVER write your password down, and under no circumstances should it be stored in any computer system. If you really cannot remember your password, and insist on keeping a written record, then keep that note in your wallet or purse. Small yellow squares of paper stuck on your computer are NOT secure!
You must never divulge your password to anybody at all. There are always better ways of giving other users access to your files, without entrusting them totally with the safety of your data, and possibly the integrity of the whole system.
You should change your password regularly. While it is not possible to lay down hard and fast rules on how often passwords should be changed, it is ESSENTIAL to change your password whenever you have the slightest suspicion it might have been discovered.
You should select a different password for every machine you use. If you use the same password on many machines, then the security of your data is reduced to that offered by the least secure of those machines.
If you need any more information about passwords and security, please contact the Advisory Service, email Advisory@Soton (this email no longer works).