
Network ID
Password/Passphrase Guidelines
Scope of a Network ID
Network IDs are used to manage
access to a number of network-based resources such as Morris Library
and Computer Learning Center facilities, electronic mail, Unix
computational services, wireless access, dialup Internet access,
Residence Hall network (RezNet) through Clean Access, and more. This
consolidated approach to network identification provides users with the
ability to use the same ID and password/passphrase for all services.
Thus, a change in a user's Network ID password/passphrase affects
access to all of these services.
Purpose of the password/passphrase
The role of a password/passphrase is to prevent
unauthorized access to data just as a key prevents unauthorized access
to a house or apartment. A password/passphrase should be guarded with
the same care as the key to a house or apartment. The hardest part of
choosing a password/passphrase is making it difficult for others to
guess but easy for you to remember. It's very important to remember
your password/passphrase. Writing down passwords is a dangerous
practice. Saving your password/passphrase within an application is also
a dangerous practice and should be avoided.
Creating a password/passphrase that matches the Auditor
General's requirements as of May 17, 2006
As of April 2006, the Auditor General of the State of Illinois has set
forth the following password guidelines that all SIUC Network ID users
must adhere to when changing their password on or after May 17, 2006.
The password must be changed every 120 days and passwords cannot be
re-used. The password must:
- Be eight or more characters in length (maximum size is 255 characters)
- Include upper and lower case letters
- Include numbers
- Include at least one of the following special characters: ~ ! @ # ^ & * ( ) _ + - { } [ ] , . ?
  - NOTE: The tilde ~ character will NOT work on Macintosh OSX Systems.
  - DO NOT use the percent character % as this will not be accepted
Some additional characteristics of a strong passphrase
include the following:
- Be difficult to guess given information about you or
a dictionary cracking tool
- Be easy to type so that someone cannot watch it
being typed
- Be easy to remember so that it does not have to be
written down. Passphrases meet this characteristic and users should
consider thinking in terms of "passphrase" instead of "password"
- Long - the longer the better. For the highest
security on a Windows system, a password over 14 characters long is
recommended.
Example passwords/passphrases
Any sequence of characters that satisfies the Auditor
General's requirements and can be remembered by the user will work. To
help with the process, we present a few ideas that may help the user
create a strong password/passphrase that's also easy to remember. Be
creative! A strong password/passphrase does not have to be impossible
to remember. Good password/passphrase security is within your reach.
DO NOT USE THESE EXAMPLE PASSWORDS AS YOUR
OWN PASSWORD.
Technique: use three or more words, substituting
numbers for letters and adding punctuation. For instance:
| Concept | Passphrase |
| --- | --- |
| Thirty three free trees | 33Fr33Tr33s! |
| Walking down the street. | W@lk1ngd0wnthestreet |
| Fake address | 1SpaceShuttleW@y |
| Pet ownership | Ihave3Terrierd0gs! |
Technique: build partial acronyms combined with other
character sets. For instance:
| Concept | Passphrase |
| --- | --- |
| The cow jumped over the moon | TCJotm00n! |
| Meet me in St Louis, Louis | MMNStL0uis2x! |
| Shawnee National Forest #1 | Sh@wkn33NF#1 |
| When I was 21 I moved to SIUC | WIw21Im0ved2SIUC! |
Technique: fake pseudo email addresses. For instance:
| Concept | Passphrase |
| --- | --- |
| Fake hotmail address | DaBigMan@H0tm@il.c0m |
| Fake Yahoo address | GuitarDude1980@Yah00.c0m! |
| Invalid domain | Free_willy@n0m@il.n3t |
These are three techniques. Feel free to make up your
own scheme that meets the criteria.
Characteristics of weak passwords/passphrases
The passphrase technique resolves a lot of the common
problems associated with weak passwords and password guessing attacks.
However, there are some general characteristics of weak
passwords/passphrases that you should be aware of.
Weak passwords/passphrases have the following
characteristics:
- Any password that is offered forth as an example
- Permutations of the username
- Family or pet birth dates
- Family or pet names or acronyms built from them
- Hobbies or activities
- Work or school-related information or work/school
acquaintances
- Names of places visited or worked
- Important numbers such as social security, phone or
account numbers
- Common words from dictionaries, including foreign
languages
- Common dictionary word permutations
- Names or types of favorite objects
- All digits or all the same letter or letter sequences
found on keyboards
Password strength analysis
Passwords chosen will be examined by a password cracking
program before being accepted by the network to determine if the new
password is too closely related to a dictionary word when spelled
either forward or backward. English is not the only language contained
in the cracking program resource, so words that you may not recognize
as words may be declared unusable as passwords. Please remember that a
Network ID password change affects all network-based resources, and
that there may be some delay in propagation after changing your
password due to the interlocking nature of the campus area network.
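The composition rules listed earlier and the forward/backward dictionary check described here can be expressed as a short checker. This is an added example, not the program the network actually runs: the function names and the four-entry word list are constructed for illustration, and "too closely related" is assumed to mean that the letters of the password spell a listed word forward or backward.

```python
# Special characters the guidelines accept; '%' is explicitly rejected.
ALLOWED_SPECIALS = set("~!@#^&*()_+-{}[],.?")
MIN_LEN, MAX_LEN = 8, 255

# Constructed stand-in for the cracking program's multi-language word list.
SAMPLE_WORDS = {"password", "welcome", "passwort", "bonjour"}


def composition_failures(pw):
    """Return the composition rules from the guidelines that pw breaks."""
    failures = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        failures.append("length must be 8 to 255 characters")
    if not any(c.isupper() for c in pw):
        failures.append("needs an upper case letter")
    if not any(c.islower() for c in pw):
        failures.append("needs a lower case letter")
    if not any(c.isdigit() for c in pw):
        failures.append("needs a number")
    if not any(c in ALLOWED_SPECIALS for c in pw):
        failures.append("needs a listed special character")
    if "%" in pw:
        failures.append("percent character is not accepted")
    return failures


def dictionary_hit(pw, words=SAMPLE_WORDS):
    """Assumed reading of 'too closely related': the letters of pw,
    lower-cased, spell a listed word forward or backward."""
    core = "".join(c for c in pw if c.isalpha()).lower()
    for candidate in (core, core[::-1]):
        if candidate in words:
            return candidate
    return None


def check(pw, words=SAMPLE_WORDS):
    """Run both checks; an empty list means the password is acceptable."""
    failures = composition_failures(pw)
    hit = dictionary_hit(pw, words)
    if hit:
        failures.append(f"based on dictionary word '{hit}'")
    return failures
```

A password such as `Password1!` meets every composition rule and is still refused by the dictionary step, which is why the two checks are kept separate.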
120 day minimum password change requirement
Network ID passwords/passphrases must be changed at
least once every 120 days. For further information about this topic,
please see a summary page at http://www.infotech.siu.edu/csc/policies/nid_summary.html.
For detailed documentation, please see http://www.infotech.siu.edu/csc/policies/nid_docs.html
Further documentation from security experts supports the
idea that LONGER passwords are better.
http://blogs.technet.com/robert_hensing/archive/2004/07/28/199610.aspx
Help is available from the Computer Support Center. The
CSC can be reached at 453-5155, or by email at infotech@siu.edu