Strong passwords

Overview:

  • Teaching: 10 min
  • Exercises: 0 min

Questions

  • What constitutes a strong password?

Objectives

  • Understand that we should keep our passwords safe
  • Know that complex passwords needn't be difficult to remember (or type)

Protect your password

Most security incidents arise when we fail to protect our credentials: saving passwords in plain text, not logging off shared resources, leaving our computers unlocked, or falling for phishing. Phishing ranges from accidental or opportunistic attempts to sophisticated, targeted campaigns designed to get us to hand over information. Many email providers now take significant steps to verify that messages are authentic and to block links to suspicious websites, but the last line of defence is still us: stay alert, never share your password, and never enter it on a site unless you are certain it is genuine (check the address bar, not just the page's appearance).

Compromised credentials

Initial passwords

On local HPC systems you may be able to use your standard institutional credentials. On other services you will typically be issued an initial password for logging onto the system; treat it as temporary.

When you log into a new service for the first time you will usually be prompted to change your password. If you are not, change it at first log-in yourself with the passwd command. Whether prompted or running the command, the password change sequence is:

  1. Enter your current password
  2. Enter a new strong password
  3. Re-enter the same new password to confirm it

There may be a forced password policy to help ensure that you are using a strong password.

N.B. You may be logged out automatically after the change; simply log back in with your new password.

From then on you can change your password on the machine itself with the passwd command whenever you need to. If you forget your password, contact your system administrator/helpdesk; do not ask colleagues for theirs.

Strong Passwords

Traditional advice about strong passwords is typically along the lines of:

A strong password is one that is difficult to guess for both humans and computer programs, effectively protecting data from unauthorized access. A strong password consists of at least twelve characters (and the more characters, the stronger the password) that are a combination of letters, numbers and symbols (@, #, $, %, etc.) if allowed. Passwords are typically case-sensitive, so a strong password contains letters in both uppercase and lowercase. Strong passwords also do not contain words that can be found in a dictionary or parts of the user's own name.

Based on https://www.webopedia.com/TERM/S/strong_password.html

Strong passwords needn't be complex

The problem with this advice is the one made in the xkcd "Password Strength" cartoon. Rules like these push us towards passwords that are hard to remember, and if the result is not actually random but a single dictionary word with a capital letter, a few letter-for-symbol substitutions and a digit or symbol tacked on the end, it is relatively easy for a computer to crack: password-cracking tools take a dictionary and apply exactly those mangling rules, so "P@ssw0rd1!" is only a few thousand guesses away from "password".

Many security-conscious organisations now recommend against what was traditionally considered good password style (the one used by the source quoted above) and are moving towards the XKCD-style passphrase: three or four randomly chosen words, which is both easier to remember and harder to guess, provided the words really are picked at random rather than chosen by you. This is not just a joke; the UK National Cyber Security Centre has promoted "three random words" for a number of years.

Alternatively, use machine-generated passwords. These are the strongest option, but they rely on the user having a password manager (or an excellent memory) and being comfortable using it from the terminal, or copying the password across every time it is needed, if the password is used for SSH.

Common advice is not the most secure

It is possible that some of the systems you use enforce traditional password rules (mandatory digits and symbols, or a short maximum length) and will not accept XKCD-style passphrases. This is in general a fault in the password policy, and the operators should be encouraged to change it. Security is a shared responsibility, and operators should be keeping up with the changing advice on password formats.

You can experiment by generating your own XKCD-style passphrase.
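As an added example, not part of the original lesson, the script below generates an XKCD-style passphrase and puts numbers on the argument made above: it enumerates the variants of a dictionary word that a typical cracking rule set would try (capitalisation, letter-for-symbol substitutions, common suffixes), then compares the resulting search space with that of a random four-word passphrase. The wordlist embedded here is a constructed sample so the script runs offline; the 7776-word figure used in the comparison is the size of a real diceware-style list, and the 100000-word dictionary size and the suffix list are assumptions chosen for illustration.

```python
"""XKCD-style passphrase generator and a rough keyspace comparison.

Added example for the lesson; not an official tool. Uses only the
standard library so it runs anywhere Python 3 is available.
"""
import itertools
import math
import secrets

# Constructed sample wordlist, kept small so the example is self-contained.
# For real use load a large list (e.g. the 7776-word EFF long list).
SAMPLE_WORDS = """apple brick cloud dance eagle flame grape honey igloo jolly
kettle lemon mango noble ocean piano quilt river sugar tiger umbrella velvet
walnut yellow zebra anchor bridge candle desert ember forest garden hammer
island jacket kayak ladder marble needle orbit pepper""".split()

# Letter-for-symbol substitutions that cracking rule sets routinely try.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}

# Assumed common suffixes; real rule sets are larger but the point is the same.
COMMON_SUFFIXES = ("", "1", "123", "!", "1!", "2024")


def xkcd_passphrase(words, n_words=4, sep="-"):
    """Join n_words picked uniformly at random from `words`.

    `secrets` is a CSPRNG; never use the `random` module for passwords,
    its generator is seedable and its output is predictable.
    """
    if n_words < 1:
        raise ValueError("need at least one word")
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(alphabet_size, length):
    """Entropy of `length` independent uniform choices from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def mangled_candidates(word, suffixes=COMMON_SUFFIXES):
    """All variants of `word` produced by the rules above.

    This is what a cracker's dictionary attack generates from each word:
    three capitalisation forms x every subset of leet substitutions x suffix.
    """
    letters = sorted({c for c in word if c in LEET})
    out = set()
    for base in (word, word.capitalize(), word.upper()):
        for k in range(len(letters) + 1):
            for subset in itertools.combinations(letters, k):
                variant = base
                for ch in subset:
                    variant = variant.replace(ch, LEET[ch])
                    variant = variant.replace(ch.upper(), LEET[ch])
                for suf in suffixes:
                    out.add(variant + suf)
    return out


def mangled_word_bits(word, dictionary_size=100_000):
    """Bits an attacker must search for one mangled dictionary word:
    log2(dictionary size x rule variants per word). Dictionary size is assumed."""
    return math.log2(dictionary_size * len(mangled_candidates(word)))


def compare(word="password", wordlist_size=7776, n_words=4):
    """Search-space comparison: mangled word vs random passphrase vs
    a truly random 8-character password from the 95 printable ASCII characters."""
    return {
        "mangled_word": mangled_word_bits(word),
        "passphrase": entropy_bits(wordlist_size, n_words),
        "random_8_printable": entropy_bits(95, 8),
    }


if __name__ == "__main__":
    print("example passphrase:", xkcd_passphrase(SAMPLE_WORDS))
    print("'P@ssw0rd1!' in cracker candidates for 'password':",
          "P@ssw0rd1!" in mangled_candidates("password"))
    for name, bits in compare().items():
        print(f"{name:>20}: {bits:5.1f} bits")
```

The comparison shows why the "complex" style fails: a mangled dictionary word sits in a search space of roughly 24 bits (a few tens of millions of guesses, seconds of work against a leaked hash), while four words chosen at random from a 7776-word list give about 52 bits, on a par with eight genuinely random printable characters that nobody could remember. The strength comes from the random choice, so use the generator rather than picking four words you like.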

Key Points:

  • Human error is the most common cause of security breaches
  • Use strong passwords and never share them with others
  • Consider using XKCD style passwords
  • or encourage your system operators to allow them if not permitted