Password

Password Protection and Management

A password is the most basic security mechanism protecting computer systems and Internet access to private information. Unfortunately, password safety is often overlooked by most people, including many in the IT community. The problem stems from a poor understanding of both how security works and how people actually behave, and this leads to weak protection against serious, determined password attacks. This matters most when what the password protects is highly sensitive: for all intents and purposes, access to private information via a password must satisfy the principles of confidentiality and integrity. Password usage should follow McMaster’s Password Policy. For information about MacID password complexity requirements, please visit: http://www.mcmaster.ca/uts/macid/passwd.html.

Typical password protection issues stemming from common human behaviour

  • Writing passwords down on sticky notes.
  • Placing passwords under the keyboard.
  • Placing a sticky note containing a password on the monitor.
  • Sharing the password (or swipe card) with other people.
  • Choosing an easily guessed password.
  • Using a password on a non-secure machine, or in a system/application that “remembers” passwords.

Typical issues with security questions for password maintenance

  • Questions whose answers are hard to remember.
  • Questions whose answers are ambiguous, so the owner may enter them differently later.
  • Questions whose answers are easily guessed or looked up.

How to Manage Multiple Passwords

In the Internet age, people find themselves juggling passwords for their e-mail accounts, the web sites they routinely visit, and any other Internet-based services they use. Without a password manager it is impractical to create a completely different password for every web site or account, but using the same password in multiple places is very dangerous: if it is stolen from any one of the places where it is used (for example, from a site that stored it poorly), attackers will try it against other, more sensitive services and compromise them.

Recommended Safe Password Practices

As a general rule, a password must be complex, where complexity means hard for someone else to guess yet relatively easy for the owner to memorize. Passwords that do not meet this condition can be recovered easily by a dictionary attack, a brute-force attack, or social engineering. Follow these practices and guidelines to ensure the complexity and strength of your passwords:

  • Choose a password that will be hard to crack.
  • Do not keep passwords on sticky notes or on similar, easy-to-find methods.
  • Do not write down your passwords and if you need to do so, destroy/shred the paper after you are done.
  • Never share your password (or swipe card). You may be held accountable for any misuse of it.
  • Do not use the same password for all your personal accounts.
  • Consider changing your password if you think you sent it over a non-secure channel (for example, a web page that was not served over HTTPS).
  • Get in the habit of changing your passwords frequently.
  • Consider changing your passwords after travelling abroad.
  • Do not let applications such as web browsers store or “remember” your passwords, especially on shared or unmanaged machines.
  • If your passwords protect critical resources or information, consider storing them safely in dedicated password-manager software or a service such as LastPass, which keeps them encrypted under a single strong master password.
  • Use a password that can be typed quickly, without having to look at the keyboard. This makes it harder for someone adept at “shoulder surfing” to steal your password.
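To make concrete what the "dictionary attack" mentioned above actually does, here is an added example in Python; it is not code from McMaster or from this page. It runs a small rule-based dictionary attack (case changes, letter-for-symbol substitutions, common suffixes) against constructed salted SHA-256 hashes of the kind a poorly built site might store. The wordlist, mangling rules, salt and sample passwords are all constructed for illustration; a real attack uses millions of words and leaked passwords, which is why a password "based on" a dictionary word falls just as fast as the bare word.

```python
import hashlib

# Constructed wordlist standing in for the millions of words and leaked passwords a real attack uses.
WORDLIST = ["password", "welcome", "volcano", "maroon", "hamilton", "summer", "letmein"]

# Mangling rules in the spirit of hashcat/John rule files: case changes, leet swaps, common suffixes.
SUFFIXES = ["", "1", "12", "123", "!", "1!", "123!", "2023", "2024", "2024!"]
LEET_MAPS = [
    {},
    {"a": "@"},
    {"o": "0"},
    {"s": "$"},
    {"a": "@", "o": "0"},
    {"a": "@", "o": "0", "s": "$"},
    {"e": "3", "i": "1"},
]

# Constructed salt for the demonstration; a real site uses a random one per user.
SAMPLE_SALT = b"constructed-salt"


def case_variants(word):
    """The three case forms almost everyone picks from."""
    return [word.lower(), word.capitalize(), word.upper()]


def apply_leet(word, mapping):
    return "".join(mapping.get(c, c) for c in word)


def candidates(wordlist=WORDLIST):
    """Yield each mangled guess once; how many are needed is the attacker's real cost."""
    seen = set()
    for word in wordlist:
        for base in case_variants(word):
            for mapping in LEET_MAPS:
                for suffix in SUFFIXES:
                    guess = apply_leet(base, mapping) + suffix
                    if guess not in seen:
                        seen.add(guess)
                        yield guess


def digest(password, salt):
    """Salted SHA-256 as a weakly built site might store it. The salt defeats precomputed
    tables, not guessing: a fast hash lets an attacker test millions of candidates per second."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def crack(target, salt, wordlist=WORDLIST):
    """Return (password, guesses_tried) if a candidate matches target, else (None, guesses_tried)."""
    tried = 0
    for tried, guess in enumerate(candidates(wordlist), 1):
        if digest(guess, salt) == target:
            return guess, tried
    return None, tried


def brute_force_space(length, alphabet_size=94):
    """Candidates an exhaustive search over printable ASCII must cover for a given length."""
    return alphabet_size ** length


if __name__ == "__main__":
    for pw in ["P@ssw0rd", "Volcano1!", "summer123", "NgD0wn@va"]:
        found, tried = crack(digest(pw, SAMPLE_SALT), SAMPLE_SALT)
        print(f"{pw:12} -> {found!r} after {tried} guesses")
    print("brute force, 9 printable characters:", brute_force_space(9))
```

The mangled dictionary words are recovered within a couple of thousand guesses, while the phrase-derived "NgD0wn@va" from the tips below is not in the candidate space at all and would have to be found by exhaustive search over roughly 94^9 strings. The lesson for the practices above is that "Volcano1!" is not meaningfully stronger than "volcano".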

Tips on Creating a Safe Password:

For most McMaster applications your password must be at least 8 and up to 16 characters in length, must contain characters from at least three of the categories below, and must not be based on a dictionary word or a simple pattern such as ABCdefG. Your password must also not match any password you have previously used.

Uppercase Letters ABCDEFGHIJKLMNOPQRSTUVWXYZ
Lowercase Letters abcdefghijklmnopqrstuvwxyz
Numerals 0123456789
Symbols !@#$%*() -+= _|\ [] {},.:;

A Password is Weak When:

  • Contains fewer than eight characters.
  • Is a word found in a dictionary (English or any other language).
  • Is a word or name in common use, such as popular-culture names, movies, cartoon characters, etc.
  • Uses a birthday or other personal information that can be traced back to the owner or someone related to them.
  • Uses simple patterns like 1234, aaabbb, qwerty, zyxwvuts, 123321, etc.

A Password is Strong When:

  • Contains both upper- and lower-case letters (a-z, A-Z).
  • Includes digits, punctuation and/or special characters as well as letters from the categories above.
  • Is at least eight characters long.
  • Is not a word in any language or dialect, including slang and jargon.
  • Is not based on personal information, names of family members, common names of objects, movies, etc.
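As an added example, not McMaster's own code or tooling, here is a Python checker that enforces the rules above: 8 to 16 characters, three of the four character categories, no simple pattern (runs, keyboard walks, repeats, mirrors such as 123321), not based on a dictionary word even after common substitutions such as 0 for o, and no reuse of a previously used password. The dictionary, keyboard rows and substitution table are constructed and deliberately small; a real deployment would load a full wordlist and leaked-password lists. Password history is kept as salted PBKDF2 digests so that the old passwords themselves are never stored.

```python
import hashlib
import hmac
import os
import string

# Constructed stand-in for a real wordlist; a deployment would load a large one plus leaked-password lists.
DICTIONARY = {"password", "welcome", "volcano", "never", "maroon", "hamilton", "summer"}

# Keyboard rows and the digit row, for catching qwerty-style and 1234-style walks in either direction.
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

# Substitutions undone before the dictionary check, so P@ssw0rd is still recognised as "password".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

# The four categories listed on the page.
CATEGORIES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "numeral": set(string.digits),
    "symbol": set("!@#$%*()-+=_|\\[]{},.:;"),
}

PBKDF2_ROUNDS = 100_000


def categories_used(pw):
    """Return the set of character categories present in pw."""
    return {name for name, chars in CATEGORIES.items() if any(c in chars for c in pw)}


def is_simple_pattern(pw, window=4):
    """True for runs (1234, zyxw, abcdefg), keyboard walks (qwerty), repeats (aaa) and mirrors (123321)."""
    s = pw.lower()
    for i in range(len(s) - window + 1):
        chunk = s[i:i + window]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({1}, {-1}):  # strictly ascending or descending
            return True
        if any(chunk in row or chunk in row[::-1] for row in KEYBOARD_ROWS):
            return True
    if any(s[i] == s[i + 1] == s[i + 2] for i in range(len(s) - 2)):
        return True  # three identical characters in a row
    for n in range(6, len(s) + 1, 2):  # even-length mirrored blocks such as 123321
        if any(s[i:i + n] == s[i:i + n][::-1] for i in range(len(s) - n + 1)):
            return True
    return False


def based_on_dictionary_word(pw):
    """Undo case, leet substitutions and padding digits/symbols, then look for a dictionary word."""
    core = "".join(c for c in pw.lower().translate(LEET) if c.isalpha())
    return core in DICTIONARY or any(len(w) >= 5 and w in core for w in DICTIONARY)


def hash_password(pw, salt=None):
    """Salted PBKDF2 record (salt, digest) for keeping a password history without keeping the passwords."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


def matches_history(pw, history):
    """True if pw reproduces any stored (salt, digest) record; constant-time comparison per record."""
    return any(
        hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS), digest)
        for salt, digest in history
    )


def check_password(pw, history=()):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if not 8 <= len(pw) <= 16:
        problems.append("length must be 8 to 16 characters")
    if len(categories_used(pw)) < 3:
        problems.append("needs characters from at least three categories")
    if is_simple_pattern(pw):
        problems.append("contains a simple pattern or run")
    if based_on_dictionary_word(pw):
        problems.append("based on a dictionary word")
    if matches_history(pw, history):
        problems.append("matches a previously used password")
    return problems
```

With the constructed dictionary, `check_password("Volcano2024!")` and `check_password("P@ssw0rd")` are rejected as dictionary-based even though both satisfy the length and category rules, while the phrase-derived "NgD0wn@va" and "NgDaVal0n3" from the tips below pass. The history check hashes the candidate under each stored salt and compares with `hmac.compare_digest`, so the previous passwords never have to be kept in the clear.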

Tips to Efficiently Manage Multiple Passwords:

  • When choosing a password, consider what it is protecting. A service that holds no private information may not need as strong a password; when in doubt, use a strong one!
  • Consider your password as multiple parts: a central core that carries the memorability, and a prefix and/or suffix that identifies the service being protected. Keep in mind that if one such password leaks, whoever has it also has the core and the pattern, so the core itself must be strong.
  • Ensure memorability by building the password from a song title, affirmation, or other phrase. For example, the phrase might be “Never Go Down A Volcano Alone” and the password could be “NgD0wn@va” or “NgDaVal0n3” or some other variation.
  • The passwords protecting your most sensitive information should always be different from your other passwords and should always be strong.