Passwords

One of the easiest and most effective ways to improve security is by using more secure passwords.

SNS user passwords must be 8 characters long and contain characters from three of the following four categories:
      an upper-case character
      a lower-case character
      a numerical digit (0-9)
      a non-alphanumeric character (for example, !, $, #, %)

A password that satisfies the above criteria is not necessarily secure, though. For example, cat2dog* meets every rule and is still a terrible password choice. The reason why, and advice on how to choose a good password, is described below.

To change your SNS password, follow these instructions.

Password Security

  • Make passwords hard to guess.

Hackers have access to very powerful password-cracking tools incorporating extensive word and name dictionaries. Thus passwords should never be dictionary words or names, even foreign-language ones. The cracking tools also apply many transformations, such as spelling words backwards, substituting numbers for certain letters (e becomes 5), adding capital letters at different positions in the word, etc. Almost every substitution you can think of has probably already been coded into one of these tools.

More secure passwords are those which are based on pass phrases and/or non-dictionary words (including "nonsense" words), combined with obscure character substitutions. These can be extremely difficult to either guess or crack. The most effective method of choosing a password that is well chosen and easy to remember is to think of a simple phrase and use the first letter of each word in combination with numbers or punctuation.

Example: "I need to drink coffee in the morning" could be used as a mnemonic for:

	In2dcitm

This password satisfies all the criteria above, and could also be considered secure.
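The following is an added illustration, not an SNS tool, of the two checks discussed above: the SNS length/category rule, and the dictionary-plus-substitution weakness that lets cat2dog* pass the rule while still being a bad choice. It also builds the first-letter mnemonic from the example phrase. Assumptions are marked in the code: the rule is read as a minimum of 8 characters, the dictionary and substitution tables are tiny constructed stand-ins for the large lists cracking tools use, and the number-word table is an extension of the page's "to" becoming "2".

```python
"""Password policy helpers (added example; not SNS's own tooling)."""
import string

# Constructed mini-dictionary standing in for the large word and name lists
# that cracking tools ship with (assumption: real lists are far larger).
DICTIONARY = {"cat", "dog", "coffee", "drink", "morning", "password",
              "secret", "welcome", "summer", "winter"}

# Constructed table of common letter-for-symbol substitutions that cracking
# tools undo (assumption: real tools try many more).
UNLEET = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
          "@": "a", "$": "s"}

# Words conventionally written as a digit in a mnemonic. The page's example
# turns "to" into "2"; the other entries are an assumption.
NUMBER_WORDS = {"to": "2", "too": "2", "two": "2", "for": "4", "four": "4",
                "one": "1"}


def meets_sns_policy(password: str) -> bool:
    """True if the password is at least 8 characters (assumption: the page's
    "8 characters long" is a minimum) and uses at least three of the four
    character categories listed on the page."""
    if len(password) < 8:
        return False
    categories = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return sum(categories) >= 3


def _segments_into_words(letters: str) -> bool:
    """True if `letters` can be split entirely into dictionary words
    (classic word-break dynamic programme)."""
    n = len(letters)
    if n == 0:
        return False
    reachable = [True] + [False] * n
    for i in range(1, n + 1):
        for j in range(i):
            if reachable[j] and letters[j:i] in DICTIONARY:
                reachable[i] = True
                break
    return reachable[n]


def looks_dictionary_based(password: str) -> bool:
    """Detect passwords built from dictionary words plus the predictable
    tricks the page warns about: mixed case, letter/symbol substitutions,
    reversal, and digits or punctuation used as glue between words."""
    lowered = password.lower()
    unleeted = "".join(UNLEET.get(c, c) for c in lowered)
    candidates = set()
    for text in (lowered, unleeted):
        letters = "".join(c for c in text if c in string.ascii_lowercase)
        candidates.add(letters)
        candidates.add(letters[::-1])  # words spelled backwards
    return any(_segments_into_words(c) for c in candidates)


def mnemonic_password(phrase: str) -> str:
    """Build the page's first-letter mnemonic: keep the first letter of each
    word (original case) and write number-like words as digits, so
    "I need to drink coffee in the morning" becomes "In2dcitm"."""
    out = []
    for word in phrase.split():
        key = word.strip(string.punctuation).lower()
        out.append(NUMBER_WORDS.get(key, word[0]))
    return "".join(out)


def assess(password: str) -> list:
    """Return a list of problems found; an empty list means both checks pass."""
    problems = []
    if not meets_sns_policy(password):
        problems.append("does not meet the SNS length/category rule")
    if looks_dictionary_based(password):
        problems.append("built from dictionary words with predictable substitutions")
    return problems


if __name__ == "__main__":
    for pw in ("cat2dog*", "P@ssw0rd!", "short1A",
               mnemonic_password("I need to drink coffee in the morning")):
        print(pw, "->", assess(pw) or "ok")
```

The policy check alone accepts cat2dog* and P@ssw0rd!; only the dictionary check, which undoes the same transformations a cracking tool applies, separates them from the mnemonic password.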

  • Don't share passwords with others.

Your password authenticates your identity as the authorized user. You may be held responsible for misuse of the account if the password is shared.

  • Use different passwords for different accounts.

Using a single password is the equivalent of using a single key for your car, house, mail box, and safety deposit box -- if you lose the key, you give away access to everything. If your password is compromised on one system, using different passwords on different systems will help prevent intruders from gaining access to your accounts and data on other systems. For example, if you have an account at another institution, you should use a different password for that account than you use for your SNS account. That way, if the password on one account is accidentally revealed, the other account is still protected.

The passwords need to maintain the rules for "goodness" as well as not be trivially derivable if one password is known. While using multiple passwords increases the difficulty of managing passwords, it results in significant increases in security.

  • Store passwords securely.

If at all possible, passwords should be remembered and not written down. However, some users may find it necessary to record their passwords. If so, the password should be stored in a safe place, such as a slip of paper tucked in the wallet (in this case, be sure only the password is recorded, and not additional information regarding the account), a floppy disk kept in a locked personal cabinet, or a strongly encrypted file with a good encryption key. In any case, great care must be taken to safeguard the password when it is used and to be sure to return it to safe storage immediately after use.

  • Don't leave passwords where others can find them.

Don't leave your password on a post-it on your desk (this really happens) or written down in any other places where someone could find it. If you absolutely must write down your passwords, keep them in a secure, locked place.

Also, don't leave your passwords where others can find them electronically. Never send them in email, leave them online in a file (even in a protected directory), embed them in a script, etc.