Penn Computing

Tuesday, April 21, 2015


Managing Passwords and Passphrases

The first step in accessing and utilizing computing resources involves authentication, or more simply put, proving you are who you say you are. Virtually all providers of computing resources (Penn included) are continually evaluating new methods and technologies such as fingerprint scanners and "smart card" tokens in order to maximize the security of the authentication process, but for the foreseeable future nearly all of us will have to continue wrestling with the age-old question: What's my user name and password?

The problem, of course, is that we're all acquiring access to more and more resources and accounts, and it's simply not possible to have the same user name for all of them. Even if your user name for your Penn e-mail account is "jsmith", it's pretty unlikely that you'll be the first to ask for that user name when you sign up for an account at or any of the other major online retailers, banks, service providers, etc. Complicating things further is that the password requirements for all these resources vary widely. Some will require passwords to be at least 8 characters long, while others may not permit more than 7 characters. Some will insist that passwords contain a mixture of UPPERCASE and lowercase letters, digits (0-9) and "special characters" (#, !, $, &, etc.), and will not complete the account creation process until these "strong password" criteria are met. Others may permit ONLY letters and digits, and will reject those with "special characters". In addition, many systems will not allow passwords that are based on or include common words (including proper nouns, slang, "buzzwords" and catch phrases from pop culture) from English or any other language. This is done to make it more difficult for hackers who utilize electronic "cracking dictionaries" and "rainbow tables" to steal and crack passwords.

As a result, the number of user names and passwords we have to select, keep track of - and protect - seems to grow exponentially. The best method of selecting a "strong" password continues to be this: think of a phrase that has special meaning only to you, or conversely one that no one would suspect has any meaning to you, e.g. "Chester Arthur was the twenty-first President of the United States!" Take the first letter of each word (maintaining case) to "assemble" your password: CAwttfPotUS. This is a pretty strong password, and not hard to remember if you keep the source phrase in mind. You can make it even stronger by including the punctuation and "tweaking" it a little: CAwt21stPOTUS!

The past few years have seen a rise in the acceptance and use of passphrases, which are actually passwords that are much longer and can include spaces and punctuation, such as the original phrase in the example above. Although it's composed entirely of standard English words, by virtue of its length (more than 50 characters, including spaces), it is exponentially more difficult to crack than either of the "strong" passwords derived from it. Yes, it takes longer to type in, but passphrases of 16 characters or more are much more secure than even "strong" passwords of up to 14 characters. Users of Windows XP and Vista can already make use of passphrases for their accounts.
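The derivation and the strength comparison from the two paragraphs above, worked through in code. This is an added example and not part of the Penn article; the entropy figures are estimates under stated assumptions (the attacker knows which character classes are present, and a 20,000-word dictionary for the word-guessing case), not measurements.

```python
import math
import re
import string

# Constructed sample input: the article's own example phrase.
SOURCE_PHRASE = "Chester Arthur was the twenty-first President of the United States!"

# Characters a brute-force attacker must try once a class is known to be present
# (special = the 32 ASCII punctuation marks plus the space).
_CLASS_SIZE = {"upper": 26, "lower": 26, "digit": 10, "special": 33}


def _words(phrase: str) -> list:
    """Split on whitespace and hyphens, so 'twenty-first' yields two words."""
    return [w for w in re.split(r"[\s-]+", phrase) if w]


def first_letter_password(phrase: str) -> str:
    """The article's method: first letter of each word, case preserved."""
    return "".join(w[0] for w in _words(phrase) if w[0].isalpha())


def char_classes(secret: str) -> dict:
    """Which 'strong password' character classes the secret contains."""
    return {
        "upper": any(c.isupper() for c in secret),
        "lower": any(c.islower() for c in secret),
        "digit": any(c.isdigit() for c in secret),
        "special": any(c in string.punctuation or c == " " for c in secret),
    }


def brute_force_bits(secret: str) -> float:
    """Entropy estimate against a character-by-character brute-force guess."""
    present = char_classes(secret)
    alphabet = sum(n for cls, n in _CLASS_SIZE.items() if present[cls])
    return len(secret) * math.log2(alphabet)


def dictionary_bits(phrase: str, dictionary_size: int = 20_000) -> float:
    """Entropy estimate when the attacker guesses whole words, which is the
    harder case for a passphrase built from ordinary English words (assumed
    dictionary size: 20,000 words)."""
    return len(_words(phrase)) * math.log2(dictionary_size)


if __name__ == "__main__":
    derived = first_letter_password(SOURCE_PHRASE)          # CAwttfPotUS
    for secret in (derived, "CAwt21stPOTUS!"):
        print(f"{secret!r}: {brute_force_bits(secret):.1f} bits (brute force)")
    print(f"passphrase ({len(SOURCE_PHRASE)} chars): "
          f"{brute_force_bits(SOURCE_PHRASE):.1f} bits (brute force), "
          f"{dictionary_bits(SOURCE_PHRASE):.1f} bits (word guessing)")
```

Even under the pessimistic word-guessing model the passphrase (about 157 bits) is far stronger than the tweaked 14-character password (about 92 bits), which is the article's point; the character-level figure for the passphrase (over 400 bits) overstates it.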

Of course, no matter how secure your password or passphrase is, there's no security if you give it away. Even in this age of heightened awareness about computing safety, security experts still encounter cases of people who write their user name and password on a sticky note affixed to the side of the monitor or under the keyboard. This is roughly as secure as thinking a burglar would never look under the doormat for the spare key to your house. While it is still a fact that the safest place to store a user name and password combination is in your head, it's also true that most of us just have too many of these to keep track of these days - "Let's see, is my user name for that account 'jsmith' or 'jqsmith'? And which password did I use?" To help with this, a number of "password vault" applications have appeared on the market in the last few years (and Macintosh OS X comes with one called Keychain). These are actually small databases into which you can enter and track all your account information and passwords, which are then protected by a master password. When you need a particular user name and password, simply open the application with the master password and retrieve the info. Of course, if the master password is lost, forgotten or given away, you've got a problem. Also, be sure that the "vault" application you use employs encryption to protect the information.

If at any time you feel that one of your passwords has been or may have been compromised, you should change it immediately using the method provided by the system or resource. If you have forgotten a password, most systems (especially in the case of online retailers, banks, etc.) have a way for you to obtain a temporary password to gain access and run you through the process of selecting a new password. In some cases you may need to contact the system administrators directly to reset your password (but they will not be able to tell you what the forgotten password is).

One final note about using and protecting your passwords: Most modern web browsers have an "autocomplete" option when filling in online forms that "remembers" values you have previously entered, including on web-based login forms. It's very easy to mis-hit a key or get confused and find yourself entering a partial or whole password into the box for the user name. If "autocomplete" is enabled, other users who use that same login page may have your password revealed, or enough of it that they might be able to guess the rest. Or, especially in the case of public or lab computers, a "shoulder surfer" may get a good look at it. For this and other good reasons, most security experts suggest that you use browsers with "autocomplete" turned off.

Last updated: Friday, September 12, 2008


Information Systems and Computing
University of Pennsylvania