Office Hours
     M-F 8am-Noon, 1pm-5pm
     Call and leave voice mail
     or email
    
ISO Main #'s
    Phone: 972-883-6810
    Fax: 972-883-6865
Physical Location
    Research and Operations
    Center (ROC)
    2.604
Mail Station: ROC43


Security Tips: Password Protection

Users often consider passwords inconvenient and unnecessary. Required password changes are frequently met with groans and complaints. Users will even put their passwords on sticky notes or the like and tape them to their monitor, or write them down on a notepad and put them in the top drawer of their desk. The reason they do this is often because they don't consider anything they do on a computer important enough for anyone to want to steal it, they don't know of a secure way to share information with a colleague or employee or they just think the whole idea of security is overblown because they've never experienced a security breach. Frequently, the security of an individual's workstation doesn't seem nearly as important to them as the security of network equipment, and of course, that is "someone else's" responsibility.

Yet many users handle sensitive information every day: personnel records; salary information; performance records; proprietary university information; important research in their professional field; grant and donor information and so forth. This information not only resides on their own hard drive as well as the network servers but is also readily available to anyone who wants to take the time to steal their password by reading the sticky note or glancing in their top desk drawer. In the case of Windows 95 or 98 and MAC, all someone has to do is boot the machine at night or while its owner is out of the office, and they can view any files that reside on the hard drive!

Passwords are often thought of as hard to remember, so even if a user thinks it's important to use them, they give more thought to how to make a password easy to remember than to creating one that is difficult to crack. Yet creating a password that is difficult to crack is much easier than one might imagine. To understand why it's easy to create a good password, you have to understand what makes a password easy to crack.

There are several factors that contribute to the difficulty of cracking a password. The first and most important factor in password security is KEEP IT A SECRET! DO NOT EVER!! share your password with ANYONE!! Do not share it with your students. Do not give it to your administrative assistants. Don't give it to your friends, and do not leave it lying around on sticky notes or in desk drawers where others might find it! This one principle alone will improve security dramatically!

The second most important factor in password security is the length of the password. The longer a password is, the more difficult it becomes to crack. It is evident from the table below that password length exponentially increases the difficulty of cracking a password. This is why we prohibit passwords less than six characters in length.

Another important factor in password security is the character set used to create the password. A password made up entirely of letters and numbers only requires a 36 character set to crack it with brute force. (Brute force means trying every single possible password until you find the right one.) You should never use a password that is only alphanumeric. It is more than ten times as difficult to crack a password that uses symbols also than it is to crack an alphanumeric password.

Finally, the age of the password is important. It is not possible to create a password that cannot be cracked! Given enough time and enough computing power, every password will be cracked sooner or later. This is why we require you to change your password every 120 days and do not allow you to reuse recent passwords.

To get an idea of how important password characteristics are, consider the table below. The first column lists the number of characters used in a password. The second column lists the number of characters available for use in the password: all alpha = 26 (or 52 if the particular system allows case sensitivity), alpha + numeric = 36 (or 62 with case sensitivity), entire keyboard = 69 (95 with case sensitivity). The third column shows the number of possible passwords that can be created with a particular combination of number of characters and available character set.

Chars used   Char set   Number of Passwords
----------   --------   -------------------------
    1           26                             26
    1           52                             52
    2           26                            676
    2           52                          2,704
    2           36                          1,296
    2           62                          3,844
    6           26                    308,915,776
    6           36                  2,176,782,336
    8           26                208,827,064,576
    8           36              2,821,109,907,456
    8           69            513,798,374,428,641
    8           95          6,634,204,312,890,625

As you can readily see, the number of possible passwords is the size of the character set raised to the power of the number of characters used. So, for example, using a two character password with a 26 character set (only the lower case alphabet) yields 26^2 possible passwords, whereas increasing the character set to 36 (the alphabet plus the numbers) only yields an additional 620 possible passwords (not quite 26^2 x 2). However, as the number of characters used increases, the number of characters available for use has an increasingly larger impact on the number of possible passwords. (E.g. 26^6 = 308,915,776 while 36^6 = 2,176,782,336, approximately 26^6 x 7; and 36^8 = 26^8 x 13.5 while 69^8 = 26^8 x 2460.)

While these numbers may seem impressive, a modern computer, using a well written password cracking program, can try every combination of an 8 character, alphanumeric password in less than 6 hours! If you're using a password that only uses the alphabet, and worse yet uses a word found in any dictionary (English or any other language), your password would be cracked within a few minutes! Adding a single number or a symbol (such as $) to a dictionary word increases the time spent cracking the password by only a few minutes more.
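The arithmetic behind the table and the six-hour figure can be carried further. The following is an added example, not part of the original page: it derives the guess rate implied by the article's figure (an assumption: "less than 6 hours" is read as exactly 6 hours, so the rate is a lower bound) and finds the shortest password length, per character set, whose full search would outlast the 120-day change interval.

```python
from fractions import Fraction

# Character-set sizes taken from the article's table.
CHARSETS = {"alpha": 26, "alpha+case": 52, "alnum": 36,
            "alnum+case": 62, "keyboard": 69, "keyboard+case": 95}

def keyspace(length, charset_size):
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length

# Assumption: an 8-character alphanumeric keyspace is exhausted in exactly
# 6 hours. The article says "less than", so real rates are at least this.
IMPLIED_RATE = Fraction(keyspace(8, 36), 6 * 3600)  # guesses per second

def worst_case_seconds(length, charset_size, rate=IMPLIED_RATE):
    """Time to try every password of this length at the given rate."""
    return Fraction(keyspace(length, charset_size)) / rate

def min_length_to_outlast(charset_size, days=120, rate=IMPLIED_RATE):
    """Shortest length whose exhaustive search takes longer than `days`."""
    budget = rate * days * 86400  # guesses an attacker can make in the window
    length = 1
    while keyspace(length, charset_size) <= budget:
        length += 1
    return length

def human(seconds):
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", 31_536_000), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{float(seconds / size):,.1f} {unit}"
    return f"{float(seconds):.1f} seconds"

if __name__ == "__main__":
    print(f"implied rate: {float(IMPLIED_RATE):,.0f} guesses/second")
    for name, size in CHARSETS.items():
        print(f"{name:14s} 8 chars: {human(worst_case_seconds(8, size)):>14s}"
              f" | min length to outlast 120 days: {min_length_to_outlast(size)}")
```

At that rate an eight-character password drawn from the full 95-character set survives an exhaustive search for longer than the 120-day interval, while an alphanumeric one needs ten characters to do the same.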

So what constitutes a good password these days? Obviously, the more characters the better, but with modern computing power, alphanumeric passwords are not enough. You must include symbols in your passwords, and you absolutely cannot use dictionary words (in any language.) This means your maiden name, your child's name, your anniversary or your birthday are terrible choices for passwords, even if you type them backwards.

This may make creating a good password seem almost impossible. Yet there are ways to create a good password without having to be Houdini. For example, use a familiar word but be creative with it. mypassword would be cracked in seconds. MyP@$$w0rd would take quite a bit longer (3 weeks or more), yet it's as easy to remember as mypassword.

Another way to create good passwords is to use a combination of keystrokes that is easy to remember. For example, 45":er{P would be difficult and time consuming to crack, but all you have to remember to use it is lower case ' 45 ', upper case ' ": ', lower case ' er ', upper case ' {P '. (If that seems really hard to you, try typing it a few times and see what you think. The repetition of keystrokes is easy to remember: left side lower case from the top down; right side upper case from the bottom up; alternating from left to right and back twice.)

(Note that a combination of keystrokes side by side [such as qwertyui ] is NOT a good choice. Modern cracking programs will try all those possible combinations automatically, as well as the entire dictionary [possibly in several languages] and more.)
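The rules in this article can be checked mechanically when a password is set. The following is an added example, not part of the original page or any UT Dallas system: the word list is a small constructed sample, and the four-key threshold for keyboard runs is an assumption.

```python
# Constructed sample word list; a real check would load full dictionaries in
# several languages, since the article notes cracking programs do the same.
WORDLIST = {"password", "dallas", "comet", "summer"}
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
MIN_LENGTH = 6   # the article prohibits passwords under six characters
RUN_LENGTH = 4   # assumption: flag four or more side-by-side keys

def has_keyboard_run(pw, run=RUN_LENGTH):
    """True if pw contains `run` adjacent keys from one row, either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - run + 1):
                if seq[i:i + run] in low:
                    return True
    return False

def is_dictionary_based(pw):
    """True if a listed word appears in pw, typed forwards or backwards."""
    low = pw.lower()
    return any(word in low or word in low[::-1] for word in WORDLIST)

def check_password(pw):
    """Return the list of article rules the candidate password breaks."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if pw.isalnum():
        problems.append("alphanumeric only")
    if is_dictionary_based(pw):
        problems.append("dictionary word")
    if has_keyboard_run(pw):
        problems.append("keyboard run")
    return problems

if __name__ == "__main__":
    # The article's own examples plus a few constructed ones.
    for candidate in ["mypassword", "MyP@$$w0rd", '45":er{P',
                      "qwertyui", "drowssap$", "summer$"]:
        print(f"{candidate!r:14} -> {check_password(candidate) or 'ok'}")
```

A dictionary word with one symbol appended (summer$) or typed backwards (drowssap$) is still rejected, matching the article's point that such changes add almost nothing.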