User Guide to Passwords

Your initial password

All network user accounts must have a User ID and password. The password is used to authenticate the identity of the person using an account as the authorised user. It also prevents misuse by unauthorised users.

The Information Technology (IT) Department will issue all new users to the network with a temporary password. You will have to change this password when you log on to the system for the first time. This guide is designed to help you understand your responsibilities and the importance of password security.

Don't share your password with others

Giving someone your password allows them to use your identity on the network. Anything done while logged in with your ID is recorded against you, and you will be held responsible for any misuse. It is your responsibility to ensure you do not share your password.

Films and television programmes tend to show hackers using sophisticated electronic equipment to find out what passwords are. In practice, cracking tools of that kind are generally used against password-protected files. Unauthorised users such as hackers will normally find out your user password simply by asking you. The jargon for this is social engineering. A favourite ploy is to use an internal telephone, pose as a member of the IT department, spin a yarn about network problems and ask for your password so they can "test the system". Remember, an IT or system supervisor who is authorised to access your account can do so without needing to know your password, so there is never a legitimate reason for anyone to ask for it. If anyone phones for your password, note who they claim to be and why they say they want it, refuse to give it, and contact your Information Security officer [add contact details] as soon as possible.

Make passwords hard to guess

Passwords based on personal information - such as account name, your first or last name, your initials etc. - are extremely easy to guess and should never be used. Spelling a name backwards, nicknames, pet’s names, your birthday, the name of the place you live or your hobby are all typical forms of password that are easily guessed, so don’t use them. People also use words such as "guest", "password", "secret". Again, don’t use them. They are examples of bad passwords and leave your account open to unauthorised access.

Hackers use password-cracking tools that incorporate extensive word and name dictionaries (in various languages). For that reason you should never choose dictionary words or names. The cracking tools also apply simple tricks to every dictionary entry, such as spelling it backwards, adding a digit to the end, or substituting certain characters (e.g. "password" becomes "pa$$w0rd"), so these variations are no safer than the plain word.

The best passwords are those based on pass phrases and/or non-dictionary words (including "nonsense" words), combined with obscure character substitutions. These can be extremely difficult to either guess or crack. Passwords that use numbers and letters are referred to as alphanumeric and must be used for the network.

An example of a good password, O1u9a6t4, combines the phrase "Once upon a time" (the first letter of each word: O, u, a, t) with the year I started school (which helps me to remember the series of numbers). Note that the letters and numbers are interspersed rather than simply placed one after the other. Always choose something that relates to you so that you can remember it, but do not use this or any other example printed in this guide as your own password: once an example has been published it will be in the crackers' dictionaries. Further examples of good and bad passwords are included at the end of this guide.

Remember that passwords are case sensitive. Check the 'Caps Lock' key before typing a new password. Passwords with upper case (CAPITAL) letters are not the same as ones with lower case letters: for example, O1U9A6T4 and o1u9a6t4 are two different passwords. If you originally typed the former you will not be able to log on with the latter.

Password size

Every extra character multiplies the number of guesses a cracking tool has to make, so using the maximum number of characters the system allows greatly increases the difficulty of guessing or cracking a password. You must use passwords that are at least six characters long.

Change passwords regularly

A regular password change is necessary, since it prevents misuse of your account without your knowledge if your password was somehow accidentally (or deliberately) disclosed.

The network is set up with 'forced' periodic password changes. Under this system you will have to change your password after a given amount of time, and you will not be able to reuse a password you have used previously. Note that you do not have to wait until you are forced to change your password. You can change it if you think it has been compromised, or as often as you like.

The IT Department may also tell you to change your password if there has been a general security alert.

Use different passwords for different systems and applications

If your password is compromised on one system, using different passwords on different systems will help prevent intruders from gaining access to your accounts and data on other systems. For example, network and system managers should use different passwords for their personal account and their privileged account. If the personal account password is accidentally revealed, the privileged account is still protected. Similarly, you should use different passwords for your email account and network logons.

If you do this make sure one password is not simply a derivative of another. While using multiple passwords increases the difficulty of managing passwords, it results in significant increases in security.

Don't leave passwords where others can find them

Don't leave your passwords written down in or on your desk or anywhere on or near the computer equipment. If you absolutely must write down your passwords, keep them in a secure, locked place.

Also, don't leave your passwords where others can find them electronically. Never store them in a text file or send them in email.

Further Information

Further information can be obtained from [Officer, telephone number, email:]

Examples of good and bad passwords

Bad passwords

today: This is just a dictionary word that is easily discovered with hacking software. It is also only five characters long. Passwords should be at least six characters long.

t1d2y: Here the digits 1 and 2 have been substituted for the vowels of the dictionary word “today”. Again, hacking software is designed to look for this type of substitution.

today1: Here there is some attempt to mix letters and numbers. However, adding a number on to the end of a dictionary word poses little problem to hackers.

Good passwords

t1o9d4a8y or t!o(d$a*y: Here the word (today) has been used and digits or special characters have been inserted between each pair of letters. The numbers represent something that is easily memorable to you (in the case above, 1948, the year the NHS was inaugurated). The special characters are the ones that share keys with those digits on a standard keyboard (Shift+1 gives "!", Shift+9 gives "(", and so on). The length of the password, and the fact that no dictionary word appears intact, make it difficult to guess or crack electronically.

1t9o6d4ay or "t(o^d$ay: This is even more secure than the previous example, since the password begins with a digit or special character rather than a letter.
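The checker below is an added example, not part of the original guide, that applies the rules from the "Make passwords hard to guess" section and from these examples in code: minimum length, a mix of letters with digits or special characters, no personal details, and no dictionary word recoverable by the simple tricks the guide says cracking tools try (the word as typed, spelled backwards, with common character substitutions undone, with trailing digits removed, or with digits put in place of vowels). The small word list, the substitution map and the `personal` details passed in are constructed stand-ins for the far larger dictionaries and rule sets real cracking tools use, so passing this check does not mean a real tool cannot crack the password; it only shows why the guide's bad examples fall to the listed tricks and its good ones do not.

```python
"""Rule-based password checker modelling the mangling tricks this guide warns about.

Added example (not part of the original guide). The word list, the substitution
map and the rule set are constructed stand-ins for the far larger dictionaries
and rule files that real cracking tools use.
"""
import re

MIN_LENGTH = 6  # the guide's minimum

# Constructed stand-in for a cracking dictionary; real ones hold millions of entries.
DICTIONARY = {
    "today", "password", "secret", "guest", "welcome",
    "monday", "london", "summer",
}

# Single-character substitutions that cracking rule sets routinely undo.
LEET = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
        "7": "t", "$": "s", "@": "a", "!": "i"}

VOWELS = set("aeiou")


def strip_vowels(word):
    return "".join(c for c in word if c not in VOWELS)


# Consonant skeletons, so that "t1d2y" (digits in place of vowels) maps back to "today".
SKELETONS = {strip_vowels(w): w for w in DICTIONARY}


def candidates(pw):
    """Yield (rule, base_word) pairs: the base words a cracker could have
    turned into this password using the tricks the guide lists."""
    base = pw.lower()
    forms = [
        ("as typed", base),
        ("reversed", base[::-1]),
        ("simple substitution", "".join(LEET.get(c, c) for c in base)),
    ]
    stripped = base.rstrip("0123456789")
    if stripped != base:
        forms.append(("digits appended", stripped))
    letters = re.sub(r"[^a-z]", "", base)
    if letters != base and letters in SKELETONS:
        forms.append(("digits in place of vowels", SKELETONS[letters]))
    seen = set()
    for rule, form in forms:
        if form not in seen:  # report each recovered base word once
            seen.add(form)
            yield rule, form


def check(pw, personal=()):
    """Return the list of reasons a password fails the guide's rules.
    An empty list means none of the modelled checks fired. `personal` is the
    user's own identifying details (name, user ID, birth year) to screen for."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if pw.isalpha():
        reasons.append("letters only; mix in digits or special characters")
    low = pw.lower()
    for token in personal:
        t = token.lower()
        if len(t) >= 3 and (t in low or t in low[::-1]):
            reasons.append(f"contains personal information: {token!r}")
    for rule, form in candidates(pw):
        if form in DICTIONARY:
            reasons.append(f"dictionary word {form!r} recovered by rule: {rule}")
    return reasons


if __name__ == "__main__":
    # The guide's own examples, plus a reversed word and a name-and-year password.
    for pw in ["today", "t1d2y", "today1", "pa$$w0rd", "drowssap",
               "t1o9d4a8y", "t!o(d$a*y", "O1u9a6t4"]:
        print(f"{pw:12} -> {check(pw) or 'passes these checks'}")
    print(check("smith1984", personal=["Smith", "1984"]))
```

Run as a script, the bad examples are each caught by at least one rule ("today" by three), the three interspersed examples trigger none of them, and "smith1984" is only rejected when the user's surname and birth year are supplied as personal details, which is why such details are never acceptable even though they are not dictionary words.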

Page 1 of 3 v1.0