Utah State University Information Technology

Passwords

  • Passwords should be memorable, but not something easily guessed by someone who knows you (birthdates, a child's name, a pet's name, and so on). A password should be a minimum of 8 characters long and should contain both letters and numbers. Some systems require distinct capitalization and allow punctuation characters. For best security, change passwords on a regular basis; the industry best practice cited here is every 90 days.
  • If you need to write down your password, do not leave it near your computer, and NEVER put the username and password on the same document. Keep your password with other information that you guard carefully, like your driver's license and credit cards.
  • Don't allow Windows or your browser to automatically remember your username and/or passwords.

 I propose we provide three sample strategies for selecting a password:

1) Miles' "Shocking Nonsense" strategy, adapted to include the USU-required 3 digits.
The rule you remember: build a passcode from the first character of each word of a phrase
or sentence that is shocking nonsense.  The shock value helps you to remember it:
"I love to ski in fresh cow manure in the spring" becomes Il2SiFCMiTS; then
add the rule of replacing "connector" words (to, in, the) with their character count, so: Il2S2FCM23S

2) A random password generator service - with a recommendation to write the password
down without any notation about what it is and store it in a safe place (like a wallet).

3) A variation on the SANS strategy that goes like this:

a) Pick a name or word that you will remember (5 letters minimum).
b) Pick a string of numbers that you will remember (4 digits minimum), not from
your A-number, SSN, or birthdate (a zip code, phone number, house number,
anniversary, etc. might be memorable choices).
c) Pick your favorite letter (one letter)
d) build your password by putting the number string in the "middle" of the word,
   and then put your favorite letter in the middle of the number string.  You
   decide where "middle" is if the word or number has an odd number of characters.
   Then decide a capitalization rule (e.g. the second letter in each part).
   For example:
   a) favorite word: bicycle (to be more devious, I should have picked "hummer")
   b) favorite number: 33578 (my parents phone number in the '50s)
   c) favorite letter: K
   d) password: bIcy335K78cLe
e) store the parts in a safe place (your wallet) but not the intact password
   (my note says: bicycle 33578 K)
f) for extra password strength, create your own password-building strategy and
   store it separately from the parts. (Here's another variation of the above:
   start with the number, break it into 3 parts, split the word and put the halves between
   the parts of the number, and put the favorite letter on both ends. For instance:
   K33bicy5cle78K)

Strategies 1 & 3 have less "entropy" than #2.  That is, an attacker who knows
the strategy could build a cracking dictionary that conforms to the strategy.
(They can already discard every entry in their dictionary that does not conform
to our existing rules: start with a letter, 8-16 characters long, include at
least 3 digits.)  But the phrase or template that a user picks in 1 or 3 is not
available to a remote attacker with automated tools and unlimited time, while
finding pieces of that information locally won't help someone take advantage
of an unexpected opportunity at an unoccupied desk.
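To make the entropy comparison above concrete, here is an added example (not code from the original USU page) that implements strategy 3 and its step (f) variant, checks the three USU rules quoted above, generates a strategy-2 random password with the standard library, and estimates how many bits an attacker must search in each case. The dictionary size (50,000 words), digit-string lengths (4 to 6), number of "middle" choices and number of plausible capitalization rules (8) are constructed assumptions for the estimate, not figures from the page; the "middle" and three-way digit split rules are the ones that reproduce the page's own examples.

```python
import math
import secrets
import string

# The three rules the page says an attacker can already assume (interpretation
# of the page's wording; adjust to the actual policy): starts with a letter,
# 8-16 characters long, at least 3 digits.
MIN_LEN, MAX_LEN, MIN_DIGITS = 8, 16, 3

# Strategy 2 alphabet: letters and digits only (62 symbols).
ALPHABET = string.ascii_letters + string.digits


def conforms_to_policy(pw):
    """True if pw satisfies the three rules above."""
    return (MIN_LEN <= len(pw) <= MAX_LEN
            and pw[0].isalpha()
            and sum(c.isdigit() for c in pw) >= MIN_DIGITS)


def _split_middle(s):
    """Split s at its 'middle'; for odd lengths the first part gets the extra
    character, which is the choice the page's example makes (bicy|cle, 335|78)."""
    k = (len(s) + 1) // 2
    return s[:k], s[k:]


def _cap_second(part):
    """Capitalization rule from the page: second letter of each word part."""
    return part if len(part) < 2 else part[0] + part[1].upper() + part[2:]


def build_strategy3(word, digits, letter):
    """Step d: digits in the middle of the word, letter in the middle of the digits."""
    if len(word) < 5 or len(digits) < 4 or not digits.isdigit() or len(letter) != 1:
        raise ValueError("word >= 5 letters, digits >= 4 numerals, exactly one letter")
    w1, w2 = _split_middle(word)
    d1, d2 = _split_middle(digits)
    return _cap_second(w1) + d1 + letter + d2 + _cap_second(w2)


def build_strategy3_variant(word, digits, letter):
    """Step f variant: digits cut into three parts with the word halves between
    them and the letter on both ends. The page does not say how to cut the
    digits into three; here the middle part is one digit and the rest is shared
    as evenly as possible (assumption), which reproduces the page's example."""
    w1, w2 = _split_middle(word)
    first = (len(digits) - 1) // 2
    d1, d2, d3 = digits[:first], digits[first:first + 1], digits[first + 1:]
    return letter + d1 + w1 + d2 + w2 + d3 + letter


def random_password(length=12):
    """Strategy 2: uniformly random characters from ALPHABET, resampled until
    the result also conforms to the policy (rejection sampling keeps the
    output uniform over the conforming set)."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if conforms_to_policy(pw):
            return pw


def search_space_bits(*factors):
    """log2 of the product of independent choices an attacker must enumerate."""
    return sum(math.log2(f) for f in factors)


def random_bits(length=12):
    """Upper bound for strategy 2 (rejection sampling removes a little)."""
    return search_space_bits(*([len(ALPHABET)] * length))


def template_bits(word_count=50_000, digit_lengths=(4, 5, 6), cap_rules=8):
    """Strategy 3 search space if the attacker knows the template. Constructed
    assumptions: word_count dictionary words of 5+ letters, digit strings of the
    given lengths, 26 favourite letters, two 'middle' choices each for the word
    and the digits, and cap_rules plausible capitalization rules."""
    digit_strings = sum(10 ** n for n in digit_lengths)
    return search_space_bits(word_count, digit_strings, 26, 2, 2, cap_rules)


if __name__ == "__main__":
    print(build_strategy3("bicycle", "33578", "K"))          # bIcy335K78cLe
    print(build_strategy3_variant("bicycle", "33578", "K"))  # K33bicy5cle78K
    print(random_password(12))
    print(f"template-aware attacker: {template_bits():.1f} bits")
    print(f"random 12-char password: {random_bits(12):.1f} bits")
```

Under these assumptions the template-aware attacker searches roughly 45 bits versus about 71 bits for a random 12-character password, which is the gap the paragraph above describes; the numbers move with the assumed dictionary and rule counts, so treat them as an illustration of the method rather than a measurement.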
