Peggy Steele has recently let us know that we will all have to change our AD password this month (yes, by June 30) in preparation for the move to Exchange 2010 and other aspects of the Unified Communication preparations. The AD password is one of the strongest and most complicated passwords we have to create, and we have to create it anew every year. (I know I dread having to build a new one every time!). Because of that difficulty, I’ve asked Camilla Fulton to write a guest post about what you can do to create stronger passwords AND remember them. This guide will offer a couple of reasonable solutions, as well as give you tips for how to keep your password safe.
Thanks to Camilla for such a great guide!
Creating Secure Passwords
Everyone hates having to remember multiple passwords for different online accounts. Despite the increased security of maintaining different passwords for each account, even CITES now suggests simplifying our CITES password collection (see http://cites.illinois.edu/passwords/managing.html). So how do we create strong passwords for accounts that CITES does not manage and remember them without resetting or answering password recovery questions? Try the following:
- Think of a favorite word (the longer, the better), quote or song lyric. For the sake of example, we’ll use the word “cumbersome” :)
- Remove all vowels. My word now becomes “cmbrsm”. This will be the base of my password. We always want passwords with 6-8 characters minimum; with this base, 6 are already covered.
- Add 2-3 capital letters to represent the online account that will use this password. For example, if this were my Gmail account, I might add a “GM” to the beginning, middle or end of my base (“GMcmbrsm”, “cmbGMsm”, “cmbrsmGM”, or “GcmbrsmM”). If this were my Wells Fargo account, I would add WF to the beginning, middle, or end of my base. If you want it to be a little less obvious, you could use the last two letters instead.
- Separate the capital letters from the base with punctuation. My password construct can now be “GM*cmbrsm”, “cmb.GM.rsm”, “cmbrsm%GM”, etc.
- Lastly, add your favorite number to the beginning, middle, or end of the construct. My favorite number is 32, so my newly created password for my Gmail account could be “GM*cmbrsm32”.
- Whenever you create a new password, keep your steps similar to the steps you’ve taken above. This way, it will be a little easier for you to remember your passwords across various user accounts.
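The six steps above written out as a small Python script, added here as an illustration and not part of Camilla's post. It reproduces the “cumbersome” walk-through (base “cmbrsm”, tag “GM”, separator “*”, number 32) and then checks the result against the composition rules the post lists: length, no dictionary word, capitals, numbers and symbols. The tiny word list standing in for a dictionary and the minimum length of 8 (the upper end of the post's 6-8 range) are choices made for this example.

```python
"""Added example (not from the post): the password-construction steps above as code,
plus a check that the result satisfies the composition rules the post lists."""
import string

VOWELS = set("aeiouAEIOU")

# Toy word list standing in for a dictionary; constructed for this example only.
TOY_DICTIONARY = {"cumbersome", "password", "welcome", "gmail", "library"}


def strip_vowels(word: str) -> str:
    """Step 2: drop every vowel, so "cumbersome" becomes the base "cmbrsm"."""
    return "".join(ch for ch in word if ch not in VOWELS)


def place(construct: str, piece: str, where: str, sep: str = "") -> str:
    """Put piece at the start, middle or end of construct, separated by sep
    (which may be empty). Used for the account tag (steps 3-4) and the number (step 5)."""
    if where == "start":
        return piece + sep + construct
    if where == "end":
        return construct + sep + piece
    if where == "middle":
        half = len(construct) // 2
        return construct[:half] + sep + piece + sep + construct[half:]
    raise ValueError("where must be 'start', 'middle' or 'end'")


def build_password(word, tag, tag_where, sep, number="", number_where="end"):
    """Run the recipe end to end: base from the word, capitalised account tag
    separated by punctuation, then the favorite number."""
    construct = place(strip_vowels(word), tag.upper(), tag_where, sep)
    return place(construct, number, number_where) if number else construct


def check_construct(password: str, min_length: int = 8, dictionary=TOY_DICTIONARY) -> dict:
    """Composition checks matching the post's closing paragraph: length, no dictionary
    word, capitals, digits and symbols. min_length defaults to the upper end of 6-8."""
    lowered = password.lower()
    return {
        "long_enough": len(password) >= min_length,
        "no_dictionary_word": not any(w in lowered for w in dictionary),
        "has_upper": any(ch.isupper() for ch in password),
        "has_digit": any(ch.isdigit() for ch in password),
        "has_symbol": any(ch in string.punctuation for ch in password),
    }


if __name__ == "__main__":
    pw = build_password("cumbersome", "GM", "start", "*", "32", "end")
    print(pw, check_construct(pw))  # GM*cmbrsm32, every check True
```

The checker only confirms composition, which is what the post's closing paragraph promises; it cannot tell how guessable a given base is, so it is a sanity check on the construction rather than a measure of strength.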
You’re all set! It may seem a little “cumbersome” in the beginning, but it pays off in the long run…especially if you maintain more than 5 online user accounts. A construct similar to the one above takes care of password length, lack of dictionary words, and the inclusion of capital letters, numbers and symbols – all of which are crucial to creating secure passwords in any online environment.
11 Tips for Keeping Your Password Safe
- DO NOT USE THE EXAMPLE ABOVE AS YOUR PASSWORD! Please use it only for illustrative purposes and create something new :)
- Refrain from oversharing online. The social media age leaks more personal information about us than before, so knowing how to configure privacy settings is increasingly important. Many password recovery questions for email, banking, and online forums require self-identifying information such as date of birth, birthplace, high school, etc. If we utilize social networking tools with lax privacy settings, most of this information can be obtained through minimal Google searching.
- Choose your password recovery questions wisely. Even without using social media networks, Google can uncover information about us that is tied to our professional life. Online biographies, dossiers, published articles, and addresses can be synthesized to uncover answers to these personalized questions. Remember when Sarah Palin’s Yahoo! email was hacked in September 2008? The hacker simply “answer[ed] a series of security questions that allowed him to reset the password and gain access to [her] e-mail account.”
- Don’t use dictionary words within your password. Though most security measures now lock out accounts after a certain amount of password attempts, brute-force attacks on accounts without this feature can uncover your password in no time flat.
- Don’t keep your password stored in non-encrypted text files. Spyware or malware could be programmed to find such files.
- Install security updates on your computer’s OS, virus and spyware protection programs in a timely manner. Up-to-date security on your operating system and up-to-date databases in your virus and spyware programs keep your computer safest from breaches that may occur.
- Always make sure to log out of your accounts on public workstations.
- Pay attention to your surroundings. Take notice of anyone hovering over your shoulder while you type in passwords…especially if it’s someone you do not know.
- Refrain from logging into accounts on public WiFi (and make sure your personal WiFi is secure!). People within the WiFi range could be using hacker software like Firesheep (http://codebutler.com/firesheep) to track and capture usernames and passwords. Firesheep is a relatively tame program, but more extensive software can bypass secured logins. If you must log in over public WiFi, use the campus VPN (http://www.cites.illinois.edu/vpn/).
- Do not allow computers (public or personal) to save your passwords.
- Do not write down your password (ever).
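The fourth tip mentions that most services now lock an account after a number of failed password attempts. The following Python script, added here as an example and not taken from the post or from any campus system, shows the shape of such a check: it reads constructed authentication log lines (the log format, account names and addresses are invented for the example) and reports the accounts that reach a failure threshold inside a sliding time window, with a successful login clearing the count.

```python
"""Added example (not from the post): a small lockout check of the kind the post
refers to, run over constructed authentication log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines; format, accounts and addresses are invented for this example.
SAMPLE_LOG = """\
2011-06-06T09:00:01 login user=alice result=FAIL src=10.0.0.5
2011-06-06T09:00:03 login user=alice result=FAIL src=10.0.0.5
2011-06-06T09:00:05 login user=alice result=FAIL src=10.0.0.5
2011-06-06T09:00:07 login user=alice result=FAIL src=10.0.0.5
2011-06-06T09:00:09 login user=alice result=FAIL src=10.0.0.5
2011-06-06T09:01:00 login user=bob result=FAIL src=10.0.0.9
2011-06-06T09:01:10 login user=bob result=FAIL src=10.0.0.9
2011-06-06T09:01:20 login user=bob result=OK src=10.0.0.9
2011-06-06T09:00:00 login user=carol result=FAIL src=10.0.0.7
2011-06-06T09:08:00 login user=carol result=FAIL src=10.0.0.7
2011-06-06T09:16:00 login user=carol result=FAIL src=10.0.0.7
2011-06-06T09:24:00 login user=carol result=FAIL src=10.0.0.7
2011-06-06T09:32:00 login user=carol result=FAIL src=10.0.0.7
"""

LINE_RE = re.compile(r"^(\S+) login user=(\S+) result=(OK|FAIL) src=\S+$")


def parse_log(text):
    """Yield (timestamp, user, succeeded) for each well-formed line; others are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3) == "OK"


def accounts_to_lock(log_text, max_failures=5, window=timedelta(minutes=10)):
    """Return {user: lock_time} for accounts whose failed attempts reach max_failures
    within a sliding window. A successful login clears the counter, and events are
    sorted by time so interleaved accounts are handled correctly."""
    recent = defaultdict(list)   # user -> timestamps of failures still inside the window
    locked = {}
    for ts, user, ok in sorted(parse_log(log_text)):
        if user in locked:
            continue              # already locked; later attempts are not counted
        if ok:
            recent[user].clear()
            continue
        fails = [t for t in recent[user] if ts - t <= window] + [ts]
        recent[user] = fails
        if len(fails) >= max_failures:
            locked[user] = ts.isoformat()
    return locked


if __name__ == "__main__":
    print(accounts_to_lock(SAMPLE_LOG))  # {'alice': '2011-06-06T09:00:09'}
```

In the sample, alice is locked after five rapid failures, bob never reaches the threshold before logging in successfully, and carol's five failures are spread eight minutes apart so no ten-minute window ever holds five of them; the threshold and window are parameters because real services choose them differently.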
Other Resources Consulted
- Lang, Michael et al., “Social Networking and Personal Data Security: A Study of Attitudes and Public Awareness in Ireland.” International Conference on Management of e-Commerce and e-Government (16-19 Sept. 2009): 486-490. Accessed June 3, 2011. doi: 10.1109/ICMeCG.2009.105.
- Preibusch, Sören and Joseph Bonneau, “The Password Game: Negative Externalities from Weak Password Practices.” Lecture Notes in Computer Science 6442 (2010): 192-207. Accessed June 3, 2011. doi: 10.1007/978-3-642-17197-0_13.
- Rowan, Tom, “Password protection: the next generation.” Network Security 2 (2009): 4-7. Accessed June 3, 2011. doi:10.1016/S1353-4858(09)70015-7.
- Shahid, Mohammad and Mohammed A. Qadeer, “Novel scheme for securing passwords.” 3rd IEEE International Conference on Digital Ecosystems and Technologies (1-3 June 2009): 223-227. Accessed June 1, 2011. doi: 10.1109/DEST.2009.5276738.
- Sharma, Anand et al., “Password based authentication: Philosophical survey.” IEEE International Conference on Intelligent Computing and Intelligent Systems 3 (29-31 Oct. 2010): 619-622. Accessed June 3, 2011. doi: 10.1109/ICICISYS.2010.5658405.
- Violino, Bob, “As the Economy Sinks, Data Breaches Rise.” CFO, March 2009. Business Source Complete, EBSCOhost. Accessed June 1, 2011.
- Zhang, Lixuan and William C. McDowell, “Am I Really at Risk? Determinants of Online Users’ Intentions to Use Strong Passwords.” Journal of Internet Commerce 8, no. 3 (2009):180-197. Accessed June 1, 2011. doi: 10.1080/15332860903467508.
- Campus Information Technologies and Educational Services. “Tips for Creating and Protecting Your Passwords.” Last modified August 31, 2009. Accessed June 3, 2011. http://cites.illinois.edu/passwords/tips.html.
- Librarian by Day, “How to Create a Secure Password.” Last modified July 7, 2010. Accessed June 2, 2011. http://librarianbyday.net/2010/07/07/how-to-create-a-secure-password/.
- Lifehacker, “How I’d Hack Your Weak Passwords.” Last modified December 16, 2010. Accessed June 3, 2011. http://lifehacker.com/5505400/how-id-hack-your-weak-passwords.
- Irani, D. et al., “Modeling Unintended Personal-Information Leakage from Multiple Online Social Networks.” IEEE Internet Computing 15, no. 3 (May-June 2011): 13-19. doi: 10.1109/MIC.2011.25. http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5696719&isnumber=5755593.
- Department of Justice, “Tennessee Man Indicted for Alleged Hack of Governor Sarah Palin’s E-Mail Account.” DOJ Press Release, October 8, 2008. Accessed June 6, 2011. http://www.justice.gov/opa/pr/2008/October/08-crm-910.html.