Password Security: A Guide for Students, Faculty, and Staff of the University of Michigan
University of Michigan, Information Technology Division
Reference R1192, Revised April 1997
Questions You May Have About Password Security
Why Should I Care about Password Security?
Your uniqname and UMICH password give you access to the University of Michigan's computing services. Every time you connect, you must provide the magic word; you must prove you're who you say you are. Should someone else guess or steal your password, he or she can masquerade as you, which means the intruder would then have access to your files, your e-mail, your funds, your personal information, and more. This intruder will have the power to modify or destroy your files, to send electronic mail threats in your name, or to subscribe to unwanted services for which you'd have to pay. In short, an insecure password can easily wreak havoc in your life.
And you won't be the only person affected by a stolen password. Other users on networks along the Internet could potentially be affected as well. Once an intruder with the necessary knowledge, experience, and tools gains entry to a system, he or she may be able to monitor other machines and systems on the same network and capture information about local users logging on to those machines. And if these users then connect to other networks, the intruder has the potential to penetrate and monitor the remote systems to which the local users connect, thereby increasing the likelihood of a breach in the security of those systems as well.
How Are Passwords Stolen?
Security experts at Carnegie Mellon University estimate that more than a million passwords have already been stolen on the Internet. One has to ask why this happens so frequently. Part of the answer is that hackers have many tools, such as dictionary programs and sniffers, to assist them. A hacker will launch a dictionary attack by passing every word in a dictionary (which can contain foreign languages as well as the entire English language) to a login program in the hope that it will eventually match the correct password. A sniffer can read every keystroke sent out from your machine, including passwords.
But a large portion of the blame falls on the users themselves. They willingly share their passwords. More important, users are too predictable in their choice of passwords. Left to their own devices, users often choose a password that is too short or too easy to guess.
Passwords are about identity. We tend to reveal ourselves in our passwords. We often choose the name or birth date of a loved one; we use our address, telephone number, or Social Security number; we use the name of a favorite artist, actor, or author. Or we are wise enough to avoid any personal references but choose a word that is ridiculously short, a dictionary word, a name or word spelled backward, or an alphabet or keyboard sequence. Just because we think a foreign word is obscure doesn't mean that it isn't in a dictionary somewhere. The point is that all of these types of words are easily guessed, which makes the job of password cracking straightforward.
What Are the Guidelines for Choosing a Password?
U-M system administrators are now using some sophisticated programs that help users avoid choosing an insecure password. The programs check the password selected and can disallow a poor choice. To avoid problems, follow these basic guidelines when choosing your UMICH password:
- Use at least seven characters; the more characters, the better (as long as you can remember them). You can use up to 63 characters, so be creative.
- Make your password easy for you to remember but hard for someone else to guess. Picking letters from a phrase that's meaningful to you may be the source for a good password. In this way, your password is really a "pass phrase." ("Do you know the way to San Jose?" could be D!Y!KtwTSJ?)
- Intersperse punctuation marks or symbols such as #, $, %, etc. Do not use a blank space.
- Always use a mixture of upper- and lowercase characters.
- Never write down your password; someone else might see it.
- Select a unique password. Do not use a password that you are using for some other purpose, such as your PIN at the bank or your password to another system.
What Are Some Strategies for Choosing a Good Password?
- Use lines from a childhood verse:
  - Verse Line: Yankee Doodle went to town
    Password: YDwto#town
- Expressions inspired by the name of a city:
  - City Expression: I love Paris in the springtime
    Password: ILpinST
  - City Expression: Chicago is my kind of town
    Password: CimYKot
- Foods disliked during childhood:
  - Food: rice and raisin pudding
    Password: ricNraiPudng
  - Food: boiled broccoli
    Password: boi%Brocc
- Transformation techniques:
  - Technique: Transliteration
    Illustrative Expression: photographic
    Password: foTOgrafik
  - Technique: Interweaving of characters in successive words
    Illustrative Expression: iron horse
    Password: ihrOrnSe
  - Technique: Interweaving of characters in successive words
    Illustrative Expression: file drawer
    Password: FdirLawer
  - Technique: Substitution of synonyms
    Illustrative Expression: coffee break
    Password: jaVa*rest
  - Technique: Substitution of antonyms
    Illustrative Expression: stoplight
    Password: starTdark
Note: Obviously, you shouldn't use any of the passwords used as examples in this brochure. Treat these examples as guidelines only.
How Can I Avoid a Bad Password?
Avoid passwords that would be easy for anyone to guess.
Don't use:
- Dictionary words (mackerel, dandelion, millionaire).
- Foreign words (octobre, gesundheit, sayonara).
- Simple transformations of words (tiny8, 7eleven, dude!).
- Names, doubled names, first name and last initial (mabell, kittykitty, marissab).
- Uppercase or lowercase words (MAGAZINE, licorice).
- An alphabet sequence (lmnop) or a keyboard sequence (ghjkl;).
- Very short words or just one character (dog, *, hi!, me, love).
- Words that have the vowels removed (sbtrctn, cntrlntllgnc).
- Phone numbers.
- Numbers substituted for letters, like a zero instead of the letter O or a number 1 in place of the letter l.
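The guidelines for choosing a password and the "don't use" list above are the kind of rules that the password-checking programs U-M administrators run enforce. As an added illustration (not U-M's software), the Python checker below applies those rules to a candidate password; the word list, name list and keyboard rows it consults are constructed stand-ins for the real dictionaries such a program would use.

```python
import re

# Constructed stand-in for the dictionary and name list a real checker would consult.
WORDS = {"mackerel", "dandelion", "millionaire", "octobre", "gesundheit", "sayonara",
         "magazine", "licorice", "tiny", "eleven", "dude", "subtraction", "love", "dog"}
NAMES = {"mabell", "kitty", "marissa"}
# Alphabet and keyboard rows used to catch sequences such as lmnop or ghjkl;.
ROWS = ["abcdefghijklmnopqrstuvwxyz", "qwertyuiop", "asdfghjkl;", "zxcvbnm,./", "1234567890"]
# Number-for-letter substitutions (0 for O, 1 for l, ...) undone before the dictionary lookup.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})
VOWELLESS = {re.sub(r"[aeiou]", "", w) for w in WORDS | NAMES if len(w) >= 5}


def _known_word(w):
    """Listed word or name, a doubled name (kittykitty), or first name plus last initial (marissab)."""
    half = len(w) // 2
    return (w in WORDS or w in NAMES
            or (w[:half] == w[half:] and w[:half] in NAMES)
            or (len(w) > 2 and w[:-1] in NAMES))


def check_password(pw):
    """Return the guideline violations found in pw; an empty list means it passes every check."""
    reasons = []
    if len(pw) < 7:
        reasons.append("fewer than 7 characters")
    if " " in pw:
        reasons.append("contains a blank space")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        reasons.append("not a mixture of upper- and lowercase")
    if all(c.isalnum() for c in pw):
        reasons.append("no punctuation mark or symbol")
    if re.fullmatch(r"[\d() .-]*(\d[() .-]*){7,}", pw):
        reasons.append("looks like a phone number")
    low = pw.lower()
    if len(low) >= 4 and any(low in r or low in r[::-1] for r in ROWS):
        reasons.append("alphabet or keyboard sequence")
    # Peel leading/trailing digits and symbols so tiny8, 7eleven and dude! expose the word inside.
    core = low.strip("0123456789!@#$%^&*()_+-=?.,;:")
    for cand in (core, core[::-1], core.translate(LEET)):
        if cand and _known_word(cand):
            reasons.append("dictionary word, name, or a simple transformation of one")
            break
    else:  # no dictionary hit: still reject a listed word with its vowels removed (sbtrctn)
        if core in VOWELLESS:
            reasons.append("a word with its vowels removed")
    return reasons
```

Run `check_password("tiny8")` and it reports the length, case, symbol and dictionary violations at once, while the pass-phrase example D!Y!KtwTSJ? comes back with an empty list.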
How Often Should I Change My Password?
It is time to change your password if:
- Your password doesn't meet the criteria set out in the rules and strategies listed above.
- You have had the same password for more than 6 months.
- You have told your password to anyone else.
- You have written your password down anywhere.
- You have visited another city or campus and logged on to a system there.
- You are officially notified that your password does not meet current standards.
How Do I Change My Password?
Changing Your UMICH Password on the Web
This is the preferred method because it allows you to create a hint in the event you forget your password.
1. Connect to https://accounts.www.umich.edu/kpasswd/
2. Log in with your uniqname and current UMICH password.
3. Type your current and new passwords as prompted, then click Submit.
4. In the next window, you may enter a hint for remembering your password.
   WARNING! Do not enter your password as the hint.
   If you do not wish to enter a hint, click skip to the services page and proceed to step 8.
5. If you enter a hint, you must also select a challenge question and enter the answer.
6. Click Save and Continue.
7. You will receive a confirmation that your hint has been stored. Click the Service Menu link to continue.
8. Click logout if you are finished using web-authenticated applications.
Changing Your UMICH Password with a Terminal Program
1. Using a secure terminal program, connect to the ITCS Login Service using the host name login.itd.umich.edu.
   MAC OS X TERMINAL USERS: Enter ssh login.itd.umich.edu.
2. Log in with your uniqname and current UMICH password.
3. At the login prompt, enter your uniqname and press Return or Enter.
4. At the Password prompt, enter your UMICH password and press Return or Enter.
5. At the % prompt, enter passwd and press Return or Enter.
6. At the Password for <youruniqname>@UMICH.EDU prompt, enter your current UMICH password and press Return or Enter.
7. At the Enter new password prompt, enter the new password you wish to use and press Return or Enter.
8. At the Enter it again prompt, enter your new password again and press Return or Enter.
9. You will see a Password changed notification and be returned to the % prompt.
10. At the % prompt, you may perform additional tasks or enter logout to finish.
WARNING! Be sure to log out of your terminal connection program when you are finished.
Forgot Your UMICH Password?
- If you used the web method to change your password, created a hint, and the login window provides a Retrieve your hint link, click on that link. You will be asked to answer the challenge question you selected. If your answer is correct, you will be provided your hint.
- If you are unable to answer your challenge question or did not create a hint:
  - call (734) 764-HELP [764-4357] and select the option to reset your UMICH Kerberos password; you'll be connected to a person who will verify your identity.
  - take a photo ID such as your Mcard or driver's license to the ITCS Accounts Office.
For More Information
The ITD consultants provide computer assistance at 764-HELP; at the School of Education and Angell Hall Courtyard computing sites; and via e-mail (online.consulting@umich.edu).
For more information on ITD services, see the ITweb home page (www.itd.umich.edu/). To learn how to access the web, see QuickNote: Connecting to the World Wide Web, Step-by-step S4138.
For more information, please contact the IT User Advocate at abuse@umich.edu
Copyright © 2007 University of Michigan Regents.