UC San Diego SearchMenu

Passwords

This article is composed of the following sections:

Guidelines for passwords

A secure password that will be accepted by the ACMS change tool must meet ALL of the following five criteria:

  1. Passwords must be 7 to 8 characters long
    (change tools other than gpasswd may allow more characters but the complexity criteria below should be fulfilled in the first 8)
  2. contain characters from at least three of the following four groups:
    • lower case letters
    • upper case letters
    • numbers
    • non-alphanumeric characters (punctuation)
  3. NOT be a dictionary word or proper name
  4. NOT contain : (colon)
  5. NOT contain any part of your real name or account name

Additionally, when registering for a new account, passwords cannot contain any of the following six characters:

$ ' ! : " or SPACE

How to make a strong, memorable password

A handy way to make a difficult-to-guess password is to crush together a short phrase or common words, to make an uncommon or nonexistent word that you can easily remember. Then, replace letters with punctuation and numbers that look like the letters, and capitalize a couple letters. For example:

  • bad doggie becomes B&d=D0g3
  • great days becomes gr@tD@ys
  • dark light becomes d@RRKLy+
  • beer keg becomes bEur=kEg
  • don't have a cow, man becomes dNtHv@cw

Make up your own password; undoubtedly someone will be trying all of these just to see whose accounts they can commandeer.

Why are strong passwords important?

Improve Your Password Security to Avoid Break-ins!

Written by Brian Kantor, July-August 1998; revised 1998 and 2007 by ACMS Staff.

Your computer, your online banking account, your email account, your MySpace account: What do they have in common? Every one is dollar signs in the eyes of a hacker, and every one is just as accessible to millions of hackers around the world, from basement-dwelling troglodytes in Michigan, to organized criminals in the Russian Mafia, to spam generators in China.

Sound scary? It is. Your password can be their gateway to riches -- or it can be an impenetrable bulwark, thwarting their criminal deeds.

Many Passwords Are Easily Defeated

Many passwords are too easily guessed. Among the worst choices are your name and your user ID. Your major, job title or department name are public information to anyone trying to crack your account. Seemingly personal details, such as your hobbies, pet names or pastimes may be found by a hacker willing to scour your LiveJournal. Even "secret" data, like your social security number or license number, can often be purchased from shady websites dealing in stolen personal information.

A simple English word is too easy to test. It is not much work for villains to write a simple program that tries every word in the dictionary against every login password. Even stronger Passwords shorter than 7 characters are easy to guess, just by trying every possible combination of letters and numbers. This is why ACMS and many other places insist that you use longer passwords.

A completely random sequence of numbers and/or letters sounds like a good choice -- but few people can remember such a password without writing it down. A password that is written down is prone to interception; putting a password on a sticky-note and pasting it on your monitor is egregious insecurity.

Don't let your password be stolen

Thousands of passwords are stolen by so-called Phishing: A hacker emails a link that appears to log in to Ebay, PayPal, your bank, or any other website. Instead, it sends your password to the hacker. The safest policy is to completely abstain from clicking on email links. If you don't like an abstinence-only policy, use an email client that vettes links and blocks most scams. Thunderbird, from the makers of Firefox, is popular and free.

Hackers distribute 'malware' -- bad programs that take control of your computer. Once inside, they can steal passwords, important documents, send spam, or launch an attacks against more valuable institutions - leaving your computer the apparent culprit. Only install software from reputable sources, and never allow websites to install toolbars or any other software unless you trust the site implicitly. Otherwise, you might discover that you are not the only one using your computer.

To keep your computer safe and your passwords secure, you should scan daily for spyware and viruses. UCSD offers Sophos Antivirus free of charge to students, staff, and faculty. UCSD's Minimum Network Standards are a practical source of advice for maintaining a secure computer. Many people also recommend running both Windows Defender and Ad-Aware to remove malware from your computer.

If you have detected any malware on your computer, you should change your passwords as soon as possible.

What makes a good password?

On a computer or website where the case of the password is significant, make sure to include a mix of upper- and lower-case characters. Be sure to include numbers and punctuation as well. If your password has these, then a hacker can only hope to break in if they try every possible combination of uppercase, lowercase, punctuation, and numbers -- 53,861,514,400,000,000,000 possible 10-character passwords. Even with all the computing power currently in the world, this cannot be broken in a lifetime.

Passwords decrease in security with age, because malware that can steal passwords and send them back to their criminal masterminds is unfortunately widespread. It is therefore a good idea to change your password at least every year. Make it your New Year's resolution!

If you follow the guidelines given above for passwords on an ACMS system, keep your computer patched and behind a firewall, you are far more likely to have years of peaceful computing.