Password Management

Good password management is pivotal in protecting your information. Passwords control access to your computer, e-mail account, and other sensitive information. Good password management also protects the information of others.

If your BSC account password were compromised, an attacker would be able to gain access not only to your computer and information but that of others, such as information stored on a shared (department) network drive or personal information others have sent to you via e-mail.

Passwords should be treated the same way you would treat the keys to your house or car - kept secure.

Change your password to meet the following requirements:

Eight (8) characters minimum and must contain at least (3) of the following (4) character groups:

• English uppercase characters (A through Z)

• English lowercase characters (a through z)

• Numerals (0 through 9) 

• Special Characters (!, #, $, &)

Your password MUST NOT:

• Contain your user account name

• Match any of you previous 4 passwords

Choosing a Good Password

A good password is one that is difficult to guess, by both human and computer, yet easy to remember.

There are many different methods with which an attacker can use to guess passwords. To make a password difficult to guess it must be long (8 or more characters) and seemingly random. Some institutions and corporations resort to using a random password generator which creates a string of 8 to 12 characters in a random sequence. However these passwords are usually difficult to remember and often a person will write it down rather than remember the password. Writing down a password is poor password management, as is discussed later in this page. To keep from having to write a password down, a good password needs to be easy to remember.

To create a good password, pick a long phrase that is easy to remember and take the first letter of each word in that phrase to form your password.

For an example use the first two lines from the Pledge of Allegiance: "I Pledge Allegiance to the flag of the United States of America". To obtain the password just take the first letter of each word. The password is: "!patTfotus0a". The letters appear random and the password is long; this is a good password. Rather than remember the letters, you only need to remember the phrase from which the password was derived. This makes it easier to remember your password so you never should have to write it down.

This scheme could be modified in countless ways, such as using the last letter of each word instead.

Note: Do not use the example password given above. Knowing that you have read this document an attacker may make a guess at your password using the example password.

Store Passwords in a Safe Place

A good password is only as strong as how well it is kept secret.

A common mistake in password management is to write down a password on a sticky-note and paste it to a computer monitor or under the keyboard or desk. An attacker knows this and, if able to get access to your work area, will be able to find your password. To keep your information secure, never write your password down.

Storing your password in a text document, such as with Microsoft Word, is a bad idea as well. It is just as vulnerable to discovery as writing the password down on a sticky-note.

To store your passwords on a computer, the best option is a program which takes special care to encrypt and protect your passwords. One such program is Password Safe, a free utility which will store your passwords using a strong encryption scheme. However encryption may not be the best solution.

The best place to store passwords is in your memory.

Every copy made of your password, such as writing it down, storing it on a computer, or telling it to another individual, is another copy that needs to be kept safe. Keeping your password in memory means no copies exist that need to be protected.

Keep Passwords To Yourself

Giving out your password to any person creates a copy of your password that you will not be able to destroy. Even if you trust the person you give your password to you take a big risk in giving out such information. You may take steps to keep your password secure, but the person you give your password to may not be as security conscious.

No one should ever have to ask you for your password.

Network administrators and other computer support personnel have ways of performing maintenance on your computer without the need of your password. If your computer is locked and needs to be unlocked to have repairs made, you, and not the support technician, should enter your password to unlock the computer.

If you should find yourself in a situation where you must provide your password, change it as soon as possible. This will limit the chances of someone gaining access to your information.

Change Your Passwords Often

Even with a mind towards security it can happen that your password is compromised. To help minimize the risk passwords should be changed often; at least twice a year. Many brute-force password cracking methods can take months to crack your password. By changing your password often your account is better protected. Should someone obtain your password, that information becomes useless the moment your password is changed.

Here is an instructional webpage on how to change your BSC password.

Below are a few tips in regards to passwords and choosing a complex password:

a)      Choose a complex password. A complex password is one that is at least 8 characters long, has upper  and  lower case letters ,  numbers,  symbols (i.e.  !, @, #, $, *, &, ^, %) .

b)      Do not share your password with anyone. Do not send your passwords using email or Instant Messaging (IM).

c)       Change the default username and password for all accounts such as email, bank accounts, computers, etc.

d)      Change your password regularly and often.

e)      Use a passphrase if you like. For example, your password could be: "TheSunRisesInTheEast@6am". The longer the password the harder it is to crack it.

f)       You could pick a password from a sentence that you can remember. For example, "I come to work at 8 everyday of the week". This could be used to make your password like this: "!ctW@8e0tW".

g)      Check the strength of your password. You may check password strength online at http://www.microsoft.com/protect/yourself/password/checker.mspx

h)      Rename the administrator account on your computer to a different username and password. Do not use defaults.

i)        Do not write your password on a sticky note. This can be read by anyone.

j)        Rename the administrator account on your computer to a different username and password. Do not use defaults.

k)        Do not write your password on a sticky note. This can be read by anyone.

Last Modified: May 7, 2008