Subject: CREATING and APPLYING SECURE PASSWORDS
Center For Aging
Duke University School of Medicine
From: Information Security Manager, Center for Aging
irv@geri.duke.edu (Updated 7/2/07)
To: All Center for Aging (CFA) Computer Users
Selection of a hard-to-guess password for your computer accounts is
very important. All computers at the Center for Aging are connected
to the Internet, which means that besides giving us access to tens of
thousands of computers around the world, potentially millions of people
have access to our computers! The primary line of defense against online
computer vandalism and data theft is through the use of secure passwords.
If a sophisticated hacker on the network can guess your password, he/she
can access your account, compromise your data and possibly the data of
other users. This memo will explain how to change your password on the
geri UNIX system and how to create strong passwords that can be used on
any computer system. Because this memo is an integral part of the
department's Security Design Plan (SDP), you may be questioned on its
contents during the course of the security certification process.
To change your password on the geri UNIX system, use your ssh
program to connect to geri.duke.edu. When prompted, enter your user
name and then your password. At the UNIX prompt ('user@computer>'), type
the command "passwd". You will be prompted for the appropriate
information. (You can bookmark these instructions at the Geri web site.)
To change your password on the geri fileserver system, use your ssh
program to connect to cfafiles.duhs.duke.edu. When prompted, enter your
user name and then your password. At the UNIX prompt ('user@computer>'),
type the command "passwd". You will be prompted for the appropriate
information. After you have successfully changed the UNIX password, you
still need to change the Windows password. At the UNIX prompt, type the
command "smbpasswd" and again follow the prompts. (You can bookmark these
instructions at the Geri web site.)
New users must change their password the first time they use their
geri system account.
Please use the following criteria in selecting a password:
- minimum of 8 characters long
- a mix of the following character types, using at least 2 letters
  and 1 number:
    - upper case letters
    - lower case letters
    - digits
    - punctuation marks and other special symbols
    - spaces and tabs
- do not use parts of your name, your computer user name, your
  phone number, words related to Duke or Durham, and especially
  not dictionary words, either English or foreign
- change your password every 180 days, or sooner if you believe it
  may have been compromised; do not reuse a password for 3 years
- NEVER enable a 'Remember Password' function
- NEVER share your password
- NEVER write down a work-related password
- NEVER use the same ID and password for work and non-work
  related accounts
We run a program at the beginning of each month that tries to guess
passwords using the same methodologies that "crackers" on the network use
to gain access to computer accounts. If this program guesses your
password, it will automatically send you an email notification with a
request that you change your password. This is a very sophisticated
program. For example, it can guess your password if you use a dictionary
word with a number at the beginning or the end. It will also look for
strings of repeated letters or numbers or sequential numbers. If your
password cannot be discovered by this program, then you have a strong
password, and you may use the same password for multiple work-related
accounts that contain sensitive information. Do NOT use this same password
outside of work or for such insecure accounts as web site registrations.
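The following Python checker is an added illustration, not the Center's monthly cracking program or any Duke tool. It encodes the selection criteria listed above (minimum length, at least 2 letters and 1 number drawn from mixed character types, no fragments of your name or user name, no Duke/Durham words, no dictionary words) together with the weak patterns this memo says the monthly run detects: a dictionary word with digits at the beginning or end, runs of repeated characters, and sequential digits. The word list and forbidden-word set are constructed stand-ins; a real deployment would load a full system word list.

```python
import re
import string

# Constructed stand-in for a system word list such as /usr/share/dict/words
# (assumption: a real deployment would load the full file).
DICTIONARY = {
    "dog", "rain", "book", "mug", "kid", "goat", "summer", "winter",
    "secret", "welcome", "password", "duke", "durham", "aging",
}

# Words the memo forbids outright (related to Duke or Durham).
FORBIDDEN_WORDS = {"duke", "durham"}


def check_password(password, username="", full_name=""):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    lower = password.lower()

    # Minimum of 8 characters.
    if len(password) < 8:
        problems.append("shorter than 8 characters")

    # At least 2 letters and 1 digit ...
    if sum(c.isalpha() for c in password) < 2:
        problems.append("fewer than 2 letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")

    # ... drawn from a mix of the listed character types.
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
        any(c in " \t" for c in password),
    ]
    if sum(classes) < 2:
        problems.append("uses only one character type")

    # No fragment (3+ characters) of the user name or real name.
    for source, label in ((username, "user name"), (full_name, "name")):
        for piece in re.split(r"\W+", source.lower()):
            if len(piece) >= 3 and piece in lower:
                problems.append(f"contains part of your {label}: {piece!r}")

    for word in FORBIDDEN_WORDS:
        if word in lower:
            problems.append(f"contains forbidden word {word!r}")

    # Patterns the memo says the monthly cracking run catches:
    # a dictionary word, alone or with digits only at the start or end ...
    core = lower.strip(string.digits)
    if core in DICTIONARY:
        problems.append(f"dictionary word {core!r} (digits at the ends do not help)")

    # ... runs of three or more repeated characters ...
    if re.search(r"(.)\1\1", password):
        problems.append("three or more repeated characters in a row")

    # ... and sequential digits such as 123 or 987.
    for i in range(len(password) - 2):
        a, b, c = password[i], password[i + 1], password[i + 2]
        if a.isdigit() and b.isdigit() and c.isdigit():
            if ord(b) - ord(a) == ord(c) - ord(b) and abs(ord(b) - ord(a)) == 1:
                problems.append("three sequential digits")
                break

    return problems


if __name__ == "__main__":
    # Constructed sample candidates; "dog;rain" is one of the memo's own examples.
    for candidate in ("Summer99", "dog;rain", "Tr3e!fr0g"):
        print(candidate, "->", check_password(candidate, "jsmith", "Joe Smith") or "OK")
```

Note that the checker applies the memo's at-least-one-number rule literally, so a two-word password such as "dog;rain" passes only once a digit is added; "Summer99" fails because stripping the trailing digits leaves a dictionary word, which is exactly the case the memo describes.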
Once a password has survived a password cracking session, it will
be deemed a 'strong' password and is REQUIRED to be used on all Aging
Center computers on which the user authenticates. This policy covers only
the Center for Aging; systems in other departments may have other
policies.
A good method for creating strong passwords comes from an NIH article
on selecting good passwords. It suggests that you choose two short words
and join them with a punctuation character between them. For example:
"dog;rain", "book+mug", "kid?goat". (These passwords are examples only,
and should not be used.)
If you ever forget your password, we cannot tell you what it is,
because passwords are stored on the system in a one-way encrypted format.
We can only delete your password, and let you set a new one. For that
to happen, you will be required to provide proof of your identity.
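To make the "one-way encrypted format" concrete, here is an added illustration in Python; it is not the geri system's code (UNIX systems typically keep crypt(3)-style salted hashes in /etc/shadow) and uses the standard library's PBKDF2 as a stand-in for the system hash. The stored record holds only a random salt and a digest, a login attempt is checked by recomputing the digest, and the only thing an administrator can do for a forgotten password is replace the record. The iteration count and the sample password are assumptions chosen for this example.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2 (assumption: chosen for this illustration, not a
# value taken from the geri system).
ITERATIONS = 100_000


def make_record(password, salt=None):
    """Build the stored record: a random salt and a one-way PBKDF2-HMAC-SHA256
    digest of the password. The password itself is never written anywhere."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify(password, record):
    """Check a login attempt by recomputing the digest with the stored salt and
    comparing in constant time. Nothing here can turn the record back into the
    password, which is why support staff cannot tell you what it was."""
    salt_hex, digest_hex = record.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def reset_record(new_password):
    """What an administrator can do for a forgotten password: discard the old
    record and store a new one. The old password is not recoverable."""
    return make_record(new_password)


if __name__ == "__main__":
    rec = make_record("Tr3e!fr0g")  # constructed sample password
    print("stored record:", rec)
    print("correct password verifies:", verify("Tr3e!fr0g", rec))
    print("wrong password verifies:", verify("tr3e!fr0g", rec))
```

Because a fresh salt is drawn for every record, two users who pick the same password get different stored records, and the same password re-entered after a reset yields a new record as well.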
If you have questions, please contact Irv Eisen, 660-7527, 1501 Busse
Bldg., Blue Zone Duke South Clinics, or email irv'at'geri.duke.edu.