Password? What password?

Does my machine need a password?

Password protection on individual machines has become a vital part of the defence against hackers and intruders. One of the most common contributing causes of hacked machines is a non-existent or weak password.

All computers, whether shared or personal, that are attached to the CUDN must be protected by strong passwords, as well as being up to date with all software updates and anti-virus software. Strong passwords are essential both on administrative accounts (which in the case of a Windows box may well arrive on your desk with a blank password) and on any user accounts that you set up.

If you don't know how to set passwords, and you are using Windows, then Windows Support have produced a security DVD which is available from your local support staff or you can download a copy of the image. A DVD burner can then make a DVD from it. The DVD provides an easy way to set passwords, as well as containing the latest critical patches, service packs and security software available for distribution across the University.

Passwords are necessary in order to protect your computer and the information on it from

  • attack by remote hackers (i.e. by people who you do not know and who do not have physical access to the computer)
  • local (physical) access and targeted remote intrusion (possibly by people with an interest in the data on your particular system or in access to your computing accounts on other systems)

The need for security is the same whether the computer is for single personal use, for group use or providing a public service. Even if the computer is locked in a room with well-controlled access, as soon as it is attached to a network it is in danger of being hacked and used to attack other machines in Cambridge and elsewhere.

The effectiveness of a password varies with the type of attack, and it is important that, as far as possible, a password should protect against all of them. For example, writing a complicated password on a piece of paper and attaching it to your screen is very likely to be secure against remote hacker attacks but not against local attack. Those attempting targeted attacks may be less ingenious than remote hackers using, for instance, dictionary searches, but may be able to use knowledge of you or of your role to guess likely passwords. It is essential that the password protection on a computer should be adequate and practical for all users.

How would someone gain access to my computer?

If the hacker is not known to you, then he is most likely to try guessing passwords. His first attempt will be to try a blank password on standard user names such as 'root' (Unix), 'guest' or 'administrator' (Windows). If this fails, the next easy guess is to see if the password is the same as the account name (it is easy for a hacker to find account names on Windows systems). On a Unix-based machine, a typical attack is to guess that user names are simple first names and that the password is the same as the username. If the hacker is determined to get access to your machine then he might try a 'dictionary attack' on the standard user names. If you have strong passwords, your computer should be resistant to this type of attack.

Specifically targeted attacks are very much rarer, but to protect yourself against these you should choose a password that cannot be guessed from knowledge of you, your role or your organisation, keep it safe, and never let anyone know what it is.
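The two paragraphs above describe the order in which weak passwords fall: blank, the same as the account name, a dictionary word, then something guessable from knowledge of the person. The following is an added example, not code from the page or from the University's support services, showing how an administrator might turn that list into a policy check applied when an account is created or a password is changed. The word list, the minimum length and the sample accounts are constructed for the illustration; a real deployment would load a full dictionary.

```python
"""Password-policy check for new or changed account passwords.

Added example, not part of the original page. Rejects the classes of
password the page says an intruder tries first: blank, identical to the
account name, a common dictionary word, or built from facts about the
user (name, role, organisation). All constants and sample data below are
constructed for the example.
"""
from __future__ import annotations

MIN_LENGTH = 12  # assumed local policy value

# Constructed stand-in for a real dictionary; load a full word list in practice.
COMMON_WORDS = {"password", "letmein", "welcome", "cambridge", "qwerty", "admin", "guest"}


def _core(password: str) -> str:
    """Lower-case the password, drop leading/trailing digits and punctuation,
    and undo the usual letter-for-symbol substitutions, so that 'P@ssw0rd123'
    is compared as 'password'."""
    trimmed = password.lower().strip("0123456789!@#$%^&*._-")
    table = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e", "$": "s", "5": "s"})
    return trimmed.translate(table)


def check_password(username: str, password: str, personal: tuple[str, ...] = ()) -> list[str]:
    """Return the list of policy violations; an empty list means the password is acceptable.

    `personal` holds tokens an intruder could learn about the user (first name,
    surname, department, role) and must not appear in the password.
    """
    problems: list[str] = []
    if not password:
        problems.append("blank")          # first thing a remote attacker tries
        return problems
    core = _core(password)
    user = username.lower()
    if core == user or core == user[::-1]:
        problems.append("same as account name")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if core in COMMON_WORDS:
        problems.append("dictionary word")  # falls to a dictionary attack
    for token in personal:
        t = token.lower()
        if len(t) >= 4 and t in core:
            problems.append(f"contains personal detail '{token}'")  # targeted-attack guess
    return problems


def audit(accounts: list[tuple[str, str, tuple[str, ...]]]) -> dict[str, list[str]]:
    """Run check_password over (username, password, personal) triples and report
    only the accounts that fail the policy."""
    report: dict[str, list[str]] = {}
    for username, password, personal in accounts:
        problems = check_password(username, password, personal)
        if problems:
            report[username] = problems
    return report


if __name__ == "__main__":
    # Constructed sample accounts, covering each class of weak password on the page.
    sample = [
        ("administrator", "", ()),
        ("guest", "guest", ()),
        ("jsmith", "P@ssw0rd123", ("John", "Smith", "Physics")),
        ("jsmith2", "Physics2024!", ("John", "Smith", "Physics")),
        ("ajones", "correct-horse-battery-staple", ("Alice", "Jones", "Chemistry")),
    ]
    for user, why in audit(sample).items():
        print(f"{user}: {', '.join(why)}")
```

The normalisation step matters more than the word list: a check that compares the raw string would pass 'P@ssw0rd123' even though it is the first substitution any guessing tool applies. Keep the dictionary and the personal-token list on the server side, so that the check runs against the stored policy rather than trusting whatever the client submits.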

Why does anyone want to hack into my computer?

A remote hacker may be interested in one or more of:

  • access to a high speed network with plenty of bandwidth and perhaps the storage capacity of your computer; often an FTP server is installed followed by 'warez' (music, films, pirated software) for 'friends' to share. Note that if illegal pornography is shared from your computer then you may be liable for criminal as well as civil action.
  • control of a system that can be used later, perhaps for denial of service attacks, as a relay to send spam, or as a base for attacking other systems in the same domain.

Typically, the first thing that you will notice if your computer has been successfully hacked is that you are told that it has had high traffic levels or that it must be or has been disconnected from the network until it has been investigated.

If someone local gains access to your accounts, it is usually a more individual matter; the intruder may be seeking any of the above but may also want access to your email or data, or to your passwords on other systems of interest - or merely to embarrass you or your organisation.

What is a strong password?

Some suggestions about what classes as a strong or weak password can be found in IS 6: Changing/Choosing Your Passwords. An additional page gives some examples.