 

Passwords

Does my machine need a password?

Password protection on individual machines has become a vital part of defence against hackers and intruders. One of the commonest contributory causes of hacked machines is non-existent or weak passwords.

All computers, whether shared or personal, that are attached to the CUDN must be protected by strong passwords, as well as being up to date with all software updates and anti-virus software. Strong passwords are essential both on administrative accounts (which in the case of a Windows box may well arrive on your desk with a blank password) and on any user accounts that you set up.

If you don't know how to set passwords, and you are using Windows, then Windows Support have produced a security DVD which is available from your local support staff; alternatively you can download a copy of the image and burn it to a DVD yourself. The DVD provides an easy way to set passwords, and also contains the latest critical patches, service packs and security software available for distribution across the University.

Passwords are necessary in order to protect your computer and the information on it from

  • attack by remote hackers (i.e. by people who you do not know and who do not have physical access to the computer)
  • local (physical) access and targeted remote intrusion (possibly by people with an interest in the data on your particular system or in access to your computing accounts on other systems)

The need for security is the same whether the computer is for single personal use, for group use or providing a public service. Even if the computer is locked in a room with well-controlled access, as soon as it is attached to a network it is in danger of being hacked and used to attack other machines in Cambridge and elsewhere.

The effectiveness of a password varies with the type of attack, and as far as possible a password should protect against all of them. For example, writing a complicated password on a piece of paper and sticking it to your screen is very likely to be secure against remote attack but not against local attack. Someone attempting a targeted attack may be less ingenious than a remote hacker running, for instance, a dictionary search, but may be able to use knowledge of you or of your role to guess likely passwords. The password protection on a computer must be adequate and practical for all of its users.

How would someone gain access to my computer?

If the hacker is not known to you, then he is most likely to try guessing passwords. His first attempt will be to try a blank password on standard user names such as 'root' (Unix), 'guest' or 'administrator' (Windows). If this fails, the next easy guess is to see if the password is the same as the account name (it is easy for a hacker to find account names on Windows systems). On a Unix-based machine, a typical attack is to guess that user names are simple first names and that the password is the same as the username. If the hacker is determined to get access to your machine then he might try to use a 'dictionary attack', on the standard user names. If you have strong passwords, your computer should be resistant to this type of attack.
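The guessing sequence described above, blank password first, then the account name itself, then a dictionary, can be simulated against a small table of accounts. The following is an added example, not code from the original page or from the University; the account names, passwords and wordlist are constructed for illustration, and storing passwords as salted PBKDF2 hashes is an assumption about the target system (a real attacker would be sending these guesses over SSH or SMB rather than checking a local table). Only the accounts with a blank, username-equal or dictionary password fall; the one with a strong password survives every stage.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

ITERATIONS = 10_000  # PBKDF2 work factor; assumed, kept low so the demo runs quickly

# Constructed sample account table (not real credentials). Each record is
# (salt, PBKDF2-SHA256 digest), as a sensibly configured system would store it.
def make_record(password: str) -> Tuple[bytes, bytes]:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify(record: Tuple[bytes, bytes], guess: str) -> bool:
    """Constant-time comparison of a guess against a stored record."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", guess.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

ACCOUNTS: Dict[str, Tuple[bytes, bytes]] = {
    "root": make_record(""),                    # blank password on a standard Unix account
    "guest": make_record("guest"),              # password equals the account name
    "administrator": make_record("administrator"),
    "alice": make_record("alice"),              # first-name account, same as username
    "bob": make_record("letmein"),              # a word any cracking dictionary contains
    "carol": make_record("Tz9!qv-Lm4#rp"),      # constructed strong password; should survive
}

# Constructed stand-in for an attacker's dictionary (real lists run to millions of entries).
WORDLIST: List[str] = ["password", "123456", "letmein", "qwerty",
                       "welcome", "changeme", "secret", "admin"]

def guess_account(username: str, record: Tuple[bytes, bytes],
                  wordlist: List[str]) -> Optional[Tuple[str, str]]:
    """Try the three stages in the order the page describes; return (stage, guess) on success."""
    stages = (
        ("blank", [""]),
        ("same-as-username", [username, username.capitalize()]),
        ("dictionary", wordlist),
    )
    for stage, candidates in stages:
        for guess in candidates:
            if verify(record, guess):
                return stage, guess
    return None  # every cheap guess failed; a strong password resists this attack

def run_attack(accounts: Dict[str, Tuple[bytes, bytes]],
               wordlist: List[str]) -> Dict[str, Optional[Tuple[str, str]]]:
    return {user: guess_account(user, record, wordlist) for user, record in accounts.items()}

if __name__ == "__main__":
    for user, outcome in run_attack(ACCOUNTS, WORDLIST).items():
        print(f"{user:14s} {'SURVIVED' if outcome is None else 'cracked at stage ' + outcome[0]!s}")
```

The `WORDLIST` here is eight entries; the point of the exercise is the order of the stages, not the size of the list, and a real dictionary attack differs only in running the third stage for much longer.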

Specifically targeted attacks are very much rarer, but to protect yourself against these you should choose a password that cannot be guessed from knowledge of you, your role or your organisation, keep it safe, and never let anyone know what it is.

Why does anyone want to hack into my computer?

A remote hacker may be interested in one or more of:

  • access to a high speed network with plenty of bandwidth and perhaps the storage capacity of your computer; often an FTP server is installed followed by 'warez' (music, films, pirated software) for 'friends' to share. Note that if illegal pornography is shared from your computer then you may be liable for criminal as well as civil action.
  • control of a system that can be used later, perhaps for denial of service attacks, as a relay to send spam, or as a base for attacking other systems in the same domain.

Typically, the first you will hear that your computer has been successfully hacked is a message telling you that it has been generating high traffic levels, or that it must be, or already has been, disconnected from the network until it has been investigated.

If someone local gains access to your accounts, it is usually a more individual matter; the intruder may be seeking any of the above but may also want access to your email or data, or to your passwords on other systems of interest - or merely to embarrass you or your organisation.

What is a strong password?

The idea is to make it harder for automated password cracking programs to work out the password. Obviously these examples should NOT be used as they are now widely available!

  • Misspelling a term and using odd characters in an otherwise familiar term, e.g. aS!pir0n8 (that's "aspirin" by the way!)
  • Using a combination of two unrelated words and a combination of letters and numbers, e.g. MutT37Yu
  • Taking a phrase like many colors and using only the consonants, substituting the vowels with other characters, e.g. m^nYc0l0Rs
  • Taking the first letter from each word in a phrase (e.g., My dog used to have fleas but he ate them becomes Mdu2Hfbh8T). You could also use the whole sentence as a pass phrase.
  • Using a long uncommon, or made up, phrase, for example The crazy brown fox kicked the dozy hound or My friend's grandmother has 2 hairy legs!
  • Alternating between one consonant and one or two vowels, to create a nonsense word. This provides nonsense words that are usually pronounceable and thus easily remembered, e.g., aDnifaLat. If you add numbers and special characters you can end up with something like m1Faje@l0Ma
  • Using a combination of letters, numbers and special characters in a word, for example c0M8o3#rs represents composers
  • Including, as do several of the examples above, at least two digits or special characters (e.g. #>$).
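The rules above can be turned into a checker that runs the same tests an automated guessing program effectively runs: is the password blank, is it the account name, is it a dictionary word once the obvious character substitutions (0 for o, 3 for e, @ for a, and so on) are undone, and does it contain at least two digits or special characters. This is an added example, not code from the original page or from the University. The minimum length of 8, the passphrase exemption (four or more words and at least 20 characters, so that a long phrase such as the examples above is accepted without digits), the small word list and the substitution table are all assumptions made for the demonstration.

```python
import re
from typing import List

MIN_LENGTH = 8  # assumption: the page gives no minimum length

# Constructed word list standing in for the dictionary a cracking tool would carry.
COMMON_WORDS = {"password", "aspirin", "composers", "colors", "welcome",
                "letmein", "cambridge", "secret"}

# Substitutions cracking tools try, reversed so "passw0rd" is recognised as "password".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "8": "b", "@": "a", "$": "s"})

def normalise(password: str) -> str:
    """Undo common substitutions and keep letters only, for the dictionary test."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET))

def check_password(password: str, username: str = "") -> List[str]:
    """Return the names of the rules the password fails; an empty list means it passed."""
    problems: List[str] = []
    if password == "":
        return ["blank"]  # nothing else worth reporting
    if password.lower() == username.lower():
        problems.append("same-as-username")
    if normalise(password) in COMMON_WORDS:
        problems.append("dictionary-word")
    if len(password) < MIN_LENGTH:
        problems.append("too-short")
    # Assumed passphrase exemption: a long multi-word phrase need not contain digits.
    is_passphrase = len(password.split()) >= 4 and len(password) >= 20
    # Digits and punctuation count; spaces between passphrase words do not.
    non_alpha = sum(1 for c in password if not c.isalpha() and not c.isspace())
    if non_alpha < 2 and not is_passphrase:
        problems.append("too-few-digits-or-symbols")
    return problems

if __name__ == "__main__":
    for user, pw in [("root", ""), ("alice", "alice"), ("bob", "passw0rd"),
                     ("carol", "aS!pir0n8"), ("dave", "aDnifaLat"),
                     ("eve", "The crazy brown fox kicked the dozy hound")]:
        verdict = check_password(pw, user)
        print(f"{pw!r:45s} {'OK' if not verdict else ', '.join(verdict)}")
```

Note that aDnifaLat, the pronounceable nonsense word from the list above, is flagged until digits or special characters are added, exactly as the list suggests, while the long phrase passes on length alone. The checker deliberately rejects passw0rd: a substitution an attacker's rule set already knows adds nothing.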