Recommendations of “best practices” for securing individual user’s accounts
The following are best practices Atlanta’s John Marshall Law School technology users should observe pertaining to the security of user accounts:
- Don’t share passwords with others.
The password authenticates the identity of the authorized user. Furthermore, the authorized user will be held responsible for misuse of the account if the password is shared as indicated in the Network Access / Accounts policy.
- Make passwords hard to guess.
Passwords based on personal information easily obtained from the net — such as account name, actual first or last name, initials of the name, system name, etc. — are extremely easy to guess and should never be used. Hackers are also on to all the usual tricks, such as spelling a name backwards or simple substituion of characters. Certain easily-guessed words are also commonly used as (poor) passwords — such as “guest”, “password”, “secret”, etc. — and should never be used as passwords.
Hackers also have easy access to very powerful password-cracking tools incorporating extensive word and name dictionaries. Passwords should never be dictionary words or names. The cracking tools will also check for simple tricks like words spelled backwards or simple substitution of certain characters (i.e. “mouse” becomes “m0us3″). Pass phrases of several words are often OK, as long as the combination is not too obviously guessable — e.g. don’t use “secret password” as a pass phrase. A long passphrase works well, but you have to be able to remember the password. An example would be to use a movie quote or your favorite quote from a book, ie – I think we’re gonna need a bigger boat – would be the password itwgnabb I would add the year to it also to strengthen the password, the quote is from Jaws made in 1975, so the final password would be itwgnabb1975 or 19itwgnabb75. Have fun with it and you will be able to remember your password, while still making it secure.
More secure passwords are those which are based on pass phrases and/or non-dictionary words (including “nonsense” words), combined with obscure character substitutions. These can be extremely difficult to either guess or crack. If your system supports machine-generated passwords, you might also consider using one.
- Change passwords regularly
A regular password change is a good idea, since it prevents misuse of your account without your knowledge if your password was somehow accidently (or deliberately) disclosed.
- Use different passwords for different accounts
Using a single password is the equivalent of using a single key for your car, house, mail box, and safety deposit box — if you lose the key, you give away access to everything. If your password is compromised on one system, using different passwords on different systems will help prevent intruders from gaining access to your accounts and data on other systems. For example, system managers should use different passwords for their personal account and their privileged account. If the personal account password is accidently revealed, the privileged account is still protected. Simliarly, a user should use different passwords for their email account and interactive logons.The passwords need to maintain the rules for “goodness” as well as not be trivially derivable if one password is known. While using multiple passwords increases the difficulty of managing passwords, it results in significant increases in security.
- Don’t leave passwords where others can find them
Don’t leave your password on a post-it on your desk (this really happens) or written down in any other places where someone could find it. If you absolutely must write down your passwords, keep them in a secure, locked place.
Also, don’t leave your passwords where others can find them electronically. Never send them in email, leave them online in a file (even in a protected directory), or embed them in a script, etc.