Every time you connect, you must provide the magic word; you must prove you are who you say you are. If someone else guesses or steals your password, he or she can access all of the information tied to that password. This could include access to your files, your e-mail, your funds, your personal information, and more, depending on what the password was supposed to protect. For example, having the password to your online bank account may allow someone to bill items to your credit card, transfer money from your account, etc. In short, an insecure password can easily wreak havoc in your life.
You will not be the only person affected by a stolen password. Other users on networks on the Internet could potentially be affected as well. Once an intruder with the necessary knowledge, experience, and tools gains entry to a system, he or she may be able to access and control other machines and systems on the same network and capture information about local users logging on to those machines. If these users then connect to other networks, the intruder has the potential to penetrate and control the remote systems to which the local users connect, thereby increasing the likelihood of a breach in the security of those systems as well.
Unfortunately, it does not necessarily take a skilled intruder to gain control of a machine on which he or she already has an account. Many of the tools required to take over a machine can be downloaded from the Internet and used with little or no understanding of how they work. These so-called "script kiddies" may lack the knowledge to break into a computer on their own, but because hacking tools are plentiful and freely available, they can cause a great deal of trouble.
How Are Passwords Stolen?
Security experts at Carnegie Mellon University estimate that more than a million passwords have already been stolen on the Internet. One has to ask why this happens so frequently. Part of the answer is that hackers have many tools, such as dictionary programs and sniffers, to assist them.
A hacker launches a dictionary attack by feeding every word in a dictionary (which can contain foreign languages as well as the entire English language) to a login program, or, much faster, by hashing each word and comparing it against a stolen copy of the password file, in the hope of eventually matching the correct password. The programs that perform dictionary attacks are usually also capable of trying simple permutations of each word (spelling it backwards, capitalizing it, appending a digit, and so on).
A network sniffer installed on a computer can read every piece of data that passes across its network segment, including any password sent in the clear by services such as telnet, FTP or POP. The ease with which a sniffer finds passwords ensures that it is one of the first programs a hacker runs on a machine he or she has broken into. Sniffers can mostly be defeated by using encrypted login services such as SSH, so that the password never crosses the wire in readable form.
A large responsibility -- and, perhaps, a large portion of the blame -- falls on the users themselves. They willingly share their passwords. More important, users are too predictable in their choice of passwords. Left to their own devices, users often choose a password that is too short or too easy to guess.
Passwords are about identity. We tend to reveal ourselves in our passwords. We often choose the name or birth date of a loved one; we use our address, telephone number, or Social Security number; we use the name of a favorite artist, actor, or author. Or we are wise enough to avoid any personal references but choose a word that is ridiculously short, a dictionary word, a name or word spelled backward, or an alphabet or keyboard sequence. Just because we think a foreign word is obscure doesn't mean that it isn't in a dictionary somewhere. The point is that all of these types of words are easily guessed, which makes the job of password cracking straightforward.
Examples of building a memorable password from a phrase rather than a word:
Use lines from a favorite song:
Lyric: How Much Is That Doggie in the Window?
Password: H$itditw?
Use a city expression:
Expression: Chicago is my kind of town
Password: CimYKot!
Use foods disliked during childhood:
Food: rice and raisin pudding
Password: ric&raiPudng
Note: Obviously, you shouldn't use any of the passwords used as examples in this document. Treat these examples as guidelines only.
How Can I Avoid a Bad Password?
Avoid passwords that would be easy for anyone to guess.
Don't rely on the following techniques; each looks clever, but each is easy for a password cracking program to automate:
Technique: Transliteration
Illustrative Expression: photographic
Password: foTOgrafik
The problem here is that hackers with dictionaries can automate the same transliteration, automatically replacing 'ph' with 'f', 'c' with 'k', and vice versa.
Technique: Interweaving of characters in successive words
Illustrative Expression: iron horse
Password: ihrOrnSe
This is probably a better method than transliteration; however, it is still fairly easy for a hacker to have a program interleave two short dictionary words.
Technique: Substitution of synonyms
Illustrative Expression: coffee break
Password: jaVa*rest
This password is still just the concatenation of two short English words with a separator and would be fairly easy to find with a password cracking program.
Technique: Substitution of antonyms
Illustrative Expression: stoplight
Password: star$daRk
See above: two short English words joined by a separator, which a cracking program tries as a matter of course.
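The following is an added example, not part of the original page, showing in Python how a cracking program automates every technique listed above (reversal, transliteration, interleaving, two-word concatenation with a separator) against a stolen file of salted hashes, and why the phrase-derived passwords from the earlier song-lyric examples are not found by the same rules. The wordlist, substitution rules, joiner list, salt and salted SHA-256 hash are assumptions standing in for a real multi-language dictionary and the target system's actual hash format.

```python
import hashlib
import itertools
from typing import Iterator, List, Optional, Set, Tuple

# Constructed stand-in for a cracking dictionary. Assumption: a real run uses
# a full multi-language wordlist; this one only needs the roots of the
# demonstration passwords.
WORDLIST: List[str] = ["iron", "horse", "java", "rest", "photographic",
                       "coffee", "break", "star", "dark", "stop", "light",
                       "duke", "password"]

# Substitutions applied automatically to every word; the page's
# 'ph' -> 'f' and 'c' -> 'k' are among them (assumed rule set).
SUBSTITUTIONS: List[Tuple[str, str]] = [
    ("ph", "f"), ("c", "k"), ("k", "c"), ("a", "@"),
    ("e", "3"), ("i", "1"), ("o", "0"), ("s", "$"),
]
# Separators tried between two words (assumed rule set).
JOINERS: List[str] = ["", "*", "&", "$", "-", "_", "."]


def hash_password(password: str, salt: str) -> str:
    """Salted SHA-256 standing in for whatever the target system stores."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def transliterations(word: str) -> Set[str]:
    """Every combination of SUBSTITUTIONS applied to the word."""
    variants = {word}
    for old, new in SUBSTITUTIONS:
        variants |= {v.replace(old, new) for v in variants}
    return variants


def case_variants(word: str) -> Set[str]:
    """Cheap capitalisation rules: as-is, Capitalised, UPPER."""
    return {word, word.capitalize(), word.upper()}


def interleave(a: str, b: str) -> str:
    """Alternate the characters of two words: iron + horse -> ihroornse."""
    return "".join(x + y for x, y in itertools.zip_longest(a, b, fillvalue=""))


def candidates(words: List[str]) -> Iterator[str]:
    """Cheapest rules first: single words and their mangles, then word pairs."""
    singles: Set[str] = set()
    for w in words:
        for base in (w, w[::-1]):            # the word and its reverse
            for t in transliterations(base):
                singles |= case_variants(t)
    yield from sorted(singles)
    for a, b in itertools.permutations(words, 2):
        pair = {interleave(a, b)}
        # synonym/antonym "substitution" is still just two dictionary words
        pair |= {a + j + b for j in JOINERS}
        for p in sorted(pair):
            yield from sorted(case_variants(p))


def crack(target_hash: str, salt: str,
          words: List[str] = WORDLIST) -> Tuple[Optional[str], int]:
    """Return (password, candidates tried); password is None if exhausted."""
    tried = 0
    for cand in candidates(words):
        tried += 1
        if hash_password(cand, salt) == target_hash:
            return cand, tried
    return None, tried


if __name__ == "__main__":
    salt = "x7"  # constructed; a real password file carries a salt per entry
    for pw in ["fotografik", "ihroornse", "java*rest", "Star$dark", "H$itditw?"]:
        found, tried = crack(hash_password(pw, salt), salt)
        print(f"{pw!r:14} -> {found!r} after {tried} candidates")
```

Each of the four "clever" passwords falls out of a few thousand candidates because it is generated by a rule, while the phrase-derived H$itditw? is never generated at all; a real cracker simply has more words and more rules, which is why the quarterly cracking run described next is a fair test of a NetID password.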
Beginning in August 2004, the University IT Security Office will run a password cracking program against all Duke NetIDs on a quarterly basis. The process will be: