Information Technology

Passwords: Guidelines and Technical Requirements

Pepperdine Passwords

1. Use a passphrase instead!

 • It is easier to type/remember.

 • It is much more secure.

2. Never share your passphrase!

3. Don't use your passphrase on other sites!

4. Set a PIN (or password) on your mobile!

This IT guideline and standards document gives detailed answers to the following questions:

Why is there a PIN requirement for mobiles?

Faculty and staff are required to set a 15 minute timeout and password on any electronic device used to access confidential University information. This includes setting a timeout and PIN on mobile devices with access to University email. It is better security if you set a password or passphrase on the mobile. 

By University policy, access to confidential information, such as email or student/business records, must be secured by passwords that meet current IT standards. The current IT standard for mobiles is a PIN (4 digit numeric code). A person with physical access to your phone can decrypt PIN protected contents in minutes; therefore a password or passphrase is much better security. However, a PIN is designed to hinder someone who is casually accessing a lost/stolen phone from browsing the information on it.

Have a look at the top 10 phone PINs. Never use these PINs, because hackers and opportunists will try them first.

Four digit PINs are possible to guess by hand and certain to be guessed by a machine:
  • Don't use 4 consecutive or 4 of the same digits.
  • Turn on the feature that wipes your device after 10 guesses.

Where you can, use an alphanumeric passcode:
  • Turn off the 'simple passcode' and enable alphanumeric passcode.
  • Combine digits and letters for your passcode.

What makes a password strong?

Strong passwords take a hacker with lots of computing power a very long time to guess. To enforce some basic elements of strong passwords, IT has instituted some technical requirements (see below).

Not all passwords that meet our technical requirements are strong!

Generally speaking, you can consider that if a word is in the dictionary, it's in the hacker's toolbox as well. You can also assume that anyone targeting you will use any publicly available information about you, be it words, names or numbers, to hack your password. Have a look at the 50 most common passwords discovered during an Internet compromise in 2011. Never use these passwords, because hackers and opportunists will try them first!

Use the tips below to create a good, strong password that is nearly impossible to guess.

DON'T use common passwords and password components

Avoid passwords based on well-known passwords, or variations of them. These examples have been found on dozens to thousands of accounts at Pepperdine - don't use anything like them!

  • Waves123
  • Password!
  • Autumn09, Spring2012 and similar
DO use a long password with special characters

Use a long password. When it comes to strong passwords, longer is better. Therefore, a passphrase is generally stronger than a password. Even adding a few characters makes a big difference. A twelve character password is potentially 30 million times stronger than an 8 character one.

Use special characters in your password. Many passwords have upper and lower case letters and numbers. That's good! Adding special characters makes a larger 'password alphabet' and makes your password even stronger. The term 'special characters' as used by IT includes the following:

space ! @ # $ % & ^ ~ _ * - = + ` ' " , . ; : ? | / \ ( ) [ ] { } < >


How can I make an easy to remember secure password?

Creativity and fun help you make a strong password that you can more easily remember. Before committing to a password, make sure it's one that isn't too hard to type!

Use a pass phrase instead of just a pass word

A passphrase is the best password available. Its length, coupled with capitalization, numbers & symbols, makes it very hard to guess. In addition, it may be easier for touch typists to enter a passphrase rather than a password.

One method for creating a passphrase:

  1. Choose a phrase you can remember, but not one you say or write frequently, and not the ones in this example, for instance:
    All for one, and one for all!
    Buy low, sell high.
  2. Add or change characters so that it's not a verbatim proverb, and add capitalization, numbers and/or special characters:
    all for One - One for all
    Buy low & sell 2 high.

Use a memorable sentence or a group of words to create a cryptic password

If you prefer a password, here are two easy methods to create a strong one.

Sentence method for creating a password:

  1. Choose a phrase, quote, proverb or cliche other than the one in this example, for instance:
    So long, and thanks for all the fish.
  2. Take the first letters of each word in the phrase:
    slatfatf
  3. Add capitalization, numbers and/or special characters:
    slatfatF\3

Word group method for creating a password:
  1. Choose two or three memorable words other than the ones in this example, for instance:
    bear gates
  2. Add capitalization, numbers and/or special characters, for example:
    7bear gateS
    Bear7gates
    /bearg Ates

Keep your password secure

Three absolute rules to follow to keep your password secure (per CNRUP Security and Privacy section):

  1. Do not use your University passwords, or anything like them, on other systems.
  2. Do not share your password with anyone, including supervisor, co-workers or friends.
  3. Change your password immediately if you suspect it has been compromised or disclosed.

Use the network ID portal securely

The Network ID portal allows you to set up secondary identifiers used to change your password, in case you forget it. Follow these guidelines in managing your Network ID profile.

When using mobile numbers as a secondary identifier: If you lose your phone, access the Network ID portal immediately and change to email or secret questions for your secondary identifier. Be careful when loaning your phone to others to make quick calls. Do not use this method if you give your phone to others to use out of your supervision.

When using external email as a secondary identifier: Remember that you are not to use your Pepperdine Network ID password on external accounts, so choose a different password for your external email account, but make it strong, too. If you lose access to your external email account or it is broken into, access the Network ID portal immediately and change to mobile number or secret questions for your secondary identifier. Do not use this method if you share your external email account with others or if you leave your external email account logged in unattended.

When using secret questions as a secondary identifier: Choose the questions that you know the answers to, but that few others may know. Consider making up one or more answers, if you can remember them.

Storing your password(s)

It is best to memorize your password, but you may write your password down while you're learning it. This may seem counter to security, but it is sound security advice and this is the way to do it:

  • Place it inside your wallet.
  • Do not label it or otherwise indicate it is your password.
  • Destroy it when you no longer need it.

If you have many different passwords to remember, consider a password manager that uses real encryption. A password manager is software that stores all your passwords under a single password. The Information Security Office has evaluated the following free products and concludes they are using proper encryption. These products are recommended, but not supported. See the following web page for more information: https://community.pepperdine.edu/it/security/password/passmgrs.htm

Technical requirements for a strong password

Information Technology has put in place some technical controls to enforce strong password basics. Network ID passwords have different requirements than PGP system passwords.

Passwords for your Network ID

The University requires every holder of a Network ID to compose a unique network password for that ID according to standards set by Information Technology (see Computer and Network Responsible Use Policy). The current IT standards for password composition (August 2009) are that every password meet the following complexity criteria as to length, characters and source.

  • Length - A password must have a minimum of eight characters
  • Characters - A password must contain three out of the following four types of characters:
    • Upper case letter
    • Lower case letter
    • Numeral
    • Punctuation or symbol or space
  • Source - Passwords must not:
    • Include your Network ID name
    • Match one of your five previous passwords
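A checker for the Network ID composition rules above, added here as an example (not Pepperdine IT's code). It also flags the weak-but-compliant patterns listed earlier on this page (Waves123, Password!, season+year), generalising the season examples to all four seasons; the Network ID 'jdoe' and the previous-password lists are constructed sample values.

```python
import re

# Added example (not Pepperdine IT's code): a checker for the Network ID
# password composition rules stated on this page, plus a heuristic for the
# weak-but-compliant patterns the page lists (Waves123, Password!, season+year).
# Previous passwords are compared in plaintext here for clarity; a real history
# would store salted hashes (an assumption, not something the page specifies).

# The 'special characters' set exactly as the page lists it (space included).
SPECIAL = set(" !@#$%&^~_*-=+`'\",.;:?|/\\()[]{}<>")

# Generalised from the page's Autumn09 / Spring2012 examples to all seasons.
SEASON_YEAR = re.compile(r"^(spring|summer|autumn|fall|winter)\d{2,4}$", re.I)
COMMON_BASES = {"waves", "password"}  # letter-only bases of the listed examples


def character_classes(password):
    """Count how many of the four classes (upper, lower, numeral, special) appear."""
    return sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in SPECIAL for c in password),
    ])


def check_network_id_password(password, network_id, previous=()):
    """Return rule violations (empty list = passes); previous is oldest first."""
    problems = []
    if len(password) < 8:
        problems.append("length: fewer than 8 characters")
    if character_classes(password) < 3:
        problems.append("characters: fewer than 3 of the 4 character types")
    if network_id and network_id.lower() in password.lower():
        problems.append("source: contains the Network ID name")
    if password in list(previous)[-5:]:  # only the five most recent count
        problems.append("source: matches one of the five previous passwords")
    return problems


def looks_like_common_pattern(password):
    """True for weak patterns the page warns will pass the technical rules."""
    if SEASON_YEAR.match(password):
        return True
    letters_only = re.sub(r"[^a-z]", "", password.lower())
    return letters_only in COMMON_BASES


if __name__ == "__main__":
    for pw in ("Waves123", "Spring2012", "slatfatF\\3"):
        print(pw, check_network_id_password(pw, "jdoe"), looks_like_common_pattern(pw))
```

Running it shows that Waves123 and Spring2012 satisfy every technical rule yet are flagged as common patterns, which is the page's point that meeting the requirements does not make a password strong.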

Passphrase for your PGP encrypted disks

For persons storing restricted information on their computers, the Information Classification and Protection Policy requires disk encryption. IT supports enterprise PGP Whole Disk Encryption (WDE) for this policy-mandated requirement. Technical requirements for PGP WDE passphrase are:

  • Length: 20 or more characters.
  • Complexity: Meets the PGP calculated complexity of 60% or more.
    (The PGP software will calculate this complexity percentage for you and give real time feedback as you type).
  • Composition: Must not resemble or be based on your Network ID password.

Expiration & Lock-out Technical Requirements

Passwords for your Network ID will automatically expire 365 days after your last password change. A user may change his or her Network ID password at any time and does not need to wait for the automatic expiration. If a user believes their password may have been compromised, they should immediately change their password at https://myid.pepperdine.edu and notify the University's Information Security Office (310-506-4040) or the Pepperdine Help Desk (310-506-4357).

Change or RESET Your Network ID Password

NOTE: If you have entered your password into mobile devices or email programs that periodically log in with that password, you may be locked out of your account if you don't disable those automatic logins before changing or resetting your password. Typical places where this happens are smartphones and non-Outlook desktop email clients running in IMAP or POP mode.

To change your password follow these steps:

  1. Access the MyID Password Management page at: https://myid.pepperdine.edu
  2. Click to select CHANGE PASSWORD
  3. Follow the instructions on screen.

In case you forget your password, follow these steps:

  1. Access the MyID Password Management page at: https://myid.pepperdine.edu
  2. Click FORGOT PASSWORD
  3. Enter your NetworkID
  4. Complete the Word Verification step
  5. Click the check box to receive a text message with your PIN code and then click Request PIN.
  6. A PIN will be sent to your mobile phone or alternate email address.
  7. Enter that PIN in the Validate PIN box
  8. The system will prompt you to enter a new password and you will be done.

[updated September 2013 by IT COMM]
