
Password requirements and recommendations

The password must be at least 10 characters long, preferably more. Anything under 16 characters counts as a short password; at 16 characters and above the more accurate term is passphrase. Do not use letters such as á, ä, ö or å, since some systems cannot handle these characters in a password. The five characters ‘ ” ¤ % & are also better left out, because some systems have problems with them. (You may use them if you wish, but remember: if you have just changed your OUAS password and can log in to most systems yet fail to log in to one particular service, change the password again without these characters and you should be able to log in everywhere.) Upper case and lower case letters count as different characters. In addition, the complexity requirements demand that your password contain at least three of the following four:

  • a lower case letter
  • an upper case letter
  • a number
  • a special character

If you choose a password shorter than 16 characters, it is especially important that it does not mean anything (it must not be found in a dictionary) and is not a name, a user name, or any logical or otherwise known sequence of characters (for example qwerty, 12345, abcde, a phone number or a personal identity number). Note that you cannot use your own name as a password; this is technically prevented (and it would be a terrible password anyway). The system will also not accept any of your three previous passwords as a new password.
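As an added example (not code from the OUAS guideline or its systems), here is a Python checker that applies the rules stated above: the minimum length with anything under 16 only warned about, three of four character classes, non-ASCII letters refused, the five problem characters warned about, the account holder's own name and user name refused, the three previous passwords refused, and, for the "qwerty"-type sequences the guideline mentions, a QWERTY keyboard-walk score. The salted PBKDF2 hashing of the password history, the small constructed blacklist and the 0.6 keyboard-walk threshold are this example's own assumptions, not part of the guideline.

```python
"""Password policy checker modelled on the OUAS rules above (added example).

Rules taken from the guideline: >= 10 characters (under 16 warned), three of
four character classes, no non-ASCII letters, the five problem characters
warned about, own name/user name refused, three previous passwords refused.
Assumptions of this example: PBKDF2 for the history, the blacklist contents,
and a 0.6 threshold for the keyboard-walk score.
"""
import hashlib
import os

MIN_LENGTH, SHORT_LENGTH, HISTORY_DEPTH = 10, 16, 3
PROBLEM_CHARS = set("\u2018\u201d\u00a4%&")        # the guideline's  ‘ ” ¤ % &
BLACKLIST = {"qwerty", "12345", "abcde", "password", "letmein"}   # constructed
QWERTY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEY_POS = {c: (r, i) for r, row in enumerate(QWERTY_ROWS) for i, c in enumerate(row)}


def _adjacent(a, b):
    """True if key b is a physical neighbour of key a on a staggered QWERTY layout."""
    if a not in KEY_POS or b not in KEY_POS:
        return False
    (ra, ia), (rb, ib) = KEY_POS[a], KEY_POS[b]
    if ra == rb:
        return abs(ia - ib) == 1
    if rb == ra + 1:            # one row down: straight below or half a key to the left
        return ib in (ia, ia - 1)
    if rb == ra - 1:            # one row up
        return ib in (ia, ia + 1)
    return False


def keyboard_walk_score(password):
    """Fraction of consecutive key pairs that are neighbours (0.0 .. 1.0)."""
    p = password.lower()
    pairs = list(zip(p, p[1:]))
    if not pairs:
        return 0.0
    return sum(_adjacent(a, b) for a, b in pairs) / len(pairs)


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for the password history."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def character_classes(password):
    """Number of the four classes (lower, upper, digit, special) present."""
    return sum([any(c.islower() for c in password),
                any(c.isupper() for c in password),
                any(c.isdigit() for c in password),
                any(not c.isalnum() for c in password)])


def check_password(password, username, full_name, history=()):
    """Return (errors, warnings). history = [(salt, digest), ...], oldest first."""
    errors, warnings = [], []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    elif len(password) < SHORT_LENGTH:
        warnings.append(f"under {SHORT_LENGTH} characters counts as short: it must be random")
    if character_classes(password) < 3:
        errors.append("needs three of: lower case, upper case, digit, special character")
    if any(c.isalpha() and ord(c) > 127 for c in password):
        errors.append("contains non-ASCII letters (á, ä, ö, å ...)")
    bad = PROBLEM_CHARS & set(password)
    if bad:
        warnings.append("contains characters some systems mishandle: " + " ".join(sorted(bad)))
    lowered = password.lower()
    for part in [username] + full_name.split():
        if len(part) >= 3 and part.lower() in lowered:
            errors.append(f"contains the account holder's name or user name ({part})")
    if lowered in BLACKLIST:
        errors.append("is a dictionary word or well-known sequence")
    if len(password) >= 6 and keyboard_walk_score(password) >= 0.6:
        errors.append("looks like a keyboard walk (e.g. qwerty, QaZWsX...)")
    for salt, digest in list(history)[-HISTORY_DEPTH:]:
        if hash_password(password, salt)[1] == digest:
            errors.append(f"matches one of the previous {HISTORY_DEPTH} passwords")
            break
    return errors, warnings


if __name__ == "__main__":
    for pw in ["Hd28dc2Gq", "Vift6T)wnwH", "QaZWsXEdCRfVTgB", "JohnDoe2024!"]:
        print(pw, check_password(pw, "jdoe", "John Doe"))
```

The keyboard-walk score is deliberately a fraction rather than an all-or-nothing match: a column walk such as QaZWsX jumps between columns, so only about 70 % of its key pairs are neighbours, while a genuinely random 11-character password scores well below half.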

The password is meant to be known only by you. Never give it to anyone else: IT Services staff, for example, will never ask you what your password is. If you receive an e-mail that appears to come from IT Services and asks you to send your password, the e-mail is a scam. Do not write the password down (at least not in a form that someone else could understand).


OUAS's Information Security Officer gives his view on what makes a good password and how passwords are cracked:

What should a password be like, and why do you need a separate password for every service? Over the years, people have been taught to create passwords that are difficult to remember, but regrettably those passwords are nowadays easy to break with present-day computers. Typically a password like "Hd28dc2Gq" is presented as a good password. Unfortunately this is no longer true. Actually, that password is not that bad, but it is not a really good one either. According to current recommendations, the password should be at least 12 characters long and consist of upper-case and lower-case letters, numbers and special characters. The password should not be a single word of any language, nor any known sentence, even when seasoned with a few numbers or special characters.

Questions and answers:

How do crackers break passwords? Very often a security breach leads to the theft of the register that holds the service's user names and passwords. Depending on the service, the passwords are usually stored as hashes (a one-way scrambled form of the password), which means they cannot be read as such. However, with today's processing power, crackers can easily recover weak passwords using brute-force and dictionary attacks. If your password is strong enough, it will not fall very fast (if ever).

Why must I have a separate password for every service I use? If your user name and password for one service fall into the wrong hands, a cracker may try them on other services. For example, if a cracker recovers your password for a system and gains access to your account there, he or she may also see the contact information stored on that account. If you have given your OUAS e-mail address as your contact information, the cracker can find out what services OUAS offers, take your user name from your e-mail address (unless you used the longer alias containing your full name) and try to log in to an OUAS service with the password recovered from the cracked service: if it happens to be the same, the cracker can enter OUAS systems with your privileges. The same applies, of course, if you gave your Gmail address as your contact information to the cracked service: the cracker may be able to access your Google account if you use the same password for Google as for the cracked service. Remember also that you can never be sure how secure the services you use are or how well your password has been protected. In the worst case a web service may store your user name and password in its database as such (in other words, without any encryption). If you lose a user name and password that are unique and therefore unusable in other services, the damage is limited to the cracked service.

Why should the password not be a known sentence, a word of any language, or something else that is easily remembered? Because crackers take this into account. Those who break passwords (for some it is a hobby) collect huge amounts of text samples from the net and use them as help when breaking passwords. For example, with a modern ATI graphics adapter it is possible to try password candidates against passwords encrypted with TrueCrypt at a speed of about 10 million candidates a minute. Crackers typically have several processors or a network of computers in use to speed up the process. A word of a known language or a simple sentence falls fairly fast. The software crackers use can also combine ordinary words with individual letters and numbers, so the password "Volvo4ever" is not a very good password, even though it might look like one.
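To make the two answers above concrete, here is an added Python example (not from the page or from OUAS) of the dictionary-plus-rules attack the officer describes, run against a constructed table of stolen password hashes. The word list, the mangling rules, the suffix list and the "leaked" hashes are all constructed here so it runs offline; the hashes are unsalted SHA-256, an assumption standing in for whatever the breached service used. Real tools such as hashcat or John the Ripper do the same thing with millions of words and thousands of rules on GPUs, which is where the officer's "10 million candidates a minute" comes from.

```python
"""Rule-based dictionary attack against a constructed set of leaked password
hashes (added example).  Shows why 'Volvo4ever' style passwords fall while a
random string from the same table survives the whole candidate list."""
import hashlib
import itertools

# Constructed word list standing in for the large text corpora crackers collect.
WORDLIST = ["volvo", "summer", "password", "turtle", "oulu", "hound"]
# Typical rule suffixes: years, "123", "!", and the "4ever" in the officer's example.
SUFFIXES = ["", "1", "123", "4ever", "2024", "!", "1980"]


def sha256_hex(text):
    """Unsalted SHA-256, an assumption about how the breached service hashed passwords."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def mangle(word):
    """Yield the word plus the variants common cracking rules generate:
    capitalisation changes, simple leetspeak, and appended suffixes."""
    bases = {word, word.capitalize(), word.upper()}
    leet = word.replace("o", "0").replace("e", "3").replace("a", "4")
    bases.update({leet, leet.capitalize()})
    for base in bases:
        for suffix in SUFFIXES:
            yield base + suffix


def candidates(wordlist):
    """Single words with rules first, then every ordered pair of words with rules."""
    for word in wordlist:
        yield from mangle(word)
    for a, b in itertools.permutations(wordlist, 2):
        yield from mangle(a + b)
        yield from mangle(a.capitalize() + b.capitalize())   # e.g. TurtleHound


def crack(leaked_hashes, wordlist):
    """Return ({hash: plaintext} for every hash matched, number of guesses made)."""
    targets = set(leaked_hashes)
    found, tried = {}, 0
    for cand in candidates(wordlist):
        tried += 1
        digest = sha256_hex(cand)
        if digest in targets and digest not in found:
            found[digest] = cand
            if len(found) == len(targets):
                break
    return found, tried


def demo():
    """Constructed 'stolen' table: three rule-shaped passwords and one random one."""
    leaked = {sha256_hex(p): p for p in
              ["Volvo4ever", "Summer2024", "TurtleHound123", "Vift6T)wnwH"]}
    found, tried = crack(leaked, WORDLIST)
    cracked = sorted(found.values())
    survived = sorted(p for h, p in leaked.items() if h not in found)
    return cracked, survived, tried


if __name__ == "__main__":
    cracked, survived, tried = demo()
    print(f"{tried} guesses: cracked {cracked}, survived {survived}")
```

Note that the attack never needs to know the password length or character classes in advance; "Volvo4ever" satisfies a typical complexity policy and still falls within a few thousand guesses because it is a dictionary word plus a rule.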

Why must the password be changed from time to time? What if passwords are stolen from a service and nobody notices for months or years? Then the cracker has a long time available for breaking them. If passwords are changed regularly, the cracker may well crack your password only to find that it is already old and therefore useless, as it no longer gives access to your account.

These facts sound bad. What would a good password be like? It is difficult to answer this question unambiguously. Not all systems give you the opportunity to define a very complex password; the typical restrictions are the available characters and the length of the password. Fortunately, most services let users set passwords of at least 14-16 characters consisting of upper-case and lower-case letters and numbers. With that combination it is possible to produce quite good passwords. It is important that a password is a random "hotchpotch" of numbers and letters, so that it does not resemble a word with numbers used as punctuation. Take a look at this password: "QaZWsXEdCRfVTgB". Try to think why it is actually easy. (Hint: type it on a regular QWERTY keyboard and you will see.) Some experts say that one should use easily remembered words formed into long, confused sentences. This is possible only if the system allows extremely long passwords. For example, such a long password could be "VitaminsIFedToTurtleWhoseNameWasHound". That sentence could also be used as a mnemonic for a shorter password such as "ViftTwnwH", and adding some random special characters and numbers is of course a good idea, so the final password could be, for example, "Vift6T)wnwH".

But doesn't this sound rather paranoid? Unfortunately, that is how the password issue is nowadays. Of course, common sense is always worth retaining, as in anything involving information security.
However, take a look at these examples of passwords that have been broken mechanically in real life:

  • "youcantguessthis password1980"
  • "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn1"
  • "The first printed books have a unique smell to them."

The examples above are taken from these Ars Technica articles:

What is two-step verification? When you have successfully logged in to a system that uses two-step verification, that alone is not yet enough to control the account fully, or even to access it at all, if you are logging in from a computer you have not used before. For example, when you try to change the password, the service sends a text message (or a message to a mobile application) to the mobile phone you registered when you enabled two-step verification on the account. The message contains a short PIN code that you must enter into the system within a certain time for the change to take effect. So if somebody succeeds in stealing your user name and password, they will not be able to take over your account, because they do not have access to your mobile phone (unless, of course, the cracker happens to be your spouse...). Twitter, Google and Facebook, among others, offer two-step verification. Here are the Google instructions: https://support.google.com/accounts/answer/180744?hl=en


This article was published in these categories: for staff, OUAS, GUIDELINE, Bulletins & Guidelines, for students.