Passwords in-depth

Any individual who can determine your password has the ability to log into your computer account and:

  • read and potentially alter any piece of computer-based information to which you have access,
  • easily assume your identity while communicating via e-mail, chat, etc., and
  • potentially launch attacks upon other systems both on and off campus.
While some organizations needing a high degree of security use other methods to confirm a person’s identity, such as “smart” ID cards, fingerprints, handprints, retina, facial image or voice, these systems are expensive and are often impractical. Thus, passwords continue to be the most commonly used approach.

How passwords are commonly exposed

An individual intent on breaking into a computing environment normally needs a valid netID/password combination to gain initial entry. It is important to note that any netID, even a minimally privileged one, will suffice.

Once inside the system, an intruder can use any of many readily available tools to escalate his/her access privileges to the most powerful level. NetIDs tend to be either public knowledge or predictable in their format. To uncover passwords, intruders rely on the following:

User carelessness - Writing passwords down, carelessly sharing them with colleagues, leaving them blank or equal to their default values, or making them trivial (e.g., "password", "p", "passwd", "aaaaaa", "123456", "qwerty", your NetID) are the riskiest password practices.

Performing any of the above actions significantly increases the risk of an intruder accessing your personal resources and Princeton University’s entire computing environment with minimal effort or action on his/her part.

Inside knowledge - People who know something about you have an inside track toward guessing your password when you use a piece of personal information as your password (e.g., name, office location, birth date, name of a family member, pet name, organization, phone number).

Unacquainted individuals can also uncover such information if they can gain access to personal information collected by any individual or group, University-based or elsewhere. Additionally, if you use the same password for Princeton University as you do for any computing service outside of the university (e.g., AOL, Yahoo), your Princeton password could be exposed if their systems are compromised.

Dictionary attacks - Passwords are typically stored on computers in an encrypted (more precisely, hashed) form to mask their value. However, when you use a word in the dictionary or a given name as your password, it can often be uncovered in seconds, thanks to software available on the Internet known as a “hackers’ dictionary.” Tools of this type allow a determined individual to compare any encrypted password against the encrypted form of every word in the dictionary and every given name. If a match is found, the unencrypted form of the password is exposed.

Since these tools exist in virtually every language, using a non-English word as a password is equally risky.

Enhanced dictionary attacks - To counter the "hackers’ dictionary" threat, many try to strengthen their dictionary-based passwords by preceding or following them with a number or symbol (e.g., "3Amigos", "Apollo7"). Others alter dictionary-based passwords by substituting a zero for the letter "O", the number "1" for the letter "I", the symbol "@" for the letter "A", etc.

Unfortunately, the authors of "hackers' dictionary" software adapted their products quickly to address these countermeasures and have rendered such approaches ineffective.

Brute force attacks - When all else fails, determined individuals will execute programs to try all possible password letter, number and symbol combinations.

Short (i.e., less than 8 characters), trivial (e.g., “password”) or uniform passwords (e.g., all lower case alpha) can often be broken in seconds while longer, more complex passwords could take months to break.

Password practices to avoid

The following practices put your computer account at risk and should be avoided:

  • writing your password down or storing it electronically in an unencrypted file,
  • leaving any password blank or unchanged from its initial or default value,
  • making your password trivial (e.g., "password", "passwd"),
  • making your password repetitive (e.g., "aaaaaa", "aaa111"),
  • making your password sequential (e.g., "abcdefgh", "12345678", "qwerty"),
  • basing your password on your netID (if your netID is "qjones", do not use passwords such as "qjones", "QJONES", "QJones", "senojq", "qjonesqjones", etc.),
  • using the name of a family member, nickname, pet name, personal information (e.g., social security number, birth date) or a word associated with your interests as your password,
  • using any word in any dictionary or any common given name (e.g., John, Mary, Tommy) as your password,
  • constructing your password by taking any word in any dictionary or any common given name and substituting numeric characters or symbols for similar-looking alphabetic characters (e.g., "p@ssw0rd", "Chr15t0pher"),
  • building your password by following or preceding any of the above with a number or symbol (e.g., "theater5", "1Elizabeth").

How to change your password

You can change your password for any of the University's core systems (e.g., Windows, e-mail, UNIX, centrally-managed Web systems) by visiting the following web page:

http://www.princeton.edu/changepassword

When logging into our online password management facility, PUaccess, use your netID and e-mail password (also known as your directory or LDAP password). If you have questions, please contact the OIT Help Desk at 609-258-4357 or helpdesk@princeton.edu.

Tips for creating strong, easy-to-remember passwords

The following password composition guidelines are enforced by PUaccess, our web-based password change facility, whenever an individual changes his or her University passwords. However, we recommend that you consider following these guidelines whenever creating any password, on- or off-campus, to reduce the risk of any of your passwords being compromised.

  • Make your password at least eight characters in length.
  • Include at least one character from each of the following character groups:
    • upper case alphabetic characters (A-Z),
    • lower case alphabetic characters (a-z),
    • numbers (0-9),
    • symbols (~`!@#$%^&*()_-+={}[]|\:;"<>',.?/ ).
    Notes:
    1) Passwords may not include blank spaces or control characters, such as return, tab, back-tab, etc.
    2) Mac OS X users who store data on OIT's UNIX clusters should avoid using an ampersand (&) in their passwords. Including an ampersand will prevent the systems from connecting successfully.
  • Embed at least one number or symbol within the password rather than adding it to the beginning or end of an otherwise alphabetic string.
  • Do not make your password a dictionary word or common name with numbers and symbols merely substituting for similar looking alphabetic characters (e.g., "P@ssw0rd").
  • And remember to change your password regularly. This practice limits the amount of time that someone can use to guess your password and the amount of time that your password can be used if it is uncovered.
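
As an added illustration (not part of the original OIT page and not the code PUaccess itself runs), the following Python function checks a candidate password against the composition rules above and also applies the "enhanced dictionary" normalisation described under "How passwords are commonly exposed", so that look-alike substitutions or a tacked-on digit do not disguise a dictionary word. The word list, the netID and the violation messages are constructed samples.

```python
import string

# Constructed stand-in for a "hackers' dictionary" word and name list;
# a real policy check would load a full dictionary and given-name list.
DICTIONARY = {"password", "passwd", "theater", "elizabeth",
              "christopher", "apollo", "amigos"}

# Look-alike substitutions that enhanced dictionary tools undo.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

# Symbol set as listed in the PUaccess guidelines above.
SYMBOLS = set("~`!@#$%^&*()_-+={}[]|\\:;\"<>',.?/")
AFFIX = string.digits + "".join(SYMBOLS)


def dictionary_base(pw: str) -> bool:
    """True if pw is a dictionary word or name once look-alike substitutions
    are reversed and leading/trailing digits or symbols are stripped."""
    low = pw.lower()
    candidates = {low.strip(AFFIX).translate(LEET),   # "theater5" -> "theater"
                  low.translate(LEET).strip(AFFIX)}   # "p@ssw0rd" -> "password"
    return any(c in DICTIONARY for c in candidates)


def check_password(pw: str, netid: str = "") -> list[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if any(c.isspace() or ord(c) < 32 or ord(c) == 127 for c in pw):
        problems.append("contains a blank or control character")
    if not any(c.isupper() for c in pw):
        problems.append("no upper case letter")
    if not any(c.islower() for c in pw):
        problems.append("no lower case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in SYMBOLS for c in pw):
        problems.append("no symbol")
    # A number or symbol must sit strictly inside the string, not only at an end.
    if not any(not c.isalpha() for c in pw[1:-1]):
        problems.append("no number or symbol embedded inside the password")
    low = pw.lower()
    if netid and (netid.lower() in low or netid.lower()[::-1] in low):
        problems.append("based on the netID")
    if dictionary_base(pw):
        problems.append("dictionary word or name with look-alike substitutions")
    return problems
```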

Strong passwords can be easy to remember

A simple way to create a strong but easy-to-remember password is to take a phrase that means something to you and relate each word of the phrase to a corresponding letter, number or symbol. For example, the phrase "I am one happy student at Princeton University" could become the password Im1Hs@PU.

IMPORTANT - The above password has only been shared as a technique for crafting a strong but easy to remember password. You should NOT use Im1Hs@PU as your own password nor should you use any sample password shared in any other password guide. Prospective intruders often review password guides when compiling their lists of passwords to try.

Passwords should not be shared

Sharing your password is almost always a bad idea. Remember that anyone who can log into a system as you is you, as far as our systems are concerned. He or she can access your personal files, view or change any data about you accessible through self-service facilities, send e-mail in your name, and perform other activities. And if a virus or other piece of malicious software is encountered during his or her session, computer logs will record that the attempts came from you. So, sharing your password can be quite risky.

The need for an individual to share his or her password with someone else is extremely rare. Most systems today have features that permit the sharing of information by multiple individuals, with each individual accessing that information using his or her own password. Usually, it is just a matter of following a specific procedure or setting up the system appropriately.

Below, we have listed a number of common situations that have prompted password sharing in the past. In all of these circumstances there are far better alternatives to sharing, and we describe them so that you can protect shared technology resources more effectively.

In the event that multiple individuals need to share computer resources in a manner not covered below, please contact the University's IT Security Officer, Anthony Scaturro, at scaturro@princeton.edu, to discuss appropriate alternatives.


Alternatives to sharing passwords

How can I allow someone to review and respond to my e-mail?

There may be times when you wish a personal assistant or another user to access your e-mail on your behalf, whether on a temporary basis while you are on vacation or away at a conference, or even on a permanent basis. If you are an Exchange e-mail user, you can delegate access to your e-mail folders using the "Account Settings" tab under the "Options" menu in Microsoft Outlook.

How can faculty and staff collaborate on files and folders?

For collaboration, OIT offers three departmental file sharing services:

  • Shared network folders on the Central File Server
  • SharePoint sites
  • WebSpace

Access to folders in any of the above services can be managed by departmental staff members authorized to administer the shared folders. Once authorized, users can post documents and share them with other authorized users.

How can a departmental administrator retrieve a file for an unavailable staff member?

Authorized system administrators can access files on network shares and local hard drives. However, data stored under user profiles should not be accessed without prior authorization by the department manager.

Can temporary employees work on departmental files?

Authorized administrators of departmental shared folders can add the temporary employee's NetID to file and folder authorized user lists, or they can add the temporary employee's NetID to departmental groups authorized to access those shares.

How can I delegate the maintenance of my personal web site to my assistant?

Permissions to manage a website can be granted to anyone with a valid NetID by the website's administrator. If you do not have administrative privileges for the web site, contact your web administrator to grant the required access.

How can I work collaboratively with my graduate and undergraduate students?

Within your personal storage space on the Central File Server (also known as your H: drive) you can create a folder to be shared, and set access permissions. If your department has a departmental server, contact your administrator to grant access for specific folders to specific users.

How can I delegate access to the Web Grading System?

Contact the OIT Help Desk at 8-4357 (HELP, line #3) so that access can be granted, through PeopleSoft permissions, for an administrator to help with the online Student Records System without sharing your password.

How can I delegate the ordering of office and/or laboratory supplies to research assistants or secretaries?

Access to PeopleSoft for ordering purposes can be granted to administrators and research assistants easily, so that you do not have to share your password. Contact the OIT Help Desk at 8-4357 (HELP, line 3) to have PeopleSoft access granted to others.