A good password is easy to remember but difficult to guess. It should be easy for you to remember without writing it down and difficult for both people who know you and anonymous password-crackers to guess.
Strong passwords can be easy to remember
A simple way to create a strong but easy-to-remember password is to take a phrase that means something to you and relate each word of the phrase to a corresponding letter, number or symbol. For example, the phrase "I am one happy student at Princeton University" could become the password Im1Hs@PU
IMPORTANT - The above password has only been shared as a technique for crafting a strong but easy to remember password. You should NOT use Im1Hs@PU as your own password nor should you use any sample password shared in any other password guide. Prospective intruders often review password guides when compiling their lists of passwords to try.
Good password practices
- Use different ID and password combinations for different websites.
- Avoid sharing passwords.
- Change your password regularly.
- Avoid writing passwords down, but if you must, mask it, keep the piece of paper in a safe place and do not include related data, such as your username or the site name.
- Commercially available password management software can keep your passwords in an encrypted, password-protected file. Some products can save the file in the "cloud" allowing users to share passwords among multiple computing and mobile devices. Check with your IT support person or the OIT Help Desk at (609) 258-HELP to ensure the quality of the product.
How are passwords commonly exposed?
User carelessness - Writing passwords down, carelessly sharing them with colleagues, leaving them blank or equal to their default values, or making them trivial (e.g., "password", "p", "passwd", "aaaaaa", "123456", "qwerty", your NetID) are the riskiest password practices.
Inside knowledge - People who know something about you have an inside track toward guessing your password when you use a piece of personal information as your password (e.g., name, office location, birth date, name of a family member, pet name, organization, phone number). Additionally, if you use the same password for Princeton University as you do for any computing service outside of the university, (e.g., AOL, Yahoo), your Princeton password could be exposed if their systems are compromised.
Dictionary attacks - A dictionary attack is a method of breaking into a password protected computer or server by systematically entering every word in the dictionary as a password. Dictionary attacks work on passwords that are simple words. There are also enhanced dictionary attacks that have dictionary-based words preceded or followed by a number or symbol, such as "3Amigos" or "Apollo7"), or have words substituting zeros for the letter "O" and the symbol "@" for the letter "A". These tools exist in virtually every language, so using a non-English word as a password is equally risky. Avoid the dictionary attack with a random combination of numbers, letters, and symbols.
Brute force attacks - When all else fails, determined individuals will execute programs to try all possible password letter, number and symbol combinations. Short (i.e., less than 8 characters), trivial (e.g., “password”) or uniform passwords (e.g., all lower case alpha) can often be broken in seconds while longer, more complex passwords could take months to break.
How do I change my password?
You can change your password for any of the University's core systems (e.g., Windows, e-mail, UNIX, centrally-managed Web systems) by visiting the following web page:
When logging into our online password management facility, PUaccess, use your netID and e-mail password (also known as your directory or LDAP password). If you have questions, please contact the OIT Help Desk at 609-258-4357 or firstname.lastname@example.org.
Passwords should not be shared
Sharing your password is almost always a bad idea. The person who you share your password with can then access your personal files, view or change data about you, or send emails in your name.
Most systems today have features that permit the sharing of information by multiple individuals with each individual accessing that information with his or her own password. The need for you to share your password with someone else is extremely rare.
In the event that multiple individuals need to share computer resources in a manner not covered below, please contact the University's IT Security Officer, Anthony Scaturro, at email@example.com to discuss appropriate alternatives.
Alternatives to sharing passwords:
To allow someone to review and respond to an email:
You can usually delegate access to your email folders under "Account Settings."
To collaborate on files and folders:OIT offers three departmental file sharing services:
- Shared network folders on the Central File Server
- SharePoint sites
Access to folders in any of the above services can be managed by departmental staff members authorized to administer the shared folders. Once authorized, users can post documents and share them with other authorized users
To retrieve a file for an unavailable staff member:
Authorized system administrators can access files on network shares and local hard drives. However, data stored under user profiles should not be accessed without the prior authorization by the department manager.
To delegate the maintenance of personal websites:
Permissions to manage a website can be granted to anyone with a valid NetID by the website's administrator. If you do not have administrative privileges to the web site, contact your web administrator to grant the required access.
To delegate access to the Web Grading System:
Contact the OIT Help Desk at 8-4357 (HELP, line #3) so that access can be granted, through PeopleSoft permissions, for an administrator to help with the online Student Records System without sharing your password.
To delegate the ordering of office or laboratory supplies to research assistants or secretaries:
Access to PeopleSoft for ordering purpose can be granted to administrators and research assistants easily, so that you do not have to share your password. Contact the OIT Help Desk at 8-4357(HELP, line 3) to have PeopleSoft access granted to others.