October 2, 2006
Tips offered on picking good passwords, avoiding viruses
By Julie Goldstein
Information Technology Services
October is National Cyber Security Awareness Month, a good time to think about how we can better protect our computers, our information, and ourselves.
This article is the first of a two-part series. If you are in doubt about a cyber security issue, contact the ITS Support Center.
Passwords are an important part of computer security. Compromised passwords cause a number of problems at UCSC, including compromised systems and unauthorized access to data.
It is important to have good, hard-to-guess-or-crack passwords and to keep them secret and secure.
In fact, this is number one on our Top Ten List of Good Computing Practices.
In general, passwords should:
• Use a mixture of upper- and lower-case letters, numbers, and symbols,
• Be at least eight characters in length (or at least 10 characters if they don’t use the different types of characters listed above),
• Not be a word found in the dictionary, spelled forward or backward, or a word preceded or followed by a digit (e.g., secret1, 1secret).
To make them more difficult to guess or crack, passwords should also:
• Not include your user name or login name.
• Avoid including personal information that someone could know or find out about you, such as names of family, places, pets, birthdays, address, hobbies, information about your car, etc.
• Avoid words that are slang, dialect, jargon, etc.
• Avoid common keyboard sequences, such as "qwerty89" or "abc123".
One method to create a good, cryptic, memorable password is to create a passphrase. A passphrase is a complex password created by stringing together letters from a phrase, like a song title or a line from a movie. For example, the phrase "This May Be One Way To Remember" could have the associated password "TmB1w2R!" or some other variation.
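The guidelines above expressed as a checker, as an added example that is not part of the original article or any UCSC tool. The word list and keyboard runs are small constructed samples, and allowing eight characters only when all four character types are present is an assumed reading of the length rule.

```python
import re

# Constructed sample data (assumptions, not from the article): a tiny word list
# and a few keyboard/alphabet runs. A real check would load a full dictionary.
SAMPLE_WORDS = {"secret", "password", "dragon", "welcome"}
KEYBOARD_RUNS = ("qwerty", "asdf", "zxcv", "abc123", "12345")

def check_password(password, username, words=SAMPLE_WORDS):
    """Return a list of guideline violations; an empty list means it passes."""
    problems = []
    lower = password.lower()

    # Count which of the four character types are present.
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    # Assumed reading: 8 characters is enough only with all four types,
    # otherwise the article's 10-character minimum applies.
    min_len = 8 if classes == 4 else 10
    if len(password) < min_len:
        problems.append(f"too short: need {min_len} characters "
                        f"with {classes} of 4 character types")

    # Dictionary word, forward or backward, with leading/trailing digits
    # removed first (covers "secret1" and "1secret" from the article).
    core = lower.strip("0123456789")
    if core in words or core[::-1] in words:
        problems.append("dictionary word, possibly reversed or with digits added")

    if username and username.lower() in lower:
        problems.append("contains the user name")

    if any(run in lower for run in KEYBOARD_RUNS):
        problems.append("contains a common keyboard sequence")

    return problems

if __name__ == "__main__":
    # "jdoe" is a hypothetical login name used only for this demonstration.
    for candidate in ("TmB1w2R!", "secret1", "1secret", "qwerty89"):
        print(candidate, "->", check_password(candidate, "jdoe") or "passes")
```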
Protecting your passwords
Keeping your passwords secret and safe can be just as important as creating good passwords. Tips include:
• Never share your password with anyone else.
• Avoid writing passwords down. If you have to write something down, try to write it in a way that others won’t be able to decipher – and store it securely.
• Use different passwords for your different accounts. That way if one of your passwords is compromised, your others are still OK.
• Change initial passwords, password resets, and default passwords the first time you log in. These passwords can be extra vulnerable.
• Don’t let your applications or browser remember passwords that provide access to sensitive systems or data. That way if someone gets into your computer they don’t also automatically get into all of your accounts.
For more information about passwords, see the UCSC Password Strength and Security Guidelines. Another good resource is at StaySafeOnline.org.
Viruses, spyware and more
Viruses, spyware, and other malicious programs are another threat.
A malicious program is any software that performs unauthorized activities on a computer. Viruses and spyware are types of malicious programs. Viruses can slow your computer's performance, cause a crash, allow spammers to send e-mail through your account, or even destroy your data. Spyware can also slow computers down, make web browsers go to sites you don’t want to go to, spy on keystrokes to capture passwords or personal information, send you pop-up ads, monitor your Internet activity, and generally cripple computers.
Malicious programs can come from various sources, such as e-mail attachments, Internet links in e-mail or pop-up windows, or bundled with other programs (typically free programs) without your knowledge. Fortunately, there are a number of things you can do to reduce your chances of being infected.
Two key practices to help protect your computer from viruses, spyware, other malicious programs, and even some hackers are:
• Use antivirus software, and always keep it up to date. (Anti-spyware software is also a good idea, though this is not supported at UCSC at this time.)
• Make sure your operating system and applications have all current updates (patches). Set your programs to auto-update, and be sure to install updates when they are released.
• Don’t download files or applications from an unknown source or web site. Sometimes free software, files, tools, and gadgets come with more than you bargain for.
• Don’t open unknown or unexpected e-mail attachments. Always check with the sender first if you are unsure.
• Don’t click on links in unsolicited e-mail. E-mail links may take you somewhere different than where they say they will, and it’s possible to make phony web pages that look legitimate. If you want to investigate something further, look the topic or company up separately (e.g., do a Google search) and type the web address directly into your web browser.
• Don’t click on links in pop-up ads or windows. Use your web browser’s pop-up blocker, if it has one, to help prevent these ads from getting through.
• Don’t open files sent via instant messenger (IM). IM tends to bypass antivirus scanning, making it easier for these files to infect your computer.
It is important to remember that each one of us has a key role in keeping our computers and information secure.
Additional computer security awareness information is available on the ITS Security Awareness web site, including:
• A Top Ten list of good computer security practices
• Information about how to protect sensitive data
• Index of additional information
Other excellent cyber security resources include OnGuard Online and StaySafeOnline.org.