The rise of computer networking at Virginia Tech provides the campus community with better access to computing resources. Unfortunately, it also provides access to would-be computer vandals, both on and off campus. If you are an account holder on a multi-user machine, then it is your responsibility to keep your account and your work stored in that account safe against unauthorized users. This is normally done by means of a password - a short series of characters meant to identify authorized users. This paper provides guidelines for selecting and maintaining a good password.
One way that a vandal can learn your password is by seeing it - either because they watched you type it in, or because you wrote it down. You should avoid writing passwords as much as possible, and certainly don't put a written password in plain view. The best way to avoid trouble is to pick a password that you will remember. This is the main reason why modern systems usually let you pick your own password - so that you won't need to write it down.
To understand how to chose a password, it helps to understand how vandals usually break in. The main way that passwords are broken is by simple guessing. This means that at the least, you should pick a password that can not easily be guessed. For example, don't use the account name as the password. Don't use your own name, or nickname, as the password. Even people who don't know you personally may be able to guess that. Don't use such words written backwards - that's the next thing they will guess.
Vandals can also use a computer to automate the guessing process. If your computer is on the network, they might program another computer to repeatedly attempt to log in to your account. This is actually not very effective, both because it is easy for systems administrators to spot this activity and because the process is too slow to try many passwords. The most sophisticated way normally used to guess passwords is an automated password matcher. Some computer systems, most notably UNIX, store passwords in encrypted form. When you log in and type your password, it gets encrypted in the same way, and the encrypted form of your password is compared against the encrypted copy on file. If the encrypted forms match, you are allowed in. A potential vandal can easily get a copy of the password file. It is easy to find or write a program that simply generates many passwords, encrypts them, and checks for a match. But, it turns out that there are too many possible passwords to try more than a small fraction of them. So, the vandal can only try a relatively few best guesses (where ``few'' can mean many thousands). These best guesses are often the contents of an on-line dictionary of common English or other language words, or literary terms. Such programs can guess about 30% of typical user's passwords.
How can you protect yourself against such attack? The best way is to pick a password that is not a common English (or other language) word, a common name, or something else likely to be in an on-line word list. You should also make sure that your password is six or more characters long, and that it contains at least some upper case letters, punctuation symbols and/or digits along with some lower case letters. This simple precaution will eliminate virtually any possibility of your password being ``guessed''. Using the first letter from each word in a phrase can also give you a safe, easily remembered password.
Two final cautions: NEVER use your normal password on a bulletin-board system! Very often these passwords are stored in clear text on that machine, and are very easy to locate. NEVER store your password in a computer file, and NEVER send it by e-mail. Such files and e-mail messages can easily be read by others.
Every multi-user operating system has some provision for keeping other users from reading or changing your files. However, you cannot assume that your account has been properly set up to automatically protect any new files that you create. You should learn how file permissions work on your computer, and verify that your account is safe. The alternative is to risk losing files or letting the world read your private information.
A growing number of students living in the dorms own their own UNIX machine. A SLIP account provides such machines with access to the Internet. If you own or use such a machine, you should realize that any of the millions of Internet users has the ability to reach your machine just as easily as you can reach other machines on the network. Thus, your machine is now particularly vulnerable to attack. Sticking to the password usage guidelines explained above should protect your account from vandals. If you are a system administrator (which in this case is usually the owner of the machine), then you must also be concerned about security for all accounts on the machine, including the various system accounts that come pre-installed. Pre-installed accounts are often the most easily attacked, since they come with a standard password that may be common knowledge. Before you put a machine onto the network using SLIP, you should first make sure that no system account has the default password. The means that you should change the original password on all accounts when you get your machine. You should also make sure that all system accounts and user accounts have secure passwords, which may require sharing this document with your users, and training them to develop good security practices.
COMPUTER SECURITY CHECKLIST
World writable directories and files allow other users to use your directory for whatever they wish. World readable files allow users to read your sensitive information. While most accounts should already be set up so that others won't have access to your files, you should learn about file permissions on your computer and verify that your account is protected.
If your machine is running SLIP, or otherwise connected to the campus network, DO assume that anybody in the world can try to log into your machine.