The weakest point in the security of multiuser systems is usually a weak password. If the instructions on this page sound like they are verging on paranoia, then they are probably also verging on security.
Choosing a password
Your goal is to choose a password that is easy for you to remember but difficult for others to guess.
To make a password difficult to guess, your password should:
- never be made up of words found in a dictionary -- any dictionary. An attacker does not need to know Finnish or Afrikaans to feed a readily available on-line wordlist of either language to a password-guessing program.
- never be based on facts related to you, such as the name or birthday of a friend or pet.
- never be based on examples in a guide to making passwords. All examples used on this page will be rejected in the St. Isidore of Seville lab.
- always contain a mix of alphabetic characters with other characters (such as punctuation marks).
One easy way to create a good password is to choose a line of poetry or an easily remembered passage of literature and take the first letter of each word along with all of its punctuation. The opening sentence of Cicero's first Catilinarian,
Quo usque tandem abutere, Catilina, patientia nostra?
produces a marvellously unintelligible but easily recalled password: an excellent mix of upper and lower case letters with punctuation. Because the method yields roughly one character per word, a longer passage gives a longer (and stronger) password than a short one. A memorable passage in Greek lets you complicate matters further by applying your preferred transliteration scheme.
Although you should avoid choosing passages typically assigned for memorization (such as the first sentence of Lincoln's Gettysburg Address, or the opening of the Iliad), the possibilities of this method are unlimited, and it has the beneficial side effect of rewarding you for reading and memorizing passages outside the range of commonly read texts.
This method also provides an easy way to give yourself a mnemonic prompt without writing down the password itself. A discreet reference to Cicero's Catiline might be enough to jog your memory if you were uncertain what password you had used for your account in the St. Isidore of Seville lab.
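The following is an added worked example, not part of the original lab page: it carries out the first-letter-plus-punctuation method on the Cicero sentence above and on a Greek line with a transliteration map, and then applies the page's own rules (no dictionary words, no personal facts, no examples from a guide, a mix of alphabetic and other characters) as a checker. The tiny wordlist, the transliteration map and the personal-fact list are constructed for the example; a real check would load a large multilingual wordlist.

```python
import re
from typing import Dict, Iterable, List, Optional

# Constructed stand-in for "any dictionary"; a real check would load a large
# multilingual wordlist (assumption for this example).
SAMPLE_DICTIONARY = {"password", "secret", "letmein", "quo", "usque",
                     "tandem", "catilina", "gettysburg"}

# Passages the page names as off-limits or uses as examples; anything derived
# from them is rejected (the page's rule, the list is this example's).
REJECTED_PASSAGES = [
    "Quo usque tandem abutere, Catilina, patientia nostra?",
]


def passage_to_password(passage: str,
                        transliterate: Optional[Dict[str, str]] = None) -> str:
    """First letter of each whitespace-separated word, keeping every
    punctuation mark in its original position.  An optional per-letter
    transliteration map implements "your preferred transliteration scheme"."""
    transliterate = transliterate or {}
    out: List[str] = []
    for chunk in passage.split():
        seen_letter = False
        for ch in chunk:
            if ch.isalpha():
                if not seen_letter:
                    out.append(transliterate.get(ch, ch))
                    seen_letter = True
            elif not ch.isdigit():
                out.append(ch)  # punctuation is kept, digits dropped
    return "".join(out)


def check_password(pw: str,
                   dictionary: Iterable[str] = SAMPLE_DICTIONARY,
                   personal_facts: Iterable[str] = ()) -> List[str]:
    """Return the list of page rules the candidate password violates
    (empty list means it passes every check this example implements)."""
    problems: List[str] = []
    lower = pw.lower()
    words = set(dictionary)
    if lower in words:
        problems.append("is itself a dictionary word")
    else:
        hits = sorted(w for w in words if len(w) >= 4 and w in lower)
        if hits:
            problems.append("contains dictionary word(s): " + ", ".join(hits))
    for fact in personal_facts:
        if fact.lower() in lower:
            problems.append(f"based on a personal fact: {fact!r}")
    rejected = {passage_to_password(p) for p in REJECTED_PASSAGES}
    if pw in rejected:
        problems.append("is an example from a password guide")
    has_alpha = any(c.isalpha() for c in pw)
    has_other = any(not c.isalpha() for c in pw)
    if not (has_alpha and has_other):
        problems.append("needs a mix of alphabetic and other characters")
    return problems


if __name__ == "__main__":
    cicero = "Quo usque tandem abutere, Catilina, patientia nostra?"
    print(passage_to_password(cicero), check_password(passage_to_password(cicero)))
    # Constructed transliteration scheme for a Greek line (assumption).
    greek_map = {"Μ": "M", "ἄ": "a", "θ": "th", "Π": "P", "Ἀ": "A"}
    iliad = "Μῆνιν ἄειδε, θεά, Πηληϊάδεω Ἀχιλῆος"
    print(passage_to_password(iliad, greek_map))
    print(check_password("Fido1999!", personal_facts=["Fido"]))
```

Note that the checker rejects the Cicero-derived password precisely because it appears on this page, which is the rule the lab enforces; a passage of your own that passes the checks is still only as strong as it is obscure.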
Using a password
In the St. Isidore of Seville lab, your password is never transmitted unencrypted over the network. You can confidently use it in the lab, or over secure shell (ssh) connections to the lab from anywhere on the internet. That protection depends on your ssh client talking to the genuine lab host: if your client warns that the lab's host key has changed, do not type your password until you have confirmed with the lab why it changed.
You should take care not to expose your password in other ways.
- never write down a secure password in plain text. If you have followed the method suggested above, you can easily jot a hint to yourself that will not attract attention as a password hint -- on a bookmark tucked in a book, for example.
- never use a secure password with software that might transmit it in the clear (such as a form on a Web page that is not served over https, or, at Holy Cross, applications like the Novell suite). Use a (different) junk password for any application you're unsure about.
- never allow "helpful" applications to save a secure password so that you don't have to retype it: reserve this kind of help for the junk passwords, which are transmitted in the clear anyway.
Last updated: Feb. 28, 2012