Changing your password

When you receive your new account, you will get an email that tells you which machines you can log in to, your username, and a unique temporary password. Since this password has now been transferred via email (and potentially read by someone else), you should change it as soon as possible to something that you can remember.

On most unix machines you change your password using the "passwd" command. Simply enter the command, and it will prompt you for your old and new passwords.

Importance

It's very important to pick a good password. The majority of computer break-ins occur as a result of passwords being guessed, overheard, or even given willingly. It becomes a very big problem if any account gets compromised, since it's much easier for an attacker to gain access to the entire machine once they can get a command line.

This is why you should never share your password with anyone, write it down anywhere, or send it across a network unencrypted. Email, telnet, rlogin, and ftp all traverse the network with no encryption, making it very easy for anyone along the way to record your password. SSH is an alternative to telnet and rlogin that encrypts all communications, as well as adding some other benefits.

Choosing a good password

It's actually surprisingly difficult to pick a password that's difficult to crack while still being easy to remember so that you won't need to write it down. Programs that take a password hash ("encrypted" password) and try to guess what the password might be have gotten fairly complex. The increasing speed of computers also means that many more combinations can be tried.

To give you an idea of how to pick a good password, here's a description of what it will have to stand up to:

A password cracker works by taking large dictionaries of words, names, and terms, encrypting those terms, and comparing the result to your encrypted password. It will also try things like combining words together, adding numbers or other punctuation, and trying "1" for "i" and zero for "o". Dictionaries and word lists are widely available for this purpose.

To make sure our users' passwords aren't vulnerable to cracking, we regularly run a password cracker with many different types of dictionaries on all of the accounts, and notify users if their passwords get guessed. Here are some examples of passwords that have gotten cracked in the past:

      !jazzed                    e1nste1n
      .sanchi                    letmein!
      4rasta                     reznikov
      4yuriko                    satchmo1
      abc123                     turm01l
      balrog7                    zwenxia1
      cookies.                    

Do

• Mix capital and lowercase letters.
• Mix letters, numbers and punctuation marks.
• Make it easy to remember, so you won't need to write it down.
• Make it at least 6 characters long. 8 is much better.

Do Not

• Don't base your password on a word or name from any language.
• Don't base your password on your username, or the name of your spouse, pet, etc.
• Don't use all letters, or all numbers.
• Don't use any of the examples on this page!

Techniques

Finally, here are some techniques that seem to be effective for choosing good passwords:

• Take the first letter from each word of a song or poem. Example: "I'm dreaming of a white Christmas" becomes "IdoawC". Maybe add some punctuation if it doesn't look random enough: "Idoa!wC".
• concatenate two short words together with some punctuation and other changes, such as "rYe:Rain" or "bArk&kiTE".
• keyboard patterns can also be good, since they can be fast to type. These are a little more difficult, though, since common ones will also be found in the password dictionaries.

Back to the index