
Thursday, July 24, 2008 2:04 PM

Inside Tufts University Information Technology

Creating Strong Passwords

Good, strong passwords help protect University security in several ways. Windows 2000 and XP machines, for example, all have an administrative account that grants full access to the PC system. Additionally, some machines have user accounts that are defined as Local Administrators. Users who operate computers while logged in as the Administrator (servers), as a Local Administrator, or with a login that has full local administrative rights leave the entire system open if it is hacked into by outside sources. Running a PC with a login that has full administrative rights is highly discouraged, but in reality it occasionally happens. Without strong passwords, these machines can be easily compromised. Once they are compromised, the Tufts network and connected machines also become vulnerable.


The following information is derived from the UIT Training and Documentation's Local Area Network Password Creation Guidelines tip sheet. The tip sheet and the extensive list of documentation and tip sheets are available from the UIT Training team.

Tufts Password Requirements
* Effective 3/22/2005

Strong password rules and requirements improve the security for everyone in the Tufts computing community. Listed below are the requirements and guidelines you must follow when selecting a domain password:

  • Minimum password length is 8 characters (can contain more).
  • Password history is 24 - Your previous 24 passwords are invalid and cannot be reused.
  • Passwords must not match any portion of your user name (UTLN; ex: jsmith01).
  • Passwords must not match any portion of your full name.
  • Cannot use the words password, change, temporary, or Tufts.
  • Cannot use 4 or more repeating characters -
    • example: hhhh, 1111, AAAA, $$$$

Passwords must contain the following:

  • At least 1 uppercase character
  • At least 1 lowercase character
  • At least 1 numeric digit
  • At least 1 special character -
    • example: @, #, %, {, ?, +, etc.
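
The requirements above expressed as a checker, as an added example that is not Tufts' own code or enforcement logic. It assumes a "portion" of a name means any run of 3 or more consecutive characters (the page does not define it), uses a constructed full name, and leaves out the 24-password history rule, which needs stored password history.

```python
import re

FORBIDDEN_WORDS = ("password", "change", "temporary", "tufts")  # from the page
MIN_LENGTH = 8
MIN_PORTION = 3  # assumption: a "portion" is 3+ consecutive characters


def _portions(text, size=MIN_PORTION):
    """All lowercase substrings of `size` characters from each word in text."""
    out = set()
    for word in re.split(r"[^a-z0-9]+", text.lower()):
        out.update(word[i:i + size] for i in range(len(word) - size + 1))
    return out


def check_password(password, username, full_name):
    """Return a list of violated rules; an empty list means the password passes."""
    problems = []
    lowered = password.lower()  # name and word checks are case-insensitive
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if any(p in lowered for p in _portions(username)):
        problems.append("matches a portion of the user name")
    if any(p in lowered for p in _portions(full_name)):
        problems.append("matches a portion of the full name")
    if any(w in lowered for w in FORBIDDEN_WORDS):
        problems.append("contains a forbidden word")
    if re.search(r"(.)\1{3,}", password, re.DOTALL):  # same character 4+ times in a row
        problems.append("4 or more repeating characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase character")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase character")
    if not re.search(r"[0-9]", password):
        problems.append("no numeric digit")
    if not re.search(r"[^A-Za-z0-9\s]", password):
        problems.append("no special character")
    return problems


if __name__ == "__main__":
    # Constructed account details; jsmith01 is the page's sample UTLN.
    for pw in ("Yd$5TU01", "Wg#17b#5", "Smith#2008", "Tufts1111!", "abc"):
        print(pw, "->", check_password(pw, "jsmith01", "John Smith") or "OK")
```

Both mnemonic passwords shown further down this page pass every rule checked here, while a password built from the account holder's surname is rejected even though it satisfies the length and character-class rules.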

In addition to these requirements, passwords should:

Never be shared, written down, or e-mailed to others.

Be easy to remember (for you, not others!) - The temptation to use loved ones' names, birthdays and anniversaries is great. But "easy to remember" can also become "easy to guess." And, in a world where hackers use sophisticated software to crack passwords, an easy password is an open invitation. The challenge is to create something that is memorable for you but tough for others to decipher.

Be changed frequently - The Tufts domain requires a password change every 180 days.

Be altered when used for multiple applications - A common trick is to integrate the application description into a base password that does not change, such as 1!T%@p ("I love to look at paintings"). When used for database access, it might change to d1!T%@pB; used for ISP access, it might change to W1!T%@pb.

Password Tricks - Using Mnemonics to Create Memorable Passwords

One way to create a memorable password is to use mnemonics to disguise personal information in a way that is logical for you. Write out a sentence that has personal meaning for you. Then take the first (or last) letters and mix them with numbers and symbols to create your password.

Example #1:

"You donated five thousand dollars to Tufts University in 2001"

Becomes: Yd$5TU01

Capital "Y"; lower case "d" replaces "donated"; "$5" replaces "five thousand"; capital "T" replaces "Tufts"; capital "U" replaces "University"; "01" replaces "2001".

Example #2:

"We have a girl who is 17 and a boy who is 5"

Becomes: Wg#17b#5

Capital "W"; lower case "g" replaces "girl"; "#17" replaces "who is 17"; "b" replaces "and a boy"; "#5" replaces "who is 5".


Related Links

The following links are sites on the Tufts web that include additional information about strong passwords and related security concerns:

Tufts Online LAN Password Change Form

UIT Local Area Network Password Creation Guidelines (PDF file format)

Tufts Audit & Management Advisory Services Password Management

Tufts Network Operations Center

Password advice from Geodsoft and a terrific password evaluator

© 2008 Trustees of Tufts College. All rights reserved.

Tufts University