Unix Manuals

Choosing a password


Each user ID on a UNIX® system should have a password. (It is possible to set up user IDs without a password - however, now that so many computers are connected to the Internet and security is a risk, this is very rarely done!)

When your system administrator first gives you your user ID, you will also be given a password.

The first time you log on, you should change this password, so that only you know it. The system may even force you to change it the first time you log on. For details of how to change your password, see Changing your password.

There are three main things to consider when choosing a password:

1 - It must be secure. No one else must be able to guess it.

Firstly, never use obvious passwords, such as a partner's name, name of a pet, car registration number, holiday location, name of a film star, etc. If someone is trying to gain access to your user ID, these are the first things they will try! It is amazing the number of major computer 'hacks' that have succeeded, simply because a user has had their password set to their partner's name - a hacker will get in on the first attempt!

If someone is trying hard to get into your user ID, they may use a technique known as 'cracking' your password. This involves using a computer program to try every single dictionary word, to see if it is your password. To avoid this, don't use any word as a password - instead use the initial letters of a sentence or some other string of characters that will not appear in a dictionary. See examples below.

2 - You must be able to remember it.

There is no point in having the most secure and hard-to-guess password if you can't remember it: you'll end up writing it on a sticky note and sticking it on your screen! I have seen this countless times on visits to sites. Choose a password that you can remember.

3 - Change it often.

If someone breaks into your house, at least you normally know about it, even if not until after the event. But if someone has guessed your password and is using it, you may never know. If you are lucky, they may decide not to make any changes - they may simply read your files, access other parts of the computer that you have access to, and leave quietly. They may do this over and over again, over a period of months. The best way to avoid this is to change your password regularly. How often depends on the level of security you need. As a bare minimum, never keep the same password for more than a month, although changing it once a week is better. Some secure systems, such as banks, have passwords that change as often as once every hour. Try to stick to a system - for example, change it every Monday morning as your first job, or last thing before the weekend.

Notes and Examples.

Enforced Systems

Some systems enforce some of the rules above. For example, they may not allow dictionary words to be entered. They may force numbers or punctuation marks to be used, to make the password harder to guess. They may also force you to change the password on a regular basis. These rules may seem annoying, but they exist for the good reasons laid out above. Your system administrators are obviously security conscious, and are providing the best level of security they can.
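On a UNIX system the "change it regularly" rule is enforced through the password ageing fields in /etc/shadow, which an administrator can audit. The script below is an added example (not from the original page): it reads shadow-format lines, lists accounts whose password is older than a 30-day policy, and lists accounts whose ageing field still allows a longer lifetime. The sample lines, hashes and user names are constructed; the field layout, the day-number convention and the chage -M command are standard.

```python
from datetime import date

# Constructed sample in /etc/shadow format, with fake hashes. Real data lives in /etc/shadow
# (readable by root only). Fields: name:hash:lastchg:min:max:warn:inactive:expire:flag.
# lastchg is the day of the last password change, counted in days since 1970-01-01;
# max is the number of days the password may be kept before the system forces a change.
SAMPLE_SHADOW = """\
root:$6$fakehash:19000:0:99999:7:::
alice:$6$fakehash:19700:0:30:7:::
bob:$6$fakehash:19650:0:99999:7:::
carol:*:18000:0:99999:7:::
"""

EPOCH = date(1970, 1, 1)
NO_EXPIRY = 99999  # the conventional "never expires" value in the max field


def parse_shadow(text):
    """Return {user: (last_change_day, max_days)} for accounts that have a usable hash."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, pw_hash, lastchg, _min_days, max_days = line.split(":")[:5]
        # '*', '!' or '!<hash>' mean the account is locked or has no password set.
        if pw_hash in ("", "*") or pw_hash.startswith("!"):
            continue
        entries[name] = (int(lastchg) if lastchg else 0,
                         int(max_days) if max_days else NO_EXPIRY)
    return entries


def stale_passwords(entries, today_days, policy_max_days=30):
    """[(user, age_in_days)] for passwords older than the policy allows.
    today_days is today's date as a day number since 1970-01-01, the unit shadow uses."""
    return sorted((user, today_days - lastchg)
                  for user, (lastchg, _max) in entries.items()
                  if today_days - lastchg > policy_max_days)


def expiry_not_enforced(entries, policy_max_days=30):
    """Users whose max field lets them keep a password longer than the policy."""
    return sorted(user for user, (_lastchg, max_days) in entries.items()
                  if max_days > policy_max_days)


if __name__ == "__main__":
    entries = parse_shadow(SAMPLE_SHADOW)
    # A fixed "today" (day 19720, i.e. 2023-12-29) keeps the sample run reproducible;
    # for a live audit use (date.today() - EPOCH).days instead.
    today_days = 19720
    for user, age in stale_passwords(entries, today_days):
        print(f"{user}: password is {age} days old")
    for user in expiry_not_enforced(entries):
        print(f"{user}: no expiry enforced (fix with: chage -M 30 {user})")
```

Locked accounts (hash of * or starting with !) are skipped because they cannot be logged into with a password at all; the two lists answer different questions, "who has not changed recently" and "who is not being forced to".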

Things not to use

A hacker will always try a list of obvious words first, and they often succeed. Certainly avoid all of the following, and all variations:

If possible, avoid any word that will appear in a dictionary.

Things to use

The most secure passwords are a mix of letters, numbers and punctuation marks. Try to use at least 8 characters. To help you remember these 'hard passwords', design them to be the initial letters of a sentence. Replace some letters with numbers, e.g. 'O' = '0', 'S' = '5', 'I' = '1', etc. Look at the following examples:

I remember my password by:       Password is:
Two Plus Three Equals Five       2+ThreeEF (could also use: TplusT=5, sumTP3=F, etc.)
Bryan Adams - Summer of 69       BA-S.o.'69
To Paris for a holiday           2Paris4Hols (or TPari54ho1s)
Hot Air Balloon                  H0t!A1r!Ba1100n

Of course, we don't need to say it: Don't use any of the examples above!
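The rules from the 'cracking' and 'Things to use' sections above can be turned into a checker of the kind an enforcing system runs before accepting a new password. The following is an added example, not code from the original page: it checks length and character mix, and undoes the letter-for-digit substitutions before looking the result up in a word list, so that a single disguised dictionary word such as 'Ba1100n' is still caught. The word list is a constructed stand-in for a real dictionary file, and the substitution table extends the page's O=0, S=5, I=1 with a few assumed common ones.

```python
import string

# Constructed mini word list; a real check would load a full dictionary (e.g. /usr/share/dict/words).
WORDLIST = {"password", "balloon", "paris", "summer", "holiday", "secret", "dragon", "monkey"}

# Letters each symbol may stand for. O=0, S=5, I=1 come from the text; the rest are assumed
# common substitutions. '1' is ambiguous (i or l), so every reading is tried.
UNSUBSTITUTE = {"0": "o", "5": "s", "1": "il", "3": "e", "4": "a", "@": "a", "$": "s", "!": "i"}


def unsubstituted_variants(text, limit=512):
    """All lower-case readings of text with digit/symbol substitutions undone (capped)."""
    variants = [""]
    for ch in text.lower():
        options = UNSUBSTITUTE.get(ch, ch)
        variants = [v + o for v in variants for o in options][:limit]
    return variants


def dictionary_based(candidate, wordlist=WORDLIST):
    """True if the password is a dictionary word, possibly disguised by case changes,
    substitutions, or trailing digits (e.g. 'Secret1', 'Ba1100n')."""
    stripped = candidate.rstrip(string.digits)
    for text in (candidate, stripped):
        for variant in unsubstituted_variants(text):
            if variant in wordlist:
                return True
    return False


def check_password(candidate, wordlist=WORDLIST):
    """Return a list of problems; an empty list means the candidate passes the rules."""
    problems = []
    if len(candidate) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isalpha() for c in candidate):
        problems.append("no letters")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digits")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no punctuation marks")
    if dictionary_based(candidate, wordlist):
        problems.append("a dictionary word, possibly disguised")
    return problems


if __name__ == "__main__":
    # The page's own examples, plus two weak candidates for contrast.
    for pw in ["2+ThreeEF", "BA-S.o.'69", "2Paris4Hols", "H0t!A1r!Ba1100n", "Ba1100n", "Secret1"]:
        result = check_password(pw)
        print(f"{pw:18} {'OK' if not result else '; '.join(result)}")
```

Only a whole password that reduces to one word is reported as dictionary-based; a phrase such as 'H0t!A1r!Ba1100n' passes because no single dictionary entry matches it. The variant cap keeps a long string of ambiguous digits from expanding without bound.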

When you change your password, don't always use the same scheme. For example, if your old password was based on the 'Summer of 69' example, then don't use another Bryan Adams song (or even any song!) as the basis for your next password. Think of something different.

First Line of Defence

Although it seems simple, by choosing a good password you have just blocked the hackers' easiest route into the system. More successful hacks take place by guessing passwords than by all other methods put together. Take a bit of pride in choosing your passwords - you are the first line of defence. Never let anyone guess one of your passwords, or find one written on your monitor!