Password Management

  • Protecting Your Password
  • Password Suggestions
  • "Do's" of Password Security
  • "Do Not's" of Password Security
  • Bad Passwords

    Protecting Your Password

    1. Never share your password. It is your unique identity authenticator and is used in conjunction with your VUnetID or other UID to determine the access privileges you have on the computer systems at Vanderbilt.
    2. Never give your password to a person over the phone. No one from ITS will call you and ask for your password. Some persons will masquerade as a system manager or University official in order to get your password and user name to attack systems at Vanderbilt. This is referred to as "Social Engineering."
    3. Understand why you choose a certain type of password. The randomness is to protect you from people who would use wordlists and dictionaries to "guess" your password. The technique is to obtain your encrypted password from some source, such as a system that has been compromised, and then compare it against the encrypted words in the word list in an attempt to find a match. The length of your password is to make it more difficult to use "Brute Force" encryption-breaking techniques to discover your password.
    4. Using your VUnet password from any network outside the Vanderbilt University community is a risk, and can be an extreme risk. Almost all networks have problems with Ethernet sniffer programs that are used to detect and capture your password. The information captured consists of the system, user ID, and password, so that the hacker can then assume your identity and all of your privileges on a given system. Such connections can be made securely. Contact the VUnet Network Security Officer for information on securing external connections.

    Report any problems related to the security of your account or password to the ITS Help Desk at (34)3-9999.

    Reusable Passwords

    Reusable passwords are a necessary part of the computing world today. Hopefully as technology evolves other more secure mechanisms will be broadly used. Until that time it is very important that reusable passwords be selected, protected, and used properly.

    Basic Characteristics

    1. Should be at least 8 characters in length, but no more than 14 characters and include at least one character from each of at least three of the groups in Section 2. The longer the password, the better, as long as you can remember it. The exception to the rule is that Apple Macintosh systems using OS 9 (Classic) or older software can typically handle only 8 characters for any application that is being authorized through the Mac's authorization system.
    2. Strong passwords should mix characters from the different character sets:

      ABCDEFGHIJKLMNOPQRSTUVWXYZ

      abcdefghijklmnopqrstuvwxyz

      0123456789

      ~!@#$%^&*()<>?{}[]

    3. It is important to remember that most passwords are case sensitive.

      SP4j57xX is considered different from sp4j57xx.

    Good Passwords

    Any computer user, by using logic known only to that person, can create a good password that cannot easily be guessed or cracked by computer programs that compare the password to dictionary lists or other logical lists. This means that you can't use any words or sequences of letters, numbers, and special characters that are known to others and would appear on lists such as dictionaries from any language.

    One type of password string can be formed by using the first letter of each of a series of words, along with numbers and special characters, to give an easily remembered string. Examples are as follows:

    "Oh say can you see by (the dawn's early light)"

    could become

    Oscysb$8

    "Under the spreading chestnut tree the village"

    could become

    Utscttv_5

    "Once upon a midnight dreary as I pondered"

    could become

    OuamdaIp5$

    "How do I love thee? Let me count the ways."

    could become

    HdIltLmctw4$

    Other good (non-guessable) passwords can be formed by utilizing initials of persons or pets in the password string. An example is as follows:

    Mother's maiden initials - mre,
    Grandmother's initials - rhg,
    Number and character - $5
    yields the password - Mre$5rhG.

    DO's of Password Security

    1. Do commit your password to memory rather than writing it down. Be innovative and create a password that can easily be remembered but not easily guessed.
    2. Do change your password FREQUENTLY: at least every three months for normal usage, and more frequently if your password is used to access VUnet from other networks such as other colleges or universities, businesses, etc.
    3. Do mix numbers, special characters and both uppercase and lowercase letters in your password.
    4. Do log out of your account when you are finished. This will keep someone from using your access and privileges.

    DO Not's of Password Security

    1. Do not share your password with anyone.
    2. Do not send it in an email message.
    3. Do not use your VUnet ID password as a password on a web site or subscription service.
    4. Do not use words or names from any language.
    5. Do not use words or names spelled backwards.
    6. Do not use personal data, such as your name, birthdate, Social Security number, phone number, or address.
    7. Do not use your VUnet ID as any part of your password.
    8. Do not use passwords explicitly mentioned here as examples, sp4j57xx or Mre$5rhG for instance.

    Examples of Bad Passwords

    1. User name VW - Passwords beetle, rabbit, passat, etc.
    2. User name ford - Passwords taurus, escort, etc.
    3. Any user name - Passwords Susan, robert, sissy, buffy, or any other name.
    4. Any user name - Passwords quantum, chemist, helpdesk, digital, manager, system, physicist, lawyer, etc.
    5. Any user name - Passwords 12345678, 9999999, 666, or any string of numbers.
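
The rules under Basic Characteristics, the Do Not's and the bad-password examples can be checked mechanically when a password is chosen. The following Python sketch is an added example, not code from Vanderbilt or ITS; the function name check_password, the small sample word list, and the choice to strip non-letters before the dictionary lookup are assumptions made for illustration.

```python
import string

# Character groups exactly as listed under Basic Characteristics, item 2.
GROUPS = (
    string.ascii_uppercase,
    string.ascii_lowercase,
    string.digits,
    "~!@#$%^&*()<>?{}[]",
)
# Passwords printed on this page as examples (lowercased); they must be rejected.
PUBLISHED = {"sp4j57xx", "mre$5rhg", "oscysb$8", "utscttv_5",
             "ouamdaip5$", "hdiltlmctw4$"}
# Constructed stand-in word list (assumption); a real check loads a full dictionary.
SAMPLE_WORDS = {"beetle", "rabbit", "passat", "taurus", "escort", "susan",
                "robert", "quantum", "chemist", "helpdesk", "digital",
                "manager", "system"}


def check_password(password, user_id, words=SAMPLE_WORDS):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    lowered = password.lower()
    if not 8 <= len(password) <= 14:
        problems.append("length must be 8 to 14 characters")
    # Count how many of the four groups contribute at least one character.
    used = sum(any(c in group for c in password) for group in GROUPS)
    if used < 3:
        problems.append("needs characters from at least three groups")
    if password.isdigit():
        problems.append("string of numbers")
    if user_id and user_id.lower() in lowered:
        problems.append("contains the user ID")
    if lowered in PUBLISHED:
        problems.append("published example password")
    # Assumption: drop digits and symbols so a padded word is still caught,
    # then test the word both forwards and spelled backwards.
    letters = "".join(c for c in lowered if c.isalpha())
    if letters in words or letters[::-1] in words:
        problems.append("dictionary word or name (possibly reversed)")
    return problems


if __name__ == "__main__":
    for candidate in ("Tq7#mLw9zR", "Mre$5rhG", "12345678", "elteeb"):
        print(candidate, "->", check_password(candidate, "jdoe") or "OK")
```

The dictionary lookup here is the same comparison a word-list guesser performs, which is why any word it finds should be treated as already guessable.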