Password Maintenance Policy
In an effort to provide a secure and reliable computing environment to all
members of the KFUPM Community, and based on the approval of H. E. The Rector
on the recommendations of the Computer Utilization Committee, the ITC has
developed an enhanced password maintenance policy for both the Internet and UNIX
accounts. We kindly request that all members of our community adhere to the following
policy statements:
- All users are advised to change their passwords for both the Internet and UNIX
accounts once before May 15, 2001 for the first time, and must change them every
three months thereafter. The UNIX and NT systems will require users to change
their passwords when they fall due. An e-mail warning will be sent to users in advance to
remind them of the due date for the password change.
- The new password must meet the following simple criteria:
  - The password must have at least 8 characters, and the new password must be
different from your previous password.
  - The password must contain at least 2 non-alphabetic characters [non-alphabetic
characters include the digits 0 to 9 and special characters such as !@#$%^&*()_+].
Password Selection Guidelines
The object when choosing a password is to make it as difficult as possible for a hacker/cracker
to make educated guesses about what you've chosen. This leaves hackers/crackers no alternative
but a brute-force search, trying every possible combination of letters, numbers, and punctuation.
A search of this sort, even conducted on a machine that could try one million passwords per second
(most machines can try fewer than one hundred per second), would require, on average, over one
hundred years to complete. The following password selection guidelines may be useful (from
APS Online Journal password selection):
Some Do's
- Do use a password with mixed-case alphabetic characters.
- Do use a password with non-alphabetic characters, e.g., digits or punctuation.
- Do use a password that is easy to remember, so you don't have to write it down.
- Do use a password that you can type quickly, without having to look at the keyboard.
This makes it harder for someone to steal your password by watching over your shoulder.
Some Don'ts
- Don't use your login name (username) in any form (as-is, reversed, capitalized, doubled, etc.).
- Don't use your first or last name in any form.
- Don't use your spouse's or child's name.
- Don't use other information easily obtained about you. This includes license plate
numbers, telephone numbers, social security numbers, member society number, the brand
of your automobile, the name of the street you live on, etc.
- Don't use a password of all digits, or all the same letter. This significantly decreases
the search time for a hacker/cracker.
- Don't use a word contained in (English or foreign language) dictionaries, spelling lists, or
other lists of words.
- Don't use a password shorter than six characters.
Although this list may seem to restrict passwords to an extreme, there are several methods
for choosing secure, easy-to-remember passwords that obey the above guidelines. Some of
these include the following:
- Choose a line or two from a song or poem, and use the first letter of each word. For
example, "Let me take you down, 'cause I'm going to Strawberry Fields" becomes
"LmtydcIgtSF". (Of course, only the first eight characters count.)
- Alternate between one consonant and one or two vowels, up to eight characters.
This provides nonsense words that usually make excellent passwords. Examples include
"bababuoy," "seeplip," and so on.
- Choose two short words and join them with a punctuation character
between them. For example: "cat;snow," "trip+car," "pill?dog."
The importance of obeying these password selection guidelines cannot be overemphasized.
The infamous "Internet Worm," as part of its strategy for breaking into new machines,
attempted to crack user passwords. First, the "Worm" tried simple choices such as the
login name, user's first and last names, and so on. Next, the "Worm" tried each word
present in an internal dictionary of 432 words (presumably the "Worm's" creator considered
these words to be "good" words to try). If all else failed, the "Worm" tried going through
the host system dictionary, /usr/dict/words, trying each word. The password selection
guidelines above successfully guard against all three of these strategies, according to
popular security handbooks.