4.11.5.0

Password creation

Why do you have to create a secure password?

In addition to your user name you need a password in order to use the IT resources of the science services in Göttingen. While your user name is probably known to several people, your password must stay secret to prevent a third party from accessing resources in your name. Your password together with your user name enables computer systems to positively identify you. If an unauthorized party learns your password, it has access to your files and can conduct illegal activities over the network in your name.

This is possible because IT services accessible over the Internet are decentralized. Moreover, your user name and password may themselves be the target of an attack. Your password must therefore be as secure as possible against attacks such as systematically trying all character combinations ("brute force"). Often an attacker does not even have to try all combinations: a dictionary attack is used instead to shorten the search if the password consists only of typical character combinations ("1234", "qwerty" or "4711"). For this, attackers may also use personal information about you gathered for example from public Internet sites, such as your date of birth, the names of pets, etc.

Please keep in mind that attackers may also obtain this information by deception ("social engineering"). You should therefore never give information about your password to a third party (including people claiming to be IT staff or administrators).


What requirements must a secure password meet?

To keep a password secret by protecting it against the attacks described above, it should:
  • contain at least eight characters
  • contain at least one special character (e.g. !?"$%&/\()=;@,.-_<>#*+~ or whitespace)
  • contain both upper and lower case letters
  • contain numeric characters


How does one select a secure password that can be easily remembered?

The required complexity leads to passwords that are hard to remember compared to an easy one like "max" or "max2007". There are, however, several methods for generating passwords that are not based on single words and still offer great variety and security.

Passwords are therefore often created from a "memory sentence", for example:
"my user account in Göttingen I use since 2007!"

Abbreviating each word to its first letter and the year to its last two digits gives the following password:

muaiGIus07!

A variation using special characters to set off "-in Göttingen-" results in the password:

mua-iG-us07!

Another variation could be to include the "ö" from "Göttingen", replaced by "o":

mua-iGo-us07!

In addition, some characters may be replaced by similar-looking digits, e.g.:

mua-1G0-us07!

A further method is to extend a password into a phrase. In general, a few additional characters increase the security of a password more than additional special characters do. A fictitious e-mail address, for example, contains many characters and is easy and fast to type:

J.Doe@dreamspace.de or http://dreamspace.de/J.Doe
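The following Python script is an added example, not part of the GWDG page. It checks a candidate password against the four requirements listed above (plus the "typical combination" caveat from the dictionary-attack paragraph) and estimates the brute-force search space, to show in numbers why a few extra letters beat one extra special character. The short list of weak fragments, the 26/26/10/33 alphabet sizes and the function names are assumptions made for the example.

```python
"""Added example (not from the GWDG page): password policy check and a rough
brute-force search-space estimate for the memory-sentence passwords above."""
import math
import string

MIN_LENGTH = 8
# The special characters listed on the page; whitespace counts as well.
SPECIALS = set('!?"$%&/\\()=;@,.-_<>#*+~') | set(string.whitespace)

# Constructed sample of the "typical combinations" a dictionary attack tries.
# A real check would use a large wordlist; this is only an illustration.
WEAK_FRAGMENTS = ("1234", "qwerty", "4711", "password", "max2007")


def check_policy(pw):
    """Return the list of requirements the password fails (empty = passes)."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append("fewer than eight characters")
    if not any(c in SPECIALS for c in pw):
        failures.append("no special character")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        failures.append("not both upper and lower case")
    if not any(c.isdigit() for c in pw):
        failures.append("no digit")
    lowered = pw.lower()
    if any(frag in lowered for frag in WEAK_FRAGMENTS):
        failures.append("contains a typical combination (dictionary attack)")
    return failures


def search_space_bits(pw):
    """log2 of the candidates an attacker must try if it knows which character
    classes occur.  Assumed class sizes: 26 lower, 26 upper, 10 digits,
    33 printable specials (32 ASCII punctuation marks plus space)."""
    alphabet = 0
    if any(c.islower() for c in pw):
        alphabet += 26
    if any(c.isupper() for c in pw):
        alphabet += 26
    if any(c.isdigit() for c in pw):
        alphabet += 10
    if any(not c.isalnum() for c in pw):
        alphabet += 33
    return len(pw) * math.log2(alphabet)


def lengthening_beats_special(base, with_special, lengthened):
    """Compare two ways of strengthening `base`: appending one special
    character versus appending a few extra letters.  Returns the three
    search-space estimates and whether the longer variant wins."""
    bits = tuple(search_space_bits(p) for p in (base, with_special, lengthened))
    return bits, bits[2] > bits[1]


if __name__ == "__main__":
    for candidate in ("max2007", "muaiGIus07!", "mua-iG-us07!", "A_GotItSince07"):
        print(f"{candidate:16} {search_space_bits(candidate):5.1f} bits "
              f"{check_policy(candidate) or 'OK'}")
    # One special character added to "Max2007" versus five extra letters:
    bits, longer_wins = lengthening_beats_special("Max2007", "Max2007!", "Maxgotit2007")
    print("base / +special / +letters:", [round(b, 1) for b in bits], "longer wins:", longer_wins)
```

Run stand-alone, the script lists each candidate with its estimate and the failed requirements; the last line shows that "Maxgotit2007" (twelve alphanumeric characters, about 71 bits) gives an attacker far more to search than "Max2007!" (eight characters including a special one, about 53 bits), which is the claim made above. The estimate is an upper bound for a pure brute-force attacker; a dictionary attack against "max2007" needs nothing like 2^42 attempts, which is why `check_policy` rejects it separately.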

The memory sentence from the beginning could be simplified into a long phrase:

Account: got it since 2007

Or by writing a few words out in full:

A_GotItSince07

With a little creativity the complexity of a password can easily be increased. One way is to invent fantasy words:

ThroughCryption_2007 or ThrCryp_2007

Numbers and special characters can be combined into fictitious measurements, e.g. an account in Göttingen costing 200$ or being available 150%:

1Acc:_200$ or Acct_geht_150% or 64kg=1Acct

Attention: the examples above are of course no longer suitable now that they are published on this page. They are therefore rejected when you change your password.


Should passwords be saved or noted down?

In general, passwords are not only used for the IT resources of the science services in Göttingen; one also has passwords for private Internet services. Thanks to the GWDG user portal it is only necessary to remember and maintain a single password, which is distributed to all of its systems. However, you will have other passwords as well, for web shops and the like. Storing passwords in an easily accessible place (on your desk or on a post-it on the screen) should be avoided. Storing passwords within an application (web browser or mail client) can also be problematic: be aware that such passwords can be read from the computer's memory by a third party. Nevertheless, it is not practical to come up with a different password for every application, nor should passwords be derived from one another by a systematic pattern.

A reasonable compromise is to match the complexity of a password to the risk of its being compromised: you could use the same password for all web shops where you order books, a different one for your e-mail, etc. The remaining passwords should be generated complex according to the rules above. To maintain secure passwords one can use special programs that store passwords in encrypted form. Such a program must be trusted to keep the passwords secure. Examples are:
