You and Your Password
When you received your account information, you were given a generated password that probably looked a lot like line noise and seemed about as memorable. You should change your password as soon as you log in for the first time to something you can remember more easily—that way you won't have to write it down where someone else can find and use it. But you should still try to come up with a password that's as secure as possible.
Changing Your Password
To change your password, open a terminal window and type yppasswd. The program will ask you for your current password, then prompt you to enter a new password twice (to make sure that you don't mistype it).
General Password Policies
Cracked accounts are a risk for everyone. While the worst someone might be able to do to you directly is send out some embarrassing e-mail messages, they could also use your account to launch attacks on other systems at Mudd, the other Claremont colleges, and companies and institutions around the world.
Thus choosing a good password and keeping it secure is very important.
Keep the following in mind:
- Passwords are private
- Do not share your password with anyone—roommates, friends, family members, research partners, pets, and so
If someone needs access to the math department computers, they should request their own account. If they need a file in your account, e-mail it to them, or copy it to their computer some other way.
We (the systems-administration staff) will never, ever ask you for your password. If someone does ask you for your password, please report them to us so we can check them out.
- Change your password regularly
- The longer you use a password, the more likely it is that someone may have figured it out. So change your password every so often—every few months, or every couple of weeks if you're feeling extra paranoid.
- Beware of off-campus use
- If you log into your account from an off-campus site (e.g., when you're visiting a friend at their school or hanging out in an Internet café), you should change your password when you get back to Mudd.
- While you'll only be able to log in via ssh, your password could be sniffed if you use nonauthenticated POP. There's also always the possibility of someone shoulder surfing your password as you type it.
- Change your password if you type it “in the clear”
- If you accidentally type your password “in the clear” so that it can be read (at a login: prompt, for example), you should change your password immediately.
Choosing Good Passwords
Be sure to choose a password that you can remember, but that will be hard for anyone else to figure out. To help you choose a good password, follow these guidelines:
- Avoid dictionary words. Especially avoid anything incredibly obvious, such as “password” or “secret”.
- Do not use proper names. Don't use the names of people you know or characters from books. Even if you think no one but you has ever read Iain Banks's Culture novels, you're wrong, and you can bet that Diziet Sma, Perosteck Balveda, and Cheradenine Zakalwe are all in some cracker's dictionary.
- Don't use permutations of system usernames. In other words, “0per8oR”, “R00t”, and “dAem0N” are all bad choices.
- Do use different cases, numbers, punctuation, and symbols in your password. Try to use at least one uppercase letter, one lowercase letter, and one number, punctuation or other symbol in your password. In other words, while “secret” is really bad, “5Ecr@t!” is marginally better. (But don't forget the rule about using obvious passwords!)
- Don't use simple keyboard patterns. Avoid obvious patterns such as “qwerty”, “qazwsx”, “`12345”, “mnbvc” and so forth.
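The guidelines above can be applied mechanically to a candidate password before you set it. The following Python is an added example, not part of the original policy or the department's own tooling; the word, name and keyboard lists are small constructed samples, and the function names are hypothetical.

```python
import difflib
import re

# Constructed sample lists; a real check would load a full wordlist and the
# system's account names instead.
WORDS = {"password", "secret", "operator", "root", "daemon"}
NAMES = {"diziet", "balveda", "zakalwe"}
KEY_RUNS = ["`1234567890-=", "qwertyuiop", "asdfghjkl", "zxcvbnm", "qazwsxedc"]
# Common look-alike substitutions ("8" reads as "at", as in "0per8oR").
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "8": "at", "@": "a", "$": "s"})


def has_keyboard_run(low, n=4):
    """True if `low` contains n adjacent keys from a run, in either direction."""
    for row in KEY_RUNS:
        for run in (row, row[::-1]):
            if any(run[i:i + n] in low for i in range(len(run) - n + 1)):
                return True
    return False


def check_password(pw):
    """Return the list of guidelines that `pw` breaks (empty if none found)."""
    problems = []
    if not (re.search(r"[A-Z]", pw) and re.search(r"[a-z]", pw)
            and re.search(r"[^A-Za-z]", pw)):
        problems.append("character mix")
    low = pw.lower()
    if has_keyboard_run(low):
        problems.append("keyboard pattern")
    # Undo substitutions and drop leftover symbols before comparing to words.
    plain = re.sub(r"[^a-z]", "", low.translate(LEET))
    # A close match (not just an exact one) catches near-misses like "secrat".
    if difflib.get_close_matches(plain, WORDS, n=1, cutoff=0.8):
        problems.append("dictionary word or username")
    if any(name in plain for name in NAMES):
        problems.append("proper name")
    return problems


if __name__ == "__main__":
    for pw in ["secret", "5Ecr@t!", "0per8oR", "R00t", "dAem0N", "mnbvc", "Zakalwe42"]:
        print(f"{pw!r}: {check_password(pw)}")
```

Note that “5Ecr@t!” passes the character-mix rule yet is still reported, because undoing the substitutions leaves a string one letter away from “secret”.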
Your friendly systems administration staff will occasionally run password-cracking programs in an attempt to enforce the use of secure passwords. If your password is cracked during one of these runs, you will receive an e-mail message asking you to change your password to something more secure. If we find that you haven't changed your password the next time the cracking program is run, your account will be disabled. You will have to request a password reset from the systems administrator, and will probably receive a stern lecture about the dangers of easily cracked passwords.
While you may be concerned about the security of the system, you are not allowed to run a password-cracking program yourself. Ever.
If you forget your password, you can request a password reset from the systems-administration staff. There are two basic approaches available:
- Stop by the systems administrator's office with photo ID. She will let you change your password to anything you like.
- Send e-mail to firstname.lastname@example.org and ask to have your password reset. The systems administrator will reset your password to something gnarly. You must then stop by her office with photo ID to pick up the reset password.
Note that in both cases you will have to stop by the systems administrator's office with photo ID. Passwords will not be sent by e-mail, given out by telephone, or sent through interoffice mail or the U.S. Postal System.
The sole exception is if you have a GPG key that has been signed by the systems administrator so that strong encryption can be used to protect your password. Note that getting your GPG key signed by the systems administrator will require you to come by her office with government-issued photo ID (passports are ideal, driver's licenses less so). By now, I imagine you're getting the picture. (*rim shot*)