Information Technology - The University of Oklahoma Health Sciences Center

WHY WE MUST USE STRONG PASSWORDS

Recent virus-borne password attacks have occurred against OU computer systems and your action is required to combat these attempts. These virus attacks attempt to gain access to computer accounts that have weak passwords.

Please follow the instructions below to create a strong (complex) password.

GUIDELINES

Passwords should be at least eight (8) characters long and not more than 14.

Passwords should contain a combination of letters, numbers, and special characters (:~!@#$%^&*()_+{}[]|<>).

Passwords are case-sensitive.

Passwords should not contain a dictionary word from any dictionary. That includes French, Spanish, medical, etc.

Each password should differ from the user's User-ID and any permutation of that User-ID.

New passwords should differ from the old by at least three characters.

Don't pick names or nicknames of people, pets, or places, or personal information that can be easily found out, such as your address, birthday, or hobbies.

Stay away from common keyboard sequences, such as gwerty1 or abc123.

Do not form a password by appending a digit to a word; this type of password is easily guessed.

Don't write your password down or store it on your computer. NO sticky notes on your monitor.

Keep your password different from any other password so your OUHSC information will still be protected even if your other passwords are stolen.

Don't use any of the example passwords shown here.

Don't share your password with anyone.

You are required to change your password every 180 days.

Risks

If your password is compromised someone else will have access to your email, personal information, etc. More importantly they have your identity.

Do you want someone else reading your email?

Do you want someone to use your User-ID and password to break into a financial institution?

I thought I used a hard to guess password, it was not a dictionary word, and I included numbers, but my password was cracked in 4 minutes.

How long will it take to decipher yours?

How can we produce a password that is secure?

Choosing a Secure a Password

Your password should be difficult for someone else to guess but easy for you to remember (and type!). The more mixed-up and random it is, the harder it is to crack.

Step 1: Choose a favorite quote, phrase, saying, song, habit, title, or make one up.

Step 2: Use the first letter or syllable from each word of the quote to create the first part of your password. Mix uppercase and lowercase letters any way you like, but keep in mind that you'll need to type the letters exactly the same way every time you use the password. If you choose iltpb@6:00 as your password, ILTPB@6:00 won't work. Check the "Caps Lock" indicator on your keyboard before typing your password; if the "Caps Lock" key has been pressed, your password might not be recognized.

Step 3: Then choose relevant special characters (: ~!@#$%^&*()_+{}[]|<> ) and numbers.

Step 4: Combine them to form a password of at least 8 characters but not more than 14.

Example 1
Use a quote: let the wise listen = ltwl
Add the quote reference: ltwl + @pr15 = ltwl@pr15

Example 2
Use a habit: i like to play Basketball at 6:00 = iltpB@6:00

Password complexity requirements

The password does not contain all or part of the user's account name. The password is at least eight characters long and not more than 14.
The password must contain characters from at least three of the following four categories:
- English uppercase characters (A - Z)
- English lowercase characters (a - z)
- Base 10 digits (0 - 9)
- Non-alphanumeric (For example: !, $, #, or %)

These complexity requirements are enforced upon password change or creation of new passwords.

More information about secure passwords can be found at http://www.microsoft.com/security/articles/password.asp

What to do now!!

Step 1: Create a secure password.

Step 2:

ON CAMPUS If you are connecting from ON CAMPUS:

If you are using Windows 2000 or XP, press the <Ctrl-Alt-Del> keys and choose "Change password"

If you are using Mac OS X, please use the off-campus method to change your campus password.

If you are using a UNIX/Linux system using the MS password change/set protocol, you can use 'kpasswd' to change the password for an account on Active Directory. (requires pam_ldap and nss_ldap modules from padl.com)

OFF CAMPUS If you are connecting from OFF CAMPUS:

Click here to Change Your Password

You will be asked for your User-ID
Old password
New password
Remember, passwords are case-sensitive.

Troubleshooting Password Change Problems

Choose a password that is different from the previous 6 passwords.
A password must be used a minimum of 5 days before it can be changed.
After 8 invalid logon attempts within a 15 minute period, the account will be locked for 30 minutes. The counter for bad password attempts is reset after 15 minutes; so, if you are unsuccessful after 7 attempts, wait 15 minutes before trying again. This setting helps prevent automated brute force password cracking attempts that continuously guess passwords.

NOTE: Failed password attempts against workstations or member servers that have been locked using either CTRL+ALT+DELETE or password-protected screen savers do not count as failed logon attempts.

Please call the Service Desk at (405) 271-2203 for questions or help.