STANFORD UNIVERSITY

INFORMATION TECHNOLOGY SERVICES

SUNet ID Passwords

Introduction

One of the weakest links in Stanford's computer security efforts is your password. Despite the University's efforts to keep hackers out of your personal files and away from Stanford-only resources (e.g., email, web files, licensed software), easily guessed passwords are still a big problem.

Stanford implements a strict password checking system for SUNet IDs to combat this problem. Each time you open a new account or change (reset) your password, the system will prevent you from setting a password that is easily cracked.

In addition, Stanford now recommends "pass phrases" instead of passwords. Pass phrases are longer, but easier to remember than complex passwords, and if well-chosen can provide better protection against hackers.

Rules

Your password or pass phrase must conform to the following rules:

  • It must be 7-40 characters long. It is recommended that passwords be a minimum of nine characters.
  • It must not be a word that appears in any dictionary of English or non-English words or names.
  • It must be composed only of characters in the Roman alphabet or symbols on the U.S. keyboard.
    Note: no Chinese, Korean, Cyrillic, or Japanese characters are allowed.

Creating a pass phrase

A pass phrase is basically just a sentence, including spaces, that you employ instead of a single pass "word." Pass phrases should be at least 15 to 25 characters in length (spaces count as characters). Longer is better because, though pass phrases look simple, the increased length provides so many possible permutations that a standard password-cracking program will not be effective. It is always a good thing to disguise that simplicity by throwing in elements of weirdness, nonsense, or randomness. Here, for example, are a couple of pass phrase candidates:

pizza with crispy spaniels

mangled persimmon therapy

Punctuate and capitalize your phrase:

Pizza with crispy Spaniels!

mangled Persimmon Therapy?

Toss in a few numbers or symbols from the top row of the keyboard, plus some deliberately misspelled words, and you'll create an almost unguessable key to your account:

Pizza w/ 6 krispy Spaniels!

mangl3d Persimmon Th3rapy?

Pass phrase hints

  • If your pass phrase is based on a well-known slogan, expression, song lyric, or quotation, be sure to customize it with misspellings, bad grammar, invented words, deliberate typos, or oddly placed keyboard symbols. You can learn more ways to mix up words using the tactics outlined in the Creating better passwords section, below.
  • Your pass phrase should never contain information that would identify you personally, such as Social Security numbers, telephone numbers, credit card numbers, birth dates, or your SUNet ID. Instead, rely on a phrase that has enough meaning to you that you'll remember it easily, then mix it up.
  • Try to avoid phrases composed of common, smaller words. For example, "My dog has long toes," though long enough to be a decent pass phrase, contains so many small words that a password cracking program might have a better chance of deciphering it.

Note: You can't adopt any of the sample pass phrases shown above as your own SUNet ID pass phrase. They have, for obvious security reasons, been added to the password system's list of ineligible pass phrases, and won't work if you try them.

Creating better passwords

  • Longer passwords are better passwords. The more characters a password cracking program has to crunch, the harder it is to guess.
  • Remove all the vowels from a short phrase in order to create a "word."
    Example: llctsrgry ("All cats are gray")
  • Use an acronym: choose the first or second letter of your favorite quotation.
    Example: itsotfitd ("It's the size of the fight in the dog")
  • Mix letters and non-letters in your passwords. (Non-letters include numbers and all punctuation characters on the keyboard.)
  • Transform a phrase by using numbers or punctuation.
    Examples: Idh82go (I'd hate to go), UR1drful (you are wonderful).
  • Avoid choosing a password that spells a word. But, if you must, then:
    • Introduce "silent" characters into the word. Example: va7ni9lla
    • Deliberately misspell the word or phrase. Example: choklutt
    • Choose a word that is not composed of smaller words.
  • Add random capitalization to your passwords. Capitalize any but the first letter.
    Example: eIeIoH!, o.U.Kid
  • Change your password at least once every six months. You can make three or four passwords if you like, then switch them throughout the year.

Note: You can't adopt any of the sample passwords shown above (choklutt, va7ni9lla, etc.) as your own SUNet ID password. They have, for obvious security reasons, been added to the password system's list of ineligible passwords, and won't work if you try them.

How to Change or Reset your Password

Stanford's computing infrastructure offers different methods for changing your password. Certain methods may work better for you depending on how long your password is, what kind of computer you use, and other factors, but the password changing option at StanfordYou is what the University recommends and most people prefer.

  • To change your password, use the Stanford.You page:
    1. Point your browser at http://stanfordyou.stanford.edu/
    2. If you get a "SUNet ID and Password Required" page:
      • Click on the "Authenticate at weblogin.stanford.edu" button.
      • Enter your SUNet ID and current password; click on "Continue"
      • Click on the "Continue to the link you requested" link.
      • If you find that you can't log in, use one of the other methods shown on this list.
    3. Go to the "your SUNet ID and Email account settings" column.
    4. Click on your SUNet ID.
    5. Click the change link in the Password for SUNet ID section.
    6. Scroll to the "Change Your SUNet ID password" box.
    7. Type your current SUNet ID password in the first field.
    8. Type your new password twice (to protect against accidental typing errors) in the two fields provided.
    9. Click the Save changes button at the bottom of the form.

There is a Video Helplet available that demonstrates how to change your SUNet ID password.

If you have forgotten your SUNet ID password, you can reset it. This is not the same as changing your password (above). This procedure is for when you have a SUNet ID, but you don't remember your password. You will need your SUNet ID, University ID number, Social Security number, and the answer to your "personal fact" question.

  • To reset your password, use the SUNet ID page:
    1. Point your browser at http://sunetid.stanford.edu/
    2. Click on the "Check status/Reset password" link.
    3. Enter your SUNet ID and click "Continue."
    4. Click the "Reset your password" link.
    5. Fill in the identifying information. Then click "Continue."
    6. Type your new password twice (to protect against accidental typing errors) in the two fields provided.
    7. If you haven't done so already, select a "personal fact" prompt from the pull down menu, then type the answer in the field provided.
    8. Click "Continue."
    9. When you reach the "Done" page, remember to quit your browser.

There is a Video Helplet available that demonstrates how to reset your SUNet ID password.

  • To change your password using the command line:
    1. Log on to any Unix workstation.
    2. After logging on, type "passwd" (without quotes) at the system prompt.
    3. Enter your old (current) password when prompted.
    4. Enter your new (proposed) password when prompted.

Note that Eudora's password changing feature does not work for SUNet ID passwords.

What the System Looks For

Dictionary Words
The password-checking system screens all passwords against its own large dictionary of 2.7 million English and non-English common words. The words in most major languages are represented, spelled forward and backward. This dictionary is regularly updated to cover all words peculiar to the University community (such as "stanford"). Any words found in this dictionary are rejected as passwords.

Random Suffixes and Prefixes
Many people attempt to disguise a dictionary word by adding random characters at the beginning or end of the word. The system automatically screens for this technique. For example, the passwords below would not be allowed:

stanfordXX

stanfordX

Xstanford

XXstanford

XXstanfordXX

(No matter what X or XX is.)

Non-Letters As Letters
Many people try to use certain non-letters as letters within their passwords. The system automatically translates all of the following non-letters into letters before looking up words in its dictionary:

$ = s     4 = h     2 = a     3 = e     0 = o     1 = l     1 = i

Passwords like $tanford would therefore be rejected.

Capitalization
SUNet ID passwords are case-sensitive: uppercase and lowercase letters are considered to be separate letters (except at the beginning of a word). Capitalizing random letters in a dictionary word (caRpoRTS) will not, however, fool the screening program. The point is to capitalize letters in a non-word password, in order to provide another layer of complexity against other password-cracking programs.

Obvious Tricks
The system automatically screens out passwords set in the following manner:

  • Passwords based on a dictionary word spelled backward (drofnats).
  • Passwords based on two dictionary words in a row (dogdog).
  • Passwords based on the person's login name.
  • Passwords that are all white space.
  • Passwords that contain control characters.
  • Passwords that are all numbers.
  • Passwords followed and/or preceded by 1 or 2 characters (9cheval, cheval9, 99cheval, cheval99, 99cheval99 etc.)
  • Passwords with several repeating characters (aaaaaaaa or aaaabbbb or abababab).
  • Passwords that do not have more than four characters that differ from the previous character by one (1234abcd).
  • Passwords with license plate patterns (daaaddd).
  • Passwords with social security patterns (dddssdddd).
  • Passwords with phone number patterns (dddsdddd or dddsdddsdddd).
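The screening rules above, together with the length and character-set rules from the Rules section, can be read as one small filter. The following is an added example written for this page, not Stanford's own password checker: it uses a constructed twelve-word dictionary in place of the 2.7-million-word list, and where the page's wording leaves room for interpretation (what counts as "several repeating characters", how the "differ from the previous character by one" rule is counted, and the d/a/s letters in the plate, SSN and phone patterns) the code states the reading it takes in a comment. Since the page lists 1 as both l and i, every 1 is decoded both ways.

```python
import itertools
import re
import string

# Constructed toy stand-in for the 2.7-million-word list the page describes;
# the real dictionary is not on the page. Stored lowercase.
DICTIONARY = {"stanford", "cheval", "carports", "dog", "cats", "gray",
              "pizza", "persimmon", "therapy", "spaniels", "chocolate", "vanilla"}

# Non-letter -> letter table from the page. '1' is listed as both 'l' and 'i',
# so every '1' is tried both ways.
LEET = {"$": "s", "4": "h", "2": "a", "3": "e", "0": "o", "1": "li"}

MIN_LEN, MAX_LEN = 7, 40
# Roman letters, digits, US-keyboard punctuation and the space bar (Rules section).
ALLOWED = set(string.ascii_letters + string.digits + string.punctuation + " ")
# Page notation, read here as d = digit, a = letter, s = separator/other (assumption).
PATTERNS = {"daaaddd", "dddssdddd", "dddsdddd", "dddsdddsdddd"}


def leet_variants(pw):
    """Every spelling obtained by reading the table's non-letters as letters."""
    if pw.count("1") > 12:  # cap the 2**n blow-up: try all-'l' and all-'i' only
        return {"".join(LEET.get(c, c)[0] for c in pw),
                "".join(LEET.get(c, c)[-1] for c in pw)}
    return {"".join(t) for t in itertools.product(*(LEET.get(c, c) for c in pw))}


def stripped_forms(word):
    """word with 0-2 characters removed from the front and/or the back, so that
    Xstanford, stanfordXX and XXstanfordXX all expose 'stanford'."""
    for front in range(3):
        for back in range(3):
            core = word[front:len(word) - back]
            if len(core) >= 3:
                yield core


def dictionary_based(word):
    """True if word is a dictionary word, one spelled backward, or two
    dictionary words run together (the page's dogdog case, generalised)."""
    if word in DICTIONARY or word[::-1] in DICTIONARY:
        return True
    return any(word[:i] in DICTIONARY and word[i:] in DICTIONARY
               for i in range(1, len(word)))


def shape(pw):
    """Reduce a password to the d/a/s notation used by PATTERNS."""
    return "".join("d" if c.isdigit() else "a" if c.isalpha() else "s" for c in pw)


def check_password(pw, login=""):
    """Return the list of reasons the password would be refused; [] means accepted."""
    reasons = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        reasons.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if any(ord(c) < 32 or ord(c) == 127 for c in pw):
        reasons.append("contains control characters")
    elif not set(pw) <= ALLOWED:
        reasons.append("only Roman letters and US-keyboard symbols are allowed")
    if pw.strip() == "":
        reasons.append("all white space")
    elif all(c.isdigit() for c in pw):
        reasons.append("all numbers")
    low = pw.lower()
    if login and (login.lower() in low or login.lower()[::-1] in low):
        reasons.append("based on the login name")
    # aaaaaaaa / aaaabbbb / abababab: a run of 4+ of one character, or a 1-2
    # character unit repeated three or more times (my reading of "several").
    if re.search(r"(.)\1{3,}|(..)\2{2,}", pw):
        reasons.append("repeating characters")
    # 1234abcd: more than four characters sit exactly one code point away from
    # the character before them (my reading of the page's sequence rule).
    if sum(abs(ord(a) - ord(b)) == 1 for a, b in zip(pw, pw[1:])) > 4:
        reasons.append("too many sequential characters")
    if shape(pw) in PATTERNS:
        reasons.append("license plate, SSN or phone number pattern")
    # Case is ignored, non-letters are decoded and affixes stripped before the
    # lookup, so caRpoRTS, $tanford, drofnats and XXstanfordXX all fail here.
    if any(dictionary_based(core)
           for variant in leet_variants(low)
           for core in stripped_forms(variant)):
        reasons.append("based on a dictionary word")
    return reasons


if __name__ == "__main__":
    for candidate in ["XXstanfordXX", "$tanford", "caRpoRTS", "1234abcd",
                      "650-725-1234", "Pizza w/ 6 krispy Spaniels!"]:
        print(f"{candidate!r}: {check_password(candidate, 'jdoe') or 'accepted'}")
```

Order matters in the dictionary stage: the checker lowercases first, then decodes non-letters, then strips up to two characters from each end, and only then asks whether what is left is a word, a word reversed, or two words joined. Doing any of those steps after the lookup would let one of the page's examples through. The two-word check accepts any pair of dictionary words, not just the same word twice, which is slightly stricter than the dogdog example the page gives.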

Last modified Monday, 11-Dec-2006 05:32:02 PM
