The UF has a "strong" password standard
that requires a minimum number of characters,
3 of the 4 kinds of characters on
standard micro keyboards, scheduled changes, no words
that appear in the dictionary, no reuse, and so
on. They also vary by authorization levels
as described in (2) directly below. All users of UF IT systems should
be familiar with the standards and
specifications at the following UF IT sites:
(1) www.it.ufl.edu/policies/information-security-and-compliance/authentication-management-policy
(2) www.it.ufl.edu/policies/information-security-and-compliance/authentication-management-standard
(3) www.it.ufl.edu/policies/information-security-and-compliance/password-complexity-standard
The password complexity standard set July 15, 2013 includes 33 special characters:
Allowable Special Characters (as of 15JUL13), Numbered Characters, & Alphas:
~ ! @ # $ % ^ & * ( ) _ + | - = \ { } [ ] : " ; ' < > ? , . /
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
- - - - - - - - - - - - - - - - -
a b c d e f g h i j k l m n o p q r s t u v w x y z
z y x w v u t s r q p o n m l k j i h g f e d c b a
The space bar is also allowed as a special character as noted in the (3) above.
Excluded is the left-slanting accent key directly above the
Tab key. The prior UF set included 17; they have a dash "-" under their corresponding
number above.
The standard is very explicit on what cannot be
the case, but does not suggest what can be the
case. It is very similar to other published
standards in this respect.
You may wish to use the following mode for setting
a password you can easily remember. It has
been in use and recommended for years: the familiar
backward mode.
- Pick a familiar, but not personal, name for a
person, item, pet, etc., you can easily remember
e.g., Mike your first school roommate, a cedar tree in
a park, Rex a neighbor's dog.
- Decide what you want to call the type or thing,
e.g, roomie, plant, canine.
- Establish the age designation of it, e.g., Mike
was born in 1946 = 46, the tree was first seen in
2001 = 01, Rex is 5 years old = 05.
- Establish the number of times alphabetically
your current familiar backward set has been used,
e.g., the first is z, the second is y, the third
is x. etc., backward-corresponding alphabet letters
in the two Alpha lines above.
- Employ the backward rule for the password, i.e.,
the name backward, use-times
alpha designation, the type backward, and the age
designation backward. Start with a capital.
Ekimzeimoor64 |
Radecztnalp10 |
Xerzeninac59 |
- Add one (or more) acceptable special character(s) so the
total number of all characters is 9 or more.
Examples:
- Ekimzeimoor!64 (Ekim = Mike, z, iemoor = roomie, !, 64 = 46)
- Radecztnalp10#
- *Xereninacz59
Place the age designation special character in any position you
prefer so you can
easily remember your password. Note that the left-slant
accent mark cannot be used. The accepted special
characters could change in the future.
The age designation could also be numbers from 01 thru 99,
for example, and placed in any location that is easy for you
to remember.
- The above 3 examples meet the UF standards
above. Note that Rex has the type canine
not dog because dog backward is a word in the
dictionary. Do NOT use any example used here.
The standard in (3) includes policy levels (P1-P5).
The "Minimum entropy bits" requirement, 31.5 at most, can
be measured by a "password entropy bits calculator" found
via a search engine. The one at
blog.shay.co/password-entropy
for entrophy bits gives the following results:
Ekimzeimoor!64 88.25 |
Radecztnalp10# 89.01 |
*Xereninacz59 82.19 |
You can enter the blog.shay.co link above for password entropy
and get scores for your current passwords.
- The above mode assumes a minimum of one character
must be changed when the time comes for a required
change. The above examples would be as follows
after the first change. As of this version, one
change is necessary and sufficient to change a password
that meets the UF standards.
Ekimyeimoor#64 |
Radecytnalp10$ |
(Xereninacy59 |
- You will find it easy to create and remember a
name-type-number, type-name-number, name-number-type,
and so on sequence your can easily remember.
And, easy to enter the items backwards on your keyboard
after 5 or 6 entries, though you will likely find it
clumsy to type it initially. Again, use familiar
not personal sets to decrease the probability your
password can be hacked by someone that knows personal
information about you such as your spouse's name, a
child's name or your various addresses.
- Do NOT write down your password. A purpose
of this mode is to eliminate the need to do so.
Writing down passwords is a very common, albeit, bad,
security practice. A Google search 05NOV13 on
the exact word string, "have written down their password", gave
a link to passwordresearch.com reporting a number of bad practices
including (a) 64 percent of end users report writing down their
password, (b) 70 percent do not use unique passwords for
each site, and (C) 33 percent shared their password in the
last month (http://passwordresearch.com/stats/statindex.html).
-
Do NOT tell anyone you are employing this modality.
Hackers' work is made easier with knowledge of patterns or
modes used to create passwords. There are a
number of free password generators available on the Web.
A Google search on the word string, "free password
generator", gave 1.12 million(!) sites.
- You can use a small, easy-to-use and free utility to store userIDs,
passwords, hints, and site URL's on PC's: it encrypts the user's file and requires
an encripted password to open it. You can get it here:
plaza.ufl.edu/dicke/cnso/pswdprom.zip. Created in 1999, it was updated
in 2000 and works in Win XP, 7, and 8.
After unzipping pswdprom.zip's files into a subdirectory, run
passprom.exe. The first time you do so, you will
be prompted to enter the password you will use to enter it.
That first execution will also build an encrypted file named
ppinfo.dat: it will contain your selections for each
userID, password, and related information for each site.
Create a desktop short cut for passprom.exe for easy, quick access.
When opened, a list of the named sites is shown. Click on
one to get a window of that site's entries;
you can click on the icon to the right of the URL
entered for that userID and password to open the URL site.
Then, the userID and password can be individually copied
and pasted into the respective fields of the opened site.
An updated copy of ppinfo.dat can be kept on all your micros so you have uniform
userID/password security.
- On 9/10/05 Dilbert gave the world a humorous view of how many consider
very strict password policies. The boss known by his pointy hair finished
with, "... and starting today, all passwords must contain letters, numbers,
doodles, sign language and squirrel noises."
Last Update 05nov13 URL: http://plaza.ufl.edu/dicke/cnso/passwords.htm