Password Policy
Acceptable Use
The Wellesley College Acceptable Use Policy applies equally to machines maintained by the Department of Computer Science. Please make sure you have read and understand that policy. If you have any questions, please contact us at CS-SysAdmin@wellesley.edu.
Also, you should know that your password protects not just your own account, but the machine as a whole. Therefore, even though you might not care about having a good password (because your account doesn't contain anything you care about), we care. If your account is broken into by some nefarious hacker, the hacker can use it to attack other accounts and machines. Think of it like having a key to your dorm: if you leave the door unlocked, someone can get in to attack your friends and use your room as a base of operations.
We will be taking steps to protect the security of our computers, including testing passwords. If we find that your password is weak, we will ask you to change it to a better one. If you don't, we will have to lock your account. We do this not to be nasty, but because we have a responsibility to protect all the users on the machine. If your account is locked due to a bad password, you will receive an email telling you of the problem and explaining how to change your password. Until you resolve the problem, your account will be unusable. If this prevents you from finishing classwork, you'll have to talk to your professor about the consequences.
Basic Password Advice
Most people know the general rules for making a good password; the trouble is that good passwords are usually more work than bad ones, and we all get lazy. Here is some advice on choosing a good password:
- Use a mixture of upper and lower case letters, digits, and special characters.
- Longer passwords are more secure than short ones.
- Don't use information associated with you that someone could guess.
- Don't write it down, but don't forget it. We don't have it, so we can't tell you what it is. If you forget (we're all human), you'll just have to change it.
- Use different passwords for different systems and purposes. That way, if one password is broken, the others will be okay.
Changing your password
If you have an account that you only use by SCP (such as for CS110 or CS111), and you need to change your password, you can ask the system administrator to change it for you.
If you have a "shell" account, meaning that you can log in directly to a Linux machine in the lab, you can change your password by using the "yppasswd" command. It will ask you for your old password and then your new one, twice. (It asks twice so that an accidental typo doesn't lock you out of your account!) The command will not echo your password, not even with asterisks or anything. Here's an example:
[cs307@puma cs307] yppasswd
Changing NIS account information for cs307 on puma.
Please enter old password:
Changing NIS password for cs307 on puma.
Please enter new password:
Please retype new password:
The NIS password has been changed on puma.
Note: if you find that you have forgotten your password, you can ask the system administrator to change it for you. Unfortunately, no one can tell you what your old password was, because that information is not retained by anyone. Only you (should) know your password.
Additional Password Advice
The following password advice is quoted from the "man" (user manual) pages on a Linux machine. It's good advice that has stood the test of time. Your password not only protects you, it protects the machine as a whole, so it is an important "civic virtue" that you choose a good password.
Remember the following two principles:
Protect your password.
Don't write down your password -- memorize it. In particular, don't write it down and leave it anywhere, and don't place it in an unencrypted file! Use unrelated passwords for systems controlled by different organizations. Don't give or share your password, in particular to someone claiming to be from computer support or a vendor. Don't let anyone watch you enter your password. Don't enter your password to a computer you don't trust or if things seem odd. Use the password for a limited time and change it periodically.
Choose a hard-to-guess password.
The system will try to prevent you from choosing a really bad password, but it isn't foolproof; create your password wisely.
Don't use something you'd find in a dictionary (in any language or jargon). Don't use a name (including that of a spouse, parent, child, pet, fantasy character, famous person, and location) or any variation of your personal or account name. Don't use accessible information about you (such as your phone number, license plate, or social security number) or your environment. Don't use a birthday or a simple pattern (such as backwards, followed by a digit, or preceded by a digit).
Instead, use a mixture of upper and lower case letters, as well as digits or punctuation. When choosing a new password, make sure it's unrelated to any previous password. Use long passwords (say 8 characters long). You might use a word pair with punctuation inserted, a passphrase (an understandable sequence of words), or the first letter of each word in a passphrase.
These principles are partially enforced by the system, but only partly so. Vigilance on your part will make the system much more secure.
You should remember your password (try to memorize it). If you do forget, no one can tell you what it is, because nothing on the system records that information. However, the system administrators can reset your password, should you happen to forget it.
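The guessability rules quoted above (dictionary words, account-name variations, reversal, a digit added before or after, length, character mix) can be expressed as a small checker. This is an added example, not the department's or the system's actual test; the word list, the function name and the three-character-class threshold are assumptions, and the minimum length of 8 comes from the advice above.

```python
import re

# Constructed stand-in for a system word list such as /usr/share/dict/words.
SAMPLE_WORDS = {"password", "wellesley", "dragon", "puma", "secret", "welcome"}


def password_problems(password, account, words=SAMPLE_WORDS, min_len=8):
    """Return the reasons a password is weak; an empty list means it passed."""
    problems = []
    lowered = password.lower()
    # Strip leading and trailing digits so "word1" and "1word" reduce to "word".
    core = re.sub(r"^\d+|\d+$", "", lowered)
    # Also test each form backwards, since reversal is a "simple pattern".
    candidates = {lowered, core, lowered[::-1], core[::-1]}

    if len(password) < min_len:
        problems.append("too short")

    # Count which of the four character classes are present.
    classes = sum(bool(re.search(pattern, password))
                  for pattern in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:  # assumed threshold, not taken from the policy
        problems.append("needs more character classes")

    if candidates & set(words):
        problems.append("dictionary word or simple variation")

    acct = account.lower()
    if acct and any(acct in candidate for candidate in candidates):
        problems.append("based on account name")

    return problems


if __name__ == "__main__":
    # Constructed sample passwords; "cs307" is the account from the session above.
    for pw in ("Password1", "nogard", "703sc!XY", "Blue-Kettle;42"):
        print(pw, "->", password_problems(pw, "cs307") or "ok")
```

A real check would load a full word list and more transformations; passing this checker only means the password avoids the specific patterns listed here.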