Statewide Systems Password Information
Passwords are an important tool to help us protect the Statewide Systems from attack. Much of the data in the systems is private and confidential data. In all cases it is important to keep this private and confidential data from everyone who doesn't have a business need to see it. Passwords are one important tool we have to help us meet our responsibilities in this area.
Types of Characters: There are four different types of characters used in making passwords. Use of as many different combinations of these character types greatly increases the resources needed to crack a password.
- Upper case letters (A, B, C, etc.),
- Lower case letters (a, b, c, etc.),
- Arabic numbers (1, 2, 3, etc.), and
- Special Characters = ~ # $ % ^ & * ( ) - + ` : ; , ?
Passwords are often the weakest link in a computer security scheme. Strong passwords are important because password cracking tools continue to improve and the computers used to crack passwords are more powerful. Passwords that once took weeks to break can now be broken in hours. Password cracking software uses one of three approaches: intelligent guessing, dictionary attacks, and automation that tries every possible combination of characters. Given enough time, the automated method can crack any password. However, it still can take months to crack a strong password. That is why we require the use of strong passwords that include at least three of the four character types.
An Easily Broken Password is one that:
Can be easily tied back to the account owner such as:
- user name
- social security number
- relative's names
- birth date
Also, names of places (cities or countries), all numbers, all the same letter or number, keyboard patterns (qwerty, jkl;, etc.) are insecure and easily broken.
A Strong Password is one that:
- is at least eight characters in length,
- is not a name or dictionary word, and
- contains at least three of the four types of characters identified above.
Creating a Strong Password
Combine short, unrelated words with numbers or special characters. For example: eAt42peN Substitute numbers or special characters for letters. (But do not just substitute) For example: livefish - is a bad password. L1veF1sh is better and satisfies the rules, but setting a pattern of 1st letter capitalized, and i's substituted by 1's can be guessed. l!v3f1Sh - is far better, the capitalization and substitution of characters is not predictable.
Remembering Strong Passwords
You may have passwords on many different systems such as your agency's network, SWIFT, SEMA4, Employee Self Service, the EPM Data warehouse, IA Data Warehouse and Budget Information Systems (BIS). Many users will choose to synchronize their password across the various systems. Even though the different systems have different requirements as listed below, it is possible to find a common denominator across all systems so that a strong password can be synchronized. For example, even if your agency's network allows users to keep their passwords for 90 days, the network probably allows more frequent changes so that users of both the network and SEMA4 can change their passwords to conform with the thirty day requirement for SEMA4. Similarly, SWIFT or SEMA4 users can use a combination of Uppercase letters, Numbers and Lowercase letters to satisfy the more stringent character type requirements of other systems. SEMA4 passwords are not case sensitive, but they do accept both uppercase and lowercase letters.
Who can I tell my password to?
- Don't tell your password to anyone!
- Be wary of anyone who requests your password for any reason.
- If you suspect that someone knows your password, change it immediately.
- Don't write down your password. There are several very good, open source (free) tools that allow you to have a different password for all the different programs and websites that you deal with, without actually having to remember all those usernames and passwords available on the web. Of course this all depends on your dept. policies for downloading outside software.