A password must consist of a combination of letters and numbers, and possibly also special characters such as punctuation marks. A password must contain between six and eight characters.

Another way to choose a password is to think of a phrase that is well known to you and combine the first letter of each word to form the password. You can randomly use upper case letters. This usually results in a combination of letters which is hard for someone else to guess, yet easy for you to remember. You can also create a pseudonym using alphabetic characters, numbers and special characters, such as T0ys4Us. (Do not use this one!) With some creativity, you can create a password that is easy for you to remember.

The inclusion of numbers or special characters decreases the likelihood that your password could be guessed by someone running a "dictionary program". (One method used to break into systems is to write a program which will read words from a dictionary and then try them as passwords for known computer login names.)

The password changing option through Account Maintenance runs a very sophisticated screening program across all new passwords. It uses a dictionary of 16 million words and patterns taken from an actual password cracking program. The words and patterns in this dictionary come from many languages, technical dictionaries, dictionaries of fictional names/places, and many permutations of patterns of the above. Such words and patterns will be rejected. It is very strict!

BACKGROUND

The people who write computer operating systems have long realized that data security is a desirable part of any multi-user computing system. That is why most systems will not allow you access unless you give some type of password known to both you and the computer operating system. Operating systems employ varied schemes for keeping these passwords a secret, in some cases only storing an encrypted version of the password online.

A great deal of the responsibility for security is also placed upon the shoulders of you, the computer user. Each time you try to access any system, you must identify yourself (i.e., say who you are). You must also authenticate this identification (i.e., prove you are who you say you are). On the College of Engineering computers and IT services, you identify yourself with a login name and authenticate your identity with a password. When you first create your College of Engineering account, you will either be asked to select a password or assigned an "initial" password which you are advised to change after a few months for security reasons.

KEEPING YOUR PASSWORD SECURE

Once you select and use a secure password, your login name will be totally secure only as long as that password is known only to you and the computing system. If you write down your password in a place where others might see it, you are jeopardizing the integrity of whatever information you have stored on your computer account. In keeping your password secure, you should also follow these additional guidelines.

- Do not give out your login name and password over the phone or via an online interactive or mail message.
- Be suspicious if callers or other online users identify themselves as Computing Services personnel and demand your password over the phone or online.
- Report any attempts to obtain passwords. Reporting such an attempt to the system administrator will allow countermeasures to be taken against that attempt to compromise system security.
- You may be asked to change your password periodically. The College of Engineering runs periodic attempts to crack the password database to find weak passwords before hackers do. If your password is cracked by one of our periodic runs, you will be sent email asking you to change your password. You should change this only at http://www.engr.ucsb.edu/eci. If you receive any notices asking you to enter your password at some other location, please notify us; these may be nefarious attempts to gather user passwords.

THE BOTTOM LINE ON PASSWORD SECURITY

In summary:

- Choose passwords which will not be found in any dictionary. You actually will not have a choice in this as the password screening program will not allow it.
- Make the password especially secure by including non-alphanumeric characters.
- Try using a mnemonic to remember your password so that you do not have to write it down. Useful mnemonic devices include substituting digits for words like "to" (2) and "for" (4); punctuation marks like ( or & for "and" are especially useful. Thus a mnemonic like "Four score and seven years ago our Fathers" might be used to generate the password 4s&7yaoF (but do not use this one!).
- Do not use a meaningful system command for a password; i.e. logoff is NOT a good choice for a password. The password screening process will disallow it in any case.
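
The screening described above (dictionary words and simple permutations of them are rejected, alongside the length and letters-plus-numbers rules) can be sketched as follows. This is an added example, not the College of Engineering's screening program: the word list, the substitution table and the function names are assumptions made for illustration.

```python
import re

# Constructed stand-in for the screening dictionary (the page describes
# 16 million words and patterns); "logoff" is the page's own example.
SAMPLE_WORDS = {"password", "logoff", "dragon", "monkey", "secret", "letmein"}

# Digit/symbol-for-letter swaps that a cracking dictionary undoes (assumed set).
LEET = str.maketrans("013457@$!", "oleastasi")

TOO_SHORT_OR_LONG = "length must be six to eight characters"
NEEDS_MIX = "must combine letters and numbers"
IN_DICTIONARY = "matches a dictionary word or a simple permutation of one"


def candidate_forms(password):
    """Return the lower-cased variants a dictionary attack would effectively cover."""
    lowered = password.lower()
    # Drop digits/punctuation tacked onto either end, e.g. "dragon1" or "!secret".
    trimmed = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    forms = set()
    for base in (lowered, trimmed):
        for form in (base, base.translate(LEET)):
            forms.update((form, form[::-1]))  # also catch reversed words
    return forms


def screen(password, words=SAMPLE_WORDS):
    """Return the reasons a new password is rejected; an empty list means accepted."""
    reasons = []
    if not 6 <= len(password) <= 8:
        reasons.append(TOO_SHORT_OR_LONG)
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        reasons.append(NEEDS_MIX)
    if candidate_forms(password) & set(words):
        reasons.append(IN_DICTIONARY)
    return reasons


if __name__ == "__main__":
    # Constructed sample passwords, not taken from any real account.
    for pw in ("logoff", "Dr4g0n1", "ffogol1", "mGw8c&hL"):
        print(pw, "->", screen(pw) or "accepted")
```

Swapping digits into a dictionary word or reversing it does not get past this kind of check, which is why the mnemonic approach in the list above produces better candidates than a decorated word.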