
Passwords

What follows is advice on setting your password for use with your Demon dial-up account.

  1. Why is my password important?
  2. When do I need to change my password?
  3. What passwords are accepted by the server?
  4. How do I choose my Demon password?
  5. Examples of bad passwords
  6. How do I choose my Demon password?
  7. How do I change my password?
  8. What if I lose or forget my password?

1. Why is my password important?

You are responsible for your account with Demon Internet. Treat your password to your Demon Internet account as you do the PIN code you use to access your bank account at cash points. Do not share your password with anyone else. Your password is personal and Demon Internet staff will never ask you for your password once it has been set.


2. When do I need to change my password?

Passwords are secret. Whenever you believe that someone has seen you type in your password or has guessed it, you should change it. It is a good idea to change it once you have set up your account. Passwords on Demon Internet accounts do not expire, but it is a good idea to change yours at regular intervals. Read on for instructions.


3. What passwords are accepted by the server?

The server places the following restrictions on passwords:

  1. The password must consist of five or more characters.
  2. Only the first eight characters of the password are significant. Longer passwords will be accepted, but only the first eight characters will be used.
  3. The password must not consist solely of digits - there must be at least one non-numeric character.
  4. The password may contain ASCII letters, digits and non-alphanumeric characters, such as "*" and "%".

If your password fails to meet these conditions it will be rejected as unsuitable. Remember that upper- and lower-case letters are treated as distinct characters. The passwords "aynilmd" and "Aynilmd" are not the same.

Note: these restrictions are not, by themselves, sufficient to guarantee that the password you choose is safe from attack: they prevent you from choosing a password that is ridiculously weak rather than one which is just ordinarily weak.

Note: there may be restrictions on the characters your telnet client and dialler can send, and the restrictions may differ between the two. It may not be obvious that this is happening, as the telnet client and/or dialler may silently discard characters they dislike, so it is possible that you could set a password with your telnet client that your dialler cannot send, or that the password you think you set isn't the one actually stored. These problems are particularly likely to occur with control characters. The following restrictions are known to exist for certain popular software:

DOS KA9Q

The KA9Q dialler dislikes a "$" character in the password.
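The server rules above, together with the client-side caveat, modelled in Python as an added example (this is not Demon's own server or dialler code). It assumes that the "solely digits" test is applied to the eight characters the server actually uses, that rule 4 means printable ASCII (letters, digits and punctuation, no spaces or control characters), and that the only known client restriction is the KA9Q "$" case mentioned above.

```python
"""Model of the server-side password rules described above (added example, not Demon's code)."""
import string

MIN_LENGTH = 5           # rule 1
SIGNIFICANT_CHARS = 8    # rule 2: only the first eight characters are used
# Rule 4 read as printable ASCII: letters, digits and punctuation. Assumption: no spaces.
ALLOWED = set(string.ascii_letters + string.digits + string.punctuation)
# Characters a dialler is known to mishandle (only the case reported on this page).
CLIENT_CANNOT_SEND = {"KA9Q": {"$"}}


def effective_password(password: str) -> str:
    """The part of the password the server actually stores and compares."""
    return password[:SIGNIFICANT_CHARS]


def check_password_accepted(password: str) -> tuple:
    """Apply the server's rules. Returns (accepted, reason)."""
    if len(password) < MIN_LENGTH:
        return False, "fewer than five characters"
    bad = sorted({c for c in password if c not in ALLOWED})
    if bad:
        return False, "unacceptable character(s): " + repr(bad)
    # Rule 3, applied to the characters actually used (assumption).
    if effective_password(password).isdigit():
        return False, "consists solely of digits"
    return True, "accepted"


def same_to_server(a: str, b: str) -> bool:
    """True when the server cannot tell the two apart: the comparison is
    case-sensitive but stops after eight characters."""
    return effective_password(a) == effective_password(b)


def client_can_send(password: str, client: str) -> bool:
    """False if the named dialler is known to mishandle a character in the password."""
    return not (set(password) & CLIENT_CANNOT_SEND.get(client, set()))


if __name__ == "__main__":
    for pw in ["aynilmd", "Aynilmd", "1234", "12345678", "correcthorse", "pa$$word"]:
        print(pw, check_password_accepted(pw), "KA9Q ok:", client_can_send(pw, "KA9Q"))
    # Both become "correcth" on the server, so they are the same password.
    print(same_to_server("correcthorse", "correcthbattery"))
```

The point the truncation makes is easy to miss: two passwords that differ only after the eighth character log in to the same account, so the extra characters add nothing.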



4. How do I choose my Demon password?

If you are sure that nobody who should not do so can gain physical access to your machine then you can rely on your software's dialler storing the password and you don't have to worry about having to remember it. This means you can choose random letters and digits for your password which gives the strongest possible password.

However, having to enter the password manually each time means that it must be easy to remember (so you don't fall into the trap of writing it down) and yet strong enough to resist external attackers. In order to satisfy these two (somewhat conflicting) constraints, you should avoid passwords which are:

  1. The word "password" or "secret"
  2. Your host name and variants of it
  3. Names of family, extended family or friends.
  4. Numbers which you can easily remember: birth dates, National Insurance numbers, bank account numbers, car licence plates, phone numbers or PIN codes.
  5. Words which can be found in dictionaries or atlases.
  6. ACRONYMS, particularly those which are common on the Internet, such as RTFM.
  7. A simple combination of words and numbers, which can be connected to your firm, hobby, or personal circumstances. These are all details which are usually easily found.
  8. A sequence of characters, numbers and symbols which can easily be followed on the keyboard layout, when you type (such as passwords formed from adjacent keys or a small cluster of keys). This may be important if you wish to control your children's access to the Internet by only allowing them to access it with you present - children are observant.
  9. Any systematic algorithm, which repeats itself soon.
  10. Any string which is less than 6 characters.
  11. Examples of passwords you have read or heard. For instance, it would be a very bad idea to use one of the examples from this document.

The types of password listed above are not recommended as they can either be guessed by a person with some knowledge of your personal details or found by a password-cracking program loaded with dictionaries or simple algorithms. Using these types of password is the equivalent of leaving your front door key under the welcome mat - the first place a burglar would look for it.

Other passwords to be avoided include those which are simple modifications of the types of password given above, such as:

  1. Words spelled backwards, or slightly modified (haras, hsara).
  2. Words with simple added numbers (Sarah5).
  3. Simple words with numbers replacing characters in a predictable way (S2r2h).

Note: Parents who do not wish their children to have unsupervised access to the Internet should not underestimate the determination and ingenuity of even young children.



5. Examples of bad passwords

Examples of the type of insecure passwords that should never be used include:

  • alec7 - it's based on the user's name (& it's too short anyway)
  • gillian - girlfriend's name (in a dictionary and easily guessed)
  • naillig - ditto, backwards
  • 12345678 - easy to guess number sequence (& people can watch you type it easily)
  • qwertyui - people can watch you type it easily
  • abcxyz - people can watch you type it easily
  • 0ooooooo - people can watch you type it easily
  • Computer - predictable capitalisation doesn't make it safe
  • wombat6 - appending some random number after a word from a dictionary...
  • cadeau78 - even for French words...
  • mr.spock - it's in a sci-fi dictionary
  • zeolite - it's in a geological dictionary
  • Z30L1T3 - ...ditto...
  • tcp123 - used in setup scripts
  • letmein - <let me in> easy to guess

These examples emphasise that ANY password derived from ANY dictionary word (or personal information), modified in ANY way, constitutes a password that can be guessed or found using a computerised crack program.
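The heuristics that a cracking program (or a password-quality checker run before a password is accepted) applies to the categories listed in sections 4 and 5, written as an added Python example; it is not Demon's checker. The word lists are tiny constructed stand-ins for the dictionaries a real program would load, the personal-information list is supplied by the caller, and the leet-speak table and keyboard-walk threshold are assumptions. It generalises the page's examples: stripped digits, reversal and substitution are tried on every piece of the password, not only the cases shown above.

```python
"""Heuristic weak-password checks of the kind a cracking program applies (added example, not Demon's code)."""
import itertools
import re
import string

# Constructed stand-ins for the word lists a cracking program would load.
DICTIONARY = {"gillian", "computer", "wombat", "cadeau", "zeolite", "spock", "sarah", "wibble"}
COMMON_PASSWORDS = {"password", "secret", "letmein", "tcp"}  # defaults and setup-script passwords
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm", string.ascii_lowercase]
LEET = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b", "@": "a", "$": "s"}
MIN_SENSIBLE_LENGTH = 6   # section 4: avoid anything shorter than six characters


def unleet(word):
    """Every reading of the word with digit/symbol substitutions undone ('1' may be i or l)."""
    if len(word) > 16:            # keep the number of combinations small
        return {word}
    options = [LEET.get(c, c) for c in word]
    return {"".join(p) for p in itertools.product(*options)}


def keyboard_walk_fraction(password):
    """Fraction of adjacent character pairs that are the same key or neighbours on one row."""
    pairs = list(zip(password, password[1:]))
    if not pairs:
        return 0.0

    def adjacent(a, b):
        return any(a in row and b in row and abs(row.index(a) - row.index(b)) <= 1
                   for row in KEYBOARD_ROWS)
    return sum(adjacent(a, b) for a, b in pairs) / len(pairs)


def core_words(password):
    """Candidate base words: the whole password, the runs between punctuation, each with
    leading/trailing digits stripped, and each of those reversed and un-leeted."""
    lower = password.lower()
    pieces = {lower} | {p for p in re.split(r"[^a-z0-9]+", lower) if p}
    pieces |= {p.strip(string.digits) for p in pieces}
    candidates = set()
    for p in pieces:
        if p:
            candidates |= {p, p[::-1]} | unleet(p)
    return candidates


def weaknesses(password, personal=()):
    """Reasons the password falls into a category listed above; an empty list means none found."""
    reasons = []
    if len(password) < MIN_SENSIBLE_LENGTH:
        reasons.append("shorter than six characters")
    if password.isdigit():
        reasons.append("digits only")
    if keyboard_walk_fraction(password.lower()) >= 2 / 3:
        reasons.append("keyboard sequence or repeated key (easy to watch being typed)")
    candidates = core_words(password)
    if candidates & {p.lower() for p in personal}:
        reasons.append("derived from personal information")
    if candidates & COMMON_PASSWORDS:
        reasons.append("common or default password")
    if candidates & DICTIONARY:
        reasons.append("derived from a dictionary word")
    return reasons


if __name__ == "__main__":
    # The page's own examples, with 'alec' and 'gillian' as the constructed personal details.
    for pw in ["alec7", "gillian", "naillig", "12345678", "qwertyui", "abcxyz", "0ooooooo",
               "Computer", "wombat6", "cadeau78", "mr.spock", "zeolite", "Z30L1T3", "tcp123", "letmein"]:
        print(f"{pw:10} {weaknesses(pw, personal=('alec', 'gillian'))}")
```

Every password in section 5 is caught by at least one rule, including "naillig" (reversal) and "Z30L1T3" (substitution). A password that passes these checks is not thereby proven strong; the checks only reproduce the cheapest tricks a cracking program tries first.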



6. How do I choose my Demon password?

For a quick guide to choosing a password please see Names & Password Conventions.

Although simple modifications of bad passwords are still bad passwords, a little extra complexity can produce a good password (but not in the case of your host name - you should never use any variant of your host name). Some possible word, such as "deintmon" (Demon Internet).

  • Make the length 6-8 characters

Ideally you should combine some of the above suggestions rather than rely on any single one of them.

Further advice on sensible passwords can be found at http://www.sas.upenn.edu/Help/Server/account-security.html or by reading the FAQ of the comp.security.unix newsgroup.



7. How do I change my Demon password?

It is a good policy to change your password on a regular basis. To do so go through the following steps:

  1. Choose a new password.
  2. Log in to Demon to make the changes on-line. This is done as follows:
    1. Use your telnet client to telnet to password.demon.co.uk on the default telnet port (23). Or you can give your WWW browser the following URL:
      • telnet://password.demon.co.uk/
    2. When prompted to login give your fully-qualified domain name, i.e., hostname.demon.co.uk.
    3. When prompted for your password, give your current password. Turnpike users please note that this is the password you just used to login to Demon and is not your "sign on" password for Turnpike. This will not be echoed to your screen, so you should be careful typing it - if you get it wrong your password will not be changed.
    4. You will then be prompted for your new password (i.e., the one you wish to use in future). This will not be echoed to your screen, so you should be careful typing it.
    5. You will then be prompted to type your new password again. This is to ensure that you didn't make a mistake the first time. Again, this will not be echoed to your screen. If the two versions of the new password do not match then your password will not be changed.
  3. Change your password in your dial-up script or configuration program so that it sends your new password rather than your old one. For popular connection software, this is achieved as follows:

    Turnpike:

    Run the Turnpike Connect program and use the "Service Access" option from the "Configure" menu. Enter your new password in the "Login password" field in the window that is displayed, then click "OK".

    KA9Q with DIS.EXE front end:

    Select "D Configure Net", "A Configure NET.EXE and DIALER" and then press "F5". Your password is near the bottom of the screen. Please note that KA9Q dislikes a "$" character in the password.

    MacPPP:

    Select MacPPP in the Control Panel and alter the login script. If you are using InterSlip, go to setup and double click on the script to be changed. Don't forget to alter all of your scripts if you use more than one PoP.

  4. Allow about 20 minutes for the password information to propagate before trying to use your new password. There is a period of around 20 minutes before all of our RADIUS database servers are informed of your change of password. During that interval you may have difficulties connecting to Demon - if your login is handled by a RADIUS server which hasn't yet been updated your new password will not work; if your login is handled by a RADIUS server which has been updated then your old password will not work.

The password server password.demon.co.uk is currently for use by UK subscribers (those whose Internet address ends with .demon.co.uk) only. Similarly, Demon password servers in other countries may be used only by subscribers with accounts in those countries. When abroad, UK subscribers dialling into Demon PoPs in other countries must use password.demon.co.uk if they wish to change their password.



8. What if I lose or forget my password?

Your password is stored on Demon's RADIUS servers in what is effectively an irreversibly-encrypted form (actually a cryptographically-strong one-way hash). When you connect to Demon and give your password it is encrypted and checked against the encrypted copy on a RADIUS server. If you lose or forget your password there is no way that Demon can reverse the encryption of the stored password and tell you what the original was.
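What "stored as a one-way hash" means in practice, as an added Python example (not Demon's RADIUS code). The page only says the stored form is a cryptographically strong one-way hash; the choice of PBKDF2-HMAC-SHA256, the per-user random salt and the iteration count are assumptions for illustration.

```python
"""Storing a password as a salted one-way hash and checking a login against it (added example)."""
import hashlib
import hmac
import os

# Assumptions for illustration: PBKDF2-HMAC-SHA256 with a per-user random salt.
ITERATIONS = 100_000


def make_record(password, salt=None):
    """Build the stored record: salt and hash only; the password itself is never kept."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify(record, attempt):
    """Re-derive the hash from the attempt and compare it in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def reset_password(new_password):
    """All that can be done for a forgotten password: issue a fresh record, never read the old one."""
    return make_record(new_password)


if __name__ == "__main__":
    record = make_record("wibble9x")          # constructed sample password
    print(record)                             # no trace of "wibble9x" in what is stored
    print(verify(record, "wibble9x"), verify(record, "Wibble9x"))  # True False
```

The record can only answer "does this attempt hash to the same value?", which is why support can set a new password but cannot tell you the old one.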

Support can, if necessary, set a new password for you but you will need to prove to them that you are who you claim to be, as follows:

  • cite your security phrase (contact support to set a security phrase)
  • give partial credit card details with which the account was set up
  • answer specific personal queries regarding your account

Accurate at the time of writing (08/1996) E&OE

