Choosing a Good Password
Note: much of this is now outdated advice. For example, 7-8 characters are not nearly enough. It could even be argued that passwords are a broken system. If you don't have the luxury of using something else, you'd be better off choosing a passphrase.
Many of us work with sensitive and/or confidential information that is protected by little more than a username and password. It is essential that you choose good, secure passwords. However, it may not be obvious to you what constitutes a secure password. These are some tips to help you choose a good password.
If you read nothing else, read this.
Passwords should be:
- at least 7-8 characters long — longer is better
- composed of three of these character classes:
  - lower-case letters: abcd...
  - upper-case letters: ABCD...
  - numeric: 1234...
  - non-alphanumeric: !@#$<,"...
If your password is so complex that you need to write it down, choose another one.
For details on how to choose a secure password, see "How do I choose a good password?" below. For a more detailed discussion of why you should be concerned, read on...
Why worry about passwords?
A significant percentage of computer break-ins can be traced to a poorly chosen password. Passwords are therefore among the most crucial — and most often exploited — aspects of computer security. One bad password can potentially compromise an entire system's security. If a user's password is discovered, an attacker can lurk around for months posing as that user and probing other security weaknesses at leisure.
If you work with confidential information, then you need to protect the confidentiality of that information with a solid, well-chosen password. Using a poor password risks exposing confidential data.
What's a poor password?
An easily cracked password has one or more of the following characteristics. Do not use any of the following in your password:
- a password that you have shared with someone else. Never tell anyone your password! No exceptions. System administrators do not need your password; they can access your account without it. If someone asks for your password, assume it's an attempt to break into a computer — report this to your system administrator immediately;
- a dictionary word — if you can find it in a dictionary of any language, don't use it. Attackers trying to break into a system use computer programs that sniff out poor passwords. One of the first things that these programs do is try dictionary words — and they have access to dictionaries for all sorts of languages, so don't think you're safe by using German, Akkadian, or Farsi;
- your name or the name of your spouse, child, pet, boss or anyone. Do not use names in any form;
- your computer system username or the username of anyone on the system;
- anything that can be found out about you — the street or city where you live, your birthday, license plate number, your social security number, your phone number, the first line of your favorite song, your favorite quotation, etc.;
- anyone's birthday;
- movie or song titles;
- a password composed of all digits or all letters;
- dictionary words in which the letter "l" has been replaced with the number "1", or "E" with "3" (e.g. e1ephant or 3l3phant);
- a word to which a single digit has been appended or prepended (e.g. bookworm5 or 5bookworm);
- the hostname of your computer;
- clever-seeming "magic words" from computer games (e.g. xyzzy);
- simple keyboard patterns like qwerty;
- any of the passwords that are used as examples on this page or anywhere else;
- any of the above spelled backwards;
- passwords that are written down on a note kept under your keyboard or in your desk, or are kept in a file on your computer (including email);
- a password that has never been changed or has not been changed in several months;
- a password that you have used before.
What's a good password?
Good passwords:
- must be at least 7 or 8 characters long — longer is better;
- have both uppercase and lowercase letters;
- also have digits and/or punctuation (this includes !@#$%^&*()_-+=[]{}:;'"\|<>,.?/, although your system may restrict some of these characters);
- may include blank spaces and control characters, but check with your system administrator first — they might cause problems;
- must not appear systematic (e.g. abc123);
- are easy to remember, so they don't need to be written down;
- are only used on one system;
- are never shared with anyone;
- are changed frequently (at least every 90 days, preferably more often).
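The "poor password" and "good password" lists above can be turned into a mechanical check. The following is an added example, not code from the original page: it enforces the length and character-class rules, rejects dictionary words even when disguised with the "1"-for-"l"/"3"-for-"E" trick, a single appended or prepended digit, or reversal, flags keyboard runs and systematic sequences such as abc123, and refuses the passwords this page itself uses as examples. The small DICTIONARY set is a constructed stand-in for a real wordlist.

```python
import re
# Constructed stand-in for a real wordlist; a deployment would load full dictionaries.
DICTIONARY = {"elephant", "bookworm", "password", "wonderful", "morning", "xyzzy"}
# Passwords the page itself uses as examples; the page says never to use them.
PAGE_EXAMPLES = {"Wo58*Ng", "Ib3s4l2d,G", "e1ephant", "3l3phant", "bookworm5", "5bookworm"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
# Undo the letter-for-digit swaps the page warns about (l->1, E->3) plus a few common ones.
UNLEET = str.maketrans({"1": "l", "3": "e", "0": "o", "@": "a", "$": "s"})

def character_classes(pw):
    """Number of character classes present: lower, upper, digit, non-alphanumeric."""
    tests = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(t(c) for c in pw) for t in tests)

def dictionary_forms(pw):
    """Forms a dictionary attack would also try: lowercased, reversed, un-leeted,
    and each of those with a single prepended/appended digit stripped."""
    base = pw.lower()
    forms = {base, base[::-1], base.translate(UNLEET)}
    forms |= {re.sub(r"^\d|\d$", "", f) for f in forms}
    return forms

def is_systematic(pw):
    """True when at least half of the 3-character windows are keyboard-row runs
    (qwerty...) or consecutive characters (abc, 123, cba)."""
    s = pw.lower()
    windows = [s[i:i + 3] for i in range(len(s) - 2)]
    def systematic(w):
        in_row = any(w in row or w in row[::-1] for row in KEYBOARD_ROWS)
        ords = [ord(c) for c in w]
        steps = {ords[1] - ords[0], ords[2] - ords[1]}
        return in_row or steps == {1} or steps == {-1}
    return bool(windows) and 2 * sum(map(systematic, windows)) >= len(windows)

def check_password(pw):
    """Return the page's rules that the password violates (empty list = passes)."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if character_classes(pw) < 3:
        problems.append("fewer than three character classes")
    if dictionary_forms(pw) & DICTIONARY:
        problems.append("dictionary word (possibly disguised or reversed)")
    if is_systematic(pw):
        problems.append("keyboard pattern or systematic sequence")
    if pw in PAGE_EXAMPLES:
        problems.append("published example password")
    return problems
```

Note that the page's own Wo58*Ng example fails the length rule, which is exactly the point the note at the top makes about this advice being dated.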
How do I choose a good password?
Although the above restrictions may seem intimidating, choosing a password can be easy.
- You could do something simple like picking two words, splitting them into non-dictionary words, and adding a number and other characters to the middle: "wonderful morning" becomes "Wo58*Ng" (note that at least one letter is capitalized).
- Another method is to use a sentence like "I bought 3 sandwiches for lunch today, George" and turn it into a password such as Ib3s4l2d,G using the first letter of each word, substituting numbers for words when possible (2d = today). This looks like a gobbledegook password — which is good, because it's hard to crack.
- Another good system is keyboard patterns — type out a pattern on your keyboard (being sure to use numbers and the shift key occasionally). Be careful not to use simple patterns like qwerty!
- If you have access to more than one system, you should use a different password on each one. Do not use your login password as the password on any other system. This might seem difficult, but you might simply modify a base password on each system you access. For example, on a computer called isis, the base Ib3s4l2d,G could be modified to Ib3s4l2d,Gi, while on a computer called metro1 the password could be changed to Ib3s4l2d,Gm. Obviously, because this method has now been published, you should choose another system for varying your passwords.
Once you choose a secure password, never share it with anyone, not even a system administrator.
Finally, if you absolutely must write down your password, follow a few basic precautions:
- don't write it down — choose another password, one that's easy to remember;
- don't identify your password as being a password;
- don't write down the name of the system for which it is a password;
- don't write it on a note that you keep under your keyboard or anywhere near your computer;
- instead of writing the actual password, try to disguise it. For example, if your password is Wo58*Ng, write gWo58*N. Again, you should choose a system more complex than this, now that this has been published for the world to see.
- don't write it down. Really.
This should be enough to give you a good start. If you have any questions, your system administrator will probably have suggestions.