Choosing a Good Password

Note: much of this is now outdated advice. For example, 7-8 characters are not nearly enough. It could even be argued that passwords are a broken system. If you don't have the luxury of using something else, you'd be better off choosing a passphrase.

Many of us work with sensitive and/or confidential information that is protected by little more than a username and password. It is essential that you choose good, secure passwords. However, it may not be obvious to you what constitutes a secure password. These are some tips to help you choose a good password.

If you read nothing else, read this.

Passwords should be:

If your password is so complex that you need to write it down, choose another one.

For details on how to choose a secure password, read this. For a more detailed discussion of why you should be concerned, read on...

Why worry about passwords?

A significant percentage of computer break-ins can be traced to a poorly chosen password. Passwords are therefore among the most crucial — and most often exploited — aspects of computer security. One bad password can potentially compromise an entire system's security. If a user's password is discovered, an attacker can lurk around for months posing as that user and probing other security weaknesses at leisure.

If you work with confidential information, then you need to protect the confidentiality of that information with a solid, well-chosen password. Using a poor password risks exposing confidential data.

What's a poor password?

An easily cracked password has one or more of the following characteristics. Do not use any of the following in your password:

What's a good password?

Good passwords:

How do I choose a good password?

Although the above restrictions may seem intimidating, choosing a password can be easy.

  1. You could do something simple like picking two words, splitting them into non-dictionary words, and adding a number and other characters to the middle:

    "wonderful morning" becomes "Wo58*Ng" (note that at least one letter is capitalized).

  2. Another method is to use a sentence like:

    I bought 3 sandwiches for lunch today, George

    and turn it into a password such as:


    using the first letter of each word, substituting numbers for words when possible (2d = today). This looks like a gobbledegook password — which is good, because it's hard to crack.

  3. Another good system is keyboard patterns — type out a pattern on your keyboard (being sure to use numbers and the shift key occasionally). Be careful not to use simple patterns like qwerty!
  4. If you have access to more than one system, you should use a different password on each one. Do not use your login password as the password on any other system. This might seem difficult, but you might simply modify a base password on each system you access.

    For example, on a computer called isis, the base Ib3s4l2d,G could be modified to Ib3s4l2d,Gi, while on a computer called metro1 the password could be changed to Ib3s4l2d,Gm.

    Obviously, because this method has now been published, you should choose another system for varying your passwords.

Once you choose a secure password, never share it with anyone, not even a system administrator.

Finally, if you absolutely must write down your password, follow a few basic precautions:

This should be enough to give you a good start. If you have any questions, your system administrator will probably have suggestions.