Selecting Good Passwords
Rationale
When choosing a password, the object of the game is to make it as difficult as possible for a cracker to make educated guesses about what you've chosen. This leaves him no alternative but a time-consuming brute force search, trying every possible combination of the 95 ASCII characters (letters, numbers, and punctuation marks) which can be used to construct a legal password. Modern desktop hardware and cracking software can perform on the order of 100,000 password comparisons per second. At this rate, a cracker would need about 1,000 years, on average, to guess a password of 8 characters, if the characters were randomly selected.
Anyone, however, can use readily available desktop hardware and software to guess a poorly chosen password in minutes. How? By using software tools which "understand" how people typically select passwords. For example, because we find it very difficult to remember truly random strings of characters, we might select a password based on an actual word in our first or second language, perhaps adding a digit or two to the end. Or we might pick a favorite word, or someone's name, and spell it backwards. Unfortunately, behaviors like these are highly predictable, and thus the passwords we tend to pick can often be guessed in minutes by password cracking software.
Choosing a good password, then, comes down to avoiding the kinds of character-string patterns a cracker's software will be looking for, while still coming up with something you can remember without having to write it down. The following guidelines are meant to help you pick a password which you can remember, but which no one else can predict.
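The arithmetic behind the "about 1,000 years" figure, as an added example that is not part of the original page. The 95-character alphabet and the rate of 100,000 comparisons per second are the page's numbers; the lower-case-only row is added for contrast, and the entropy figure is the standard log2 of the keyspace. Plug in a current guessing rate to see how the estimate shrinks.

```python
import math

# Added example: how the brute-force estimate in the text follows from the
# keyspace size and the guessing rate.
PRINTABLE_ASCII = 95          # letters, digits and punctuation (the page's alphabet)
LOWERCASE_ONLY = 26           # for contrast: lower-case letters only
RATE_FROM_PAGE = 100_000      # password comparisons per second quoted by the page
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters from the alphabet."""
    return alphabet_size ** length


def expected_seconds(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Average time for exhaustive search to hit a uniformly random password.

    On average the attacker tries half of the keyspace before succeeding, so the
    expectation is (keyspace / 2) / rate.
    """
    return keyspace(alphabet_size, length) / 2 / guesses_per_second


def expected_years(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    return expected_seconds(alphabet_size, length, guesses_per_second) / SECONDS_PER_YEAR


def bits_of_entropy(alphabet_size: int, length: int) -> float:
    """log2 of the keyspace: every extra character adds log2(alphabet_size) bits."""
    return length * math.log2(alphabet_size)


def comparison_table(rate: float = RATE_FROM_PAGE):
    """Rows of (alphabet, length, bits, expected years) for a few lengths."""
    rows = []
    for name, size in (("95 printable ASCII", PRINTABLE_ASCII),
                       ("26 lower-case letters", LOWERCASE_ONLY)):
        for length in (6, 8, 10):
            rows.append((name, length,
                         round(bits_of_entropy(size, length), 1),
                         expected_years(size, length, rate)))
    return rows


if __name__ == "__main__":
    for name, length, bits, years in comparison_table():
        print(f"{name:22s} length {length:2d}  {bits:5.1f} bits  {years:12.4g} years")
```

The random 8-character password over 95 symbols comes out at roughly 1,050 years at the page's rate; the same length drawn from lower-case letters only is a matter of days, which is the whole point of the "What to Use" rules that follow.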
What Not to Use
- Don't use your login name in any form (as-is, reversed, capitalized, doubled, etc.).
- Don't use your first or last name in any form.
- Don't use your spouse's, child's or pet's name.
- Don't use other information easily obtained about you. This includes license plate numbers, telephone numbers, zip codes, social security numbers, birthdates, the brand of your automobile, the name of the street you live on, etc.
- Don't use a password of all digits, or all the same letter.
- Don't use any short word or letter pattern repeated two or three times.
- Don't use any word contained in any dictionary, in any language.
- Don't use the name of any person or place, either real or fictional, no matter how obscure it seems to you.
- Don't use any word (dictionary, person or place) followed by or preceded by a single digit or punctuation mark.
- Don't use any word spelled backwards.
- Don't use a password shorter than six characters.
What to Use
- Do use a password with both upper case and lower case letters.
- Do use a password with at least one number.
- Do use a password with nonalphabetic characters, e.g., digits and/or punctuation marks.
- Do use a password that you can remember, so you don't have to write it down.
- Do use a password that you can type fairly easily and quickly. This makes it harder for someone to steal your password by watching over your shoulder.
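A check that encodes the two lists above, as an added example that is not part of the original page: the "What Not to Use" rules are reported as problems and the "What to Use" rules as warnings. The word list is a constructed stand-in for a real multi-language dictionary, the login name and personal names are supplied by the caller, and the two regular expressions are my rendering of "a word followed or preceded by a single digit or punctuation mark" and "a short pattern repeated two or three times".

```python
import re

# Constructed stand-in for a real dictionary (assumption: a deployment would
# load a large word list covering every language its users speak).
DICTIONARY = {"apple", "book", "crow", "dog", "mug", "password", "rain",
              "secret", "summer", "winter"}

# One word, optionally preceded or followed by ONE digit or punctuation mark.
_WORD_PLUS_ONE = re.compile(r"[^a-zA-Z]?([a-zA-Z]+)[^a-zA-Z]?")
# A 1-4 character pattern repeated two or three times, e.g. "abcabc" or "xyxyxy".
_REPEATED = re.compile(r"(.{1,4})\1{1,2}")


def _forms(word: str) -> set:
    """The 'any form' variants of a name: as-is, reversed, doubled (case folded)."""
    w = word.lower()
    return {w, w[::-1], w * 2}


def find_problems(password, login="", personal_words=(), dictionary=DICTIONARY):
    """Return the 'What Not to Use' rules the password violates (empty list = none)."""
    problems = []
    low = password.lower()

    if len(password) < 6:
        problems.append("shorter than six characters")
    if password.isdigit():
        problems.append("all digits")
    if len(set(low)) == 1:
        problems.append("all the same character")
    if _REPEATED.fullmatch(password):
        problems.append("short pattern repeated two or three times")

    # Login name and personal names (spouse, child, pet) in any form.
    candidates = [("login name", login)] + [("personal name", w) for w in personal_words]
    for label, word in candidates:
        if word and any(form in low for form in _forms(word)):
            problems.append(f"contains {label} in some form")

    # A single dictionary word, possibly with one digit or punctuation mark
    # before or after it, forwards or backwards.
    match = _WORD_PLUS_ONE.fullmatch(password)
    if match:
        core = match.group(1).lower()
        if core in dictionary:
            problems.append("dictionary word (possibly with one digit/punctuation mark)")
        elif core[::-1] in dictionary:
            problems.append("dictionary word spelled backwards")
    return problems


def find_warnings(password):
    """Return the 'What to Use' recommendations the password does not meet."""
    warnings = []
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        warnings.append("no mix of upper and lower case")
    if not any(c.isdigit() for c in password):
        warnings.append("no digit")
    if all(c.isalpha() for c in password):
        warnings.append("no non-alphabetic character")
    return warnings


def is_acceptable(password, **kwargs):
    """True when none of the hard rules is violated (warnings are advisory)."""
    return not find_problems(password, **kwargs)


if __name__ == "__main__":
    for candidate in ("secret1", "terces", "123456", "abcabc", "htimsj9", "Bob8Crow"):
        print(candidate, find_problems(candidate, login="jsmith"), find_warnings(candidate))
```

Note that the page's own sample "DoG;RaiN" passes every hard rule but draws the "no digit" warning, which is why the "What to Use" items are treated as recommendations rather than failures here.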
Some Ideas for Choosing Secure and Easy to Remember Passwords
Caveat: Do not use any of these sample passwords as your own!
- Choose a line or two from a song or poem, and use the first letter of each word. For example, "And I'm crazy, for loving you" becomes "AIc,fly".
- Alternate between one consonant and one or two vowels, up to eight characters. This provides nonsense words that are usually pronounceable, and thus more easily remembered. Capitalize some of the letters. Examples include "routBOO", "QuadpoP" and so on.
- Choose two short words, capitalize some of the letters, and concatenate them together with a punctuation mark or number between them. For example: "DoG;RaiN", "bOOk+mUg" or "Bob8Crow".
Adapted from: Improving the Security of Your UNIX System, National Institutes of Health, ITSTD-721-FR-90-21.