How to choose good passwords
On this page:
- What not to do when choosing a password
- The best method for choosing passwords.
- How long does my password have to be?
- Can I write my password down?
- Why is this important?
- Additional information
- Do not re-use passwords. SCS accounts have been broken into because the password for their SCS account was the same as that for a site whose password database had been compromised (e.g. LinkedIn, Adobe, etc).
- Do not choose a password based upon personal data, such as your name, your username, or other information that one could easily discover about you from searching the internet or knowing personal information about you.
- Do not choose a guesable password. Guessable passwords include words (English or otherwise), proper names, names of TV shows, the account's user name, keyboard sequences, and anything else that one would expect a clever person to put in a "dictionary" of passwords.
- Do not choose a password that is a simple transformation of a word, such as putting a punctuation mark at the beginning or end of a word, converting the letter "l" to the digit "1", writing a word backwards, etc. For example, "password,123" is not a good password, since adding ",123" is a common, simple transformation of a word.
- Do not choose passwords less than 8 characters long or that are made up solely of numbers or letters. Use letters of different cases, mixtures of digits and letters, and/or non-alphanumeric characters.
The single best method for generating passwords is to do the following:
- Make up a sentence you can easily remember. Some examples:
- I have two kids: Jack and Jill.
- I like to eat Dave & Andy's ice cream.
- No, the capital of Wisconsin isn't Cheeseopolis!
- Now take the first letter of every word in the sentence, and include the punctuation. You can throw in extra punctuation, or turn numbers into digits for variety. The above sentences would become:
As you can see, the passwords generated by this method can be fairly secure, but are easy to remember if the sentence you pick is one that is easy for you to remember. In cases where an application allows long passwords, you could possibly use the entire phrase as your "password".
Another password selection method
If you don't wish to use the above method, the following method also generates "reasonably" secure passwords (though not quite as good as the method above) that may be easier to remember:
- Choose two or more unrelated words such as:
- unix & fun
- book & goat
- august & brick
- Join the words with a non-alphabetic character or two.
- Make at least one change (for example, uppercase a letter or add another character) to one or more of the words (preferably not just at the very beginning or end of the password).
Some example passwords generated using this method:
In general, the longer a password is, the harder it is for somebody to guess or brute-force it. Password selection trades off security with convenience and the ability to remember it. Eight characters should be the absolute minimum length. SCS Kerberos passwords may be of practically unlimited length (the limit is at least several hundred characters).
In a Windows environment, there are may be security advantages if your password is 15 characters or longer.
You should avoid writing down your password or giving it to others. You should especially avoid writing it down and leaving it in a non-secured place such as on a post-it on your monitor or a piece of paper in your desk. If you absolutely must write something down, we suggest doing the following:
- Don't write down the entire password, but rather a hint that would allow you (but nobody else) to reconstruct it.
- Keep whatever is written down in your wallet or other place that only you have access to and where you would immediately notice if it was missing or someone else gained access to it.
It is very common for intruders to attempt to break-in to systems (both Unix and Windows) at SCS by trying to guess people's passwords. Sometimes they succeed, and when they do it is often because people chose very poor passwords, such as "password", or "administrator", or a password that is the same as the user name. These break-ins can result in a significant amount of downtime, lost work, and loss of privacy (for example, if there is are social security numbers or other personal data data on the system). Intruders also may install keyboard sniffers that let them gather additional passwords and put more machines at risk. They can also conduct dictionary attacks against a host's password database, and try thousands of potential passwords per second.
The following off-site links will open in a new browser window:
- Bruce Schneier on choosing good passwords, along with a discussion of password cracking.
- Searchable database of compromised accounts from various breaches, for searching if your acount has been compromised.
- Ten Windows Password Myths
- Discusses some misconceptions about choosing passwords under Windows (and with some application to Unix) and provides some helpful additional information about ways to choose good passwords. A bit dated, but still some useful info.