Good Password Practices
It can be difficult to choose a good password. The password should be fairly long and shouldn’t be guessable, but at the same time, it should be easy to remember.
Here are a few reminders of good general password practices:
1. Choose a good password that will be hard to crack.
Use a mix of numbers, letters, punctuation and non-dictionary words to create strong, hard-to-crack passwords, and never give your password to anyone for any reason. For technical reasons, some systems impose a fairly short limit on the length of a password. While the examples below are often longer than eight characters, the methods for selecting passwords work just as well at any length.
Avoid using dictionary words or names in any form. Backwards or forwards, Chinese or Norwegian, any word or common name can be guessed by hackers’ programs.
Dictionary words are any common words, names, dates or numbers, including words in foreign languages. One standard method attackers use to guess passwords is a brute force attack: the attacker simply tries candidate passwords over and over until one opens the account. Rather than trying every possible string, attackers usually start with dictionaries of commonly used passwords. We have seen dictionaries in English, Finnish, German, Japanese, Latin, Spanish, Italian, Chinese, Norwegian, Swedish, Yiddish and Dutch; of jargon from biology, physics and computing; of common female names, common male names, and names from cartoons, movies, television, Shakespeare, religion and mythology; and of common and famous place names. It wouldn’t surprise us to see dictionaries of Farsi or Akkadian words, either. Avoid using words or names, regardless of the language.
Don’t use common misspellings of dictionary words (including replacing “l” with “1” and the like).
Many of the attackers’ dictionaries already include common misspellings and words with letters replaced by similar-looking numbers or symbols, so such substitutions add almost nothing to a password’s strength.
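To make concrete what a dictionary of commonly used passwords with misspellings and number substitutions looks like from the attacker’s side, here is an added example that is not part of the original page: a small Python dictionary attack that expands each word with the mangling rules described above (reversal, capitalisation, l-to-1 style substitutions, common suffixes) and tests every candidate against a constructed set of leaked password hashes. The word list, the substitution table, the suffixes, the leaked hashes and the function names are all constructed for this example; unsalted SHA-256 stands in for a badly stored password database and is not a recommendation, and a slow salted hash such as bcrypt or Argon2 would only slow this loop down, not prevent it.

```python
import hashlib

# Constructed word list standing in for the multilingual dictionaries the page
# describes; real lists run to millions of words and names.
WORDLIST = ["password", "summer", "chicago", "norway", "manifesto"]

# Letter-for-symbol substitutions of the kind the page warns about (l -> 1, ...).
LEET = {"a": "@", "e": "3", "i": "1", "l": "1", "o": "0", "s": "$"}

# Suffixes people append to "strengthen" a word; they are in every attacker's rule set.
SUFFIXES = ["", "1", "123", "!", "2024"]


def mangle(word):
    """Yield the variants an attacker derives from one dictionary word:
    case changes, reversal, leet substitutions and common suffixes."""
    bases = {word, word.capitalize(), word.upper(), word[::-1]}
    bases |= {"".join(LEET.get(c, c) for c in b) for b in bases}
    for base in sorted(bases):
        for suffix in SUFFIXES:
            yield base + suffix


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


def dictionary_attack(target_hashes, wordlist=WORDLIST):
    """Return {hash: recovered password} for every target hash that a mangled
    dictionary word produces. Unsalted SHA-256 models a badly stored password
    database; it keeps the example self-contained and is not a recommendation."""
    recovered = {}
    for word in wordlist:
        for candidate in mangle(word):
            digest = sha256_hex(candidate)
            if digest in target_hashes:
                recovered[digest] = candidate
    return recovered


# Constructed "leaked" hashes: two disguised dictionary words and one password
# built from pronounceable nonsense, which the mangling rules never reach.
LEAKED = {sha256_hex("P@$$w0rd123"), sha256_hex("drowssap"), sha256_hex("nuit+Pog=tWi")}


if __name__ == "__main__":
    for digest, pw in dictionary_attack(LEAKED).items():
        print(digest[:12], "->", pw)
```

Running it recovers the two disguised dictionary words and leaves the nonsense-word password alone, which is the whole point of the advice above: the disguise is part of the attacker’s dictionary.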
Don’t use the name of the computer or of your account.
These are easy to find out, so a password based on them is very easy to guess.
Don’t use sample passwords, such as the ones on this page.
If the password appears in a document such as this one for the whole world to see, don’t use it.
A password should be between 8 and 16 characters; the upper limit is a technical restriction of the system, not a security recommendation. Within that range, the longer your password is, the harder it is to crack.
Do not use simple patterns like abCDEFG, or keyboard sequences like qwertyUI. Simple patterns and sequences are easy to crack.
Use a mixture of upper and lower case letters, numbers, and punctuation. Often, this is required: a new password must contain characters from at least three of the character classes listed in the table below.
Category | Examples |
Uppercase Letters | ABCDEFGHIJKLMNOPQRSTUVWXYZ |
Lowercase Letters | abcdefghijklmnopqrstuvwxyz |
Numerals | 0123456789 |
Symbols | !@#$%&*() -+= _|\ [] {} <> ,.:; |
Avoid using characters that don’t appear on a standard US 101-key keyboard. This may cause you trouble later on.
Some systems allow “unprintable” characters, accented letters such as u-umlaut, or the Euro symbol, but don’t count on them working correctly. A character that cannot easily be typed on a standard US 101-key keyboard may be handled differently by different systems, and you may find yourself unable to log in.
2. Never share your password; you will be held responsible for anything done with your account, including email sent by people you share it with.
Your account is assigned to you. You will be held responsible for the activities of the account. Your password is like your signature; giving it to other people is like giving them the authority to sign your name — and implies that whatever they do has your approval. We do see cases where people will use someone else’s email account to send harassing email. Don’t let this happen to you.
Staff of the University will never ask for another individual’s CNet password via email, telephone, mobile phone, or any other communication device. If you receive a message claiming to be from a staff member requesting your password, do NOT share this information with them.
3. Don’t use the same password for all your accounts.
Never use your operating system password for your social networking pages or low-security accounts. You should choose separate, unique passwords for each account or service.
You can use variations of the same basic password for low-value accounts. For example, the password M’sCMh8196wii! could become m’sCMH8196wii! or M’sCMh8197wii! Bear in mind that if one variant is stolen, the others are only a few guesses away, so this is acceptable only for accounts that protect nothing sensitive. The password protecting your most sensitive information should always be different from your other passwords.
4. Avoid using non-secure networks at places such as hotels, cafes, etc. to send private information.
Don’t access sensitive information using your CNet password on public networks or public computers (e.g., computers in a hotel lobby, library or Internet cafe). Using remote-access software or keystroke loggers, hackers can capture your username, password, and other private information on such machines and networks.
5. Change your password after using a non-secure network.
You should change your password after using a public or internet cafe network the next time you are at a secure machine.
6. Change your password with some frequency.
The longer that you have used your password, the more likely it is that someone else will manage to figure it out. Just how frequently you should change your password depends on how frequently you use it and what you are protecting with it. For example, you may wish to change a password used to give access to financial information more frequently than one to give access to read the news on a web page.
7. Change your password after traveling abroad and using non-secure networks or machines.
If you frequently access wireless networks overseas, you should change your password the next time you are at a secure machine.
8. Never store your password in a program, even if the program or browser asks you to.
Many email clients, web browsers, and web services will offer to store your password for you so that you don’t need to type it in each time you want to use it. This is a bad idea: it is generally trivial for someone with access to your computer (and sometimes even without it) to recover your password from inside one of these programs.
It is also possible for malware to read your password out of such a store and send it to other people or post it publicly on the Internet, possibly before anti-virus software is able to locate and remove the malware.
9. Never write down a password. If you do, be sure to shred it as soon as possible.
Passwords that are written down can be easily stolen. When you receive a new password you may wish to write it down until you have had a chance to memorize it. If you do this, take extreme care not to lose the paper you have written it on, and destroy the paper (e.g. tear it to shreds) once you have learned the password.
Password standards
Your password must be between 8 and 16 characters in length, contain characters from at least three of the categories below, and must not be based on a dictionary word or a simple pattern such as ABCdefG. Your password must also not match any password you have previously used.
Category | Examples |
Uppercase Letters | ABCDEFGHIJKLMNOPQRSTUVWXYZ |
Lowercase Letters | abcdefghijklmnopqrstuvwxyz |
Numerals | 0123456789 |
Symbols | !@#$%&*() -+= _|\ [] {} <> ,.:; |
Specific Methods for Selecting Good Passwords
Use letters from a phrase or song lyric.
Think up a phrase. For example, “Marx’s Communist Manifesto has 8196 words in it!”. Once you’ve decided on the phrase, choose the first (or last, or the second, or whatever) letter from each word and keep the digits and punctuation as they are: M ’s C M h 8196 w i i !
You’ll notice that in this example we’ve decided to include all the punctuation. This improves the quality of the password.
So, your password would be M’sCMh8196wii! (typed with the ordinary straight apostrophe on the keyboard, not a typographic one). It is a nice, long password with a good mixture of character classes.
Combine a few pronounceable nonsense words with punctuation.
For example, nuit+Pog=tWi. Pronounceable nonsense words are easier to remember than random characters. In our example we have combined the nonsense words in a way that resembles an arithmetic formula, which makes it easier to remember. You may want to use other punctuation for similar reasons. Another example might be Fp@par().
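The following Python is an added example, not code from the page, that implements the phrase method above together with the checks from the “Password standards” section: it derives a password from a phrase by keeping the first letter of each word plus every digit and punctuation mark (so the page’s phrase yields M'sCMh8196wii! with a straight apostrophe), then tests any candidate for the 8 to 16 character length, the three-of-four character classes, characters not on a US keyboard, keyboard and alphabet sequences, dictionary words hidden behind number-for-letter substitutions, and reuse of a previous password. The small dictionary, the substitution table, the four-character sequence threshold and the function names are assumptions made for this example.

```python
import re

# The four character classes of the page's "Password standards" table
# (apostrophe and a few other US-keyboard symbols added to the symbol set).
CLASSES = {
    "upper": set("ABCDEFGHIJKLMNOPQRSTUVWXYZ"),
    "lower": set("abcdefghijklmnopqrstuvwxyz"),
    "digit": set("0123456789"),
    "symbol": set("!@#$%&*()-+=_|\\[]{}<>,.:;'\"?/~`^"),
}

# Constructed stand-in for the cracking dictionaries described on the page.
DICTIONARY = {"password", "chicago", "manifesto", "summer", "letmein"}

# Substitutions undone before the dictionary check, so "P@ssw0rd" is caught.
DELEET = {"@": "a", "3": "e", "1": "l", "0": "o", "$": "s", "5": "s"}

# Rows that a "keyboard walk" follows, plus the alphabet itself.
SEQUENCES = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
             "abcdefghijklmnopqrstuvwxyz"]


def from_phrase(phrase):
    """Page's method: first letter of each word, all digits and punctuation kept.
    An apostrophe is not a letter, so "Marx's" contributes M, ' and s."""
    parts = re.findall(r"[A-Za-z]+|[^A-Za-z\s]", phrase)
    return "".join(p[0] if p[0].isalpha() else p for p in parts)


def has_sequence(pw, n=4):
    """True if any n consecutive characters walk one of SEQUENCES forwards
    or backwards (qwer, DCBA, 6789, ...). The window size n=4 is an assumption."""
    low = pw.lower()
    for i in range(len(low) - n + 1):
        chunk = low[i:i + n]
        if any(chunk in row or chunk[::-1] in row for row in SEQUENCES):
            return True
    return False


def check_standard(pw, dictionary=DICTIONARY, history=()):
    """Return the list of ways pw violates the page's standard (empty list = OK)."""
    problems = []
    if not 8 <= len(pw) <= 16:
        problems.append("length must be 8-16 characters")
    present = [name for name, chars in CLASSES.items() if any(c in chars for c in pw)]
    if len(present) < 3:
        problems.append("needs at least three character classes, has %d" % len(present))
    if any(not 32 <= ord(c) <= 126 for c in pw):
        problems.append("contains characters not on a US 101-key keyboard")
    if has_sequence(pw):
        problems.append("contains a keyboard or alphabet sequence")
    # Undo leet substitutions, keep only letters, then look for a word
    # forwards or backwards anywhere inside what remains.
    letters = re.sub(r"[^a-z]", "", "".join(DELEET.get(c, c) for c in pw.lower()))
    if any(w in letters or w in letters[::-1] for w in dictionary):
        problems.append("based on a dictionary word")
    if pw in history:
        problems.append("matches a previously used password")
    return problems


if __name__ == "__main__":
    for candidate in [from_phrase("Marx's Communist Manifesto has 8196 words in it!"),
                      "nuit+Pog=tWi", "qwertyUI", "P@ssw0rd1", "abCDEFG"]:
        print(candidate, "->", check_standard(candidate) or "acceptable")
```

The two passwords built by the page’s own methods pass every check, while qwertyUI, P@ssw0rd1 and abCDEFG each fail for the reason the page gives. The history argument is where a real system would pass the hashes of previous passwords rather than the plaintexts used here for brevity.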
Handling Large Numbers of Passwords
People often find that they need to juggle multiple passwords for their email accounts, web sites they visit, and the various Internet-based services they use. While it is impractical to create a completely different password for every web site or account, using the same password in multiple locations is very dangerous: if the password is stolen from any one of the places where it is used, it can be used everywhere else as well.
Below are a few ideas on various ways to handle the increasing number of passwords that seem to be required these days while not making the passwords easy to guess.
Consider what the password is protecting when choosing a password. Some services may not require as secure a password if they do not contain any private information.
Many passwords protect configuration settings rather than access to sensitive data, email or other network services. Use a single password for all such services. If a password does not protect any personal or financial information and does not allow other people to impersonate you (for example, by sending email as you), you probably don’t need to keep it as secure. If you are not sure, always use a password different from any you use on any other site.
Consider your password as multiple parts: a central core of the password and a prefix and/or suffix which is specific to the service that is being protected.
For example, your core might be “gPw4”, from “genericPassword 4 (for)…” If this password is to be a password for the New York Times Web Site, you might choose to add “NYt” to the beginning of the password and “n” (for “news”) to the end. This would make your password: NYtgPw4n. Your password for eBay might be eBgPw4A (“A” for “auctions”).
The passwords protecting your most sensitive information should always be different than other passwords.
Choose a formula such as the ones described above for the passwords that are less important and typed infrequently. For the most important passwords, choose something that is in no way related to any of your other passwords.