Do not choose your password hastily. Choice of a poor password can result in your account being accessed by someone else and/or deactivated by the Computing Center staff.
It may seem that you don't have much if anything to lose if your password is guessed and your account is broken into, but that's not true. You can lose your good name, your reputation. People who break into your account are stealing your identity. You might be liable for crimes they commit using your accounts. Obscene, racist, threatening e-mail from your account, with your name attached, sent to your friends, family, peers, strangers and world-wide news groups, can be as difficult to overcome and correct as a public scandal.
First, the categories of bad passwords.
A. Passwords should never be:
  - any word in any dictionary, in any language
  - any formal name or nickname, including a spouse's, child's or pet's
  - fictional terms
  - the name of any author, composer, musician or actor
  - titles of movies, books or compositions
  - any special number, or all numerals: 12345677, 99999999 or 911911911
  - acronyms
  - combinations of letters that form a pattern on the keyboard: qwerty
  - phrases: yougogirl
  - clever license plates you have seen: one2nv, 3vom, ibuy4u
  - fables, or legendary characters or places
  - neat word/letter combinations: aTdHvAaNnKcSe (THANKS in advance)
  - religious figures, places or events
  - anything you can imagine being collected into a list
  - any mythological or fictional character or race
  - all one case: sureischarming or DAVIDISFUNNY
  - any name of a place (city, county, crossroads, forest, or place of natural beauty), real or fictional
B. Passwords should never be a simple algorithm applied against something
in A, above:
  - the "word" spelled backwards: special -> laiceps
  - appending or prefixing digits to a word: apple639 or 123apple
  - substituting numbers for the vowels: richard -> r1ch2rd
  - appending or prefixing special characters to a word: apple@ or $klingon
  - common substitutions for letters: 3 for e, move -> mov3
  - altering all, or just some, of the vowels of a word: banana -> bAnAnA, b1n2n3 or b*nana
C. Passwords should not contain information that can be automatically
gathered by knowing your user name:
This category is really an addition to category A above, but it is dynamic,
depending on your account information, whereas category A is static.
  - your user name
  - user name owner information (for Unix, the gecos field), which commonly contains your full name
  - your user index/number (for Unix, the UID and GID)
  - information derivable from the above, such as your initials
D. Passwords should not contain personal information that can be gathered
if you are targeted:
  - your social security number
  - your license plate number
  - your student ID number
  - your street address, or the address where you were born
  - your passport number
  - the serial number from your camera, computer or stereo
  - your phone number, your mother's phone number, your mother's maiden name
This may seem to be just about everything, right? A good password needs to be something that is not derivable in a semi-automatic manner. The above categories A-C represent known information, or easily derived information, that can be exhaustively applied by a computer to break your password. Category D represents information that would be applied to specifically break your account, as opposed to any account on a machine. While this may seem to be a very remote possibility, if you are ever personally targeted, it is potentially much more damaging to you. (It's personal, beware!)
Three final items.
(1) Make sure you know how many characters the system allows for a
password: a good 14 character password may become a terrible password if
the system only uses the first 8 characters. The maximum number of characters
for a password on the Slate cluster is 8. Passwords on the Computing Center
PC network should be 8 to 14 characters.
(2) Make sure you know which characters are acceptable and unacceptable to the
system. Known unacceptable characters on Windows NT systems are:
" / \ : ; | = , + * ? < >
(3) Look at your password selection to make sure it doesn't duplicate
a bad password: a (usually) good personal password generation method
can still generate a bad password when its output happens to coincide
with one of the categories above. For example, a potentially good
password, xr3pall, would be bad if your name was Xavier Richard Pall, III.
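The categories above are exactly what a cracking program automates, so they can be checked by a program as well. The following is an added example, not part of the original guidelines, that turns categories A-D and the three final items into a small checker: it truncates the candidate to the system's limit, tries the category-B transformations (reversal, bolted-on digits or punctuation, look-alike and vowel-to-digit substitutions) against a constructed mini-dictionary, and looks for tokens taken from the user name, the gecos field and personal details. The dictionary, the substitution table and the function names are assumptions chosen for illustration; a real checker would load the same wordlists a cracker uses.

```python
import re

# Constructed mini-dictionary standing in for the wordlists a cracker uses;
# every entry comes from the examples in the guidelines above.
DICTIONARY = {
    "special", "apple", "richard", "move", "banana", "klingon", "embargo",
    "peanutbutter", "lionhunt", "charming", "david", "funny", "thanks",
    "advance", "yougogirl", "mary", "lamb",
}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")

# Letter -> characters commonly substituted for it (category B). Any vowel
# may additionally be replaced by any digit (richard -> r1ch2rd).
SUBSTITUTES = {"a": "4@*", "e": "3*", "i": "1!*", "l": "1|", "o": "0*",
               "s": "5$", "t": "7+", "u": "*"}
VOWELS = "aeiou"


def word_pattern(word):
    """Compile a regex matching `word` under mixed case, look-alike
    substitutions and vowel swaps (banana -> bAnAnA, b1n2n3, b*nana)."""
    classes = []
    for ch in word:
        subs = SUBSTITUTES.get(ch, "")
        if ch in VOWELS:
            subs += "0123456789"
        classes.append("[" + re.escape(ch + subs) + "]")
    return re.compile("^" + "".join(classes) + "$", re.IGNORECASE)


PATTERNS = {w: word_pattern(w) for w in DICTIONARY}


def keyboard_run(s, run=4):
    """True if `s` contains `run` adjacent keys from one keyboard row,
    in either direction (qwerty, 4321)."""
    for row in KEYBOARD_ROWS:
        for r in (row, row[::-1]):
            if any(r[i:i + run] in s for i in range(len(r) - run + 1)):
                return True
    return False


def check_password(candidate, max_length=8, username="", gecos="", personal=()):
    """Return the reasons `candidate` is a bad password under categories A-D;
    an empty list means it passed. Only the first `max_length` characters are
    examined, because that is all the system would keep (final item 1)."""
    pw = candidate[:max_length]
    low = pw.lower()
    reasons = []

    # Category A, structural checks: no wordlist needed.
    if pw.isdigit():
        reasons.append("all numerals")
    elif pw.isalpha() and (pw.islower() or pw.isupper()):
        reasons.append("all one case")
    if len(set(low)) <= 2:
        reasons.append("too few distinct characters")
    if keyboard_run(low):
        reasons.append("keyboard pattern")

    # Categories A and B: the word itself, reversed, with digits or punctuation
    # bolted on front or back, or with look-alike substitutions.
    core = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", pw)
    forms = {f for f in (pw, core, pw[::-1], core[::-1]) if f}
    for word in sorted(DICTIONARY):
        if any(PATTERNS[word].match(f) for f in forms):
            reasons.append(f"derived from dictionary word {word!r}")
            break

    # Categories C and D: anything derivable from the account or the person.
    tokens = set()
    for source in (username, gecos, *personal):
        tokens.update(t.lower() for t in re.findall(r"[A-Za-z0-9]+", source))
    if gecos:  # initials, e.g. "Xavier Richard Pall, III" -> "xrpi"
        tokens.add("".join(t[0].lower() for t in re.findall(r"[A-Za-z]+", gecos)))
    for tok in sorted(tokens):
        if len(tok) >= 3 and tok in low:
            reasons.append(f"contains account/personal token {tok!r}")
            break
    return reasons


if __name__ == "__main__":
    for cand, kw in [("laiceps", {}), ("apple639", {}), ("r1ch2rd", {}),
                     ("embargo!.umber", {"max_length": 8}),
                     ("embargo!.umber", {"max_length": 14}),
                     ("xr3pall", {"gecos": "Xavier Richard Pall, III"})]:
        print(f"{cand:16} {check_password(cand, **kw) or 'OK'}")
```

Note that embargo!.umber passes with a 14-character limit and fails with an 8-character one, which is final item (1) in action, and that xr3pall fails only once the gecos field is supplied, which is final item (3).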
Now, methods for generating good passwords.
First, if the maximum password length is long enough, you can use two
unrelated words together, perhaps separated by some punctuation or numbers.
Examples: peddle$skew embargo!.umber orange34xerox nova::orient
But not: peanutbutter or lionhunt
Note that if the maximum password length is eight characters, embargo!.umber
is truncated to embargo! which will be cracked.
Second, use the first letters of words in a memorable phrase. The phrase
"Mary had a little lamb" produces the password Mhall. Memorable is good,
but a traditional or classical phrase is risky because it is already in
the lists crackers use. Make up your own phrase...
"I got a speeding ticket on 6th Avenue" generates: igasto6a
"He ate 9 hotdogs in 1 minute!" generates: ha9hi1m!
Third, use grossly misspelled or mispronounced words with mixed cases.
Be careful that you don't just substitute phonetic spellings.
Examples: fumigate -> FooMiGayT, migraine -> MuhGrayNee, waterbuffalo -> witTerbifLow
Fourth, tighten up a good password into a better password: use both
upper and lower case characters, add punctuation and/or numbers, depending
on what the system allows.
Examples: igasto6a -> iGAsto6A or Igasto6A
DAVIDISFUNNY -> daVIDb!Fu~~Y
Fifth, if you have a good memory, use eight or more, preferably the maximum allowed, random characters.
It is critical to "tighten up" passwords that are eight characters or less. Simple, short passwords are easily cracked (guessed by trying candidates). The number of characters that make up a "short" password keeps growing as computers get faster. (What is considered sufficient length for a password today will be short in the future.)
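To make the five methods and the "tighten up" step concrete, here is an added example in Python; it is not part of the original guidelines. acrostic() implements the second method, tighten() the fourth, random_password() the fifth using the operating system's cryptographic random source via the secrets module (never the ordinary random module), and brute_force_seconds() shows why a length that is "long enough" today shrinks as guessing rates rise. The function names, the tightening probabilities and the guess rate used in the usage lines are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Characters the guidelines list as rejected by Windows NT; never emit them.
NT_FORBIDDEN = set('"/\\:;|=,+*?<>')
ALLOWED_PUNCT = "".join(c for c in string.punctuation if c not in NT_FORBIDDEN)
ALPHABET = string.ascii_letters + string.digits + ALLOWED_PUNCT
_rng = secrets.SystemRandom()  # CSPRNG; random.Random() is not suitable here


def acrostic(phrase):
    """Method two: first character of each word (digits included), lower-cased,
    keeping a punctuation mark that ends the phrase.
    "He ate 9 hotdogs in 1 minute!" -> "ha9hi1m!" """
    pw = "".join(word[0] for word in phrase.split()).lower()
    if phrase[-1] in string.punctuation:
        pw += phrase[-1]
    return pw


def tighten(pw, rng=_rng):
    """Method four: mix case and swap some letters for digits/punctuation.
    Assumed rates: about one letter in four is replaced, and half of the
    remaining letters are upper-cased. Digits and punctuation are kept."""
    out = []
    for ch in pw:
        if ch.isalpha():
            if rng.random() < 0.25:
                ch = rng.choice(string.digits + ALLOWED_PUNCT)
            elif rng.random() < 0.5:
                ch = ch.upper()
        out.append(ch)
    return "".join(out)


def random_password(length, alphabet=ALPHABET, rng=_rng):
    """Method five: `length` characters drawn uniformly from `alphabet` with a
    CSPRNG, re-drawn until every character class the alphabet offers is
    present, so a policy check does not reject the result."""
    classes = (str.isupper, str.islower, str.isdigit, lambda c: c in ALLOWED_PUNCT)
    required = [cls for cls in classes if any(cls(c) for c in alphabet)]
    if length < len(required):
        raise ValueError("length too short to include every character class")
    while True:
        pw = "".join(rng.choice(alphabet) for _ in range(length))
        if all(any(cls(c) for c in pw) for cls in required):
            return pw


def entropy_bits(length, alphabet_size):
    """Bits of search space for a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


def brute_force_seconds(length, alphabet_size, guesses_per_second):
    """Expected time for exhaustive search (half the keyspace on average).
    Re-run with a higher rate to see a "long enough" length become short."""
    return alphabet_size ** length / 2 / guesses_per_second


if __name__ == "__main__":
    base = acrostic("I got a speeding ticket on 6th Avenue")
    print(base, "->", tighten(base))                  # e.g. igasto6a -> iG4sTo6a
    print(random_password(14))
    for rate in (1e6, 1e9, 1e12):                      # assumed guess rates
        print(f"8 lower-case letters at {rate:.0e}/s: "
              f"{brute_force_seconds(8, 26, rate):.1f} s")
```

The brute-force figures are an upper bound on the attacker's effort: a password that falls into categories A-D is found by a dictionary pass long before exhaustive search is needed, which is why the generation methods matter more than raw length.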
After you have created a good password, how do you improve the odds of remembering it? Use your new password immediately: change your password and then log out and log back in. After ten minutes (about the length of short-term memory) use your new password again: log out and back in. (Changing your password Friday afternoon just before leaving for the weekend can make the new password very difficult to remember.) If you absolutely need to write down your password, make sure that anyone seeing it or finding it cannot determine what it is: make sure that it is unrecognizable and cannot be associated with your account/user name. This is the same principle that applies to the PIN for your credit/bank card, and getting it wrong there can be even more costly.
How often do you need to change your password? The effective half-life of your password depends on its exposure. Piano players can read your keystrokes if they can see your hands. Did you write down your password? (If you had to write it down, the fact it was a necessity does not lower the resultant risk). Was it accidentally displayed on the screen? Did you login from the hospitality suite at the conference? Do you have a nagging feeling that you should change it? Is it a good, strong password? It is better to have a good password for months than a bad password for days.