Guidelines for Secure Password Selection

The importance of picking a good, secure password can't be emphasized enough. It is extremely important that users change the passwords associated with their computer accounts frequently, and that they change them to something that cannot be guessed by someone else. This is because to the password is the way the computer verifies that someone logging in with your account (also known as your login or netid) is really you.

If someone else obtains your password, they can use your account to peruse your private data, including electronic mail; alter or destroy your files; and perform illegal activities in your name. And, in such cases, it is difficult to find out who the culprit is.

The following guidelines will guard against someone finding out your password and using your account illegally:

Make your password as long as possible. The longer it is, the more difficult it will be to attack the password with a brute-force search. Always use at least 6 characters in your password, at least two of which are numeric.
Use as many different characters as possible when forming your password. Use numbers, punctuation characters and, when possible, mixed upper and lower-case letters. Choosing characters from the largest possible alphabet will make your password more secure.
Do not use personal information in your password that someone else is likely to be able to figure out. Obviously, things like your name, phone number, and address are to be avoided. Even names of acquaintances and the like should not be used.
Do not use words, geographical names, or biographical names that are listed in standard dictionaries.
Never use a password that is the same as your account number.
Do not use passwords that are easy to spot while you're typing them in. Passwords like 12345, qwerty (i.e., all keys right next to each other), or nnnnnn should be avoided.
Change your password on a regular basis. Changing your password every 30 days is a good rule-of-thumb, and you should never go longer than 90 days before picking a new password. Do not reuse any previous password you have used. The longer you wait before changing passwords, the more difficult it will be to get used to the new one.

Try This If You're Having Difficulty Selecting a Good Password

If you are having difficulty picking a good password, one good method is to use the first letter of each word in a phrase you can easily remember. For example, "McDonald's is your kind of place" would be miykop. Another method is to intentionally use misspelled words, or words with a number or punctuation mark suffixed. Examples include: braekfast, kite276, and weather. (the period at the end is part of the password). But, don't copy any of these examples!

Here are some guidelines about what secure passwords should not include[1]:

Your name
Your spouse's name
Your parent's name
Your pet's name
Your child's name
Names of close friends or coworkers
Names of your favorite fantasy characters
Your boss's name
Anybody's name
The name of the operating system you're using
The hostname of your computer
Your phone number
Your license plate number
Any part of your social security number
Anybody's birth date
Other information that is easily obtained about you
Words such as wizard, guru, gandalf, and so on.
Any username on the computer in any form (as is, capitalized, etc.)
A word in the English dictionary
A word in a foreign dictionary
A place
A proper noun
Passwords of all the same letter
Simple patterns on the keyboard, like qwerty
Any of the above spelled backwards
Any of the above followed or prepended by a single digit

Good passwords[2]:

Have both upper and lower case letters
Have digits and/or punctuation characters as well as letters
Are easy to remember, so they do not have to be written down
Are seven or eight characters long
Can be typed quickly, so someone else cannot look over your shoulder

[1] Simson Garfinkel and Gene Spafford, Practical UNIX Security (Sebastopol, CA: O'Reilly & Associates, Inc., 1991), pp. 33-34.

[2] Ibid., p. 35.