- Use a password with mixed-case letters. Do not just capitalize the first letter, but add uppercase letters throughout the password.
- Use a password that contains alphanumeric characters, and include punctuation where the operating system supports it.
- Use at least six characters, eight characters for Windows NT.
- Use a seemingly random selection of letters and numbers.
- Use a password that can be typed quickly, without having to look at the keyboard. This makes it harder for someone to steal your password by looking at your keyboard (also known as “shoulder surfing”).
- Change passwords regularly. The more critical an account to network integrity (such as root on a Unix host or Administrator on Windows NT), the more frequently the password should be changed. This change stops someone who has already compromised an account from continued access.
Do not do any of the following:
- Use a network login ID in any form (reversed, capitalized, or doubled) as a password.
- Use your first, middle or last name or anyone else’s in any form. Do not use your initials or any nicknames you may have or anyone else’s.
- Use a word contained in English or foreign dictionaries, spelling lists, or other word lists and abbreviations.
- Use other information easily obtained about you. This includes pet names, license plate numbers, telephone numbers, identification numbers, the brand of your automobile, the name of the street you live on, and so on. Such passwords are very easily guessed by someone who knows the user.
- Use a password made up only of numbers or only of letters. Mix numbers and letters.
- Use dates, e.g., September, SEPT1999, or any combination thereof.
- Use keyboard sequences, e.g., qwerty.
- Use a sample password, no matter how good, that you’ve gotten from a book that discusses information and computer security.
- Use any of the above things spelled backwards, or in caps, or otherwise disguised.
- Write a password on sticky notes, desk blotters, calendars, or store it online where it can be accessed by others.
- Use shared accounts; accountability for access through a group account is extremely difficult.
- Reveal a password to anyone.
Common suggestions for constructing seemingly random passwords are:
- Use the first letter of each word from a line in a book, song, or poem. For example: “Who ya gonna call? Ghost Busters!” would produce “Wygc?GB!”
- Use the output from a random password generator. Select a random string that can be pronounced and is easy to remember. For example, the random string “adazac123” can be pronounced a-da-zac, and you can remember it by thinking of it as “A-to-Z, 1 through 3.” Add uppercase letters to create your own emphasis, e.g., aDAzac.2
- Use two short words connected by punctuation, e.g., T1me#0ff
- Use numbers and letters to create an imaginary vanity license plate password, e.g., 1H8work!
A common theme of these suggestions is that the password should be easy to remember. Avoid passwords that must be written down to be remembered: if you cannot recall a password and write it down instead, someone in your office may find it and compromise your network identity.
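The rules above can be turned into an automated check that a help desk or an account-provisioning script runs before accepting a new password. The following is an added example, not code from the original page: it builds the "first letter of each word" password from a phrase exactly as the Ghost Busters example describes, and it reports which of the page's do/don't rules a candidate password violates. The eight-character minimum follows the Windows NT rule on the page; the word list, keyboard sequences, and login ID are small constructed samples, and a real deployment would use a full dictionary.

```python
import re

# Constructed sample data for this example (not a real word list).
SAMPLE_DICTIONARY = {"password", "september", "welcome", "secret", "ghost"}
KEYBOARD_SEQUENCES = ("qwerty", "asdfgh", "zxcvbn", "12345", "abcdef")
# Full month names only; short forms such as "mar" or "dec" would cause
# too many false positives on ordinary words.
MONTH_NAMES = ("january", "february", "march", "april", "may", "june", "july",
               "august", "september", "october", "november", "december", "sept")


def acronym_password(phrase: str) -> str:
    """Take the first letter of each word and keep each word's trailing
    punctuation, e.g. "Who ya gonna call? Ghost Busters!" -> "Wygc?GB!"."""
    parts = []
    for token in phrase.split():
        m = re.fullmatch(r"(\w)\w*(\W*)", token)
        if m:  # skip tokens that are pure punctuation
            parts.append(m.group(1) + m.group(2))
    return "".join(parts)


def check_password(password: str, login_id: str, min_length: int = 8) -> list:
    """Return the list of guideline violations; an empty list means it passes."""
    problems = []
    lower = password.lower()

    # "Do" rules: length, mixed case, letters plus digits, punctuation.
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if not (has_lower and has_upper):
        problems.append("no mixed case")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(not c.isalnum() for c in password):
        problems.append("no punctuation")

    # "Don't" rules: login ID in any form (as-is, reversed, doubled, any case).
    lid = login_id.lower()
    if lid and (lid in lower or lid[::-1] in lower):
        problems.append("derived from login ID")
    # Dictionary words, forwards or spelled backwards.
    if lower in SAMPLE_DICTIONARY or lower[::-1] in SAMPLE_DICTIONARY:
        problems.append("dictionary word")
    if any(seq in lower for seq in KEYBOARD_SEQUENCES):
        problems.append("keyboard sequence")
    # Dates: a month name or a four-digit year such as SEPT1999.
    if any(m in lower for m in MONTH_NAMES) or re.search(r"(19|20)\d{2}", password):
        problems.append("contains a date")
    return problems


if __name__ == "__main__":
    print(acronym_password("Who ya gonna call? Ghost Busters!"))
    for candidate in ("T1me#0ff", "1H8work!", "SEPT1999", "qwerty", "Password"):
        verdict = check_password(candidate, login_id="jdoe") or ["ok"]
        print(f"{candidate}: {', '.join(verdict)}")
```

The checker is deliberately a list of independent rules rather than a single score, so a user sees every reason a candidate was rejected and the policy can be tightened by adding a rule without touching the others.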
These guidelines and suggestions should enable you to choose strong passwords that will help you improve the security of your system.
The CERT/CC (Computer Emergency Response Team / Coordination Center), a federally funded organization based at Carnegie Mellon University, estimates that 80% of all network security problems are caused by bad passwords; therefore, good passwords are the simplest, and most important part of information security.