Common guidelines
Common guidelines for choosing good passwords are designed to make passwords less easily discovered by intelligent guessing:
- Include numbers, symbols, upper and lowercase letters in passwords if allowed by the system
- Password length should be around 12 to 14 characters if permitted, and longer still if possible while remaining memorable
- Avoid any password based on repetition, dictionary words, letter or number sequences, usernames, relatives' or pets' names, romantic links (current or past), or biographical information (e.g., dates, ID numbers, ancestors' names or dates, …).
- If the system recognizes case as significant, use capital and lower-case letters
- The password should be easy for the user to remember, and should not force insecure workarounds (e.g., the very insecure practice of writing the password on a Post-It note stuck to the monitor)
- Avoid using the same password for multiple sites or purposes
The number of possible passwords grows exponentially with password length. Including numbers and a variety of other symbols, by contrast, does not significantly affect a password's security, because it only enlarges the base, not the exponent.
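The relationship above can be made concrete by computing the entropy of a uniformly random password: log2(N^L) = L * log2(N), where N is the size of the character set and L the length. The following is an added example, not part of the original article; the character-set sizes (10 digits, 26 lowercase letters, 62 alphanumerics, 95 printable ASCII symbols) are conventional counts assumed here, and the figures are upper bounds that apply only when every character is chosen uniformly at random, which human-chosen passwords never are.

```python
import math

# Conventional character-set sizes (assumed for this example).
CHARSETS = {"digits": 10, "lowercase": 26, "alphanumeric": 62, "printable ASCII": 95}


def bits_per_char(charset_size: int) -> float:
    """Entropy contributed by one uniformly chosen character: log2(N)."""
    if charset_size < 2:
        raise ValueError("a character set needs at least two symbols")
    return math.log2(charset_size)


def password_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random password of `length` symbols drawn from a set of size N.

    log2(N ** length) == length * log2(N): length is a multiplier (the exponent),
    while the set size only enters through the logarithm (the base).
    """
    if length < 1:
        raise ValueError("length must be positive")
    return length * bits_per_char(charset_size)


def chars_needed(charset_size: int, target_bits: float) -> int:
    """Shortest length from this character set that reaches target_bits of entropy."""
    return math.ceil(target_bits / bits_per_char(charset_size))


def extra_chars_equivalent(from_set: int, to_set: int, length: int) -> float:
    """How many extra characters from the smaller set give the same gain as
    switching to the larger set while keeping the length fixed."""
    gain = password_bits(to_set, length) - password_bits(from_set, length)
    return gain / bits_per_char(from_set)


if __name__ == "__main__":
    for name, n in CHARSETS.items():
        print(f"{name:15s} N={n:3d}  bits/char={bits_per_char(n):.2f}  "
              f"12 chars={password_bits(n, 12):5.1f} bits  "
              f"80 bits needs {chars_needed(n, 80)} chars")
    # Moving from lowercase-only to full printable ASCII at length 12 is worth
    # roughly the same as adding about five more lowercase characters.
    print(f"{extra_chars_equivalent(26, 95, 12):.2f} extra lowercase chars")
```

Each added character contributes log2(N) bits regardless of what is already there, so lengthening the password always pays; enlarging the character set only raises that per-character contribution, and does so logarithmically.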
Additional guidelines
Double one character (type it twice in a row) to hinder shoulder surfing, the technique whereby someone watches the keyboard over the typist's shoulder. Don't triple a character, and don't double more than one character. If the typist is fast, it is hard to see how many times a key was pressed in succession.
As a user might need access from a phone with a small keyboard, consider which non-alphanumeric characters appear on all models, if any do.
Examples of weak passwords
As with any security measure, passwords vary in effectiveness (i.e., strength); some are weaker than others. For example, the difference between a dictionary word and the same word with obfuscation (i.e., some letters substituted by, say, numbers, a common approach) may cost a password-cracking device only a few more seconds; this adds little strength. The examples below illustrate various ways weak passwords might be constructed, all based on simple patterns that result in extremely low entropy:
- Default passwords (as supplied by the system vendor and meant to be changed at installation time): password, default, admin, guest, etc. All are typically very easy to discover.
- Dictionary words: chameleon, RedSox, sandbags, bunnyhop!, IntenseCrabtree, etc., can be automatically tried at very high speeds.
- Words with numbers appended: password1, deer2000, john1234, etc., can be easily tested automatically with little lost time.
- Words with simple obfuscation: p@ssw0rd, l33th4x0r, g0ldf1sh, etc., can be easily tested automatically with little additional effort.
- Doubled words: crabcrab, stopstop, treetree, passpass, etc., can be easily tested automatically.
- Common sequences from a keyboard row: qwerty, 12345, asdfgh, fred, etc., can easily be tested automatically.
- Numeric sequences based on well-known numbers such as 911, 314159…, or 27182…, etc., can easily be tested automatically.
- Identifiers: jsmith123, 1/1/1970, 555–1234, “your username”, etc., can easily be tested automatically.
- Anything personally related to an individual: license plate number, Social Security number, current or past telephone number, student ID, address, birthday, sports team, relatives' or pets' names/nicknames/birthdays/initials, etc., can easily be tested automatically after a minor investigation of the person's details.
There are many other ways a password can be weak, corresponding to the strengths of various attack schemes; the core principle is that a password should have high entropy (usually taken to be equivalent to randomness) and not be readily derivable by any “clever” pattern, nor should passwords be mixed with information identifying the user.
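The patterns listed above are exactly what a password-acceptance check on the defending side can look for before a password is stored. The following is an added example, not part of the original article: a small pattern detector that flags dictionary words, words with appended digits, simple leet-style obfuscation, doubled words, keyboard-row and numeric sequences, and user identifiers. The word list, substitution table and well-known numbers are tiny constructed stand-ins; a real check would use a cracking dictionary of millions of entries.

```python
import itertools
import re

# Constructed stand-in for a cracking dictionary (a real check uses a far larger list).
COMMON_WORDS = {
    "password", "default", "admin", "guest", "chameleon", "redsox", "sandbags",
    "bunnyhop", "intensecrabtree", "deer", "john", "goldfish", "leethaxor",
    "crab", "stop", "tree", "pass", "welcome", "letmein",
}
# Substitutions crackers undo automatically; ambiguous symbols map to several letters.
LEET = {"@": "a", "4": "a", "3": "e", "1": "il", "!": "i", "0": "o",
        "5": "s", "$": "s", "7": "t", "|": "l"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
WELL_KNOWN_NUMBERS = ("911", "314159", "27182", "1234", "0000", "1111")


def deleet_candidates(pw, limit=256):
    """Every plain-letter reading of pw once leet symbols are mapped back (bounded)."""
    choices = [LEET.get(c, c) for c in pw.lower()]
    out = []
    for combo in itertools.product(*choices):
        out.append("".join(combo))
        if len(out) >= limit:
            break
    return out


def split_trailing_digits(pw):
    """'deer2000' -> ('deer', '2000'); all-digit or digit-free input -> (pw, '')."""
    m = re.fullmatch(r"(.*?[^\d])(\d+)", pw)
    return (m.group(1), m.group(2)) if m else (pw, "")


def is_keyboard_sequence(s, min_len=4):
    """True if s is a run along one keyboard row, in either direction."""
    s = s.lower()
    return len(s) >= min_len and any(s in row or s in row[::-1] for row in KEYBOARD_ROWS)


def is_numeric_sequence(s):
    """True for well-known numbers and for ascending/descending digit runs."""
    if not s.isdigit() or len(s) < 3:
        return False
    if any(s.startswith(n) for n in WELL_KNOWN_NUMBERS):
        return True
    steps = {(int(b) - int(a)) % 10 for a, b in zip(s, s[1:])}
    return steps in ({1}, {9})  # constant step of +1 or -1 (mod 10)


def weaknesses(pw, personal_terms=()):
    """Return a label for every weak-construction pattern found in pw (empty list if none)."""
    found = []
    lower = pw.lower()
    base, digits = split_trailing_digits(lower)
    readings = deleet_candidates(lower)

    if lower in COMMON_WORDS:
        found.append("dictionary word")
    if digits and base in COMMON_WORDS:
        found.append("word + appended digits")
    if lower not in COMMON_WORDS and any(r in COMMON_WORDS for r in readings):
        found.append("simple obfuscation of a word")
    half = len(lower) // 2
    if len(lower) >= 4 and len(lower) % 2 == 0 and lower[:half] == lower[half:]:
        found.append("doubled word")
    if is_keyboard_sequence(lower):
        found.append("keyboard row sequence")
    if is_numeric_sequence(lower):
        found.append("numeric sequence")
    # Identifiers supplied by the caller (username, phone number, birth year, ...).
    if any(len(t) >= 3 and t.lower() in lower for t in personal_terms):
        found.append("contains personal identifier")
    return found


if __name__ == "__main__":
    for candidate in ("password", "password1", "p@ssw0rd", "g0ldf1sh", "crabcrab",
                      "qwerty", "12345", "911", "jsmith123", "Xk9#vT2q!mLp"):
        print(f"{candidate:14s} {weaknesses(candidate, personal_terms=('jsmith',))}")
```

An empty result only means none of these particular patterns matched, not that the password is strong; an accept/reject decision should combine this with a length requirement and, ideally, a check against lists of passwords exposed in past breaches.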