Creating a good password
Choosing a good password can be hard, but it is vital to ensuring you are fully protected online.
I. Passwords should never be:
- Any word in any dictionary, in any language
- Any formal name or nickname, including spouse's, children's, and pet's
- Any mythological or fictional character or race
- Any name of a place (city, country, crossroads, forest, or place of natural beauty), real or fictional
- Fictional terms
- Titles of movies, books, compositions
- The name of any author, composer, musician, actor
- Any special number
- Acronyms
- Phrases
- Fables or legendary characters or places
- Combinations of letters or patterns on the keyboard
- Religious figures, places, or events
- Anything you can imagine being collected into a list
(If a password fits in a list, you can presume someone has made up that list.)
II. Passwords should never be a simple algorithm applied against something in category I, such as:
- The "word" backwards
- Substituting numbers for vowels: r1ch2rd for richard
- Common substitutions for letters: 3 for e, as in mov3
- Appending or prefixing digits: apple639 or 123apple
- Appending or prefixing special characters: apple@ or $klingon
III. Passwords should not contain information that can be automatically gathered by knowing your user name:
- Your user name
- Your user index/number (for Unix the UID and GID)
- User name owner information (for Unix the gecos field) which commonly contains your name
- Information derivable from the above: your initials
(This category is similar to the first category. However, whereas category I is static, category III depends on your account information and is dynamic.)
IV. Passwords should not contain personal information about you that can be gathered if you are targeted:
- Your social security number
- Your student ID number
- Your phone number, your mother's phone number, your mother's maiden name
- Your passport number
- Your street address, the address where you were born
- Your license plate number
- Serial number from your camera, computer, stereo
In summary, a good password needs to be something that cannot be derived in a semi-automatic manner. Categories I-III represent known information or easily derived information that can be exhaustively applied by a computer to break your password. Category IV represents information that would be applied to specifically break your account, as opposed to any account on a machine. While this may seem like a very remote possibility, if you are ever personally targeted, it is potentially much more damaging to you.
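Because categories I-III can be applied by a computer, a password-change routine can run the same checks before it accepts a new password. The Python code below is an added example, not part of the original page; the word list, the substitution table, the sample account and the function names are all constructed for illustration.

```python
import re
import string

# Constructed stand-in for the category I lists; a real check would load
# large dictionaries and name lists.
WORDLIST = {"richard", "move", "apple", "klingon"}
# Common letter substitutions (category II). Assumed mapping, extend as needed.
SUBS = {"@": "a", "$": "s", "!": "i", "0": "o", "1": "il", "3": "e", "5": "s"}

def _pattern(text):
    """Regex in which each substituted character also matches the letters it may replace."""
    parts = []
    for ch in text:
        # Any digit may also stand for a vowel (r1ch2rd for richard).
        alts = SUBS.get(ch, "") + ("aeiou" if ch.isdigit() else "")
        parts.append("[" + re.escape(ch + alts) + "]" if alts else re.escape(ch))
    return re.compile("".join(parts))

def account_tokens(username, uid, gid, gecos):
    """Category III: strings derivable from the account record."""
    names = re.findall(r"[a-z]+", gecos.split(",")[0].lower())
    initials = "".join(n[0] for n in names)
    return {username.lower(), str(uid), str(gid), initials, *names}

def check_password(password, username, uid, gid, gecos, wordlist=WORDLIST):
    """Return the categories (I, II, III) the password falls into; empty means none matched."""
    pw = password.lower()
    hits = []
    if pw in wordlist:
        hits.append("I")
    else:
        # Undo prefixed/appended digits and special characters, then try reversal.
        core = pw.strip(string.digits + string.punctuation)
        candidates = {pw, core, pw[::-1], core[::-1]} - {""}
        if any(_pattern(c).fullmatch(w) for c in candidates for w in wordlist):
            hits.append("II")
    # Tokens shorter than 3 characters are skipped so that a one-digit UID or
    # two-letter initials do not reject nearly every password (assumption).
    if any(len(t) >= 3 and t in pw for t in account_tokens(username, uid, gid, gecos)):
        hits.append("III")
    return hits

if __name__ == "__main__":
    acct = ("rsmith", 1004, 100, "Richard J Smith,Room 12,555-0100")  # constructed account
    for pw in ["apple", "r1ch2rd", "mov3", "elppa", "apple639", "$klingon", "rsmith2024"]:
        print(pw, check_password(pw, *acct))
```

Category IV is not covered: the personal details listed there are not in the account record, so this check cannot see them.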