How to ... Select a Safe Password

Password Security is Important!

Applying the techniques outlined below make the length of time required to break a password prohibitively long.

Time required to break a password drops significantly as each letter is guessed, or other information is known about a password.

Password Standards and Complexity

As per the NIST Digital Identity Guidelineshttp://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf

  1. A password should never be reused.
  2. The longer the password, the harder it is to crack.
  3. While the new NIST standard does recommend the move away from comprehension rules (special characters, numbers, and upper and lower case letters), the recommendation is that this be done in conjunction with automated screening of new passwords (section 5.1.1.2: Memorized Secret Verifiers).  So, new passwords created would run against algorithms that attempt to crack them versus working against a set of comprehension rules.  The issue with the implementation of the standard, is the state of technology today.   Most username and password systems, including Trent’s, does not function this way yet.  So, removing the password comprehension rules would allow a password to be “aaaaaaaa” and in the absence of automated screening, this would pass.  This is problematic, but the software vendors will catch up and comprehension rules will be replaced with screening rules in software in time. 

Trent’s current standard calls for passwords that are;

  • at least eight characters long,
  • contain at least one upper case letter, and
  • contain at least one number.

How to Select a Good Password?

  1. Think of a sentence that is memorable, eg.  I usually take my daughter to the zoo on Sunday to see the elephants.
  2. Create a passphrase from this sentence that can be used as your password eg.  daughterzooSunday4elephants.  Remember that Trent’s current standards still calls for one number and one upper case letter.
  3. Test your password with a verified password checker eg.  The Password Meter: http://www.passwordmeter.com/

Do's and Do Nots
DO DO NOT
Use a password of 8 characters or longer.  THE LONGER THE BETTER. DO NOT choose only the first letter as uppercase. For example, Ont37bo is not as good as OnT37Bo. 
Use mixed case. DO NOT simply replace "o" and "O" with "0", and "I", "l" or "L" with 1.
Include one number DO NOT reuse old passwords
  DO NOT use your user id as your password
  DO NOT use any single word from a dictionary (of any language) as most forms of password attack use dictionaries as a basis for password guessing.
  DO NOT use birthdays, car registration numbers, room numbers, department names, machine names, locations, wife/husband's names, pet's names, children's names and so on.  These may be determined as most of this information is not confidential
  DO NOT allow anyone to watch while you type your password.
  DO NOT use keyboard patterns (which someone watching could easily spot) such as qwertyuiop, or duplicating characters such as aabbccdd.
  DO NOT use words from other guessable word sets, such as famous names, proper names, colloquial terms (in various spheres of life), so on.
  DO NOT use the same password on multiple accounts. If one is broken, then all are broken
  DO NOT just change one character in the password as this may be easily spotted if one of the passwords is compromised.
  DO NOT record your password; either on-line or written down.
  DO NOT tell anyone your password. Do not share your password with your co-worker, partner, your children, your friends.
  DO NOT communicate your password to a person either verbally, by electronic mail or by any other means.

You can see that there are a LOT more DO NOT's than DO's, but following these recommendations will keep your data as safe as possible. 

Eligibility

  • Students
  • Staff
  • Faculty
  • Alumni
  • Applicants
  • Guests
  • Retirees
  • Professor Emeriti

Service category

  • Security

Last updated

Friday, August 11, 2017 - 15:03