DePaul Information Services



Choosing a Strong Password

Passwords Defined

The computer security industry defines a password as a token of identity. Generally this token is used to authenticate users to computer systems, networks and applications using a "known secret" or piece of information unique to the individual. Passwords have become a way for an individual to prove their identity in a limited capacity. While other technologies exist to decrease the rate of error (biometrics, multiple authentication levels, etc.), passwords are the most common method available.

Why Choose a Strong Password?

A computer password is the first level of defense in protecting your computer, computer files and other data. Many attacks against computers rely on weak passwords based on dictionary words, birthdates and other "weak" methods.

It is important for us to define the different types of characters before moving on in this document. The following characters are found on a standard US101/104 keyboard and are usually available to applications and operating systems.

Type            Characters
Alpha           ABCDEFGHIJKLMNOPQRSTUVWXYZ
                abcdefghijklmnopqrstuvwxyz
Numeric         0123456789
Special         ~`!@#$%^&*()_+-={}|[]\:";'<>,.?/
Non-printable   ALT+012, CTRL+G, etc.


The best way to protect your computer is by choosing a "strong" password. But how can a strong password be chosen? Simple!
  1. Passwords should begin with an upper or lowercase alpha character.
  2. A password should be at least eight (8) characters in length. Longer passwords are encouraged as they are harder to guess or crack!
  3. Passwords should not be based on any dictionary words (any languages, slang terminology or technical terms), birthdates, passages from literature, song lyrics, computer names or your login ID. A general rule of thumb: if the string of characters is printed anywhere in any media, it can easily be guessed.
  4. A password should contain a mix of upper and lower case alpha characters, numerals and special characters.
  5. Passwords should not be shared between systems (see below).
  6. A password should be changed every three (3) to six (6) months.
  7. Passwords should never be written down -- they should be committed to memory and only reside there.
These short rules will get you started on choosing a strong password. Always remember that passwords should be fluently typed to combat those "shoulder surfers" who often like to gain access by watching your fingers on the keyboard. Note: It's not rude to ask a person to look away from the keyboard while you authenticate into a system!
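
A checker for rules 1 through 4 above, added here as an example; it is not code from DePaul Information Services. The function name, the login_id and wordlist parameters, and the four-letter threshold for dictionary words are assumptions of this example.

```python
import string

# Special characters exactly as listed in the page's character table.
SPECIAL = r"""~`!@#$%^&*()_+-={}|[]\:";'<>,.?/"""
MIN_LENGTH = 8  # rule 2


def check_password(password, login_id="", wordlist=()):
    """Return the page's rules (1-4) that `password` violates, as strings.

    Rules 5-7 (sharing, rotation, writing down) cannot be judged from the
    string itself. `wordlist` is a caller-supplied collection of lowercase
    dictionary words (an assumption of this example).
    """
    problems = []
    # Rule 1: begin with an upper or lowercase alpha character.
    if not password or password[0] not in string.ascii_letters:
        problems.append("rule 1: must begin with a letter")
    # Rule 2: at least eight characters.
    if len(password) < MIN_LENGTH:
        problems.append("rule 2: shorter than 8 characters")
    # Rule 3 (partial): reject the login ID and any listed word of four or
    # more letters, even when digits or symbols are wedged into it.
    lowered = password.lower()
    if login_id and login_id.lower() in lowered:
        problems.append("rule 3: contains the login ID")
    letters_only = "".join(c for c in lowered if c.isalpha())
    hits = sorted(w for w in wordlist if len(w) >= 4 and w in letters_only)
    if hits:
        problems.append("rule 3: contains dictionary word(s): " + ", ".join(hits))
    # Rule 4: mix of upper case, lower case, numerals and special characters.
    classes = {
        "uppercase": string.ascii_uppercase,
        "lowercase": string.ascii_lowercase,
        "numeral": string.digits,
        "special": SPECIAL,
    }
    missing = [n for n, chars in classes.items() if not any(c in chars for c in password)]
    if missing:
        problems.append("rule 4: missing " + ", ".join(missing))
    return problems


if __name__ == "__main__":
    # Constructed sample inputs; the first is the example password from this page.
    for pw in ("AMc,Il2gh!", "2short", "Dragon#Fire9"):
        print(pw, "->", check_password(pw, wordlist={"dragon", "fire"}) or "passes rules 1-4")
```

An empty result means only that rules 1 through 4 are met; the dictionary check is only as good as the word list supplied.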

Security Requires Inspiration

Now that you've read the rules and are ready to change all 19 passwords you use (we're always wishing for a perfect world!), it's time to generate a password. After authenticating to the computer or application, you start to think about a new password... and think... and think. It's not easy; we've been there and know how difficult it is to come up with crafty strings of letters.

A good solution is to generate a phrase or sentence that you can easily remember, then use that phrase as the inspiration for your password. We'll take the following sentence as our inspiration.

     As Mars comes closer, I long to go home!

Using a simple rule of taking first characters from the words of this phrase, we can generate a password such as:

     AMc,Il2gh!

That simple formula has produced a ten (10) character password that will protect you against most modern-day password-cracking programs for thousands of computing years.

Sometimes Sharing Isn't Good

Although most of us have been told, at some point in our lives, that sharing is good, it is not good when dealing with passwords. Why? Oftentimes a compromised computer will allow attackers to download "password hashes," or passwords stored using an irreversible algorithm. Unfortunately, those passwords can usually be discovered using numerous utilities within a matter of days.

The simple solution to this problem is to use a unique password for each application or computer system that you log into. As this list grows, you may be interested in using an application such as Pretty Good Privacy or the GNU Privacy Guard to secure your list of passwords with a common password. We have a tutorial available on installing and using PGP, and recommend you start there. Users interested in GnuPG should feel free to contact us for more information.

Feel Free to Contact Us

If you have questions regarding computer or network security, feel free to contact us with those questions. We will help in any way possible. Also, sign up for our computer and network security vulnerability alerting service; for more information, visit our Security Bulletins Website.





© 2001-2007 | DePaul University | Disclaimer | Webmaster
1 E. Jackson Chicago IL 60604 | 312-362-8000