A well-chosen password improves the security of your account, files, and computer. Given sufficient time and resources any password can be guessed. We can protect our resources by making our passwords as difficult to guess as possible, thereby increasing the amount of time required to guess them.
A password is only as good as it is unpredictable. One of the most common methods used to break into computer systems is to look at a list of the users and try to guess their passwords. It is a simple task to write a program which tries such obvious things as the user’s name (capitalized or not), common nicknames, the user’s phone number, and any word found in a standard dictionary.
One of the greatest strengths of a password comes from its variety. There are 47 keys on the standard US keyboard that have two possible output characters usable in a password, giving a total of 94 possible characters that can be easily chosen for use in your password. The more you make use of this variety, particularly the more obscure portions of it, the less likely it is that someone will guess your password quickly.
One of the greatest strengths of a password comes from its length. Probability theory tells us that each additional character in a password multiplies the amount of work a password guessing program must do to break your password. A three character password made up of only characters A through Z (in either upper or lower case) can be guessed in just over 140,000 tries. A password of 8 characters potentially using the full 94 character space would require over 722 quadrillion (1 quadrillion = 1,000 trillion) guesses.
A strong password combines length, variety and non-predictability.
Advice for Choosing a Strong Password
- Use at least one upper case letter (A-Z), digit (0-9), or punctuation character (such as the period, comma, dash, etc.)
- Use made-up words that could never be found in any (even foreign language) dictionary.
- Use a mix of upper and lower case characters
- Do NOT put special characters solely at the very beginning or end of the password.
- Do NOT use palindromes (sequences of characters that are the same forward and backward).
- Do NOT include runs of three or more characters (such as aaa).
- Do NOT use an identifiable sequence of numbers (patterns such as your Social Security number, birth date, telephone number, postal code, etc.).
- Do NOT include anything in your account information, such as your login name, email address, or initials.
- Do NOT use a common word, or any word that can be found in an English or foreign language dictionary.
- Do NOT use proper names or fictional characters.
- Do NOT use a simple left-to-right or right-to-left sequence of keyboard characters.
The Passphrase Concept
A password is only good if you are the only person who knows it. Since complex passwords are hard to remember, people often resort to writing them down, or else choose less complex passwords. To make it easier, we suggest you use passphrases in place of passwords.
A passphrase might be created by taking a sentence and selecting the first letter from each word. For example, consider the following sentence: “A good password is long, complex, unpredictable, and known only to me”. We could take just the first letter from each of these words to come up with the passphrase “agpilcuakotm”. It’s unlikely anyone will guess that is your password, but as long as you remember the phrase, you’ll always be able to type the password.
Make substitutions of characters to increase the complexity. The passphrase “agpilcuakotm” is not very complex. To help that, we can do two things. One, we can add the commas from the phrase into the passphrase to get: “agpil,c,u,akotm”. We can introduce random capitilization as well: “aGPil,c,u,akotm”, and finally make substitutions like using the equal sign for “is” and the number 1 for “only” to get “aGP=l,c,u,ak1tm”. It is very unlikely that anyone will guess this password randomly. It also has sufficient length to be a kerberos password even though the phrase used to create it was easy to remember.
Another common technique is to include the transposition of letters in the passphrase.
Recommended Password Rules for Administrators
Most modern operating systems provide a way for the administrator to require certain characteristics in a password before it can be set. It is recommended that you implement this feature and enforce the following guidelines:
- Require at least eight characters. Try not to limit the maximum length.
- Require the use of numbers, letters, and punctuation.
These requirements and more are required for BU Kerberos passwords.
These requirements are standard for systems using npasswd (IS&T installed Solaris and SGI systems and BU Linux systems for local passwords).
To set these requirements for your Windows users, read this.
Please also read our advice for Setting the Administrator password on Microsoft Windows systems.