Three Approaches to Creating and Protecting Strong Passwords
- Strong passwords are an important protection to help you have safer online transactions. The keys to password strength are length, complexity and time to refresh—especially length. An ideal password is long and has letters, punctuation, symbols, and numbers.
- Length: The minimum length required is 8 characters. If you choose to use the passphrase method, 15 characters or more are recommended in order to be effective (up to 30).
- Complexity: The greater the variety of characters in your password, the better (including uppercase, lowercase and special characters). Important: in our current environment, additional allowable characters that can add complexity are: * : ? (asterisk, colon, question mark)
Things to avoid when creating strong passwords
- Non-allowable special characters: any character other than * : ? (asterisk, colon, question mark).
- Beginning with a special character.
- Spaces and underscores.
- Dictionary words in any language.
- Words spelled backwards, common misspellings, and abbreviations.
- Sequences or repeated characters.
- Personal information: your name, username, birthday, driver's license or passport number, or similar information.
- Time to refresh: Change your password every 12 months.
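As an added illustration (not part of the original page), the following Python checker applies the rules above: the 8-30 character length, the three allowable special characters, no leading special character, no spaces or underscores, no sequences or repeated characters, and dictionary words forwards or backwards. The small wordlist and the `personal` argument are constructed assumptions standing in for a real dictionary and a user's own details.

```python
import string

# Rules as stated on the page for the Macalester environment.
MIN_LEN, MAX_LEN = 8, 30
ALLOWED_SPECIAL = set("*:?")
ALLOWED = set(string.ascii_letters + string.digits) | ALLOWED_SPECIAL
# Constructed stand-in for a real dictionary wordlist; a deployment would
# load a large list covering every language the user base speaks.
COMMON_WORDS = {"password", "welcome", "letmein", "macalester"}


def has_sequence(pw: str, run: int = 3) -> bool:
    """True if any `run` consecutive characters are identical ('222') or form
    an ascending/descending run ('abc', '321'), case-insensitively."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def check_password(pw: str, personal: tuple = ()) -> list:
    """Return the list of rule violations; an empty list means the password passes.
    `personal` is a hypothetical tuple of strings (name, username, birthday, ...)
    that must not appear anywhere in the password."""
    low = pw.lower()
    problems = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if " " in pw or "_" in pw:
        problems.append("spaces and underscores are not allowed")
    # Spaces and underscores are reported above, so exclude them here.
    bad = sorted({c for c in pw if c not in ALLOWED and c not in " _"})
    if bad:
        problems.append("non-allowable special characters: " + "".join(bad))
    if pw and pw[0] not in ALLOWED - ALLOWED_SPECIAL:
        problems.append("must not begin with a special character")
    if has_sequence(pw):
        problems.append("contains a sequence or repeated characters")
    if any(w in low or w[::-1] in low for w in COMMON_WORDS):
        problems.append("contains a dictionary word (forwards or backwards)")
    if any(p and p.lower() in low for p in personal):
        problems.append("contains personal information")
    return problems
```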
The main problem, of course, is that a password that is long and complex is also hard to remember. The methods below are ways to create strong passwords that can be remembered.
Method 1: Passphrase
Passphrases operate on the same principle as passwords and are used in exactly the same way. However, they differ from traditional passwords in two main ways:
- Passphrases are generally longer than passwords. While passwords can frequently be short (8 characters), passphrases have larger minimum lengths (15 characters) and, in practice, typical passphrases might be 20 or 30 characters long. Passwords/passphrases at Macalester can be up to 30 characters. This greater length provides more powerful security; it is far more difficult for a cracker to break a twenty-five-character passphrase than an eight-character password.
- The greater length of passphrases allows you to create a memorable phrase rather than a cryptic series of letters, numbers, and symbols. There are usually different rules for determining valid passphrases. Systems that use shorter passwords often disallow actual words or names, which are notoriously insecure; instead, your password is usually an apparently random sequence of characters.
A passphrase uses multiple natural words or phrases to construct the “password.” Because the characters that make up a word naturally have a relation to each other they can be thought of as atomic units. When you think of the word “chair” you don’t think of the letters c-h-a-i-r, you think of the single item you know to be a chair. So instead of thinking about a password as being made up of eight or nine characters, start to think of a passphrase as being made up of five or six words.
The added strength of a passphrase comes from its length. In fact, the six-word passphrase in the example is roughly equivalent to an eleven-character traditional password. The passphrase is superior, however, because we already know that people aren’t likely to remember an eleven-character password. So in effect, we’re getting the “strength” of a complex short password in a form that is easier for users to remember and easier for them to type.
Just as a traditional password is stronger when constructed of truly random characters, a passphrase is going to be stronger if it is made up of truly random words that have no relation to each other and make no sense as a true phrase. If this becomes too hard to remember, however, it is better to simply have a long memorable passphrase, perhaps with special character punctuation.
Finally, just as you wouldn’t want a single common word to be used for a traditional password, you don’t want a common phrase, lyric, title, quotation or cliché to be used as a passphrase.
While we’re not aware of any passphrase crackers that use pre-computed phrase dictionaries, creating one would be a trivial task. All of the following would be poor passphrases despite their use of added punctuation. Note: At Macalester these would not be allowable because spaces are not allowable.
- To be or not to be, that is the question.
- The early bird gets the worm.
- Look before you leap!
- He that is secure is not safe.
If you think a passphrase might be too common, consider misspelling at least one of the words.
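The two claims above, that a six-word passphrase is roughly as strong as an eleven-character password and that a well-known phrase is weak however long it is, can be checked with a few lines of arithmetic. This is an added example, not part of the original page; the wordlist size (7776, a standard Diceware-style list), the 95 printable ASCII characters and the one-million-entry phrase dictionary are assumptions chosen for illustration.

```python
import math

# Search-space sizes are assumptions for illustration, not figures from the page:
# 7776 words is the size of a standard Diceware-style list, 95 is the number of
# printable ASCII characters, and 1,000,000 is a guessed size for an attacker's
# pre-computed dictionary of quotations, lyrics and proverbs.
WORDLIST_SIZE = 7776
PRINTABLE_ASCII = 95
PHRASE_DICTIONARY_SIZE = 1_000_000


def bits_of_entropy(choices_per_symbol: int, symbols: int) -> float:
    """Entropy in bits of `symbols` independent, uniformly random picks from
    `choices_per_symbol` options (a word from a list, or a character from an alphabet)."""
    return symbols * math.log2(choices_per_symbol)


def average_guesses(bits: float) -> float:
    """Expected guesses needed to hit a secret of the given entropy: on average an
    attacker covers half the space. This is the figure generators quote (Method 3)."""
    return 2 ** bits / 2


def chars_equivalent(words: int, wordlist_size: int = WORDLIST_SIZE,
                     alphabet: int = PRINTABLE_ASCII) -> float:
    """Length of a uniformly random character password with the same entropy as
    `words` random words drawn from the wordlist."""
    return bits_of_entropy(wordlist_size, words) / math.log2(alphabet)


def phrase_dictionary_bits(dictionary_size: int = PHRASE_DICTIONARY_SIZE) -> float:
    """Effective entropy of a passphrase that is a well-known quotation: the
    attacker only has to try each entry of a phrase dictionary once."""
    return math.log2(dictionary_size)


def compare(words: int, chars: int) -> dict:
    """Side-by-side summary of a random passphrase and a random character password."""
    return {
        "passphrase_bits": round(bits_of_entropy(WORDLIST_SIZE, words), 1),
        "password_bits": round(bits_of_entropy(PRINTABLE_ASCII, chars), 1),
        "passphrase_as_chars": round(chars_equivalent(words), 1),
        "quotation_bits": round(phrase_dictionary_bits(), 1),
    }


if __name__ == "__main__":
    # Six random words versus eleven random printable characters.
    print(compare(6, 11))
```

With these assumptions six random words carry about 77.5 bits, an eleven-character random password about 72.3 bits, and a quotation drawn from a million-entry phrase list only about 20 bits.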
Method 2: First Letter Mnemonic
Use the first letter of words in familiar sentences.
| WHAT TO DO | SUGGESTION | EXAMPLE |
| --- | --- | --- |
| Start with a sentence or two (about 10 words total). | Think of something meaningful to you. | Long and complex passwords are safest. I keep mine secret. (10 words) |
| Turn your sentences into a row of letters. | Use the first letter of each word. | lacpasikms (10 characters) |
| Add complexity. | Make only the letters in the first half of the alphabet uppercase. | lACpAsIKMs (10 characters) |
| Add length with numbers. | Put two numbers that are meaningful to you between the two sentences. | lACpAs56IKMs (12 characters) |
| Add length with special characters. | Put special characters on each side of the numbers. | lACpAs?56*IKMs (14 characters) |
You can make up your own “rules” (e.g., when to use uppercase vs. lowercase, where to stick special characters, etc.), but as long as you’re consistent it should be easy to remember your passwords.
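The table's steps, written out as a small Python procedure so that the "rules" can be applied consistently to any pair of sentences. This is an added example, not part of the original page; the numbers and special characters default to the page's own example values. Note that applying the casing rule literally also uppercases the leading "l" (it is in the first half of the alphabet), which the page's example leaves lowercase; the output otherwise matches the table.

```python
# Letters a-m: the table's rule uppercases only these.
FIRST_HALF = set("abcdefghijklm")


def first_letters(sentences: list) -> list:
    """Step 2: one string of first letters per sentence, e.g. ['lacpas', 'ikms'].
    Tokens that do not start with a letter (stray numbers, punctuation) are skipped."""
    return ["".join(w[0].lower() for w in s.split() if w[0].isalpha())
            for s in sentences]


def apply_case_rule(letters: str) -> str:
    """Step 3: uppercase only the letters in the first half of the alphabet."""
    return "".join(c.upper() if c in FIRST_HALF else c for c in letters)


def build_mnemonic(sentences: list, numbers: str = "56",
                   left: str = "?", right: str = "*") -> str:
    """Steps 2-5 of the table: join the per-sentence letter groups with the
    numbers, wrapped in the two allowable special characters, placed between
    sentences. With more than two sentences the separator goes between each pair."""
    groups = [apply_case_rule(g) for g in first_letters(sentences)]
    return f"{left}{numbers}{right}".join(groups)


if __name__ == "__main__":
    print(build_mnemonic(["Long and complex passwords are safest.",
                          "I keep mine secret."]))
```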
Method 3: Use a Password or Passphrase Generator
- Authenticator Password Generator can randomly generate 10 strong passwords securely for you to choose from. It also gives you the number of guesses it will take, on average, to guess the passwords generated. For more information, see Where can I get a randomly generated strong password?
- Passphra.se generates a series of words you can use as a passphrase.
How to Protect Your Passwords
The easiest way to "remember" passwords/passphrases is to write them down. It is okay to write passwords or passphrases down, but keep them in a secure safe place such as in your wallet with your credit cards.
COMMON PASSWORD PITFALLS TO AVOID
Cyber criminals use sophisticated tools that can rapidly decipher passwords. Avoid creating passwords using:
- Dictionary words in any language. Single words in all languages are vulnerable.
- Words spelled backwards, common misspellings, and abbreviations. Words in all languages are vulnerable.
- Sequences or repeated characters. Examples: 12345678, 222222, abcdefg, or adjacent letters on your keyboard (qwerty).
- Personal information. Your name, birthday, driver's license, passport number, or similar information.
FIVE TIPS TO HELP KEEP YOUR PASSWORDS SECRET
Treat your passwords with as much care as you treat the information that they protect. Use strong passwords or passphrases to log on to your computer and to any site where you enter your credit card number, or any financial or personal information—including social networking sites.
- Never provide your password or passphrase over email or in response to an email request.
Internet "phishing" scams use fraudulent email messages to entice you to reveal your user names and passwords, steal your identity, and more. Learn more about phishing scams and how to deal with online fraud.
- Do not type passwords/passphrases on computers that you do not control.
Computers such as those in Internet cafes, computer labs, kiosk systems, conferences, and airport lounges should be considered unsafe for any personal use other than anonymous Internet browsing. Cyber criminals can purchase keystroke logging devices which gather information typed on a computer, including passwords and passphrases.
- Don't reveal passwords to others.
Keep your passwords/passphrases hidden from friends or family members (especially children) who could pass them on to other, less trustworthy individuals.
- Protect any recorded passwords or passphrases.
Don't store passwords or passphrases on a file in your computer--criminals will look there first. Keep your record of the passwords and passphrases you use in a safe, secure place.
- Use more than one password.
Use different passwords and/or passphrases for different Web sites and services. Test your password and/or passphrase with a password checker. Check your password or passphrase for strength by going to: https://www.microsoft.com/security/pc-security/password-checker.aspx