Information Services & Technology

Creating Good Passwords

security@csuohio.edu
Creating good passwords can be problematic. Some like to create long passwords with embedded special characters, <<-xFn5 for example. Because these passwords are so hard to remember, they’re written down, which defeats the purpose of a complex password. Others go to the opposite extreme and create passwords that are very easy to guess: Jennifer, for example, or, worse yet, password.

So what’s a good password, and how do I come up with one? Here are some simple rules and suggestions that make creating and remembering passwords easy while keeping them hard to crack.

First, don’t choose a password that’s eight characters or fewer. All combinations of eight-character passwords and their hashed equivalents are available in cracker databases. For the non-technical, this means that every combination of eight characters or fewer has been generated, stored in a database, and translated to its encrypted equivalent. With this database, a hacker can translate an encrypted password to its unencrypted equivalent in a fraction of a second. Therefore, choose a password that’s at least ten characters long, and preferably longer.

    1. Use lower case, upper case, numbers, and special characters when creating passwords. In general, the greater the variety of characters you use, the more secure a password is. Therefore, mydogisamutt is less secure than MyDogisaMutt, which is less secure than M!d0GiZ@mu7T. Remember, use more than eight characters.

    2. Use the first letters of a phrase to create your password. Remembering a phrase is easier than remembering a random list of characters. “Smells Like Teen Spirit by Nirvana is a great song!” is easier to remember than SLTSbNiagr8s!, the first-letter equivalent (more or less) of the phrase. The resultant password is quite good.

    3. Use multiple words to make a password. Dictionary attacks are password guesses taken from a dictionary. Combining words renders this type of attack useless. King and forest are bad passwords for a number of reasons, but KingoftheForest is much better.

    4. Convert words to numbers using a phone keypad. KingoftheForest could be translated to 5464oftheForest to make a good password even better, yet still memorable.

    5. Turn remembrances into passwords. Do you have a favorite memory that you think of often, but don’t share with anyone? Can you think of words that describe the memory? Here are some examples:

    • The title of your favorite poem, or a few selected words; JAlfProofrock, for example.
    • Several objects from your favorite movie; RubySlippersDorothy, for example.
    • Some terms from a favorite memory; ThanksgivingGma’s, for example.
    • Words from your favorite sport; Fore!holein1, for example.

    6. Separate two words with numbers or special characters. Going and home can be made into going==>home.

    7. Use different passwords for different systems. You should use different passwords for different computer systems. In other words, your gmail.com account password should not be the same as your hotmail.com or yahoo.com account passwords. How can we keep our passwords different yet still memorable? It’s easier than you might think if you prefix or suffix the name of the account to a common stem password. Here’s what I mean: let’s say your password is Smiley;-)Faces and you have the following accounts: hotmail.com, facebook.com, and CSU email. Here are some passwords that you can use:

                    Site:           Password:
                    hotmail.com     Smiley;-)Faces.h
                    facebook.com    Smiley;-)Faces.f
                    CSU email       Smiley;-)Faces.c

    You could also prefix the passwords with ‘h.’, ‘f.’, etc. instead of putting the identifier at the end. If you have a yahoo.com account and a yalta.com account, then you could prefix or suffix the root password with two, three, or more characters to get a unique identifier for each system. Be consistent, though. Don’t use ‘.h’ for one account and ‘.fa’ for another. The system that you use for creating the suffixes (or prefixes) must be consistent. This way you don’t have to remember the individual suffixes; you only have to remember the system, which is easier.

    8. Use different passwords for different types of sites. Some accounts are more important than others. If you use the same password for your parakeet appreciation account that you do for your bank, then a rogue system administrator may cause you headaches. With this recommendation, you’re changing the root password, and leaving the suffix (or prefix) creation system the same. Consider having different passwords for banking, eCommerce, and community sites.

    9. Change your password frequently. You should change your password often, at least every ninety days.

Okay, those were ideas on how to create good passwords. Here are some things that you should keep in mind NEVER to do:
  • Never make your password the same as your User ID.
  • Never make your password something that is commonly known about you (your hobbies, for instance: golfgolf, fishing!, backgammon, etc.).
  • Never make your password your birth date, address, or Social Security Number.
  • Never make your password any word in the dictionary in any language.
  • Never make your password any word in the dictionary with simple character substitution (0 for O, 1 for L, 3 for E, and so on).
  • Never make your password any sample password in this document. You’ll have to think of your own.
  • Never write your password down.
  • Never tell anyone your password.
  • Never make your password an offensive name. In those rare instances that you’re unavailable and your boss needs access to your computer, won’t you be embarrassed if your password is MyBossIsAn*ss!.h (or worse)?
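The length and character-variety rules at the top of this page and the NEVER list above are the kind of policy an account system can enforce automatically at password-change time. The Python checker below is an added example written for this page; it is not a tool from Cleveland State University or its IT department. Its word list, its list of the page’s sample passwords, the substitution map and the three-class threshold are constructed assumptions; a real deployment would load full dictionaries (in every language, as the rule says) from disk. The search_space_bits function also reproduces the comparison in rule 1 (mydogisamutt versus MyDogisaMutt versus M!d0GiZ@mu7T) as a bit count, so the ranking can be tested rather than asserted.

```python
import math
import re
import string

# Constructed stand-ins; a real checker loads full word lists from disk (assumption).
DICTIONARY = {
    "password", "jennifer", "king", "forest", "golf", "fishing",
    "backgammon", "welcome", "summer", "dragon",
}
# Sample passwords printed in the guidance: the page says never to reuse any of them.
SAMPLE_PASSWORDS = {
    "mydogisamutt", "MyDogisaMutt", "M!d0GiZ@mu7T", "SLTSbNiagr8s!",
    "KingoftheForest", "5464oftheForest", "going==>home", "Smiley;-)Faces",
    "JAlfProofrock", "RubySlippersDorothy", "Fore!holein1",
}
# The "simple character substitutions" the page warns about (0 for O, 1 for L, 3 for E, ...).
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})
DECORATION = string.punctuation + string.digits + " "   # trailing "!" or "1" on a word

MIN_LENGTH = 10    # page: at least ten characters
MIN_CLASSES = 3    # assumption: at least three of the four character classes

# Regex for each class and the size it adds to the brute-force alphabet.
CLASS_PATTERNS = {
    "lowercase": (r"[a-z]", 26),
    "uppercase": (r"[A-Z]", 26),
    "digits": (r"[0-9]", 10),
    "special": (r"[^A-Za-z0-9]", 33),   # printable ASCII punctuation and space
}


def classes_used(password):
    """Names of the character classes that appear in the password."""
    return [name for name, (pat, _) in CLASS_PATTERNS.items() if re.search(pat, password)]


def search_space_bits(password):
    """log2 of the brute-force search space implied by length and alphabet size."""
    alphabet = sum(size for _, (pat, size) in CLASS_PATTERNS.items() if re.search(pat, password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def normalize(password):
    """Strip decorating punctuation/digits and undo simple substitutions, so that
    g0lf! or fishing1 collapse to the dictionary word they were built from."""
    return password.lower().strip(DECORATION).translate(LEET_MAP)


def check_password(password, user_id, dictionary=DICTIONARY, samples=SAMPLE_PASSWORDS):
    """Return the list of rules the password breaks; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(classes_used(password)) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    if password.lower() == user_id.lower():
        problems.append("same as user ID")
    if password in samples:
        problems.append("is a sample password from the guidance document")
    core = normalize(password)
    half = len(core) // 2
    if core in dictionary:
        problems.append("dictionary word, possibly with simple substitutions")
    elif half and core[:half] == core[half:] and core[:half] in dictionary:
        problems.append("dictionary word repeated")   # catches golfgolf
    return problems


if __name__ == "__main__":
    for pw in ["password", "g0lf!", "KingoftheForest", "Bl!nking=Pengu1n-Cafe"]:
        bits = round(search_space_bits(pw), 1)
        print(f"{pw!r}: {bits} bits, problems: {check_password(pw, 'jsmith')}")
```

The normalization step is deliberately applied before the dictionary lookup rather than instead of it: a password that passes the length and class rules can still be one decorated word, which is exactly the case rule 5 in the NEVER list describes. Extending the checker to the per-site suffix scheme from rule 7 is a matter of stripping a known suffix pattern before running the same checks on the stem.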