Guidelines For Choosing a Good Password
IT Security Office (ITSO), San Diego State University
It is easy to break into any account with a "bad" password. Such break-ins compromise the whole system, so all users must bear the resposibility of choosing good passwords.
- The "best" passwords contain a mixture of uppercase letters, lowercase letters, numbers and punctuation (e.g. "lap5Dog%", "Whoosh?", "sUpEr8", "BIGpig!!"). The first characters of a memorable phrase in mixed case with additional numbers/punctionation would make a good password. For example, Mary had a little lamb: "5Mhall!"
- A password should be at least six characters long, preferably seven or eight. Anything beyond eight characters will be ignored.
- Any typeable characters are acceptable.
- The case of a letter is significant (e.g. "Sparc" and "sparc" are different. This is generally true in Unix).
- DO NOT use anything that can be found in any dictionary (e.g. "vorticity", "encomia", "Mervin" are obscure but they occur in common dictionaries so they should be avoided). This includes foreign words, slang, jargon, and proper names (e.g. "sayonara", "reboot", "Keohane").
- Avoid any names, words, numbers or abbreviations that can be found in your personal data (e.g. social security numbers, maiden names, name of relatives, any dates).
- Avoid passwords that can be "guessed" by knowing something personal about you. This includes nicknames, names of pets, names of significant others, anything from your favorite TV show (Trekkies beware!), your favorite book, lines from your favorite songs, etc. (e.g. "Picard", "NCC1701D", "Sparky").
- Avoid simple variants or permutations of any of the above (e.g. S's replaced by 5's, E's replaced by 3's, O's replaced by 0's, your name backwards, your login name repeated or backwards).
- DO NOT share your password or write it down anywhere accessible. System Administrators can give you a new temporary password if you forget it. You must change this immediately, using the UNIX passwd program.
- Change your password periodically.
- Users who have accounts at other sites should use a unique password for each account, in order to contain the damage done if one of the passwords is compromised.
- Do not use any passwords used in this document!