Guidelines for good passwords

The security of our cluster relies in large part on the security of users' passwords. Passwords are checked regularly for strength and users with weak passwords may be locked out.

Understanding the threat

Computers connected to the Internet are almost constantly under attack. Many of these attacks come from automated "bots" that attempt to guess passwords, either by trying common words or simply by trying random combinations of characters. The goal is to break into accounts so that the compromised accounts can then be used to send spam or to break into other machines.

Things to avoid

Some passwords are particularly easy for automated programs to guess. Avoid using the following as passwords:

  1. Your username, or a derivative of your username (e.g., your username backwards or with a number on the end).
  2. The word "password".
  3. Your name.
  4. Single, common words. A word like "something" is a very weak password. "something1" isn't really much better. While trying an entire dictionary's worth of passwords would be very tedious for a human, it's trivial for a computer program.
  5. Sequences of adjacent keys on the keyboard (like "qwerty").

How to pick a good password

Besides avoiding the problems noted above, a good password should meet the following criteria:

  1. It should be at least 8 characters long. This makes brute-forcing the password by trying random character sequences less practical. Generally speaking, the longer the better.
  2. It should either consist of multiple words, or contain numbers and punctuation marks.

The best way to create a strong, memorable password is to use a three- or four-word passphrase that is memorable to you, but not an obviously common sentence; this XKCD cartoon points out why. Much of the password advice you'll read elsewhere (suggesting using short nonsense words and replacing letters with numbers) is based on obsolete systems that only allow 8-character passwords. On our system your password may be up to 79 characters long and may contain spaces.
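The "things to avoid" list and the two criteria above can be expressed as a simple policy check, of the kind a strength checker run over users' passwords would apply. This is an added example, not the cluster's own checking tool; the common-word list, the keyboard rows, and the username/full-name parameters are assumptions constructed for illustration.

```python
import re

# Constructed sample word list standing in for the dictionary a cracking bot
# would try; the page itself names "password" and "something".
COMMON_WORDS = {"something", "welcome", "letmein", "dragon", "monkey"}
# Keyboard rows used to spot adjacent-key sequences such as "qwerty".
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
MIN_LEN, MAX_LEN = 8, 79  # the page's stated minimum and maximum length


def _keyboard_run(pw: str, length: int = 4) -> bool:
    """True if pw contains `length` adjacent keys from one row, either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - length + 1):
            seg = row[i:i + length]
            if seg in low or seg[::-1] in low:
                return True
    return False


def check_password(pw: str, username: str, full_name: str = "") -> list:
    """Return the list of guideline violations; an empty list means it passes."""
    problems = []
    low, user = pw.lower(), username.lower()
    stem = re.sub(r"\d+$", "", low)  # strip a trailing number ("something1")
    # Things to avoid 1-3: username (also reversed / with digits), "password", name
    if stem in (user, user[::-1]):
        problems.append("username or a derivative of it")
    if stem == "password":
        problems.append('the word "password"')
    if any(p.lower() in low for p in full_name.split() if len(p) > 2):
        problems.append("contains your name")
    # Things to avoid 4-5: a single common word, keyboard sequences
    if stem in COMMON_WORDS:
        problems.append("single common word (with or without a trailing number)")
    if _keyboard_run(pw):
        problems.append("keyboard sequence")
    # Criteria: length 8..79, and several words or digits plus punctuation
    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    has_digit = any(c.isdigit() for c in pw)
    has_punct = any(not c.isalnum() and not c.isspace() for c in pw)
    if len(pw.split()) < 2 and not (has_digit and has_punct):
        problems.append("neither multiple words nor digits plus punctuation")
    return problems
```

A four-word passphrase such as "correct horse battery staple" passes every check, while "something1" fails both the single-word rule and the digits-plus-punctuation criterion.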

Remembering your password

Even with a good mnemonic, remembering your password is sometimes difficult. If you feel the need to write it down, do so, but do not store the password on or near your computer. I often suggest that people write it on a slip of paper and put it in their wallet. Naturally, if you do this and then lose your wallet you should change your password. ;)

If you happen to forget your password it can be easily reset. Just email linghelp@u from your UW email account, and a new temporary password will be emailed to you.

Topic revision: r2 - 2011-08-10 - 17:40:32 - brodbd
