Protect Your Password

Don't give away the keys to your castle

Passwords poster from Indiana University

Copyright Trustees of Indiana University, 2006

There are two ways to ensure you protect your password. Tips for doing both are below.

  1. Choose a strong password in the first place.
  2. And guard it very closely.

First step: Choose a good one.

Many people use ineffective passwords. Don’t be one of them! The more complex your password, the more likely it is to withstand attempts to crack it.

You may not realize that identity thieves and criminals often utilize sophisticated computer programs that enable them to test hundreds of thousands of possible passwords per minute. If yours is weak, it can be cracked in a matter of seconds—and your private information is susceptible. Some common password mistakes that people make include:

  • Making their password “password.” Duh!
  • Simply adding a number to the beginning or end. This takes only a little more effort to crack than the basic word.
  • Using sequences like “987654321” or “abcdefg”—or adjacent runs on the keyboard, like “qwerty.” Not complex enough.
  • Substituting similar symbols for letters, like “$tr33tcar” (streetcar). Advanced password-cracking methods check for this.
  • Spelling words “sdrawkcab” (backwards). That trick is well-known.
  • Using repeated characters more than twice, such as “3zzz4nnn.” Again, too easy.

Some basic “Do’s” and “Don’ts” to guide you in creating the best possible password are below.

Don’t:

  • Use your login name in any form (e.g., as-is, reversed, capitalized, doubled, etc.).
  • Use your spouse’s or child’s or your own name or initials in any form.
  • Use other information easily obtained about you (e.g., license plate numbers, telephone numbers, Social Security numbers, the brand of your car, your pet’s name, your favorite band or sports team, the name of the street you live on, your hobby, etc.).
  • Use a password of all digits, or all the same letter. Both significantly decrease the search time for an intruder.
  • Use a word contained in any dictionary in any language.
  • Use a password shorter than seven characters.
  • Use any of the sample passwords, good or bad, mentioned in this document!

Do:

  • Use a password with mixed-case letters (e.g., AaBb) and use upper-case letters in the middle and/or end, not just the beginning.
  • Use a password with some non-alphabetic characters (e.g., digits or punctuation).
  • Use a password that is easy to remember, so you don’t have to write it down.
  • Use a password that you can type quickly, without having to look at the keyboard. This makes it harder for someone to steal your password by watching over your shoulder.
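
The common mistakes and the Do/Don't rules above can be checked mechanically when a password is chosen. The sketch below is an added example, not part of the original campaign material; the tiny word list, the symbol-substitution table and the finding names are assumptions made for illustration.

```python
import re

# Constructed stand-in for a real dictionary; a deployment would load a large wordlist.
WORDS = {"password", "streetcar", "backwards", "dragon", "monkey"}
# Symbol-for-letter swaps of the kind shown in "$tr33tcar" (assumed mapping).
LEET = str.maketrans("$35@401!7", "sesaaoiit")
# Alphabet, digit and keyboard rows, scanned forwards and backwards.
ROWS = ["abcdefghijklmnopqrstuvwxyz", "0123456789", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
ROWS += [r[::-1] for r in list(ROWS)]


def variants(s):
    """Lower-cased, reversed and de-substituted spellings of s."""
    low = s.lower()
    plain = low.translate(LEET)
    return {low, low[::-1], plain, plain[::-1]}


def has_run(pw, n=4):
    """True if any n consecutive characters follow a row in ROWS."""
    low = pw.lower()
    return any(low[i:i + n] in row for i in range(len(low) - n + 1) for row in ROWS)


def audit(password, login=""):
    """Return the list of rule violations; an empty list means none were found."""
    low, found = password.lower(), []
    if len(password) < 7:
        found.append("too-short")
    if password.isdigit() or len(set(low)) == 1:
        found.append("all-digits-or-one-char")
    if login and (login.lower() in low or login.lower()[::-1] in low):
        found.append("contains-login")
    core = password.strip("0123456789")  # drop a number added at either end
    if (variants(password) | variants(core)) & WORDS:
        found.append("dictionary-word")
    if has_run(password):
        found.append("sequence-or-keyboard-run")
    if re.search(r"(.)\1\1", password):
        found.append("repeated-char")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        found.append("no-mixed-case")
    if password.isalpha():
        found.append("no-non-alphabetic")
    return found
```

An empty result only means none of these particular rules fired; it does not prove the password is strong.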

Good passwords are difficult to crack, yet easy to remember

Now you may be thinking, “How could I possibly come up with a password that meets all these requirements, yet that I can remember and type quickly? If the password is sufficiently difficult to crack, I will need to write it down!”

But it’s not a good idea to write down passwords, as someone else can find the paper you have written it on (or the file you have put it in) and digitally impersonate you.

It is possible to come up with a better password that you can still easily remember. For many people, the key is to generate a pronounceable nonsense word or mnemonic device, which is easier to remember than simply random characters.

Some suggestions to help you come up with a stronger password—one that is difficult to crack, yet easy to remember:

  • Choose two short, unrelated words (like your favorite exercise, animal, flower, or weather, for example) and join them with an arbitrary number and/or symbol. Examples: “jump3$lily” or “dog+rain”.
  • Use first letters of a sequence. For example: your nephews (named Jeremy, Roger, and Allen) and their ages: “8Je9Rog12Alle”.
  • Make a really long password from a sentence. Examples: “IwentskydivinginApril87” or “0416istheBostonMarathon”.
  • Select a line or title of a song or poem, and use the first letter of each word. For example: “Who ya gonna call? Ghost Busters!” would produce “Wygc?GB!” or “You can’t always get what you want” yields “Ycagwyw.” Even better, throw in a number or punctuation mark in the middle: “Ycag$wyw”.
  • Alternate between one consonant and one or two vowels, up to eight characters. This creates nonsense words that are still usually pronounceable, and thus easily remembered. Examples: “routboo,” “quadpop,” and so on.
  • Consider treating your password as multiple parts: a central core and a prefix and/or suffix when needed that is specific to the service the password protects. For example: your core might be “gPw4” (that is, “generic Password for...”) and then if it’s a password for a newspaper website like the New York Times, you might choose to add “NYt” to the beginning or end of the password (“NYtgPw4”), while your password for eBay auctions might be “gPw4eBa” and your Yahoo! email password could be “gP4Y!e”.
  • Generate your own scheme very methodically. Start with a word, delete some character, perhaps the vowels. Throw in some numbers or punctuation. Continue making the rules for yourself. Choose something that would seem totally random to someone else but that makes sense to you. Use your imagination!
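
Two of the suggestions above, the first-letter mnemonic and the consonant/vowel nonsense word, are simple enough to automate. This is an added example, not the campaign's own password generator; the function names are hypothetical, and Python's `secrets` module is used so the random choices come from a cryptographically secure source.

```python
import secrets

CONSONANTS = "bcdfghjklmnpqrstvwxz"
VOWELS = "aeiou"


def pronounceable(max_len=8):
    """Alternate one consonant with one or two vowels, up to max_len characters."""
    out = ""
    while len(out) < max_len:
        vowels = "".join(secrets.choice(VOWELS) for _ in range(secrets.choice((1, 2))))
        chunk = secrets.choice(CONSONANTS) + vowels
        if len(out) + len(chunk) > max_len:
            break  # the next syllable would not fit
        out += chunk
    return out


def first_letters(line):
    """First letter of each word, keeping punctuation that ends a word."""
    out = ""
    for word in line.split():
        out += word[0]
        if len(word) > 1 and not word[-1].isalnum():
            out += word[-1]
    return out


if __name__ == "__main__":
    print(pronounceable())
    print(first_letters("Who ya gonna call? Ghost Busters!"))
```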

Second step: Keep it safe.

Once you’ve created a strong password, continue with the suggestions below to keep it safe:

  • Never share your password with anyone. This includes family, friends, significant others, computer support people, and bosses. If you need someone to read your email, many email programs (for example, Outlook) allow you to use a “delegates” feature to enable certain persons to do so without using your password. Check with your email provider.
  • Never say “yes” when your browser asks you if you’d like to save your password. Although it’s convenient, it’s not a good idea—especially when the computer you are using is shared. Some computer viruses can even recover your passwords from your Internet browser and then e-mail them to random people or post them publicly on the Internet. stop this from happening in the future and to remove passwords that are already stored.
  • Never write your password down. And if you absolutely must write down a new password the first time or two you use it and until you can remember it easily, be sure you keep it in a very safe, hidden place—not a sticky note stuck to your computer or your desk! Then, shred it—don’t just toss it in the trash—once you’re done.
  • Never send your password in email, even if the request looks official. If you receive e-mail from someone claiming to be your systems administrator, requesting your password because they supposedly need access to your files, ignore it. This is a popular phishing scam. Remember, your computer support people will never ask you for your password for any reason. If someone must ask you to change your password so that they can gain entry to your account, they do not have reason to be there!
  • Change your password often. This is important, particularly for passwords that protect highly sensitive data. And if you ever suspect your password has been compromised, change it immediately!