New Mexico State University

ICT Security Recommendations and Warnings

Using Good Passwords

Why Should I Care about Password Security?

Your username and password give you access to everything on your computer. Every time you connect, you must provide the magic word; you must prove you're who you say you are. Should someone else guess or steal your password, he or she can masquerade as you, which means the intruder would then have access to your files, your e-mail, your funds, your personal information, or whatever else may be stored on your system. This intruder will have the power to modify or destroy your files, to send electronic mail threats in your name, or to subscribe to unwanted services for which you'd have to pay. In short, an insecure password can easily wreak havoc in your life.

And you won't be the only person affected by a stolen password. Other users on networks across the Internet could be affected as well. Once an intruder with the necessary knowledge, experience, and tools gains entry to a system, he or she may be able to monitor other machines and systems on the same network and capture information about local users logging on to those machines. And if these users then connect to other networks, the intruder has the potential to penetrate and monitor the remote systems to which the local users connect, thereby increasing the likelihood of a breach in the security of those systems as well.

How Are Passwords Stolen?

Security experts at Carnegie Mellon University estimate that more than a million passwords have already been stolen on the Internet. One has to ask why this happens so frequently. Part of the answer is that hackers have many tools, such as dictionary programs and sniffers, to assist them. A hacker will launch a dictionary attack by passing every word in a dictionary (which can contain foreign-language words as well as the entire English vocabulary) to a login program in the hope that one of them will eventually match the correct password. A sniffer can capture the traffic leaving your machine, including any password it carries.

But a large portion of the blame falls on the users themselves. They willingly share their passwords. More important, users are too predictable in their choice of passwords. Left to their own devices, users often choose a password that is too short or too easy to guess.

Passwords are about identity. We tend to reveal ourselves in our passwords. We often choose the name or birth date of a loved one; we use our address, telephone number, or Social Security number; we use the name of a favorite artist, actor, or author. Or we are wise enough to avoid any personal references but choose a word that is ridiculously short, a dictionary word, a name or word spelled backward, or an alphabet or keyboard sequence. Just because we think a foreign word is obscure doesn't mean that it isn't in a dictionary somewhere. The point is that all of these types of words are easily guessed, which makes the job of password cracking straightforward.

What Are the Guidelines for Choosing a Password?

To avoid problems, follow these basic guidelines when choosing your password:

* Use at least seven characters; the more characters, the better (as long as you can remember them). You can use up to 63 characters, so be creative.

* Make your password easy for you to remember but hard for someone else to guess. Picking letters from a phrase that's meaningful to you may be the source for a good password. In this way, your password is really a "pass phrase." ("Do you know the way to San Jose?" could be D!Y!KtwTSJ?)

* Intersperse punctuation marks or symbols such as #, $, %, etc. Do not use a blank space.

* Always use a mixture of upper- and lowercase characters.

* Never write down your password; someone else might see it.

* Select a unique password. Do not use a password that you are using for some other purpose, such as your PIN at the bank or your password to another system.

What Are Some Strategies for Choosing a Good Password?

Use lines from a childhood verse:
Verse Line: Yankee Doodle went to town
Password: YDwto#town

Expressions inspired by the name of a city:
City Expression: I love Paris in the springtime
Password: ILpinST

City Expression: Chicago is my kind of town
Password: CimYKot

Foods disliked during childhood:
Food: rice and raisin pudding
Password: ricNraiPudng

Food: boiled broccoli
Password: boi%Brocc

Transformation techniques:
Technique: Transliteration
Illustrative Expression: photographic
Password: foTOgrafik

Technique: Interweaving of characters in successive words
Illustrative Expression: iron horse
Password: ihrOrnSe

Technique: Interweaving of characters in successive words
Illustrative Expression: file drawer
Password: FdirLawer

Technique: Substitution of synonyms
Illustrative Expression: coffee break
Password: jaVa*rest

Technique: Substitution of antonyms
Illustrative Expression: stoplight
Password: starTdark

Note: Obviously, you shouldn't use any of the passwords used as examples in this brochure. Treat these examples as guidelines only.

How Can I Avoid a Bad Password?

Avoid passwords that would be easy for anyone to guess.

Don't use:

* Dictionary words (mackerel, dandelion, millionaire).

* Foreign words (octobre, gesundheit, sayonara).

* Simple transformations of words (tiny8, 7eleven, dude!).

* Names, doubled names, first name and last initial (mabell, kittykitty, marissab).

* Uppercase or lowercase words (MAGAZINE, licorice).

* An alphabet sequence (lmnop) or a keyboard sequence (ghjkl;).

* Very short words or just one character (dog, *, hi!, me, love).

* Words that have the vowels removed (sbtrctn, cntrlntllgnc).

* Phone numbers.

* Numbers substituted for letters, like a zero instead of the letter O or a number 1 in place of the letter l.
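The guidelines for choosing a password and the list of passwords to avoid, turned into a checker as an added example that is not part of the NMSU brochure: it reports which of the brochure's rules a candidate breaks. The short word list, the four-character sequence length and the digit-for-letter map are constructed assumptions for the example.

```python
import re
import string

# Brochure limits: 7 to 63 characters, upper- and lowercase, a symbol, and no blank space.
MIN_LEN, MAX_LEN = 7, 63
# Constructed stand-in for a real word list; a deployment loads full English and foreign dictionaries.
WORDLIST = {"mackerel", "dandelion", "millionaire", "octobre", "gesundheit", "sayonara", "tiny",
            "eleven", "dude", "kitty", "marissa", "magazine", "licorice", "subtraction"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl;", "zxcvbnm,./"]
SEQ_LEN = 4  # assumption: four consecutive letters or keys count as a sequence
LEET = str.maketrans("0134@$", "oleaas")  # undo digit-for-letter swaps (0 for O, 1 for l, ...)
NO_VOWELS = str.maketrans("", "", "aeiou")

def has_sequence(pw):
    """True if pw contains SEQ_LEN consecutive alphabet or keyboard-row characters, either direction."""
    low = pw.lower()
    for row in [string.ascii_lowercase] + KEYBOARD_ROWS:
        for i in range(len(row) - SEQ_LEN + 1):
            chunk = row[i:i + SEQ_LEN]
            if chunk in low or chunk[::-1] in low:
                return True
    return False

def matches_wordlist(pw, wordlist=WORDLIST):
    """Return the list word pw is a simple transformation of: case change, digit substitution,
    appended digits or symbols, reversal, doubling, name plus initial, or vowels removed."""
    core = re.sub(r"[^a-z]", "", pw.lower().translate(LEET))
    half = len(core) // 2
    forms = {core, core[::-1], core[:-1], core[:half] if core[:half] == core[half:] else ""}
    for word in wordlist:
        if word in forms or word.translate(NO_VOWELS) == core:
            return word
    return None

def check_password(pw, wordlist=WORDLIST):
    """Return the brochure rules pw breaks; an empty list means it passed every check here."""
    rules = [
        (not MIN_LEN <= len(pw) <= MAX_LEN, "length must be 7 to 63 characters"),
        (" " in pw, "no blank spaces"),
        (not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)), "mix upper- and lowercase"),
        (not any(c in string.punctuation for c in pw), "include a punctuation mark or symbol"),
        (has_sequence(pw), "alphabet or keyboard sequence"),
        (re.fullmatch(r"[\d\s().+-]+", pw) is not None and len(re.sub(r"\D", "", pw)) in (7, 10),
         "looks like a phone number"),
    ]
    problems = [msg for broken, msg in rules if broken]
    word = matches_wordlist(pw, wordlist)
    if word:
        problems.append(f"based on the word '{word}'")
    return problems
```

The brochure's own pass-phrase examples (D!Y!KtwTSJ?, YDwto#town) pass every check, while its bad examples (mackerel, 7eleven, kittykitty, lmnop, sbtrctn) are each caught by the rule that describes them.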

How Often Should I Change My Password?

It is time to change your password if:

* Your password doesn't meet the criteria set out in the rules and strategies listed above.

* You have had the same password for more than 6 months.

* You have told your password to anyone else.

* You have written your password down anywhere.

* You have visited another city or campus and logged on to a system there.

* You are officially notified that your password does not meet current standards.