Texas State University
 

Password Security

So what constitutes a good password these days? Obviously, the more characters the better, but with modern computing power, alphanumeric passwords are not enough. You must include symbols in your passwords, and you absolutely cannot use dictionary words (in any language). This means your maiden name, your child's name, your anniversary or your birthday are terrible choices for passwords, even if you type them backwards.

This may make creating a good password seem almost impossible. Yet there are ways to create a good password without having to be Houdini. For example, use a familiar word but be creative with it. mypassword would be cracked in seconds. MyP@$$w0rd would take quite a bit longer (3 weeks or more), yet it's as easy to remember as mypassword.

Consider using a modified passphrase instead of a password if the system accepts longer passwords. Example: Dead*Men-Tell.No-Tales, or if password length is limited, use just the first (upper case) and last (lower case) letters of each word with a zero in place of "No": DdMnTl0Ts.

(Note that a combination of keystrokes side by side [such as qwertyui] is NOT a good choice. Modern cracking programs will try all those possible combinations automatically, as well as the entire dictionary [possibly in several languages] and more. Do not use any of the samples used above. Passwords like these are often tried in brute force attacks because of their popularity.)


Passwords

Users often consider passwords inconvenient and unnecessary. Required password changes are frequently met with groans and complaints. People will even put their passwords on sticky notes and tape them to their monitor, or write them down on a notepad and put them in the top drawer of their desk. The reason is often that they don't consider anything they do on a computer important enough for anyone to want to steal it, they don't know of a secure way to share information with a colleague or employee, or they think the whole idea of security is overblown because they've never experienced a security breach. Frequently, the security of an individual's workstation doesn't seem nearly as important to them as the security of network equipment, and of course, that is "someone else's" responsibility.

Yet many users handle sensitive information every day: personnel records; salary information; performance records; proprietary university information; important research in their professional field; grant and donor information and so forth. This information becomes readily available to anyone with access to the sticky note or the top desk drawer.

Passwords are often thought of as hard to remember, so even if a user thinks it's important to use them, they give more thought to how to make a password easy to remember than to creating one that is difficult to crack. Yet creating a password that is difficult to crack is much easier than it appears. To understand why it's easy to create a good password, you have to understand what makes a password easy to crack.


There are several factors that contribute to the difficulty of cracking a password. The first and most important factor in password security is KEEP IT A SECRET! DO NOT EVER!! share your password with ANYONE!! Do not share it with your students. Do not give it to your administrative assistants. Don't give it to your friends or family, and do not leave it lying around on sticky notes or in desk drawers where others might find it! This one principle alone will improve security dramatically!

The second most important factor in password security is the length of the password. The longer a password is, the more difficult it becomes to crack. It is evident from the table below that password length exponentially increases the difficulty of cracking a password. This is why we prohibit passwords less than six characters in length.

Another important factor in password security is the character set used to create the password. A password made up entirely of lowercase letters and numbers has only 36 choices for each password character. Such passwords are easy to crack through brute force attacks — trying every single possible password until you find the right one. You should never use a password that is only alphanumeric. It is more than ten times harder to crack a password that uses symbols in addition to letters and numbers.

Finally, the age of the password is important. It is not possible to create a password that cannot be cracked! Given enough time and enough computing power, every password will be cracked sooner or later. This is why we require periodic password changes and do not allow you to reuse recent passwords.

To get an idea how important password characteristics are, consider the table below. The first column lists the number of characters used in a password. The second column lists the number of characters available for use in the password (all alpha = 26, or 52 if the particular system is case sensitive; alpha + numeric = 36, or 62 with case sensitivity; entire keyboard = 69, or 95 with case sensitivity). The third column shows the number of possible passwords that can be created with a particular combination of number of characters and available character set.

Chars used | Char set | # passwords
-----------+----------+---------------------------
     1     |    26    |                         26
     1     |    52    |                         52
     2     |    26    |                        676
     2     |    52    |                      2,704
     2     |    36    |                      1,296
     2     |    62    |                      3,844
     6     |    26    |                308,915,776
     6     |    36    |              2,176,782,336
     8     |    26    |            208,827,064,576
     8     |    36    |          2,821,109,907,456
     8     |    69    |        513,798,374,428,641
     8     |    95    |      6,634,204,312,890,625

As you can readily see, the number of possible passwords grows exponentially with the number of characters used, and the size of the character set is the base of that exponent. So, for example, a two character password with a 26 character set (only the lower case alphabet) yields 26^2 = 676 possible passwords, whereas increasing the character set to 36 (the alphabet plus the numbers) yields only an additional 620 possible passwords (not quite 26^2 x 2). However, as the number of characters used increases, the number of characters available for use has an increasingly larger impact on the number of possible passwords. (E.g. 26^6 = 308,915,776 while 36^6 = 2,176,782,336, approximately 26^6 x 7; and 36^8 = 26^8 x 13.5, while 69^8 = 26^8 x 2460.)
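The arithmetic behind the table and the comparisons above, as an added example written for this page (it is not a Texas State tool). The guess rate is an assumption chosen so that an 8-character alphanumeric password falls under the "less than 6 hours" figure quoted further down; real hardware varies widely.

```python
"""Keyspace and brute-force time estimates for the password table above.

Added example, not the page's own code. ASSUMED_GUESSES_PER_SECOND is an
assumption for illustration only; it is not a measured figure.
"""
from math import log2

# Character-set sizes exactly as the page defines them.
CHAR_SETS = {
    "alpha": 26,                 # a-z only
    "alpha (case)": 52,          # a-z plus A-Z
    "alpha+numeric": 36,         # a-z plus 0-9
    "alpha+numeric (case)": 62,  # a-z, A-Z, 0-9
    "keyboard": 69,              # the page's figure for the whole keyboard
    "keyboard (case)": 95,       # all printable ASCII characters
}

ASSUMED_GUESSES_PER_SECOND = 140_000_000  # assumption, see module docstring


def keyspace(length: int, charset_size: int) -> int:
    """Distinct passwords of exactly `length` characters: charset ** length."""
    return charset_size ** length


def entropy_bits(length: int, charset_size: int) -> float:
    """The same keyspace in bits; each extra character adds log2(charset)."""
    return length * log2(charset_size)


def crack_seconds(length: int, charset_size: int,
                  rate: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case seconds to try every password at `rate` guesses per second."""
    return keyspace(length, charset_size) / rate


def charset_ratio(length: int, small: int, large: int) -> float:
    """Growth factor when the character set widens from `small` to `large`
    at a fixed length; equals (large / small) ** length."""
    return keyspace(length, large) / keyspace(length, small)


def table_rows(lengths=(1, 2, 6, 8), sizes=(26, 36, 52, 62, 69, 95)):
    """Rebuild the page's table as (chars used, char set, # passwords) rows."""
    return [(n, s, keyspace(n, s)) for n in lengths for s in sizes]


if __name__ == "__main__":
    for n, s, count in table_rows():
        hours = crack_seconds(n, s) / 3600
        print(f"{n:>2} chars from {s:>2}: {count:>25,}  ~{hours:,.2f} h")
    print("36^6 / 26^6 =", round(charset_ratio(6, 26, 36)))   # 7
    print("69^8 / 26^8 =", round(charset_ratio(8, 26, 69)))   # 2460
```

Running it shows the point of the paragraph: at length 8, moving from 36 to 95 characters turns an exhaustive search of a few hours into one of over a year at the same assumed rate.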

While these numbers may seem impressive, a modern computer, using a well written password cracking program, can try every combination of an 8 character, alphanumeric password in less than 6 hours! If you're using a password that only uses the alphabet, and worse yet uses a word found in any dictionary (English or any other language), your password would be cracked within a few minutes! Adding a single number or a symbol (such as $) to a dictionary word increases the time spent cracking the password by only a few minutes more.