Complex Passwords – A Guide

Analogy - A Password Is Like a Key

Passwords have become such a routine part of daily life that we treat them with indifference, and as a result we end up sacrificing security for convenience. Often we use weak passwords that are easy for someone else to guess. A weak password is a simple word or phrase, often connected to the user in some readily discernible fashion (a child's name, a favorite travel destination). Conversely, a password that is complex but impossible to remember can be just as useless for security: what good is a complex password if you are unable to recall it? Hard-to-remember passwords lead to unwise shortcuts. Have you ever seen someone try to recall a password, then lift up their keyboard or open a desk drawer to consult a sticky note hidden there? We store such password cheats on our desktops, in our wallets, tacked to bulletin boards or taped to computer screens.

Think of how you handle your house keys. You don't leave them lying around, you don't make them accessible to strangers, and you often install multiple locks to secure your front door. Your password is like a key: it opens the door to vital University data. It is much easier, and much less suspicious, for an intruder to let themselves into your house with a key than to break down the front door. Similarly, it is much easier for an intruder to log in to our network with a valid password than to bypass its security controls.

Dictionary attacks are just one tool attackers use to crack passwords. Modern computing speeds let an attacker feed every word in a dictionary (English, foreign language, slang) through a login program, hoping that one will eventually match a simple password; and when the attacker has obtained a copy of the stored password hashes, the same guesses can be tested offline at far higher rates without ever touching the login page. Once the password is discovered, the attacker can use it to reach protected information or to cover his or her tracks on the way to another target. The problem extends beyond the personal loss of data: in our networked age, if your password is stolen, you will not be the only one affected. We therefore need to treat passwords as digital keys to University resources, with the understanding that there can be serious consequences if those keys are easily guessed or stolen. This means you need to be wise in how you choose your passwords.

Password Complexity Rules

All passwords must meet the following complexity guidelines:

The password MUST:

  • Contain seven characters or more
  • Contain characters from each of the following four character classes:
    • Upper-case alphabetic (A-Z)
    • Lower-case alphabetic (a-z)
    • Numeric (0-9)
    • Punctuation and other characters (e.g., !@#$%^&*()_+|~-=\`{}[]:";'<>?,./)

The password MUST NOT:

  • Contain spaces
  • Be a derivative of the username
  • Be a word found in a dictionary (English or foreign)
  • Be a dictionary-word spelled backwards
  • Be a dictionary-word (forward or backwards) preceded and/or followed by any other single character (e.g., secret1, 1secret, secret?, secret!)

Mnemonics help us select a strong, complex password that we won’t forget.

Your password should be (a) easy for YOU to remember, (b) hard for someone who sees it to remember, and (c) hard for anyone to guess.

We can use a mnemonic device (a memory trick that helps us recall something) to create a complex password that is also easy to remember. For example, we can create a password from the first letters of an easily-remembered phrase, poem, or song lyric. The phrase "Jack and Jill went up the hill" results in the password "J&Jwuth". Note that this password is seven characters long and contains upper case, lower case and punctuation characters; it still has no digit, so to satisfy all four character classes required above you would need to work a number into it, as the steps in the next section show. For mnemonic passwords to be useful, the phrase must be easy to remember.

How to Choose a Good Password:

  • Choose a short, simple phrase, six to eight words, that will be easy for you to remember.
    I like to eat green peas.
  • If any of the words are homonyms (sound alike but have different meanings) for other letters or symbols, write them with those symbols (e.g., are =r, you = u, two = 2).
    I like 2 eat green peas.
  • Now, make an acronym. Drop all but the first letter of each word.
    Il2egp
  • Capitalize arbitrarily, but with restraint, try to keep the password easy to remember.
    iL2eGp
  • Add a punctuation mark or two to bring your password's length to seven or eight characters.
    iL2eGp!
  • Here are some popular character swaps to get you thinking:
    • A = 4 or @
    • B = %, 8 or 6
    • E = 3
    • G = 6
    • I = 1 (one) or !
    • K = or = x
    • O (oh) or 0 (zero)
    • q = 9
    • S = $ or 5
    • T = 7

Example: for those about to rock, we salute you

  • Now, take the first letter from each word: f t a t r w s y
  • Change the word ‘For’ to the number 4: 4 t a t r w s y
  • Perhaps it’s easier for you to remember a ‘U’ instead of the ‘Y’ from the word ‘You’: 4tatrwsu
  • Now capitalize one of the letters, preferably from a word with extra importance: 4tatRwsu

Resulting password: 4tatRwsu. Note that this example contains no punctuation character, which the rules above require; append one of the listed punctuation marks before using this pattern for a real account.
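As an added worked example (not part of the original guide), the following Python puts the three preceding passages together: the dictionary attack described in the introduction, a checker for the complexity rules, and the phrase-to-password steps of this section. The toy word list, the use of an unsalted SHA-256 hash for the stolen-hash scenario, the reading of "derivative of the username" as "contains the username or its reversal", and the username jsmith are all assumptions made for the demonstration.

```python
import hashlib
import string

# Constructed toy word list standing in for a real dictionary file (assumption:
# a deployed checker would load a large list, e.g. the system dictionary).
WORDLIST = ["secret", "password", "jack", "hill", "peas", "welcome", "dragon", "rock"]

# The punctuation class exactly as listed in the rules above.
PUNCTUATION = set("!@#$%^&*()_+|~-=\\`{}[]:\";'<>?,./")


def sha256_hex(text):
    """Hex SHA-256 of a string; stands in for a stored password hash."""
    return hashlib.sha256(text.encode()).hexdigest()


def candidates(wordlist):
    """Guesses in the order a simple dictionary attack tries them: each word,
    capitalised, reversed, and each of those with one extra character at the
    front or back. These are precisely the forms the MUST NOT rules forbid."""
    extras = string.ascii_letters + string.digits + "".join(sorted(PUNCTUATION))
    for word in wordlist:
        for base in (word, word.capitalize(), word[::-1]):
            yield base
            for c in extras:
                yield c + base
                yield base + c


def crack(target_hash, wordlist):
    """Offline attack on a stolen, unsalted SHA-256 hash (assumption: a fast,
    unsalted hash is used only to keep the demo short). Returns the recovered
    password and the number of guesses made, or (None, guesses)."""
    guesses = 0
    for guess in candidates(wordlist):
        guesses += 1
        if sha256_hex(guess) == target_hash:
            return guess, guesses
    return None, guesses


def violations(password, username, wordlist):
    """Return the list of complexity rules the password breaks (empty if it
    passes). 'Derivative of the username' is interpreted as containing the
    username or its reversal, case-insensitively (assumption)."""
    problems = []
    if len(password) < 7:
        problems.append("shorter than seven characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in PUNCTUATION for c in password):
        problems.append("no punctuation character")
    if " " in password:
        problems.append("contains a space")
    lower, user = password.lower(), username.lower()
    if user and (user in lower or user[::-1] in lower):
        problems.append("derived from the username")
    words = {w.lower() for w in wordlist}
    # The password as typed, and with one character trimmed from either or
    # both ends, each checked forwards and backwards against the dictionary.
    forms = {lower, lower[1:], lower[:-1], lower[1:-1]}
    if any(f in words or f[::-1] in words for f in forms):
        problems.append("dictionary word, reversed or padded by a single character")
    return problems


def mnemonic(phrase, substitutions, capitals=(), suffix=""):
    """Build a password from a phrase as the steps above describe: replace the
    listed homonym words, keep the first letter of every other word, upper-case
    the chosen word positions (0-based) and append the suffix."""
    parts = []
    for i, word in enumerate(phrase.split()):
        clean = word.strip(".,!?").lower()
        piece = substitutions.get(clean, clean[:1])
        parts.append(piece.upper() if i in capitals else piece)
    return "".join(parts) + suffix


if __name__ == "__main__":
    print(crack(sha256_hex("secret1"), WORDLIST))
    print(mnemonic("I like to eat green peas.", {"to": "2"}, capitals={1, 4}, suffix="!"))
    for pw in ("iL2eGp!", "J&Jwuth", "4tatRwsu", "secret1"):
        print(pw, violations(pw, "jsmith", WORDLIST))
```

Running it shows why the MUST NOT rules exist: secret1 and terces fall within the first few hundred guesses, while iL2eGp! survives the whole list. It also shows the checker rejecting the guide's own examples J&Jwuth (no digit) and 4tatRwsu (no punctuation). A real system should store passwords with a slow, salted hash; that raises the cost of each guess but does not rescue a password that sits at the top of every word list.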

Adjusting passwords for other accounts

How can you adjust the password to use it for other accounts? You can add a character to the beginning or end of the password that relates in some way to the site or service you need the password for (or, if length is an issue, replace one of the characters). Using the example password created above, replace the 'w' from the word 'we' with the first letter of the name of the site or service. The phrase in your head might then sound like "For Those About to Rock, Amazon Salutes You", which translates to 4tatRAsu (the letter is capitalized because the names will usually be proper names, which also makes it a little easier to remember). Be aware of the limits of this trick: the variants differ by one predictable letter, so anyone who learns one of them (for example from a breach at one site) can work out the rest, and two services that start with the same letter end up with the same password (Amazon and AT&T both become 4tatRAsu below). Treat it as a convenience for low-value accounts, not a substitute for unrelated passwords on accounts that matter. Here are a few more examples:

  • CNN.com = 4tatRCsu For Those About to Rock, CNN Salutes You
  • The New York Times = 4tatRNsu For Those About to Rock, New York Times Salutes You (you’ll need to decide if you want to use ‘T’ for ‘The’ or ‘N’ for ‘New’)
  • Target = 4tatRTsu For Those About to Rock, Target Salutes You
  • AT&T = 4tatRAsu For Those About to Rock, AT&T Salutes You
  • Google = 4tatRGsu For Those About to Rock, Google Salutes You

Examples of Memorable Phrases and Passwords

Each example is given as Phrase = Password (Inspiration):

  • Four score and seven years ago, our Fathers = 4s&7yaoF (Quotation: Gettysburg Address)
  • I love to ski at Seven Springs! = Ilts@7S! (Personal: hobby)
  • Ali Baba and the forty thieves = AB&t40t (Old movie)
  • Yankee Doodle went to town (replace "to" with the number 2) = YDw2town (Song)
  • I love Paris in the springtime (replace L with the number 1) = 1LpinST (Expression inspired by the name of a city)
  • Come up with a phrase that means something to you, such as an old address = 3TowerRoadBoston (Something no-one but your immediate family would recall)

Note that YDw2town, 1LpinST and 3TowerRoadBoston contain no punctuation character, so as written they would not pass the complexity rules above; a password built on one of these patterns still needs a punctuation mark added.

Please do not use these examples for your actual password!
