Guide To Strong Passwords

Guidelines For Strong Passwords 

Common guidelines for choosing good passwords are designed to make passwords less easily discovered by intelligent guessing. 

  1. Make passwords at least 12 to 14 characters long where the system permits it, and longer still if you can do so while keeping them memorable; every extra character multiplies the number of guesses an attacker must make 
  2. Use randomly generated passwords where feasible 
  3. Avoid any password based on repetition, dictionary words, letter or number sequences, usernames, relative or pet names, romantic links (current or past), or biographical information (e.g., ID numbers, ancestors' names or dates). 
  4. Include numbers and symbols if the system allows them 
  5. If the system recognizes case as significant, use capital and lower-case letters 
  6. Avoid using the same password for multiple sites or purposes 
  7. If you write your passwords down, keep the list in a safe place, such as a wallet or safe, not attached to a monitor or in an unlocked desk drawer 
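The arithmetic behind guidelines 1, 2, 4 and 5, as an added example that is not part of the original page: a generator that draws passwords from a cryptographically secure random source, and an entropy calculation that compares a few policy choices. The alphabets and the guess rate used in the demonstration are assumptions made for illustration; the entropy formula (length times log2 of the alphabet size) only holds for passwords chosen uniformly at random, which is why guideline 2 matters.

```python
"""Random password generation and the entropy behind the guidelines.

Added example, not code from the original page. It uses the standard
library's secrets module (a CSPRNG) rather than random, which is not
suitable for secrets, and compares the search space of a few policies.
"""
import math
import secrets
import string

# Assumed alphabets for the comparison.
LOWER = string.ascii_lowercase                   # 26 symbols
ALNUM = string.ascii_letters + string.digits     # 62 symbols
FULL = ALNUM + string.punctuation                # 94 printable ASCII symbols


def generate_password(length: int = 14, alphabet: str = FULL) -> str:
    """Password of `length` symbols drawn uniformly from `alphabet`."""
    if length < 1 or len(alphabet) < 2:
        raise ValueError("need a positive length and at least two symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size).

    Only valid for random passwords; a human-chosen password of the same
    length and character classes has far fewer effective bits.
    """
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected brute-force time: on average half the keyspace is searched."""
    return 2 ** (bits - 1) / guesses_per_second


def compare_policies() -> dict:
    """Entropy (bits) of some policy choices.

    Shows that length outweighs character classes: 12 random lowercase
    letters beat 8 random characters from the full printable set.
    """
    return {
        "8 chars, full 94-symbol set": entropy_bits(8, len(FULL)),
        "12 chars, lowercase only": entropy_bits(12, len(LOWER)),
        "14 chars, letters and digits": entropy_bits(14, len(ALNUM)),
        "14 chars, full 94-symbol set": entropy_bits(14, len(FULL)),
    }


if __name__ == "__main__":
    # Assumed offline guess rate for a fast hash; real rates vary widely.
    RATE = 1e10
    print("generated:", generate_password(14))
    for policy, bits in compare_policies().items():
        years = expected_crack_seconds(bits, RATE) / (365 * 24 * 3600)
        print(f"{policy:32s} {bits:6.1f} bits  ~{years:.2e} years at {RATE:.0e}/s")
```

Run it and note that the 8-character password with symbols (about 52 bits) loses to 12 lowercase letters (about 56 bits); symbol classes help, but length helps more, and neither helps if the password is not actually random.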

Examples Of Weak Passwords

As with any security measure, passwords vary in effectiveness (i.e., strength); some are weaker than others. For example, the difference in strength between a dictionary word and the same word with obfuscation (letters replaced by look-alike numbers or symbols, a common approach) may cost a password-cracking program a few more seconds, because such substitutions are themselves part of the cracker's rule set; this adds very little strength. The examples below illustrate various ways weak passwords might be constructed, all of which are based on simple patterns which result in extremely low entropy. 


  1. Default passwords (as supplied by the system vendor and meant to be changed at installation time): password, default, admin, guest, etc. All are typically very easy to discover. 
  2. Dictionary words: chameleon, RedSox, sandbags, bunnyhop!, IntenseCrabtree, etc., can be automatically tried at very high speeds. Words with numbers appended: password1, deer2000, john1234, etc., can be easily tested automatically with little lost time. 
  3. Words with simple obfuscation: p@ssw0rd, l33th4x0r, g0ldf1sh, etc., can be easily tested automatically with little additional effort. 
  4. Doubled words: crabcrab, stopstop, treetree, passpass, etc., can be easily tested automatically. 
  5. Common sequences from a keyboard row: qwerty, 12345, asdfgh, fred, etc., can be easily tested automatically. 
  6. Numeric sequences based on well known numbers such as 911 (9-1-1, 9/11), 314159... (pi), or 27182... (e), etc., can easily be tested automatically. 
  7. Identifiers: jsmith123, 1/1/1970, 555–1234, "your username", etc., can easily be tested automatically. 
  8. Anything personally related to an individual: license plate number, Social Security number, current or past telephone number, student ID, address, birthday, sports team, relative's or pet's names/nicknames/birthdays/initials, etc., can easily be tested automatically after a simple investigation of the person's details. 

There are many other ways a password can be weak, corresponding to the strengths of various attack schemes; the core principle is that a password should have high entropy (usually taken to be equivalent to randomness) and not be readily derivable by any "clever" pattern, nor should passwords be mixed with information identifying the user.
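A checker for the pattern classes listed above, as an added example that is not part of the original page. It undoes the simple substitutions a cracker's rules would undo, strips appended digits, and then looks for vendor defaults, dictionary words, doubled words, keyboard rows, well-known numeric constants and strings taken from the user's own account record. The word list, the substitution table and the account profile are small constructed samples; a real cracker uses a dictionary of millions of entries and a much larger rule set, so a password this code does not flag is not thereby strong.

```python
"""Weak-password pattern checker.

Added example, not code from the original page. The word list and the
profile below are constructed samples standing in for a real cracking
dictionary and a real account record.
"""
import re
from typing import List, Optional, Set

# Constructed sample word list; a real cracker uses millions of entries.
DICTIONARY = {
    "password", "default", "admin", "guest", "chameleon", "redsox", "sandbags",
    "bunnyhop", "crab", "stop", "tree", "pass", "deer", "john", "goldfish",
    "leethaxor",
}
DEFAULTS = {"password", "default", "admin", "guest", "root", "changeme"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
# Leading digits of well-known constants: 9-1-1, pi, e.
KNOWN_NUMBERS = ["911", "314159", "27182"]
# Common single-character substitutions, undone before dictionary lookup.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})
# Constructed account record; in practice this comes from the user directory.
SAMPLE_PROFILE = {"username": "jsmith", "birthdate": "1970-01-01",
                  "phone": "555-1234"}


def strip_suffix(text: str) -> str:
    """Lower-case and drop trailing digits/symbols: 'deer2000' -> 'deer'."""
    return re.sub(r"[^a-z]+$", "", text.lower())


def base_word(pw: str) -> str:
    """Candidate dictionary word: suffix removed, then leet undone."""
    return strip_suffix(pw).translate(LEET)


def profile_tokens(profile: dict) -> Set[str]:
    """Strings an attacker would try: each field, its digits, 4+ digit runs."""
    tokens = set()
    for value in profile.values():
        v = str(value).lower()
        if len(v) >= 4:
            tokens.add(v)
        digits = re.sub(r"\D", "", v)
        if len(digits) >= 4:
            tokens.add(digits)
        tokens.update(re.findall(r"\d{4,}", v))
    return tokens


def weak_password_reasons(pw: str, profile: Optional[dict] = None) -> List[str]:
    """Return the weak-pattern classes that match pw (empty list if none)."""
    reasons = []
    lowered = pw.lower()
    digits = re.sub(r"\D", "", pw)
    base = base_word(pw)

    if len(pw) < 12:
        reasons.append("shorter than 12 characters")
    if lowered in DEFAULTS:
        reasons.append("vendor default")
    if base in DICTIONARY:
        if lowered == base:
            reasons.append("dictionary word")
        elif strip_suffix(pw) == base:
            reasons.append("dictionary word with characters appended")
        else:
            reasons.append("obfuscated dictionary word")
    half = len(lowered) // 2
    if len(lowered) >= 4 and lowered == lowered[:half] * 2:
        reasons.append("doubled word")
    if len(lowered) >= 4 and any(lowered in row or lowered in row[::-1]
                                 for row in KEYBOARD_ROWS):
        reasons.append("keyboard sequence")
    # Digits only (separators like 9-1-1 or 3.14159 allowed) starting with a constant.
    if re.sub(r"[\s./-]", "", pw).isdigit() and \
            any(digits.startswith(n) for n in KNOWN_NUMBERS):
        reasons.append("well-known number")
    if profile and any(t in lowered or t in digits
                       for t in profile_tokens(profile)):
        reasons.append("identifier from user profile")
    return reasons


def is_weak(pw: str, profile: Optional[dict] = None) -> bool:
    return bool(weak_password_reasons(pw, profile))


if __name__ == "__main__":
    # The last entry is a constructed random-looking password for contrast.
    for sample in ["p@ssw0rd", "password1", "crabcrab", "qwerty", "314159",
                   "jsmith123", "1/1/1970", "v7Q!kz2#Lm9pRt"]:
        print(f"{sample!r}: {weak_password_reasons(sample, SAMPLE_PROFILE)}")
```

The order of the normalisation steps matters: the trailing digits are stripped before the substitution table is applied, otherwise the "1" in password1 would be read as an "i" and the dictionary hit missed. That is also the lesson of the list above: any transformation a user can think of, a cracker's rule set can apply in reverse.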
