Choosing a secure password
keithr128
post Jul 31 2007, 02:48 PM
Post #1


Member
***
Posts: 711
OS: srehto dna 2PS PX swodniW



Password Safety

Source: http://computing.wayne.edu/accessid/badpwd.php

I. Passwords should never be:
  • Any word in any dictionary, in any language
  • Any formal name or nickname, including spouse's, children's, and pet's
  • Any mythological or fictional character or race
  • Any name of a place (city, country, cross roads, forest, or place of natural beauty), real or fictional
  • Fictional terms
  • Titles of movies, books, compositions
  • The name of any author, composer, musician, actor
  • Any special number
  • Acronyms
  • Phrases
  • Fables or legendary characters or places
  • Combinations of letters or patterns on the keyboard
  • Great license plates you've seen, one2nv, 3vom, ibuy4u, or neat word/letter combinations, aTdHvAaNnKcSe
  • Religious figures, places, or events
  • Anything you can imagine being collected into a list
Examples of bad passwords include: characters and races from Star Trek, the appendices from the Lord of the Rings, pi, e, and the golden ratio, zip codes, THX1138, names of asteroids, names of bacteria, names of viruses, names of algae, names of fungi, names of beers, transliterated words from the Hindu, Chinese, Russian, Yiddish, or any other alphabet, cartoon characters, and a few specifics: letmein, youreok, zorkmid, zorro, wonderbread, upchuck, unixsuck, qwerty, zaq1234, lmnop, klingon, justforthe, hosannah, hesdeadjim, beammeup.

If a password fits in a list, you can presume someone has made up that list.

II. Passwords should never be a simple algorithm applied against something in category I, such as:
  • The "word" backwards
  • Substituting numbers for vowels, r1ch2rd for richard
  • Common substitutions for letters, 3 for e, mov3
  • Appending or prefixing digits, apple639 or 123apple
  • Appending or prefixing special characters, apple@ or $klingon
III. Passwords should not contain information that can be automatically gathered by knowing your user name:
  • Your user name
  • Your user index/number (for Unix the UID and GID)
  • User name owner information (for Unix the gecos field) which commonly contains your name
  • Information derivable from this information: your initials
IV. Passwords should not contain personal information about you that can be gathered if you are targeted:
This category is similar to the first category. However, whereas category I is static, category III depends on your account information and is dynamic.
  • Your social security number
  • Your student ID number
  • Your phone number, your mother's phone number, your mother's maiden name
  • Your passport number
  • Your street address, the address where you were born
  • Your license plate number
  • Serial number from your camera, computer, stereo
In summary, a good password needs to be something that cannot be derived in a semi-automatic manner. Categories I-III represent known information or easily derived information that can be exhaustively applied by a computer to break your password. Category IV represents information that would be applied to specifically break your account, as opposed to any account on a machine. While this may seem like a very remote possibility, if you are ever personally targeted, it is potentially much more damaging to you.

Two final tips on password selection. First, make sure you know how many characters the system allows for a password: a good 15 character password may become a terrible password if the system only uses the first 8 characters. [The WSU AccessID password must be at least six but not more than ten characters.] Second, check your password to make sure it doesn't duplicate a bad password: a (usually) good personal password generation algorithm can generate a bad password; the good and bad may be the result of orthogonal approaches intersecting with a bad password. For example, the potentially good password mxvhall would be bad if your name was Mary Xavier Virginia Hall.
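As an added illustration (not part of the original post or its Wayne State source), here is how a password-set check could apply categories I to III and the "first 8 characters" tip from the guide above. The function names, the tiny word list and the account values are constructed for the example.

```python
import re

# Constructed sample list; a real deployment loads full dictionaries and name lists.
WORDLIST = {"richard", "move", "apple", "klingon", "letmein", "qwerty"}
VOWELS = "aeiou"
# Common look-alike substitutions (category II), beyond "any digit for a vowel".
LOOKALIKE = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "t",
             "@": "a", "$": "s"}

def _variants(pw):
    """Candidate cores: as typed, and with prefixed/appended non-letters removed."""
    p = pw.lower()
    return {p, re.sub(r"^[^a-z]+|[^a-z]+$", "", p)} - {""}

def _pattern(s):
    """Regex in which each digit or symbol may stand for the letter it replaced."""
    out = []
    for ch in s:
        if ch.isdigit():
            out.append("[" + VOWELS + LOOKALIKE.get(ch, "") + "]")
        elif ch in LOOKALIKE:
            out.append("[" + LOOKALIKE[ch] + "]")
        else:
            out.append(re.escape(ch))
    return re.compile("".join(out))

def _account_tokens(username, uid, gecos_name):
    """Category III: user name, UID, gecos name parts, and initials."""
    parts = gecos_name.lower().split()
    tokens = {username.lower(), str(uid), "".join(p[0] for p in parts), *parts}
    return {t for t in tokens if len(t) >= 3}  # skip tokens too short to be meaningful

def check_password(pw, username, uid, gecos_name, significant_chars=None):
    """Return the categories pw falls into; an empty list means no finding."""
    # Judge only what the system actually uses (the "first 8 characters" tip).
    eff = pw[:significant_chars] if significant_chars else pw
    reasons = set()
    for v in _variants(eff):
        for cand in (v, v[::-1]):  # also try the word backwards
            rx = _pattern(cand)
            if any(rx.fullmatch(w) for w in WORDLIST):
                reasons.add("I/II: listed word or simple transform of one")
    if any(t in eff.lower() for t in _account_tokens(username, uid, gecos_name)):
        reasons.add("III: contains account-derived information")
    return sorted(reasons)
```

The same string can pass for one account and fail for another: mxvhall produces no finding for a user named Jane Doe but is flagged for Mary Xavier Virginia Hall, as the guide warns.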
Raccoon
post Aug 10 2007, 10:29 PM
Post #2


New Member
*
Posts: 6
OS: Windows XP



So 123 isn't off limits? ;)
Raccoon
post Aug 10 2007, 10:31 PM
Post #3


New Member
*
Posts: 6
OS: Windows XP



Dude, my smiley looks like it's got some kind of mental difficulty, I think that aggressive smiley mugged him up in the emoticon window when I was loading my page
eldergeek
post Dec 28 2007, 06:40 PM
Post #4


New Member
*
Posts: 3
OS: vista home premium



I have found that if you want a password that is very hard to break, make it up from the first letters of words to a song you'll remember plus the date you started using that password like the song "Jingle Bells" (for instance), would be "jbjbjatw1228". That way you can change the password anytime you want to something that can't be found in your personnel file or in the phone book.
Not a sermon, just a thought from the eldergeek.
Helpster
post Mar 6 2008, 11:20 PM
Post #5


Member
**
Posts: 11
OS: XP



QUOTE (eldergeek @ Dec 28 2007, 07:40 PM) *
I have found that if you want a password that is very hard to break, make it up from the first letters of words to a song you'll remember plus the date you started using that password like the song "Jingle Bells" (for instance), would be "jbjbjatw1228". That way you can change the password anytime you want to something that can't be found in your personnel file or in the phone book.
Not a sermon, just a thought from the eldergeek.

Nice (thumbs up)
Jamjam525
post Mar 7 2008, 04:16 PM
Post #6


Member
**
Posts: 20
From: Shrewsbury, UK
OS: Windows XP SP2



That's a good idea, might consider it ;).
**Brian**
post Mar 10 2008, 01:04 PM
Post #7


GeekU Junior
Group Icon
Posts: 748
From: Barre, VT USA
OS: Windows: 2000 Pro/XP Pro/Home/MCE/2003 Linux: Redhat and Debian



QUOTE (Jamjam525 @ Mar 7 2008, 05:16 PM) *
That's a good idea, might consider it ;).

A very Good Idea - I was always taught that your password should contain Capital and Small Letters, a Special character or 2, a number, be something that is very hard for someone ELSE to remember, but easy for you to remember. My friend in IT once told me that he used sentences that were silly that he would remember, just as the poster that suggested the Jinglebells idea :) I like that one :)

Brian
lavagolemking
post Apr 19 2008, 12:39 AM
Post #8


Geek in Training
***
Posts: 121
OS: Windows XP and Ubuntu 7.04 (Linux) dual-boot



https://www.grc.com/passwords

They generate passwords on the fly there. I have also heard of algorithms involving obscure functions of web addresses, names, etc. in split-up orders, but haven't used any. For example, this is geekstogo.com, and my user name, so a decent password might be a fusion of g2g, lavagolemking, and maybe a few other things like a birthday (11/15), then fusing them all together in some fashion, like 1gl12g1gk5, and maybe mixing up the capitalization (1Gl12G1gK5) and sticking some other specific pieces of information in it. Perhaps some punctuation, or sequences of holding shift as you type, to add some special characters, and it will be fairly hard to predict your password on a list (I don't think 1Gl12G1gK5 appears in very many dictionaries). Of course, I'm not going to say the methods I actually use for creating my passwords because I don't want them guessed. I just heard of this one and thought it would be useful to mention here. If you need even better passwords, perhaps the above site is better.

Edit: formatting got really screwed up.


This post has been edited by lavagolemking: Apr 19 2008, 12:44 AM
Sockdown
post Apr 19 2008, 11:42 AM
Post #9


Member
***
Posts: 140
OS: Windows XP, Vista



I use a combination of letters and digits. All my passwords are different and don't have a specific pattern or anything. All are 7 or more in length. Also, there's a program called KeePass that is a free/open-source password manager or safe which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key-disk. So you only have to remember one single master password or insert the key-disk to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish). You can find more about it here if you're interested.

-Sockdown-
JuanE
post May 19 2008, 01:29 AM
Post #10


New Member
*
Posts: 6
OS: Windows XP



Oh my god! I use the same password for everything and it's really not that hard. If someone finds out about it, I'm screwed. Guess I'll have to start changing my passwords, make them more secure. Thanks for posting this little guide.