How to Pick a “Good” Password

We are currently in the process of migrating our HOWTO articles to a new CCIS Knowledgebase. The content of this page has been moved to the following KB article:

KB0011766: How to Pick a Password


Picking a good password is something that we take seriously here at CCIS. If your account is compromised, it could expose non-public information to someone who is not part of CCIS. That means it isn't just your data that is at risk, but everyone's.

A good password is:

  • Private: it is used and known by one person only.
  • Secret: it does not appear in clear text in any file or program, or on a piece of paper stuck to the monitor.
  • Easily remembered: so there is no need to write it down.
  • High in entropy: it cannot be guessed by any password cracking program in a reasonable time. Entropy is what makes a password hard for a computer to guess; the other three criteria are what make it hard for a person to obtain.

There are several ways to meet the last criterion. Each one only helps if the extra characters or words are chosen unpredictably; a longer password that follows an obvious pattern gains little.

  • You can increase the character set
    • Use both upper and lower case letters
    • Use numbers
    • Include non-alphanumeric characters (e.g. !@#$%^&*(){}[]|:;_+'"<>,.?/)
  • Or you can increase the length
    • This is sometimes referred to as the XKCD method, after this comic: https://xkcd.com/936/
    • Passphrases are easier to remember and harder to guess, but can also be harder to type.
  • Or you can combine the two
    • This is often overkill.

[color-box]We prefer the XKCD method, but either is valid.[/color-box]
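To make the "character set versus length" trade-off concrete, the following is an added example (not part of the original HOWTO or any CCIS tool) that computes the entropy in bits for each approach and the expected time an attacker would need to brute-force it. The character-class sizes, the 2048-word list from the xkcd comic, the 7776-word Diceware list and the guess rate of 10^10 per second are assumptions chosen for illustration; the formulas hold only when every character or word is picked uniformly at random.

```python
import math

# Sizes of the character classes named in the list above. The symbol count
# assumes the 32 printable ASCII punctuation characters (an assumption;
# adjust it to your keyboard or policy).
CHARSET_SIZES = {"lower": 26, "upper": 26, "digits": 10, "symbols": 32}


def charset_entropy_bits(length, classes):
    """Entropy, in bits, of a password of `length` characters chosen uniformly
    at random from the union of the given character classes.

    Entropy grows linearly with the length but only logarithmically with the
    alphabet size, which is why adding characters beats adding symbol classes.
    """
    alphabet = sum(CHARSET_SIZES[c] for c in classes)
    return length * math.log2(alphabet)


def passphrase_entropy_bits(words, wordlist_size):
    """Entropy of `words` words chosen uniformly at random from a list of
    `wordlist_size` words (the xkcd 936 method: 4 words from 2048 = 44 bits)."""
    return words * math.log2(wordlist_size)


def expected_crack_seconds(bits, guesses_per_second):
    """Expected time to find a password of the given entropy by brute force:
    on average the attacker must try half of the 2**bits possibilities."""
    return (2 ** bits / 2) / guesses_per_second


def compare(length, classes, words, wordlist_size, guesses_per_second):
    """Set the two approaches side by side for a given attacker speed.

    Returns (charset_bits, passphrase_bits, charset_seconds, passphrase_seconds).
    """
    c_bits = charset_entropy_bits(length, classes)
    p_bits = passphrase_entropy_bits(words, wordlist_size)
    return (
        c_bits,
        p_bits,
        expected_crack_seconds(c_bits, guesses_per_second),
        expected_crack_seconds(p_bits, guesses_per_second),
    )


if __name__ == "__main__":
    # Assumed attacker speed: 1e10 guesses/s (offline attack on a fast hash).
    RATE = 1e10
    rows = [
        ("8 lowercase letters", charset_entropy_bits(8, ["lower"])),
        ("8 chars, all four classes",
         charset_entropy_bits(8, ["lower", "upper", "digits", "symbols"])),
        ("4 random words from 2048 (xkcd)", passphrase_entropy_bits(4, 2048)),
        ("5 random words from 2048", passphrase_entropy_bits(5, 2048)),
        ("6 random words from 7776 (Diceware)", passphrase_entropy_bits(6, 7776)),
    ]
    for label, bits in rows:
        days = expected_crack_seconds(bits, RATE) / 86400
        print(f"{label:38s} {bits:6.1f} bits  ~{days:10.3g} days at {RATE:.0e} guesses/s")
```

Note what the numbers say: four random words from a 2048-word list (44 bits) beat eight lowercase letters (about 38 bits) but fall short of eight characters drawn from all four classes (about 52 bits); a fifth word (55 bits) overtakes that while staying memorable. The calculation assumes the attacker knows which scheme you used and can only try possibilities uniformly; a passphrase built from a famous quote, or a "random" password built from a mnemonic, has far less entropy than the formula reports because the attacker can search the small space of likely phrases first.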

We do not currently enforce strength or entropy requirements when you choose a password, but please keep in mind that any of the following will greatly reduce your password's strength:

  • Passwords made up of a single word or name in any language. If it is in a dictionary or a book, anyone trying to guess your password can find it.
  • Passwords based on simple letter or number swaps (e.g., zeros for o's). Cracking tools apply these substitutions automatically, so they add almost nothing.
  • A word with a number added to the beginning or end.
  • Your login name in any form (as-is, reversed, capitalized, doubled, etc.).
  • Your partner's or child's name.
  • Any other information easily obtained about you. This includes license plate numbers, telephone numbers, social security numbers, the brand of your automobile, the name of the street you live on, etc.
  • A password of all digits, or of all the same letter. This significantly reduces the search time for password cracking software.
  • A password shorter than six characters.
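The rules above can be checked mechanically. The following is an added example (not the CCIS system's own check, which the page does not describe) that implements them as a small screening function: it strips digits added at either end, undoes common letter/number swaps before the dictionary lookup, and compares against the reversed and doubled forms of the login name. The seven-word dictionary and the leet-speak substitution table are constructed for illustration; a real deployment would load the same wordlists a cracking tool uses.

```python
import re

# Constructed toy word list standing in for a real dictionary (assumption: in
# practice load a large wordlist, ideally the same one an attacker would use).
DICTIONARY = {"password", "romeo", "juliet", "summer", "dragon", "letmein", "welcome"}

# Common letter/number swaps that cracking tools undo automatically (assumed table).
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(pw):
    """Lower-case the password and reverse the usual character substitutions,
    so that 'Dr4g0n' is compared as 'dragon'."""
    return pw.lower().translate(LEET_MAP)


def login_variants(login):
    """The login-name forms called out above: as-is, reversed and doubled.
    Capitalisation is covered because comparisons are made on lower-cased text."""
    name = login.lower()
    return {name, name[::-1], name * 2, name[::-1] * 2}


def weaknesses(pw, login, personal=()):
    """Return the list of rules `pw` violates. An empty list means none of these
    rules fired, not that the password is strong: this is a screen, not a meter."""
    reasons = []
    if len(pw) < 6:
        reasons.append("shorter than six characters")
    if pw.isdigit():
        reasons.append("all digits")
    elif len(set(pw)) == 1:
        reasons.append("all the same character")

    lowered = pw.lower()
    stripped = re.sub(r"^\d+|\d+$", "", lowered)   # drop digits added at either end
    if lowered in DICTIONARY:
        reasons.append("single dictionary word")
    elif stripped in DICTIONARY:
        reasons.append("dictionary word with digits added")
    elif normalize(stripped) in DICTIONARY:
        reasons.append("dictionary word with letter/number swaps")

    if normalize(pw) in login_variants(login):
        reasons.append("based on login name")

    # `personal` holds strings easily obtained about the user (pet, street, plate...).
    for item in personal:
        if normalize(item) in normalize(pw):
            reasons.append(f"contains personal information ({item})")
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs for the user 'jdoe' whose cat is called Fluffy.
    for candidate in ["password", "Dragon42", "Dr4g0n", "eodjeodj",
                      "1234567", "Fluffy2019", "R!Rw4@tR"]:
        found = weaknesses(candidate, "jdoe", personal=("Fluffy",))
        print(f"{candidate:12s} -> {found or 'no rule fired'}")
```

The mnemonic password from the tips below, R!Rw4@tR, passes this screen, which illustrates its limit: a screen only catches the patterns it knows about, so an attacker who guesses that the password came from a well-known quotation still has a short list to try.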

Some tips, from our old system, on how to pick a strong password using the character-set approach:

  • Start with a phrase you can easily remember. If you are a fan of Shakespeare you might pick "Romeo, Romeo, wherefore art thou Romeo".
  • Take the first letter of each word (R R w a t R); already you have upper and lower case letters.
  • Now replace some of the letters with something else, like punctuation, say @ for a. From this you get (R R w @ t R).
  • You can go even further: since you know that the "w" is for "wherefore", you can add the number 4 after it and get (R R w 4 @ t R).
  • Maybe you remember that there was extra emphasis on the first "Romeo" in your favorite production, so you decide to add some punctuation there. Now you have (R ! R w 4 @ t R).
  • You end up with a password that looks like this: R!Rw4@tR. It certainly isn't a word in any dictionary and it is hard to guess, and all you have to remember is "Romeo, Romeo, wherefore art thou Romeo" to reconstruct it.

[color-box]Quotes from Shakespeare might be a bad place to start, as they are so popular that cracking tools can try the first letters of well-known lines. But you get the idea.[/color-box]
