Strong Password Guidelines


Passwords are one of the weakest points in computer security. Combining the following practices makes a password considerably harder to guess or crack.

Make Your Password Difficult to Guess

A password-cracking program working from a stolen copy of a system's password hashes can try many millions of guesses per second, so a password that appears in a dictionary offers almost no protection. Cracking wordlists also contain names, places, sports teams and other common terms, so avoid anything with identifying characteristics associated with you, such as your name, your hobby, your pet or your birthday. For example, Simon Cowell would not want to use "AmericanIdol" as a password. Likewise, members of the Iowa State community should shy away from words like "Cyclone", "Ames", or other words associated with the university.

Complexity Adds Strength

Complex passwords are harder to guess and crack. One method is to mix uppercase and lowercase letters with numerals and symbols; the more character classes you mix, the larger the set of possibilities an attacker has to search. For example, "pa6ssWoR4d" is more complex than "Password4", which is a dictionary word with one digit appended, exactly the pattern a cracker's rule set tries first. Keep in mind, though, that those same rules also toggle case and swap digits and symbols for letters across every word in the list, so a dictionary word dressed up with a few substitutions gains far less than a password of the same length that is not built on a word at all.

Another method for creating a complex password that you can remember is to use a passphrase: a phrase or a sentence used as the password. You still want to avoid anything that could be guessed or that is associated with you, such as "CyclonesPlayGreatBasketball"; several unrelated words are better than a slogan or a well-known quotation, since those appear in cracking wordlists too.

A variation on passphrases is to use the initial letter of each word in a passphrase. For example, "IsTcJ0Tm" uses the initial letters of "I saw the cow jump over the moon", substituting a zero for the "o" and mixing letter cases. This method is useful for developing stronger passwords when you are limited to fewer than 15 characters.
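The checks described above (reject dictionary words, reject words tied to the user or the institution, and see through the digit and symbol substitutions a cracker's rules undo) can be automated. The following is an added example written for this page, not code from the original article or from Iowa State; the blocklist, the substitution table and the 8-character minimum are assumptions chosen to match the examples in the text, and a real deployment would load a full wordlist and a breached-password list instead.

```python
import re

# Constructed sample blocklist standing in for a dictionary plus the
# "words associated with you" the text warns about (assumed for this example).
BLOCKLIST = {
    "password", "letmein", "qwerty", "welcome", "monkey", "dragon",
    "americanidol", "cyclone", "cyclones", "ames", "iowastate",
}

# Digit/symbol-for-letter swaps that cracking rule sets try routinely (assumed set).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def candidates(password):
    """Forms of `password` a rule-based cracker would compare to a wordlist:
    lower-cased, with leet substitutions reversed, and with every non-letter
    removed (which exposes digits wedged inside a word, e.g. pa6ssWoR4d)."""
    low = password.lower()
    forms = {low, low.translate(LEET)}
    forms |= {re.sub(r"[^a-z]", "", f) for f in list(forms)}
    return {f for f in forms if f}


def check_password(password, blocklist=BLOCKLIST, min_length=8):
    """Return the reasons a password is weak; an empty list means it passed."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    forms = candidates(password)
    for word in sorted(blocklist):
        if word in forms:
            problems.append(f"is the blocked word '{word}' with trivial changes")
        # Substring matching only for longer words, so that short entries such
        # as 'ames' do not trigger on unrelated passwords containing 'james'.
        elif len(word) >= 6 and any(word in f for f in forms):
            problems.append(f"contains the blocked word '{word}'")
    return problems


if __name__ == "__main__":
    for pw in ["Password4", "pa6ssWoR4d", "p@ssw0rd",
               "CyclonesPlayGreatBasketball", "Ames", "IsTcJ0Tm"]:
        verdict = check_password(pw)
        print(f"{pw:30} {'OK' if not verdict else '; '.join(verdict)}")
```

Run as a script, it rejects every example the text warns against, including "pa6ssWoR4d", which survives the leet reversal but not the strip-all-non-letters pass, and accepts only "IsTcJ0Tm". The normalisation is the point: a checker that compares the password verbatim against a wordlist misses exactly the dressed-up words that crackers catch.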

Longer Passwords Versus Short Ones

Each additional character multiplies the number of possibilities an attacker must try by the size of the character set, so length adds strength faster than anything else: fifteen lowercase letters present a larger search space than eight characters drawn from the whole keyboard. Some systems limit you to an 8-character password, but you needn't let that limit you in choosing a strong one. Use all 8 characters and make the password complex. If the system allows longer passwords, take advantage of that feature. Where possible, a password of 15 characters or longer is recommended.
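The arithmetic behind the length-versus-complexity comparison is simple enough to work through. This is an added example, not part of the original page: it computes the entropy of a password chosen uniformly at random from a given character set and the expected brute-force time at an assumed guess rate of ten billion per second (a figure in the range a GPU rig reaches against fast, unsalted hashes; slow hashes such as bcrypt or Argon2 cut it by orders of magnitude). The character-set sizes are those of a US keyboard and are assumptions for the illustration.

```python
import math

# Assumed for this illustration: 1e10 guesses/second, an offline attack on a
# fast unsalted hash. Against bcrypt/scrypt/Argon2 the rate is far lower.
ASSUMED_GUESSES_PER_SECOND = 1e10

# Character-set sizes (US keyboard; assumed for the example).
CHARSETS = {
    "lowercase letters": 26,
    "upper + lower": 52,
    "upper + lower + digits": 62,
    "all 95 printable ASCII": 95,
}


def entropy_bits(length, alphabet_size):
    """Bits of entropy for `length` symbols chosen uniformly at random
    from `alphabet_size` symbols: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits, rate=ASSUMED_GUESSES_PER_SECOND):
    """Expected brute-force time; on average the attacker finds the
    password halfway through the search space."""
    return 2 ** (bits - 1) / rate


def human_time(seconds):
    """Render a duration in the largest unit that gives at least 1.0 of it."""
    units = [("years", 365 * 24 * 3600), ("days", 86400),
             ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


def length_beats_complexity(short_len, short_alphabet, long_len, long_alphabet):
    """True when the longer password over the smaller alphabet has more
    entropy than the shorter password over the larger alphabet."""
    return entropy_bits(long_len, long_alphabet) > entropy_bits(short_len, short_alphabet)


def strength_table(lengths=(8, 12, 15, 20), rate=ASSUMED_GUESSES_PER_SECOND):
    """Rows of (charset name, length, bits, expected crack time) for the table."""
    rows = []
    for name, size in CHARSETS.items():
        for n in lengths:
            bits = entropy_bits(n, size)
            rows.append((name, n, round(bits, 1),
                         human_time(expected_crack_seconds(bits, rate))))
    return rows


if __name__ == "__main__":
    for name, n, bits, t in strength_table():
        print(f"{name:24} {n:3} chars  {bits:6.1f} bits  ~{t}")
    print("15 lowercase beats 8 fully mixed:",
          length_beats_complexity(8, 95, 15, 26))
```

The table shows 8 characters from all 95 printable ASCII symbols at about 52.6 bits (days at the assumed rate) against 15 lowercase letters at about 70.5 bits (thousands of years). The caveat is that these figures assume a random choice; a human-chosen password is far weaker than its length suggests, which is why crackers start from wordlists and rules rather than exhaustive search, and why the guidance above about dictionary words still applies to long passwords.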

Use Different Passwords for Different Accounts

Using the same password for all of your accounts is like using a single key for your car, your house or apartment, your mailbox, and your bike lock. If someone learns that password, whether by guessing it or by taking it from one site's stolen user database, they have access to all of your accounts, and attackers routinely try credentials stolen from one site against other popular ones. Giving each account its own password confines the damage from any one disclosure to that account.

A good start is to have different passwords for a personal account and a financial account. If you have multiple financial accounts, each should have its own unique password. System managers should use a different password for a privileged account than for a personal account, so that a compromised everyday login does not hand over administrative access. While you may not be concerned if someone else can access your online New York Times account, passwords for sensitive or confidential data (such as your bank account) should be very strong. A password manager makes it practical to keep a distinct, strong password for every account without memorising them all.

And, of course, every account and login should have a password. A common oversight is leaving a computer's administrative account with no password at all, which lets anyone who can reach the login prompt, at the keyboard or over the network, take control of the machine. Without a strong password on that account, the computer is at considerable risk of being compromised.
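On a Unix-like system the oversight just described is visible in /etc/shadow, where the second colon-separated field holds the hashed password: an empty field means the account has no password, while a field beginning with "*" or "!" marks an account that cannot log in with a password. The following is an added example, not from the original page, that classifies the accounts in a constructed sample of shadow-style lines (the account names and hash strings are made up); run as a script with root privileges it reads the real file instead.

```python
# Constructed sample in /etc/shadow format (fake hash; not from any real host).
SAMPLE_SHADOW = """\
root::19000:0:99999:7:::
admin:$6$saltsalt$QzX8f0n3Vb9kLm2pRt4uWx6yZa1cEd5gHj7iKo9qSu2wYv4xBn6mDf8hJk0lPr3tVz5xCb7n:19000:0:99999:7:::
guest::19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
svc-backup:!:19000:0:99999:7:::
"""


def classify_shadow(text):
    """Map each account name to 'no password', 'locked' or 'has password'
    based on the hashed-password field of its shadow entry."""
    result = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # malformed line; skip rather than guess
        user, hashed = fields[0], fields[1]
        if hashed == "":
            result[user] = "no password"
        elif hashed.startswith(("*", "!")):
            result[user] = "locked"
        else:
            result[user] = "has password"
    return result


def accounts_without_password(text):
    """Sorted names of accounts whose shadow entry has an empty password field."""
    return sorted(u for u, s in classify_shadow(text).items() if s == "no password")


if __name__ == "__main__":
    try:
        with open("/etc/shadow") as f:
            text = f.read()
        source = "/etc/shadow"
    except (PermissionError, FileNotFoundError):
        text, source = SAMPLE_SHADOW, "constructed sample"
    print(f"Accounts with no password ({source}):")
    for user in accounts_without_password(text):
        print("  ", user)
```

On the sample, "root" and "guest" are reported; "admin" has a password and "daemon" and "svc-backup" are locked. Whether an empty field actually permits a passwordless login depends on the PAM configuration (pam_unix only accepts it when the nullok option is set), but an administrative account with an empty field should be fixed regardless, since that setting can change.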

Change Passwords Periodically

Changing your password from time to time is a good idea, and changing it promptly after any suspected disclosure is essential: once changed, the leaked value is useless to whoever has it. It's quite common for people who have access to financial or privileged systems to be required to change their password at regular intervals (e.g., every 90 days), and sometimes this is also the case for regular e-mail accounts. Be aware that forced changes on a fixed schedule tend to produce predictable variations, such as incrementing a final digit, which cracking rules try first; current guidance (NIST SP 800-63B) therefore advises against requiring changes on a schedule alone, and favours changing a password whenever there is reason to think it has been exposed.