Iowa State University

Information Technology

Strong Password Guidelines

When you lock your house or apartment door as you leave, do you tape the key to the outside of the door? Of course you don't. But taping your password to your computer monitor is the same as making your key available to anyone who passes by. Sharing your password is just as risky; you don't know whom it may also get shared with.

Unfortunately, passwords are one of the weak areas in computer security, and yet we rely on passwords to protect our information and data. The bottom line: The more you value the information your password is protecting, the more important it is that the password be a strong barrier to someone else getting that information. It's somewhat like choosing a bike lock. The more you value your bike, the more effort you put into protecting it from being stolen.

So how do you ensure that your password is a strong barrier? A combination of approaches can help. A few methods are listed below.

Make Your Password Difficult to Guess

A simple password cracking program can quickly try thousands of words, so it's obvious that you shouldn't choose a password that can be found in a dictionary. You also should avoid a password with identifying characteristics associated with you, such as your name, your hobby, etc. For example, Simon Cowell would not want to use "AmericanIdol" as a password. Likewise, members of the Iowa State community should shy away from words like "Cyclone", "Ames", or other words associated with the university.

Complexity Adds Strength

Complex passwords are harder to guess and crack. One method is to use a mix of uppercase and lowercase letters along with numerals and symbols; the more mixed, the better. For example, "pa6ssWoR4d" is more complex than "Password4".

Another method for creating a complex password that you can remember is to use a passphrase, which can be a phrase or a sentence. You still want to avoid anything that could be guessed, such as "CyclonesPlayGreatBasketball", or associated with you.

A variation on passphrases is to use the initial letter of each word in a passphrase. For example, "IsTcJ0Tm" uses the initial letters of "I saw the cow jump over the moon", substituting a zero for the "o" and alternating letter cases. This method is useful for developing stronger passwords when you are limited to fewer than 15 characters.

Longer Passwords Versus Short Ones

As noted earlier, adding complexity to your password greatly increases its strength. Some systems limit you to an 8-character password, but you needn't let that limit you in choosing a strong password. Use all 8 characters and make your password complex. If the system allows longer passwords, take advantage of that feature. Where possible, using a password of 15 characters or longer is recommended.
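The guidance in the three sections above (avoid dictionary words and terms associated with you, mix character classes, prefer 8 complex characters at minimum and 15 or more where allowed, and the initial-letter passphrase method) can be expressed as a small checker. The following Python is an added example written for this page; it is not an Iowa State University IT tool. The word lists are constructed placeholders: a real deployment would load a full dictionary and the account holder's own profile terms instead, and would run the check server-side before accepting a password.

```python
"""Toy password assessor implementing the guidelines on this page."""
import string

# Constructed sample lists (placeholders for the example only): a real checker
# would load a full dictionary and the account holder's own profile terms.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "dragon", "monkey", "football"}
ASSOCIATED_TERMS = {"cyclone", "cyclones", "ames", "americanidol", "simoncowell"}

# Undo common digit/symbol substitutions so "Passw0rd" still hits the dictionary.
_LEET = str.maketrans("0143$@5", "oiaesas")

MINIMUM_LENGTH = 8        # "use all 8 characters and make your password complex"
RECOMMENDED_LENGTH = 15   # "15 characters or longer is recommended"


def normalize(password: str) -> str:
    """Lowercase and undo leet-style substitutions before dictionary lookup."""
    return password.lower().translate(_LEET)


def character_classes(password: str) -> int:
    """Count how many of the four classes (lower, upper, digit, symbol) are present."""
    checks = (str.islower, str.isupper, str.isdigit,
              lambda c: c in string.punctuation)
    return sum(any(check(c) for c in password) for check in checks)


def assess(password: str, associated_terms=ASSOCIATED_TERMS) -> dict:
    """Return the issues found and an overall rating: 'weak', 'acceptable' or 'strong'."""
    issues = []
    norm = normalize(password)
    if len(password) < MINIMUM_LENGTH:
        issues.append(f"shorter than {MINIMUM_LENGTH} characters")
    if any(word in norm for word in COMMON_WORDS):
        issues.append("contains a dictionary word")
    if any(term in norm for term in associated_terms):
        issues.append("contains a term associated with you or your institution")
    if character_classes(password) < 3:
        issues.append("uses fewer than three character classes")
    if issues:
        rating = "weak"
    elif len(password) >= RECOMMENDED_LENGTH:
        rating = "strong"
    else:
        rating = "acceptable"   # complex, but shorter than the recommended 15
    return {"rating": rating, "issues": issues, "classes": character_classes(password)}


def passphrase_initials(phrase: str) -> str:
    """Build a password from the initial letter of each word of a passphrase:
    alternate upper/lower case and substitute zero for the letter o, as in the
    page's "I saw the cow jump over the moon" -> "IsTcJ0Tm"."""
    initials = [w[0] for w in phrase.split() if w[0].isalpha()]
    mixed = "".join(ch.upper() if i % 2 == 0 else ch.lower()
                    for i, ch in enumerate(initials))
    return mixed.replace("o", "0").replace("O", "0")


if __name__ == "__main__":
    for pw in ["Password4", "pa6ssWoR4d", "CyclonesPlayGreatBasketball",
               passphrase_initials("I saw the cow jump over the moon")]:
        result = assess(pw)
        print(f"{pw:30} {result['rating']:10} {'; '.join(result['issues']) or 'no issues'}")
```

Running the block rates "Password4" weak because, once the trailing digit is normalized, it still contains the dictionary word "password"; "pa6ssWoR4d" breaks the word apart and mixes three character classes, so it is acceptable though still under 15 characters; "CyclonesPlayGreatBasketball" is long but fails the associated-term check; and the passphrase-derived "IsTcJ0Tm" passes every check within an 8-character limit.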

Use Different Passwords for Different Accounts

Using the same password for all of your accounts is like using a single key for your car, your house or apartment, your mailbox, and your bike lock. If someone has your password, they have access to all of your accounts. A bit of creativity on your part can prevent that.

A good start is to have different passwords for a personal account and a financial account. If you have multiple financial accounts, each should have its own unique password. System managers should use a different password for a privileged account than is used for a personal account. While you may not be concerned if someone else can access your online New York Times account, passwords for sensitive or confidential data (such as your bank account) should be very strong.

And, of course, all accounts and logins should have a password. A common oversight is not setting a password on a computer's administrative account. Without a strong password, that computer is at considerable risk of being hacked.

Change Passwords Periodically

Changing your password from time to time is a good idea. If a password was accidentally disclosed, changing it renders that password invalid. It's quite common for people who have access to financial or privileged systems to be required to change their password at regular intervals (e.g., every 90 days). Sometimes this is also the case for regular email accounts.