Last reviewed: June 30 2008

What makes a good password?

People are always telling computer users to choose a "good password" when one is needed. But, just what makes a good password? And why is a good password so important?

Oftentimes, a password is all that stands between your important information (bank account, e-mail, employee records) and a malicious cracker (sometimes referred to as a hacker). If your password is easy to guess, then it will be guessed easily by the bad guys.

Bad password choices

Computer users tend to choose passwords relating to a person or activity that they particularly like. While this makes the password easy to remember, it also makes it easy to guess. Example: After a few minutes in your office talking business, a co-worker notices you have three pictures of your dog. One on your desk, one as the background on your computer, and one hanging on the wall. A simple friendly question from your co-worker, "That's a beautiful dog, what's its name?" and you've given away your password! The same theory applies to favorite activities, spouse, kids, etc.

To understand why any word in a dictionary is bad, you must understand the ways in which crackers try to guess passwords. The three major methods of getting a password are social engineering, brute force password attack, and dictionary attack. An example of social engineering is given above—basically someone asks you for your password and you tell them! A brute force password attack involves trying every possible combination of letters, numbers, and symbols until the correct password is found. Dictionary attacks take a huge list of words and try each word until the correct password is found.

Good password choices

There are many elements to choosing a good password. A good password should:

We've already said that dictionary words make bad passwords, but you can base a password on a dictionary word and still make it a good password. For example, "gravy" would be an easily guessed password, but "Mom'sgravY" would be much more difficult. It could be made even better with numbers and other symbols, "Mom's#1gravY". Sentences can also make good passwords, "Great men are created, not born!". Just make sure it's not a "favorite" quote which you say regularly or use as an e-mail signature!
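The two points above (why a dictionary word is weak against a wordlist attack, and why a longer password drawn from more character classes is harder to brute force) can be checked with a small strength assessor. The code below is an added example written for this article, not part of the original page; it uses a constructed six-word list standing in for a real dictionary-attack wordlist, and its guess-rate figure and the 40-bit threshold are illustrative assumptions, not figures from the article.

```python
import math
import string

# Constructed stand-in for a dictionary-attack wordlist (a real list has millions of entries).
SAMPLE_WORDLIST = {"gravy", "password", "letmein", "rover", "fluffy", "qwerty"}

# Character classes a brute-force attacker would have to include once the password uses them.
# The space class has size 1 so that sentence passwords are not penalised for containing spaces.
CHARACTER_CLASSES = [
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation), 32),
    ({" "}, 1),
]


def in_dictionary(password, wordlist=SAMPLE_WORDLIST):
    """True if the password is a plain wordlist entry, ignoring case and trailing digits.

    Trailing digits are stripped because "gravy123" is only marginally harder than
    "gravy" for a wordlist attack that tries common suffixes.
    """
    candidate = password.lower().rstrip(string.digits)
    return candidate in wordlist or password.lower() in wordlist


def search_space_bits(password):
    """Estimate brute-force work as log2(alphabet_size ** length).

    The alphabet is the union of the character classes the password actually uses,
    which is what an attacker has to enumerate when nothing about the password is known.
    """
    alphabet = sum(size for chars, size in CHARACTER_CLASSES if any(c in chars for c in password))
    if alphabet == 0 or not password:
        return 0.0
    return len(password) * math.log2(alphabet)


def brute_force_seconds(bits, guesses_per_second=1e9):
    """Worst-case time to exhaust the search space at an assumed (illustrative) guess rate."""
    return (2 ** bits) / guesses_per_second


def assess(password, wordlist=SAMPLE_WORDLIST, minimum_bits=40):
    """Return (verdict, bits): wordlist exposure first, then brute-force search space."""
    bits = search_space_bits(password)
    if in_dictionary(password, wordlist):
        return ("weak: in wordlist", bits)
    if bits < minimum_bits:
        return ("weak: small search space", bits)
    return ("stronger", bits)


if __name__ == "__main__":
    for pw in ["gravy", "gravy123", "Mom'sgravY", "Mom's#1gravY", "Great men are created, not born!"]:
        verdict, bits = assess(pw)
        print(f"{pw!r:40} {verdict:28} {bits:6.1f} bits  ~{brute_force_seconds(bits):.3g} s worst case")
```

Running the block shows the article's progression: "gravy" is rejected outright because it is on the wordlist, "Mom'sgravY" has roughly 64 bits of search space, and "Mom's#1gravY" gains another 15 bits from the added digit and symbol. Note that the bit estimate is an upper bound on attacker effort: a password built from a dictionary word plus a predictable decoration is weaker than its search space suggests, which is why the wordlist check runs first.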

How do you remember a good password?

A really good password might be hard to remember if it's not chosen carefully. You might be tempted to write your password down and put it in an easily accessible place. Don't do it! This is one of the easiest ways to compromise security. Passwords stuck on the monitor, hidden under keyboards, under the desk drawer, or in the desk drawer are easy to find and abuse. If you must write it down keep the paper in a safe place, like a safe or locked cabinet. Try not to write down your username with the password. Without knowing the username or which service a password belongs to, it is of limited usefulness. This is a good example of why you should not use the same password on multiple services.

To help you remember a new password:

How often should a password be changed?

Changing a password guarantees that if someone does figure out your password, they won't be able to use your account for very long. But, that extra protection comes at the price of an increased burden to remember passwords. A good password that you haven't given to anyone should be good for at least several months. Don't ever give your password out to other people. If you must for some reason, change the password as soon as possible.

Summary

Passwords are important and should be treated like a critical piece of information. Users should be trained to protect their passwords and not to give out any critical information to unknown people. If you would like more information on security training or have any questions about the information presented in this article, please contact us.
