Best Practices for Creating A Strong and Secure Password

January 12, 2015, 2 Mins Read.

Strong Passwords…

  • Are at least eight characters long
  • Contain characters from at least three of the following four categories:
      • Uppercase letters (A-Z)
      • Lowercase letters (a-z)
      • Digits (0-9)
      • Special characters (e.g., !@#$%^&*()_+|~-=\`{}[]:";'?,./). (Note: Oracle allows only the special character underscore (_) in a password unless the password is enclosed in quotes.)
  • Are kept private. Passwords should be memorized or, if written down, kept in a locked file cabinet or other secure location.
  • Do not contain a common proper name, a login ID, an email address, initials, or a first, middle or last name

Weak Password Characteristics

  • The password contains less than eight characters
  • The password is a word found in a dictionary (English or foreign) or a word in any language, slang, dialect, jargon, etc.
  • The password is the same as your username or login name
  • The password is a common usage word such as the name of a family member, pet or friend, a computer term, a birthday or other personal information, or a keyboard, repetition or mirrored pattern like aaabbb, dddddd, qwerty, zyxwvuts, 123321, etc.
  • Any of the above spelt backwards
  • Any of the above preceded or followed by a digit (e.g., secret1, 1secret)
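
The two lists above amount to a policy that can be checked mechanically. The following Python checker is an added example, not code from the original article: it applies the length rule, the three-of-four character categories, the keyboard/repetition/mirrored patterns, the dictionary and username checks (including the password reversed and with one leading or trailing digit stripped), and a substring check for personal information. The function names, the small constructed word list and the sample inputs are assumptions for illustration; a real deployment would load the same large wordlists that password crackers use.

```python
import string

# Constructed stand-in for a real cracking wordlist (assumption for this example).
COMMON_WORDS = {"secret", "password", "welcome", "fluffy", "monkey", "summer", "letmein"}

# Sequences from the weak list: keyboard rows, the alphabet and the digits,
# matched forwards or backwards (qwerty, zyxwvuts, 123456).
SEQUENCES = ["qwertyuiop", "asdfghjkl", "zxcvbnm", string.ascii_lowercase, string.digits]


def _char_classes(password):
    """Count how many of the four categories (upper, lower, digit, special) appear."""
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(not c.isalnum() for c in password)
    return sum([has_upper, has_lower, has_digit, has_special])


def _is_pattern(password):
    """Keyboard walks, alphabet runs, repeats (aaabbb, dddddd) and mirrored runs (123321)."""
    p = password.lower()
    if len(p) >= 4:
        for seq in SEQUENCES:
            if p in seq or p in seq[::-1]:
                return True
    if len(set(p)) <= 2:                  # aaabbb, dddddd, ababab
        return True
    return len(p) >= 4 and p == p[::-1]   # 123321, abccba


def _word_forms(password):
    """The password, the password with one leading or trailing digit stripped,
    and the reverse of each of those ("secret1", "1secret", "terces" all collapse to "secret")."""
    p = password.lower()
    forms = {p}
    if p and p[0].isdigit():
        forms.add(p[1:])
    if p and p[-1].isdigit():
        forms.add(p[:-1])
    return forms | {f[::-1] for f in forms}


def check_password(password, username="", email="", names=(), wordlist=COMMON_WORDS):
    """Return a list of policy violations; an empty list means the password passes.

    names: first/middle/last names (and pet names etc.) that must not appear in the password.
    """
    violations = []
    if len(password) < 8:
        violations.append("shorter than eight characters")
    if _char_classes(password) < 3:
        violations.append("fewer than three of the four character categories")
    if _is_pattern(password):
        violations.append("keyboard, repeated or mirrored pattern")

    forms = _word_forms(password)
    if username and username.lower() in forms:
        violations.append("same as the username (possibly reversed or with a digit added)")
    if any(f in wordlist for f in forms):
        violations.append("dictionary word (possibly reversed or with a digit added)")

    # Personal information must not appear anywhere inside the password.
    tokens = [username, email, email.split("@")[0], *names]
    tokens.append("".join(n[0] for n in names if n))   # initials, e.g. "jd"
    lowered = password.lower()
    for tok in dict.fromkeys(tokens):                   # de-duplicate, keep order
        if len(tok) >= 3 and tok.lower() in lowered:
            violations.append(f"contains personal information: {tok!r}")
    return violations


if __name__ == "__main__":
    # Constructed sample inputs for illustration.
    for pw in ["secret1", "1Secret", "123321", "Jdoe2024!", "Ywtt?Ychtt!"]:
        result = check_password(pw, username="jdoe", email="jdoe@example.com", names=("John", "Doe"))
        print(f"{pw!r}: {'OK' if not result else '; '.join(result)}")
```

Run as a script it reports each constructed sample; imported, `check_password` returns the violations so it can sit behind a signup or password-change form. Note that the "contains personal information" check is deliberately strict (any token of three or more characters, anywhere in the password), which is what the "do not contain" rule above asks for.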

A List of Don’ts

  • Don’t reveal a password over the phone or in person to anyone. Not your boss. Not your family. Not your co-workers. If someone demands a password, refer them to this document.
  • Don’t reveal a password in an email message
  • Don’t talk about a password in front of others
  • Don’t hint at the format of a password (e.g., “my family name”)
  • Don’t reveal a password on questionnaires or security forms
  • Avoid writing passwords down, but if you must, store them in a secure place (e.g., a locked file cabinet)
  • Passwords should never be stored unencrypted on-line
  • Do not use the “Remember Password” feature of applications (e.g., Eudora, Outlook, Netscape Messenger)
  • Don’t use the default password, if one is provided. Change it immediately to a new, stronger password.
  • Don’t reuse old passwords. NetID passwords cannot be reused within a 12-month period, and passwords cannot be changed to any of the previous three passwords.

Our Personal Favorites

Take your favourite line from a movie, song, or book and convert it to a passphrase. If you like the scene from A Few Good Men when Jack Nicholson is on the stand, take the line “You want the truth? You can’t handle the truth!” and convert it to “Ywtt?Ychtt!”.

It has uppercase and lowercase letters as well as special characters (three of the four categories above), it is eleven characters long, and it is not a word appearing in any dictionary, yet it is simple for you to remember. One caveat: the more famous the line, the more likely its initialism already appears in a cracking wordlist, so a line that is memorable to you rather than to everyone is the better choice.

Or, use a tool. The main reason that users choose passwords that are easy to crack is that they want passwords that are easy to remember. It is obviously much easier to remember your dog's name, or to type characters in the order they appear on the keyboard, like "123456", than it is to recall "a5$jgFD118@Kle45@".

But, guess which one is more secure?

You can use a password management tool to store complex passwords. The master password then becomes a single point of failure, since whoever cracks or learns it gains access to every password in the vault, so it must be the strongest passphrase you own and must never be reused anywhere else. In return, the tool lets you use a unique, strong, randomly generated password for each web site, account and application without having to remember any of them.
