[From Computer Security Basics by Deborah Russell and G. T.
Gangemi Sr., O'Reilly & Associates (1991).]
Hints for Picking Passwords
Pick passwords that are hard to guess. The best passwords contain mixed uppercase and lowercase letters, as well as at least one number and/or special character. The password you pick doesn't need to be gibberish; in fact, if it is, you'll be tempted to write it down, defeating the purpose of your careful selection. Some suggestions are:
- Pick passwords that aren't words (English or otherwise) or names (especially your own, that of a fictional character such as Hamlet or Gandalf, or that of a family member, a pet, or a car).
- Pick a mix of alphabetic and numeric characters. Never use an all-numeric password (especially your phone number or social security
- Pick long passwords. If your password is only a few letters long, an attacker will find it easy to try all combinations. Most systems insist that your password be at least 6-8 characters. Some systems support passwords of 40 or more characters.
- Pick different passwords for the different machines or network nodes you access.
- Be careful about including special characters in passwords. Some special characters (e.g., # and @) have special meanings to terminal emulation software; on older UNIX terminals # is the erase character and @ the line-kill character, so they may never reach the password prompt at all. Control characters, like CONTROL-S, CONTROL-H, CONTROL-/, and CONTROL-\, can also cause confusion (CONTROL-S, for example, is the XOFF flow-control character, and CONTROL-\ is the UNIX quit character). Check with your system administrator.
- Combine several short words with numbers or special characters; for example, I;did3it.
- Use an acronym you've built from a phrase you'll remember. For example, the acronym for "When in the course of human events" is Witcohe, but that one could be guessed because the phrase is famous. It's better to pick a phrase that's not recognizable. For example, the acronym for "Oh no, I forgot to do it" is Oniftdi. Add a number or a special character for more security; for example, Onif;tdi or On5iftdi.
- Pick a nonsense word that's still pronounceable; for example, 8Bektag or shmoaz12.
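The following is an added example, not code from the book, that turns the hints above into a checker and shows why a short or all-numeric password falls to exhaustive search: it scores a candidate against the rules (not a word or name, letters mixed with digits or specials, long enough, no characters the terminal may eat), estimates how long trying every string of the same alphabet and length would take, and builds the acronym-style passwords from the text. The word list, name list, eight-character minimum and one-million-guesses-per-second attacker are constructed assumptions for illustration.

```python
"""Password hints as code (added example; the word list, name list, minimum
length and attacker speed below are assumptions, not figures from the book)."""
import re
import string

# Constructed stand-ins for a real word list and a list of names an attacker
# could learn about you (fictional characters, family, pets, cars). A real
# checker would load a cracking dictionary instead.
DICTIONARY_WORDS = {"password", "secret", "welcome", "dragon", "computer"}
KNOWN_NAMES = {"hamlet", "gandalf", "deborah", "rover", "mustang"}

# Characters the book warns terminal software may swallow or reinterpret.
RISKY_SPECIALS = set("#@")

# Assumed attacker speed for the exhaustive-search estimate (guesses/second).
GUESSES_PER_SECOND = 1_000_000


def charset_size(pw: str) -> int:
    """Size of the smallest standard alphabet covering every character in pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable ASCII specials
    return size


def seconds_to_exhaust(pw: str) -> float:
    """Worst case for an attacker who tries every string of this alphabet and length."""
    return charset_size(pw) ** len(pw) / GUESSES_PER_SECOND


def check_password(pw: str, min_length: int = 8) -> list[str]:
    """Return the hints the candidate violates; an empty list means it passes."""
    problems = []
    # Stripping digits and punctuation catches Hamlet1 and secret! as well as
    # the bare word, which is the first trick a cracking tool tries.
    letters_only = "".join(c for c in pw.lower() if c.isalpha())
    if len(pw) < min_length:
        problems.append(f"too short ({len(pw)} < {min_length})")
    if pw.isdigit():
        problems.append("all numeric")
    if not (any(c.isalpha() for c in pw) and any(not c.isalpha() for c in pw)):
        problems.append("no mix of letters with digits or special characters")
    if letters_only in DICTIONARY_WORDS:
        problems.append("is a dictionary word")
    if letters_only in KNOWN_NAMES:
        problems.append("is a name")
    risky = RISKY_SPECIALS & set(pw)
    if risky:
        problems.append("contains " + "".join(sorted(risky)) + ", which terminals may intercept")
    return problems


def acronym(phrase: str) -> str:
    """First letter of each word, capitalised the way the book's examples are."""
    letters = "".join(w[0] for w in re.findall(r"[A-Za-z']+", phrase))
    return letters[:1].upper() + letters[1:].lower()


def strengthen(acro: str, extra: str, position: int) -> str:
    """Insert a digit or special character at a 0-based position in the acronym."""
    return acro[:position] + extra + acro[position:]


if __name__ == "__main__":
    for candidate in ["5551234", "Hamlet1", "Gand@lf99", "I;did3it", "shmoaz12",
                      strengthen(acronym("Oh no, I forgot to do it"), ";", 4)]:
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate:12} {seconds_to_exhaust(candidate):14.1f}s  {'; '.join(verdict)}")
```

The checker rejects "5551234" as all numeric and "Hamlet1" as a name even though it carries a digit, and the exhaustion estimate makes the length hint concrete: four digits fall in a hundredth of a second, while eight mixed letters and digits take weeks at the same guess rate. In practice you would also compare the candidate against a list of passwords seen in previous breaches, which the book predates.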
Hints for Protecting Passwords
System administrators and users share responsibility for enforcing password security. Someone who uses your password to break into a system can do more than damage your own files: once inside, they can compromise all of the files on your system or network.
From the USENET: "A password should be like a toothbrush. Use it
every day; change it regularly; and DON'T share it with
- Don't ever let anyone use your password.
- Don't write your password down -- particularly on your terminal, computer, or anywhere around your desk. If you ever do write your password down, don't identify it as a password and don't write the phone number of the computer on the same piece of paper.
- Don't type a password while anyone is watching.
- Don't record your password online or send it anywhere via electronic mail. In The Cuckoo's Egg, Cliff Stoll reports how his intruder scanned electronic mail messages for references to the word "password."
- Don't make a bad situation worse. If you do share your password -- deliberately or inadvertently -- change it immediately (or ask your administrator to change it).
- Don't keep the same password indefinitely. Even if your password hasn't been compromised, change it on a regular basis.
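The scan Stoll's intruder ran over stored mail is a one-line search for the word "password"; the following added example (not from the book) runs the same kind of search the defender's way, over outgoing or archived messages, and separates a bare mention of the word from a message that actually states a credential. The message texts and the regular expressions are constructed for this example.

```python
"""Find credentials in mail text (added example; sample messages are constructed)."""
import re

# What the intruder looked for: any mention of the word.
MENTION = re.compile(r"\bpass(?:word|wd|phrase)\b", re.IGNORECASE)

# The stronger case: the word followed by "is", ":" or "=" and a value, which is
# how people state a password in mail ("your password is X", "passwd: X").
DISCLOSURE = re.compile(
    r"\bpass(?:word|wd|phrase)\b\s*(?:is\b|:|=)\s*[\"']?(?P<secret>\S+)",
    re.IGNORECASE,
)

SAMPLE_MAIL = [  # constructed messages, index used as the message id
    "Subject: machine move\n\nThe new node is up; log in as usual.",
    "Subject: account\n\nYour password is Oniftdi, please change it after login.",
    "Subject: reminder\n\nDon't forget, the password policy changed last week.",
    "Subject: vax\n\nuser: operator\npasswd: Manager!\ndial 555-0100 to reach it.",
]


def classify(message: str) -> str:
    """'disclosure' if a credential is stated, 'mention' if only the word appears, else 'clean'."""
    if DISCLOSURE.search(message):
        return "disclosure"
    if MENTION.search(message):
        return "mention"
    return "clean"


def extract_secrets(message: str) -> list[str]:
    """The values a disclosing message gives away, trailing punctuation removed."""
    return [m.group("secret").rstrip(",.;") for m in DISCLOSURE.finditer(message)]


def scan_mailbox(messages) -> dict[str, list[int]]:
    """Group message ids by verdict so the disclosures can be acted on first."""
    report = {"disclosure": [], "mention": [], "clean": []}
    for i, msg in enumerate(messages):
        report[classify(msg)].append(i)
    return report


if __name__ == "__main__":
    report = scan_mailbox(SAMPLE_MAIL)
    for i in report["disclosure"]:
        print(f"message {i}: password stated in the clear: {extract_secrets(SAMPLE_MAIL[i])}")
    print("mentions only:", report["mention"], "clean:", report["clean"])
```

Messages in the "disclosure" group are the ones the book's advice is about: the password in them must be treated as shared and changed immediately, since anyone who can read the mail spool, in transit or at rest, has it.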