Introduction

A well-chosen password improves the security of your account, files, and computer. Given sufficient time and resources, any password can be guessed. We can protect our resources by making our passwords as difficult to guess as possible, thereby increasing the amount of time required to guess them.

A password is only as good as it is unpredictable. One of the most common methods used to break into computer systems is to look at a list of the users and try to guess their passwords. It is a simple task to write a program which tries such obvious things as the user’s name (capitalized or not), common nicknames, the user’s phone number, and any word found in a standard dictionary.

One of the greatest strengths of a password comes from its variety. There are 47 keys on the standard US keyboard that have two possible output characters usable in a password, giving a total of 94 possible characters that can be easily chosen for use in your password. The more you make use of this variety, particularly the more obscure portions of it, the less likely it is that someone will guess your password quickly.

One of the greatest strengths of a password comes from its length. Probability theory tells us that each additional character in a password multiplies the amount of work a password-guessing program must do to break your password. A three-character password made up of only the characters A through Z (in either upper or lower case) can be guessed in just over 140,000 tries. A password of 8 characters potentially using the full 94-character space would require over 722 quadrillion (1 quadrillion = 1,000 trillion) guesses.

A strong password combines length, variety and non-predictability.

Advice for Choosing a Strong Password

  • Create a password of sixteen characters or more (longer is stronger!).
  • Do use words or phrases that mix upper and lower case, numbers, and punctuation.
  • Do not use your name in any form — first, middle, last, maiden, spelled backwards, nickname or initials.
  • Do not use any ID number or login name in any form, even spelled backwards!
  • Do not use any all-numeral password, e.g., your license-plate number or social-security number.
  • Do not use your phone or office number, address, birthday, or anniversary.
  • Do not use a single common name, or the name of a close relative, friend, or pet.
  • Do not use a single English or foreign word; instead, use two or more English or foreign words to create a passphrase.
  • Do not use a single word either preceded or followed by a digit, a punctuation mark, up arrow, or space.

Note: To check how old your BU password is, to see if your BU login was associated with a breach, and to review the devices associated with your BU Duo account, visit the Terrier Cybersecurity Checkup App.

The Passphrase Concept

A password is only good if you are the only person who knows it. Since complex passwords are hard to remember, people often resort to writing them down, or else choose less complex passwords. To make it easier, we suggest you use passphrases in place of passwords.

A passphrase might be created by taking a sentence and selecting the first letter from each word. For example, consider the following sentence: “A good password is long, complex, unpredictable, and known only to me”. We could take just the first letter from each of these words to come up with the passphrase “agpilcuakotm”. It’s unlikely anyone will guess that is your password, but as long as you remember the phrase, you’ll always be able to type the password.

Make substitutions of characters to increase the complexity. The passphrase “agpilcuakotm” is not very complex. To address that, we can do two things. One, we can add the commas from the phrase into the passphrase to get: “agpil,c,u,akotm”. We can introduce random capitalization as well: “aGPil,c,u,akotm”, and finally make substitutions like using the equal sign for “is” and the number 1 for “only” to get “aGP=l,c,u,ak1tm”. It is very unlikely that anyone will guess this password randomly. It also has sufficient length to be a Kerberos password, even though the phrase used to create it was easy to remember.
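The following is an added example, not code from the original article: it reproduces the four passphrase-building steps above (first letters, kept commas, capitalization, word substitutions) and then sizes the keyspace a brute-force guessing program would have to cover, using the same 94-character keyboard alphabet the article describes. The function names and the per-class alphabet accounting are this example's own assumptions; the resulting guess count is an upper bound, since a passphrase derived from a guessable sentence is weaker than a random string of the same length.

```python
import math
import string

# The 94 printable, non-whitespace characters typeable on a US keyboard,
# i.e. the "94 possible characters" the article refers to.
KEYBOARD_CHARS = [c for c in string.printable if c not in string.whitespace]

CHARACTER_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                     string.digits, string.punctuation)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of `length` drawn from `alphabet_size` symbols."""
    return alphabet_size ** length


def effective_alphabet(password: str) -> int:
    """Alphabet a guessing program must cover: the sum of every keyboard
    character class (lower, upper, digit, punctuation) the password uses."""
    return sum(len(cls) for cls in CHARACTER_CLASSES
               if any(ch in cls for ch in password))


def guesses_and_bits(password: str) -> tuple:
    """Worst-case guess count for an exhaustive search over the password's
    effective alphabet, and the same figure in bits. Upper bound only: a
    passphrase built from a guessable sentence is weaker than this."""
    total = keyspace(effective_alphabet(password), len(password))
    return total, math.log2(total)


def build_passphrase(sentence, keep_punctuation=False, capitalize=(), substitutions=None):
    """Turn a sentence into a passphrase the way the article does: first letter
    of each word (lower case), optionally keeping the punctuation that follows a
    word, upper-casing the letters at the given word indexes, and replacing
    whole words listed in `substitutions` with a symbol."""
    substitutions = substitutions or {}
    pieces = []
    for index, token in enumerate(sentence.split()):
        word = token.rstrip(string.punctuation)
        trailing = token[len(word):]          # e.g. the "," after "long,"
        piece = substitutions.get(word.lower(), word[0].lower())
        if index in capitalize:
            piece = piece.upper()
        pieces.append(piece + (trailing if keep_punctuation else ""))
    return "".join(pieces)


SENTENCE = "A good password is long, complex, unpredictable, and known only to me"

if __name__ == "__main__":
    steps = [
        build_passphrase(SENTENCE),
        build_passphrase(SENTENCE, keep_punctuation=True),
        build_passphrase(SENTENCE, keep_punctuation=True, capitalize=(1, 2)),
        build_passphrase(SENTENCE, keep_punctuation=True, capitalize=(1, 2),
                         substitutions={"is": "=", "only": "1"}),
    ]
    for pw in steps:
        total, bits = guesses_and_bits(pw)
        print(f"{pw:18} alphabet={effective_alphabet(pw):2} guesses={total:.3e} bits={bits:.1f}")
```

Running it shows the alphabet growing from 26 to 94 as punctuation, capitals and the digit are introduced, and the final 15-character result landing near 98 bits of brute-force work.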

Another common technique is to include the transposition of letters in the passphrase.

Visit How to Choose a Strong Password for more information on tips and resources.