Password Code of Practice

The Importance of Passwords

The use of good, strong passwords by computer users is an indispensable tool in the maintenance of any confidential data for which they are responsible, and in the protection of their systems against attack and abuse. If your password is deliberately or accidentally disclosed, it becomes compromised and therefore weak. The use of a weak password may allow someone to assume your identity and use, amend or delete any of the records or files you are responsible for.

To avoid accidental disclosure, a password should be easy to remember so you don't have to write it down. When using it, you should be able to enter it rapidly to avoid the keystrokes being seen by onlookers. Better still, place yourself between their eyes and your keyboard or ask them to look away.

The password cracker programs that try to guess passwords and attack a computer system do not try all existing passwords. Rather, they try hundreds of millions of words derived from dictionaries and past "success" lists. Computers running cracker programs are fast enough to use combinations of two or more listed words and numbers, and still crack a password in hours. So in order to avoid becoming their victim, your password must avoid their potential search patterns.

A strong password is:

• at least eight characters long
• constructed of upper and lower case characters and numbers or punctuation characters
• not easily guessed by any person or program
• easy to remember
• not known by or shared with other people
• is secret and nowhere recorded in unencrypted or undisguised form
• not more than three months old

A weak password is:

• shorter than eight characters in length
• a word from an English, foreign language or technical dictionary
• a proper name or noun
• a phone number
• an identification number generated by any agency or system
• a string of the same character repeated
• a simple pattern of letters or other keys from the keyboard
• any of the above reversed or concatenated
• any of the above with digits before or after
• a birthday or anniversary date
• anything easily associated with you or your interests
• related to your login name or the system you use
• a password you have used before
• constructed of only alphabetic characters or only digits

Contingencies

If you must write down your password, perhaps as a contingency against forgetting it and locking yourself out of your own system:

• Do not identify it as a password
• Disguise it by making it part of a longer piece of text
• Make the recorded version different from the actual
• Do not include the application, system or account name
• Keep it in a secret place, hidden away from the view of anyone else

As a contingency against your being incapacitated and needing to pass on control of the system to another person, passwords should be stored in a sealed envelope in a fire safe.

Common sense suggestions for devising strong passwords, memorable and hard to guess:

• make up your own acronym or use the first letter of each word from a sentence or line in a song (e.g. "The chain has fallen off my bicycle again" could be "Tchf0mBa" - note the zero instead of a letter "O")
• use two short words or abbreviations separated by punctuation or a number (e.g. "Blue>pIg")
• construct mixed-case nonsense words that are pronounceable and include a number (e.g. "ug2bruSH", "2TfruitE")
• split a longer word with punctuation or a number (e.g. "eXp3nses")

Further reading:

• http://www.acs.calpoly.edu/policies/passwords.html

 .   .   . 
Last Update: 16/09/1999
Web Author: Trevor Oxborrow