
Good and Bad Passwords How-To

Review of Widely Circulated Password DO's and DONT's
Standard Password Advice

There are many lists of password do's and don'ts; see the footnote page for several examples. Though there is much similarity, no two lists make quite the same recommendations. The following list of don'ts combines all the common recommendations plus one. It has been modified to some extent to account for the capabilities of password cracking tools. "Redundant with" indicates that the rule is a specific example of an already stated general rule. They are listed in what I estimate to be their order of importance.

Do NOT:
  1. Use your account name or any data that appears in your record in the passwd file.
  2. Use any word or name that appears in any dictionary, reference or list regardless of case changes; especially do not use character strings that appear in password cracking tools' word lists or bad password lists.
  3. Use phrases or slang, with or without white space. Redundant with 2. See below.
  4. Use any mythological, legendary, religious or fictional character, object, race, place or event. Redundant with 2.
  5. Use acronyms. Redundant with 2.
  6. Use alphabetic, numeric or keyboard sequences; many such sequences are included in cracking tools' "word" lists. Redundant with 2.
  7. Use titles of books, movies, poems, essays, songs, CDs or musical compositions. Redundant with 2.
  8. Vary the character sequences obtained from any of the foregoing items by any of the following methods:
    1. Prepend or append symbols, punctuation marks and / or digits to a word.
    2. Use words with some or all the letters reversed.
    3. Use conjugations or plurals of words.
    4. Use words with the vowels deleted.
    5. Replace letters with like looking symbols or digits.
      • A -> 4
      • a -> 2
      • a -> @
      • C -> (
      • E -> [
      • E -> {
      • e -> 3
      • G -> @
      • h -> 4
      • I -> 1
      • I -> !
      • I -> |
      • l -> 1
      • l -> !
      • l -> |
      • O -> 0
      • S -> 5
      • S -> $
      • Z -> 5
    6. Replace digits with like looking letters or symbols.
      • 0 -> O
      • 3 -> ]
      • 3 -> }
    7. Use only the first or the last character in uppercase. Redundant with 2.
    8. Use only vowels in uppercase. Redundant with 2.
    9. Use only consonants in uppercase. Redundant with 2.
  9. Use any personally related information.
  10. Use anything you can imagine being collected into a list.
  11. Use a publicly shown example good password.
  12. Use great vanity license plates. In the future, may be redundant with 2.
  13. Transliterate words from other languages.
  14. Repeat any character more than once in a row.
DO:
  • Use at least 8 characters.
  • Include a digit or punctuation.
  • Use upper and lower case.
  • Choose a phrase or combination of words to make the password easier to remember.
  • The password may be two words separated by a non-letter, non-digit character.
  • It may contain non-printing characters.
  • Use different passwords on different machines.
  • Change passwords regularly, and don't reuse passwords or make minor variations such as incrementing a digit.

The suggestions overlap because they come from different sources. Most users, and some systems, will have real difficulty with non-printing characters.
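To show how the "Do NOT" variations in rule 8 and the "DO" rules translate into a mechanical check, here is an added example (not code from the original page): it undoes the look-alike substitutions listed under rule 8, strips appended digits and symbols, reverses the string, and tests the results against a small constructed word list, including plurals and vowel-stripped forms, before applying the length and character-class rules. The rule labels, the `WORDS` list and the reading of rule 14 as "no doubled character" are assumptions made for the example.

```python
import itertools
import re
import string

# Reverse of the look-alike table in rule 8, item 5 (the char itself is kept too).
LEET_BACK = {"4": "ah", "2": "a", "@": "ag", "(": "c", "[": "e", "{": "e",
             "3": "e", "1": "il", "!": "il", "|": "il", "0": "o",
             "5": "sz", "$": "s"}
# Constructed sample word list; a real check would load a cracker's word list.
WORDS = {"password", "apple", "dragon", "secret", "letmein", "monkey"}

def unleet(s):
    """Every string obtained by undoing any subset of the look-alike swaps."""
    choices = [LEET_BACK.get(ch, "") + ch for ch in s]
    return {"".join(p) for p in itertools.product(*choices)}

def base_forms(pw):
    """Strings a rule-based cracker recovers from pw (rule 8, items 1, 2, 5)."""
    lowered = pw.lower()
    forms = set()
    for s in (lowered, lowered.strip(string.digits + string.punctuation)):  # 8.1
        for v in unleet(s):                                                  # 8.5
            forms.update((v, v[::-1]))                                       # 8.2
    return {f for f in forms if len(f) >= 3}

def derived_from(form, words, devowelled):
    """form is a listed word, a plural/conjugation (8.3) or a vowel-stripped word (8.4)."""
    return (form in words or form in devowelled or
            any(form.endswith(suf) and form[:-len(suf)] in words
                for suf in ("s", "es", "ed", "ing")))

def check_password(pw, account, words=WORDS):
    """Return the page's rules that pw violates; an empty list means it passes."""
    words = {w.lower() for w in words}
    devowelled = {re.sub(r"[aeiou]", "", w) for w in words if len(w) > 3}
    forms = base_forms(pw)
    problems = []
    if account and any(account.lower() in f for f in forms):
        problems.append("rule 1: contains the account name")
    if any(derived_from(f, words, devowelled) for f in forms):
        problems.append("rule 2/8: a listed word under cracking-tool variations")
    if re.search(r"(.)\1", pw):  # rule 14, read here as any doubled character
        problems.append("rule 14: repeats a character in a row")
    if len(pw) < 8:
        problems.append("DO: use at least 8 characters")
    if not any(ch in string.digits + string.punctuation for ch in pw):
        problems.append("DO: include a digit or punctuation")
    if not (any(ch.islower() for ch in pw) and any(ch.isupper() for ch in pw)):
        problems.append("DO: use upper and lower case")
    return problems
```

`check_password("P@55w0rd!", "alice")` reports rules 2/8 and 14, because undoing the substitutions recovers "password"; the personally related strings from the next section can be passed in through `words` in the same way.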

Personally related information

Most people choose passwords that are easy to remember. One way to make passwords easy to remember is to pick passwords, or parts of a password, that are directly related to oneself. Generally these are considered poor password choices. Below is a list of all the personally related information that I have seen in passwords or in lists of what not to use in passwords. It is listed in the order in which I think this information is most likely to be used in forming passwords:

  • One's names and initials.
  • One's account name.
  • Names of immediate family members.
  • Names, breeds or species of pets.
  • One's birthday.
  • Family members' birthdays.
  • One's vehicle make, model, year.
  • Hobbies, interests and related words.
  • One's job title.
  • Employer's name.
  • Job related words.
  • Friends' names.
  • Street numbers or names, city, county, state or zip code for home, work, family or friends.
  • Phone numbers for home, work, family or friends.
  • Social security numbers for self and immediate family.
  • License plate numbers.
  • Birthplace including street address.
  • University or college name.
  • College major.
  • High school name.
  • Student or employee ID numbers.
  • Serial numbers from consumer products.

"and permutations and combinations" should be mentally added to each of the foregoing. Names include first, middle, last and maiden names, where applicable.


Copyright © 2000 - 2014 by George Shaffer. This material may be distributed only subject to the terms and conditions set forth in http://GeodSoft.com/terms.htm (or http://GeodSoft.com/cgi-bin/terms.pl). These terms are subject to change. Distribution is subject to the current terms, or at the choice of the distributor, those in an earlier, digitally signed electronic copy of http://GeodSoft.com/terms.htm (or cgi-bin/terms.pl) from the time of the distribution. Distribution of substantively modified versions of GeodSoft content is prohibited without the explicit written permission of George Shaffer. Distribution of the work or derivatives of the work, in whole or in part, for commercial purposes is prohibited unless prior written permission is obtained from George Shaffer. Distribution in accordance with these terms, for unrestricted and uncompensated public access, non profit, or internal company use is allowed.
