Simple tips and guidance for making easy-to-remember, strong passwords

Strong vs. Weak Passwords

Strong Passwords

A strong password is 15 or more characters long and has a mixture of upper and lower-case letters, numbers, and symbols. A strong password is also hard to guess, but easy to remember.

Strong Password Examples

  • a_Slice0fApplePie
  • !theCH3CKisINtheMALE!
  • an 3l3phant can B herd 2 h@ndle...
  • mm+m2p+b1&URn+1Iw!
  • a^2PLUSb^2doesn'tequalPI

Weak Passwords

Weak passwords are short and easy to guess. Weak passwords are often single dictionary words followed by an incremented number, are runs on a keyboard, or consist of personal information.

Weak Password Examples

  • Winter78 (or any word followed by a number)
  • qwer#
  • iloveyou
  • Mary'76
  • March 12, 2014 (or any dates)
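The strong/weak rules above can be turned into a simple checker. The following is an added example written for this page, not a tool from the original page or from ITS: it applies the page's criteria (15 or more characters; upper-case, lower-case, numbers and symbols all present; no single word followed by a number; no keyboard runs; no dates) and reports every reason a password fails. The keyboard rows, the regular expressions and the four-character run length are assumptions made for the example, and it goes slightly beyond the page by also recognising numeric dates such as 03/12/2014.

```python
import re

# Policy values taken from the page: 15+ characters and all four character classes.
MIN_LENGTH = 15

# Rows of a US QWERTY keyboard (assumption), used to spot "runs on a keyboard" such as qwer.
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

# A single word followed by a number, e.g. Winter78 or Mary'76 (constructed pattern).
WORD_PLUS_NUMBER = re.compile(r"^[A-Za-z]+[^A-Za-z0-9]?\d{1,4}$")

# Dates such as "March 12, 2014" or "03/12/2014" (constructed patterns).
DATE_WORDS = re.compile(
    r"^(jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)[a-z]*\.?\s+\d{1,2},?\s+\d{2,4}$",
    re.IGNORECASE,
)
DATE_NUMERIC = re.compile(r"^\d{1,4}[/.-]\d{1,2}[/.-]\d{1,4}$")


def character_classes(password):
    """Report which of the four character classes the password contains.
    Anything that is not a letter or digit (including a space) counts as a symbol."""
    return {
        "upper-case letters": any(c.isupper() for c in password),
        "lower-case letters": any(c.islower() for c in password),
        "numbers": any(c.isdigit() for c in password),
        "symbols": any(not c.isalnum() for c in password),
    }


def has_keyboard_run(password, run_length=4):
    """True if the password contains run_length adjacent keys from one keyboard row,
    in either direction (qwer, rewq, 1234, ...)."""
    lowered = password.lower()
    for row in KEYBOARD_ROWS:
        for start in range(len(row) - run_length + 1):
            run = row[start:start + run_length]
            if run in lowered or run[::-1] in lowered:
                return True
    return False


def weaknesses(password):
    """Return the reasons the password fails the page's rules; an empty list means it passes."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    missing = [name for name, present in character_classes(password).items() if not present]
    if missing:
        reasons.append("missing " + ", ".join(missing))
    if WORD_PLUS_NUMBER.match(password):
        reasons.append("single word followed by a number")
    if has_keyboard_run(password):
        reasons.append("keyboard run")
    if DATE_WORDS.match(password) or DATE_NUMERIC.match(password):
        reasons.append("looks like a date")
    return reasons


if __name__ == "__main__":
    # The page's own strong and weak examples, used here as sample input.
    samples = [
        "a_Slice0fApplePie", "!theCH3CKisINtheMALE!", "an 3l3phant can B herd 2 h@ndle...",
        "mm+m2p+b1&URn+1Iw!", "a^2PLUSb^2doesn'tequalPI",
        "Winter78", "qwer#", "iloveyou", "Mary'76", "March 12, 2014",
    ]
    for pw in samples:
        problems = weaknesses(pw)
        verdict = "strong" if not problems else "weak: " + "; ".join(problems)
        print(f"{pw!r:40} {verdict}")
```

Run as a script it prints one line per sample: all five strong examples come back "strong" and each weak example lists the rules it breaks. A checker like this only catches the patterns the page names; it is a floor, not a measure of how hard a password is to guess.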

How to Create a Strong Password

Strong passwords can be fun to create and easy to remember. They are long and complex, but they can be built from nonsensical phrases and character substitution. For example:

The first password, a_Slice0fApplePie, comes from the phrase "A slice of Apple Pie". Here, we do several things:

  1. We capitalize every word after the first word.
  2. We substitute a zero (0) for a capital O.
  3. We add a "_" as a special character.
  4. We do NOT use our name, dates or just one long word.

The second password, !theCH3CKisINtheMALE!, comes from the phrase "The check is in the mail." Here, we do several things:

  1. We substitute certain letters with numbers, "3" looks like an "E".
  2. We do some word play, "male" and "mail".
  3. We add exclamation marks as characters at the beginning and the end.

The third password, "an 3l3phant can B herd 2 h@ndle...", comes from the phrase "An elephant can be hard to handle." Here, we do several things:

  1. We substitute certain letters with numbers, "3" looks like an "E".
  2. We substitute whole words, "to" is "2" and "be" is simply "B".
  3. We do some word play, "hard" with "herd".
  4. We use spaces as characters (a computer treats the space bar as a symbol).

The fourth password, mm+m2p+b1&URn+1Iw!, represents "My mother told me to pick the best one and you are not the one that I want!" Here we do several things:

  1. We take two common phrases and mix them up...
    • Start with the old childhood rhyming game ("My mother told me...")
    • End with a lyric from a song ("...the one that I want!")
  2. We take the first letter of each word to form the initial string, "mmtmtptboayrntotiw".
  3. We substitute some numbers for letters, "2" is "to", "1" is "one"...
  4. We substitute some simple words with letters, "you" is "U", "are" is "R"...
  5. We substitute letters for symbols, "t" looks like the "+"...

The last password, a^2PLUSb^2doesn'tequalPI, is "A squared plus B squared doesn't equal pie". Here we start with a mathematical equation and end with something unexpected, creating a passphrase out of a nonsensical yet easy-to-remember sentence.

The Importance of Strong Passwords

Strong passwords are all about length and complexity. If a keyspace has only 26 possible characters (just lower-case letters) and a password is 7 characters long, then the number of possible passwords is 26^7. With yesterday's technology, passwords like this can be cracked in seconds.

By adding just one more character to its length, a password's strength doubles. By adding more possible combinations (upper-case, numbers, and symbols), a password's strength grows exponentially. The difference is that a password can go from taking mere seconds to crack to hours, days, weeks, months or years.
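To make the keyspace arithmetic concrete, here is an added example (written for this page, not taken from it) that computes the number of possible passwords for a given character set and length, the equivalent strength in bits, and the worst-case time to try every candidate. The guess rate of ten billion guesses per second is a constructed figure for the comparison only, not a measurement of any real system; the character-set sizes are the usual counts for lower-case letters (26) and all printable ASCII (95). It also shows the exact multiplier that one extra character contributes: the size of the character set.

```python
import math

# Illustrative guess rate; a constructed figure for the comparison, not a measurement.
GUESSES_PER_SECOND = 10_000_000_000  # 1e10

# Character-set sizes used in the comparison.
LOWER = 26          # a-z only, the page's example
LOWER_UPPER = 52    # a-z plus A-Z
ALNUM = 62          # letters plus digits
PRINTABLE = 95      # all printable ASCII: letters, digits, symbols and space


def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly `length` characters drawn from `alphabet_size` symbols."""
    return alphabet_size ** length


def entropy_bits(alphabet_size, length):
    """Equivalent strength in bits: log2 of the keyspace."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size, length, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every password in the keyspace at `rate` guesses per second."""
    return keyspace(alphabet_size, length) / rate


def extra_character_factor(alphabet_size, length=7):
    """How many times larger the keyspace becomes when one more character is added."""
    return keyspace(alphabet_size, length + 1) // keyspace(alphabet_size, length)


def human_duration(seconds):
    """Render a number of seconds in the largest convenient unit."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.3f} seconds"


if __name__ == "__main__":
    # The page's 7-character lower-case case, one character longer, and the same lengths
    # over the full printable set, including the page's recommended 15 characters.
    cases = [(LOWER, 7), (LOWER, 8), (PRINTABLE, 7), (PRINTABLE, 15)]
    print(f"{'alphabet':>8} {'length':>6} {'keyspace':>30} {'bits':>6}  time to exhaust")
    for alpha, n in cases:
        print(f"{alpha:>8} {n:>6} {keyspace(alpha, n):>30,} {entropy_bits(alpha, n):>6.1f}  "
              f"{human_duration(seconds_to_exhaust(alpha, n))}")
    print(f"one extra character multiplies a lower-case-only keyspace by {extra_character_factor(LOWER)}")
    print(f"one extra character multiplies a printable-ASCII keyspace by {extra_character_factor(PRINTABLE)}")
```

The table it prints is what the paragraph above describes in words: 26^7 is under a second at the assumed rate, while fifteen characters over the full printable set runs to astronomical time. Real attackers do not search the whole keyspace; they try dictionary words, common patterns and leaked passwords first, which is why the weak-password patterns listed earlier matter more than the raw count.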

  • If the service you are using offers some form of "two-factor" or "two-step" authentication, sign-in or verification, use it. This can seriously deter hackers and prevent them from getting into your account even if they do crack your password.
  • Periodically change your passwords because even strong passwords can be hacked, given enough time and computing power.
  • When changing your password, don't merely increment the current password.
  • Don't capitalize the first letter or end your password with simple punctuation just to reach 15 characters; hackers expect to see patterns such as sentence structure when cracking passwords.
  • If you get an e-mail that asks you to verify your account by clicking a link and entering your username and password, it's probably a phishing attempt. Never give out your password to anyone.
  • If you sign up for an account and they send you a confirmation e-mail with your password written in it (even partially), it means they did not encrypt (hash) the password. Cancel your account and use a different service.

Ask for Help

If you are unable to find the information you need in the documentation available online, the ITS Service Desk is available to assist.