8 Do's and Don'ts of Good Passwords

Passwords. They're something that pretty much everyone has to deal with. We need them for credit card accounts, social media accounts, work, and any number of other things. Despite how prevalent they are, and despite how important they are, a lot of us still have trouble creating good passwords. If you follow the tips in this article, you'll be able to create good passwords that will help keep you safe.


Note: Password, as used in this article, refers to passwords and passphrases. In general, passphrases are longer, more complex, and easier to remember than passwords. Until more secure options are widely available, it’s a good idea to follow best practices when creating your passwords.

1. Don't make short passwords.

A lot of folks believe passwords need to look something like k5wT!1*a to be secure, so they make them as short as possible, hoping they'll be able to remember six or eight characters. There are two problems with this. A random jumble of characters is rarely easy to remember, and a short password simply doesn't have enough characters to resist a password cracking program: every character you add multiplies the number of guesses an attacker has to make, and an eight-character password, even a fully random one, can be run through in about a day by a commodity GPU rig if the site stored it with a fast hash. To be safe from password cracking programs, the minimum recommended password length is 14 characters. How long are your passwords?

2. Don't store your password where it can be easily found.

If you've written your passwords down and left them where you can easily get to them, chances are good someone else can easily get to them, too. That sticky note under your mousepad or keyboard, the file called "password," the list in your desk drawer — these (and many others) are easy to find. If your passwords are easy to find, whatever they're protecting is easy to compromise.

3. Don't keep a password for too long.

There is disagreement about how often to change a password, and many sites have their own requirements. Forced changes on a schedule have a cost of their own: people tend to respond with predictable variants (password01, password02), which are easy to guess. What all the experts can agree on, though, is that if anyone else knows your password and you don't want them to use it, or a site you use reports a breach, change it.

4. Don't make a password that's easy to guess.

Some passwords are super easy to guess because they get used all the time (password, 123456, baseball). Others are easy to guess because the characters are related, follow patterns, or are single words you'd find in a dictionary (asdfgh, xoxoxoxo, initiative). Personal information is another category that's easy to guess, since so much of it is easy to find out (your sister's name, your dad's birthday, your phone number). A lot of folks use variations of the same password across multiple sites, but this can be easy to guess, too, especially if the person trying to figure it out has seen any of your other passwords (Xgoogle1!, Xfacebook1!; password01, password02, etc.). These categories are exactly what a password cracking program tries first: lists of leaked passwords, dictionary words with the usual substitutions and digits tacked on, and variations built from the site name. If your password is easy to guess, whatever it's protecting is easy to get to.
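The categories in this tip are cheap to check for automatically, which is why cracking tools try them first. The Python below is an added example, not part of the original article: it checks a candidate password against a constructed stand-in for a breached-password list, a tiny sample dictionary, keyboard rows, repeated patterns, the name of the site the password is for, and any personal details you pass in. The sample sets, the `check_password` function and its argument names are all assumptions made for this example; a real check would load a full blocklist (for instance a Have I Been Pwned download) in place of the sample sets.

```python
import re
import string

MIN_LENGTH = 14  # the floor recommended in tip 1

# Constructed sample sets standing in for real lists. A production check
# would load a full breached-password blocklist and a full dictionary.
COMMON_PASSWORDS = {"password", "123456", "baseball", "qwerty", "letmein", "iloveyou"}
DICTIONARY_WORDS = {"initiative", "sorrowful", "process", "final", "dragon", "monkey"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

# Common "leet" substitutions, undone before lookup because cracking rule
# sets apply them to every dictionary word anyway.
LEET = str.maketrans("@$!103", "asiioe")


def normalize(pw):
    """Strip the decorations a cracking rule set strips first: case, digits or
    symbols tacked on the ends, and leet substitutions."""
    low = pw.lower().strip(string.digits + string.punctuation)
    return low.translate(LEET)


def keyboard_run(low, run=4):
    """True if `low` contains `run` adjacent keys from one keyboard row,
    in either direction (asdf, fdsa, 1234, ...)."""
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - run + 1):
                if seq[i:i + run] in low:
                    return True
    return False


def check_password(pw, site=None, personal=()):
    """Return the list of reasons `pw` is easy to guess. An empty list means
    none of these cheap checks fired; it does not mean the password is strong.

    site:     the site the password is for, to catch Xgoogle1!-style variants
    personal: strings an attacker could look up (names, birthdays, phone)
    """
    reasons = []
    low = pw.lower()
    norm = normalize(pw)

    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if low in COMMON_PASSWORDS or norm in COMMON_PASSWORDS:
        reasons.append("on the common-password list")
    if norm in DICTIONARY_WORDS:
        reasons.append("a single dictionary word")
    if keyboard_run(low):
        reasons.append("contains a keyboard run")
    # A unit of 1-3 characters repeated three or more times in a row (xoxoxo).
    if re.search(r"(.{1,3})\1{2,}", low):
        reasons.append("repeats a short pattern")
    if site and site.lower() in norm:
        reasons.append("contains the site name")
    for item in personal:
        if len(item) >= 4 and item.lower() in low:
            reasons.append(f"contains personal detail {item!r}")
    return reasons


if __name__ == "__main__":
    # Constructed samples; the last one is the passphrase from tip 5.
    samples = [
        ("password01", None, ()),
        ("Xgoogle1!", "google", ()),
        ("asdfgh1234567890", None, ()),
        ("Sarah19840512!x", None, ("Sarah", "19840512")),
        ("R2D2-NotrecommendedforDagobah", None, ()),
    ]
    for pw, site, personal in samples:
        print(f"{pw!r}: {check_password(pw, site, personal) or 'no obvious problems'}")
```

The normalization step is the part worth noticing: "password01" and "Xgoogle1!" are caught not because they are on any list but because stripping the trailing digits and symbols turns them into something that is. That is the same transformation a cracking rule set performs on every word in its list, so decorating a weak password does not rescue it.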

5. Do make passwords easy to remember.

A couple of years ago, my e-mail password was R2D2-NotrecommendedforDagobah. Even though it has 29 characters, it's easier to remember than the 8-character example in number 1 above (k5wT!1*a). It's also harder for a computer to crack. I used it without spaces, because my e-mail provider didn't allow for them, but, if you can use spaces, do; they count as special characters, and they widen the set of characters an attacker has to try.

6. Do use a password manager.

A password manager is something — often an app — that stores your passwords for different sites. That means you don't have to remember all the passwords you use. You will have to remember the one for the password manager, so make sure that password is long, unique, and something you can remember: it's the one password that protects all the others. To find a good password manager, check out the resource in the EDUCAUSE library or do a web search for "best password manager" and check out the reviews from a few different sources.

7. Do use a different password for every site.

One of the reasons people don't use unique passwords for every site is because they have so many to remember. Using a password manager means you don't have to remember all of them, so there's no excuse for duplicating a password. And since you don't have to remember them, you don't even have to make them easy to remember. If you don't use a password manager, just remember the rest of the tips in this article.

8. Do play with your security question answers.

Phishing attempts can get pretty sophisticated. I've seen online quizzes written in such a way that they manage to gather the information that security questions often ask for (for example, "Enter your pet's name and the street you grew up on to learn your fantasy novel character's name"). Security questions are really just extra passwords, with answers an attacker can often look up. By playing with your answers, you make the real facts useless to anyone who collects them.

How do you do this? It's pretty easy. Decide what you want to answer them with, instead of what they really are. I have a friend who answers all "people" questions with movie characters — her childhood best friend becomes a character that resonated with her when she was young, her first kiss is with her first movie crush, her mother's maiden name is the last name of a character who she thinks is an awesome mom. She has other themes for other types of answers, and you can come up with themes that work for you. Then, when some unscrupulous person has your real personal details, they can't use them to break into your accounts. Treat the made-up answers like passwords and keep them in your password manager: a forgotten answer locks you out just as surely as it locks out an attacker.


These tips are all well and good, but how do you think of a password in the first place? Following are three suggestions with examples.

1. Use adjusted quotes, song lyrics, etc.

Is there a quote you tend to remember? A song lyric that stays with you? Don't use it just the way it is; that's easily guessed, because well-known quotes and lyrics tend to be included in the wordlists that cracking programs use. Instead, change it and make it something unique and long that you can remember.

For instance, the opening line of Slaughterhouse Five, "All this happened, more or less," can become: Allqth1sqhappenedq,mehrqoderqwen1ger. This uses the letter "q" as a space, puts "1" in place of "i," and translates the second half of the line into German. It's easy to remember or look up, and it's easy to give yourself a password hint (e.g., "1. Slaughterhouse Five takes plqce there."). The real Slaughterhouse Five was in Germany, which hints at the language you switched to. You've named the novel, in case you need to look up the line again. The typo is intentional; it's the letter you used in place of spaces. And you've included the numeral 1, which is what you used in place of "i." One caveat: swapping "1" for "i" on its own adds almost nothing, because that substitution is among the first rules a cracking program applies to every word in its list. The strength here comes from the parts an attacker can't predict, the q-as-space and the translation. Again, if you can include spaces, do.

2. Use random words.

image 2

Image: xkcd—a webcomic of romance, sarcasm, math, and language (Creative Commons BY-NC 2.5)

Take random words and string them together. The idea has been around for a while, but Randall Munroe's xkcd explains it well. The words do have to be random, though: four favourite words you pick yourself are four words an attacker can guess. Not sure where to get the words? You could use a random word generator online (bearing in mind that a website's generator shows your words to that website), the generator built into a password manager, or come up with some other system altogether.

For example, take the fifth word on page 55 of 5 different books, e.g., sorrowful Dork process That's final. Then come up with a way to make it memorable. For these words, I have an image of a character from Dork Tower issuing a command about processes: "Sorrowful dork process. That's final!" I'll remember that. My password hint would be the names of the books in the order used: William Faulkner, Early Prose and Poetry; Cursing in America; Traces of War; The Tao of Pooh; Beatrix Potter, Writing in Code. If I always use the same word and page number, I can use as many books as I want. Just make sure you never tell anyone your system. If you can't use spaces, you can string the words together or choose a symbol or number that you always use in place of a space.
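Tip 1 says length is what counts and this section says the words have to be random; the Python below is an added example, not part of the original article, that makes both concrete. It picks words with the `secrets` module, which draws from the operating system's cryptographic random source, and estimates how many guesses each scheme forces on an attacker. The twelve-word list is a constructed stand-in (only its size enters the arithmetic; a real generator would load a published list such as the EFF's 7,776-word diceware list), and the guess rate of 10^11 per second is an assumption, roughly what a GPU rig manages against a fast, unsalted hash. The function names are this example's own.

```python
import math
import secrets

# Constructed stand-in for a real wordlist. Only len(WORDLIST) matters for
# the entropy estimate; swap in the EFF diceware list (7,776 words) for real use.
WORDLIST = ["sorrowful", "dork", "process", "final", "staple", "horse",
            "battery", "correct", "dagobah", "lantern", "pebble", "orbit"]

SECONDS_PER_YEAR = 60 * 60 * 24 * 365
PRINTABLE = 95  # printable ASCII characters available to a random password


def random_words(n, words=WORDLIST, sep=" "):
    """Pick n words uniformly at random with a CSPRNG.

    secrets.choice (not random.choice) is the point: a password generator
    must not be reproducible from a guessable seed."""
    return sep.join(secrets.choice(words) for _ in range(n))


def entropy_bits(choices_per_symbol, symbols):
    """Bits of entropy in `symbols` independent uniform picks from
    `choices_per_symbol` options, i.e. log2(choices ** symbols)."""
    return symbols * math.log2(choices_per_symbol)


def years_to_exhaust(bits, guesses_per_second):
    """Worst case for the attacker: years needed to try every possibility."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def compare(guesses_per_second=1e11):
    """Entropy and exhaustive-search time for several schemes, as
    (label, bits, years) tuples. The default guess rate is an assumed
    figure for a GPU rig against a fast unsalted hash."""
    schemes = [
        ("8 random printable chars (k5wT!1*a style)", PRINTABLE, 8),
        ("14 random printable chars", PRINTABLE, 14),
        ("4 words from a 2,048-word list (xkcd)", 2048, 4),
        ("5 words from a 7,776-word list (diceware)", 7776, 5),
        ("6 words from a 7,776-word list", 7776, 6),
    ]
    rows = []
    for label, choices, n in schemes:
        bits = entropy_bits(choices, n)
        rows.append((label, bits, years_to_exhaust(bits, guesses_per_second)))
    return rows


if __name__ == "__main__":
    print("generated:", random_words(5))
    for label, bits, years in compare():
        print(f"{label:45s} {bits:6.1f} bits  {years:12.3g} years")
```

The estimates assume the attacker knows the scheme and the wordlist and still has to search it; that is the right assumption, since "never tell anyone your system" is a backstop, not the defense. They also assume genuinely random choices: words taken from the fifth word on page 55 of books on your shelf are memorable and unknown to an attacker, but they are not uniformly random, so the word-count arithmetic overstates their strength. The other variable is how the site stores the password: with a slow hash such as bcrypt or Argon2 instead of an unsalted fast hash, the guess rate drops by several orders of magnitude and every "years" figure grows accordingly.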

3. Use random specifics.

This is when you use a specific pattern to create a seemingly random password. For instance, you could use the first letter of each line written on page 42 of whatever book is nearest you when you're creating a password. Since it's always page 42, all you need as a password hint is the name of the book (and, because page numbering differs between editions, which edition). For a particular copy of The Picture of Dorian Gray, for instance, that becomes: eIwbr fp t Gm L TessgDtw pftsn . The spaces are new paragraphs, since that's what you see when you run your eye down the page. If you can't use spaces, you can use the first letter or leading punctuation of the paragraph, instead.

You're Ready!

Creating completely uncrackable passwords is impossible, but using these tips and suggestions will help ensure your password is harder to crack than the average person's. Sometimes that's all you need.

Tam Frager is the IT communications manager at Oregon State University. Past positions have included communications manager at a commercial data center and ISP, and lead technical writer and editor with the Forest Service. She's been online since the late 1980s, when she used 300–1200 baud modems to call BBSs. The shenanigans on those BBSs gave her a keen appreciation for data security, an appreciation she's brought to every employer since.

© 2015 Tam Frager. This EDUCAUSE Review blog is licensed under the Creative Commons BY-NC-SA 4.0 International license.