Choosing and Using Passwords
In general, a password must be:
- Easy to remember so that users are not tempted to write it down.
- Contain at least 6 characters, mixing letters with digits and punctuation. There should be at least one change of case, one or more digits, or one or more punctuation marks.
- Changed periodically.
- Not divulged to anyone.
Weak passwords are:
- Words that might be found in, or exist as a permuted form in, system files such as /etc/passwd (login names, the full-name field, and the like).
- The hostname of the system (always a first guess).
- Any word that appears in a dictionary. This includes dictionaries other than English, and words found in works such as Shakespeare, Lewis Carroll, Roget's Thesaurus, and so on. This prohibition includes common words and phrases from sports, sayings, movies, or television shows.
- Permutations on any of the above. For example, a dictionary word with letters replaced with digits (f00t) or with digits added to the end.
- Any password produced by a predictable generator. If the algorithm is known, it reduces the search space a password-guessing program has to cover. The objection is to deterministic or pronounceable generators; a password drawn from a cryptographically secure random source with enough length does not share this weakness.
Strong reusable passwords can be:
- Based on letters from a favorite phrase or word, and then
- Concatenated with other, unrelated words, along with added digits and punctuation.
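The rules above are easy to turn into an automated check. The following is an added example, not code from the original page: it rejects the weak forms listed (too short, no mix of character classes, the hostname, a dictionary word or a leet/digit-suffix permutation of one) and builds a phrase-derived password of the kind the page recommends. The word list, hostname, and the helper names `base_forms`, `check_password` and `from_phrase` are constructed for the example; a real deployment would load a full dictionary such as /usr/share/dict/words and the system's own password file.

```python
"""Password acceptance check following the rules on this page (added example)."""
import string

# Constructed stand-in for a real word list such as /usr/share/dict/words.
WORDLIST = {"foot", "password", "secret", "welcome", "hamlet", "dragon", "summer"}

# Undo the common digit/symbol-for-letter swaps so that "f00t" reduces to "foot".
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def base_forms(password: str) -> set[str]:
    """Return the base words a password may be a simple permutation of."""
    forms = set()
    for variant in (password.lower(), password.lower().translate(LEET_MAP)):
        forms.add(variant)
        # "hamlet99", "secret!", "007bond" -> the core alphabetic word
        forms.add(variant.strip(string.digits + string.punctuation))
    return {f for f in forms if f}


def check_password(password: str, hostname: str, wordlist=WORDLIST, min_len=6) -> list[str]:
    """Return the rules the password breaks; an empty list means it is acceptable."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")

    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_punct = any(c in string.punctuation for c in password)
    if not (has_upper or has_lower):
        problems.append("contains no letters")
    elif not ((has_upper and has_lower) or has_digit or has_punct):
        problems.append("needs a change of case, a digit, or a punctuation mark")

    forms = base_forms(password)
    # The hostname is "always a first guess": compare against both the FQDN and its short name.
    host_forms = {hostname.lower(), hostname.lower().split(".")[0]}
    if forms & host_forms:
        problems.append("derived from the hostname")
    if forms & set(wordlist):
        problems.append("dictionary word or a simple permutation of one")
    return problems


def from_phrase(phrase: str, extra_word: str, suffix: str) -> str:
    """Build a memorable password from the initials of a phrase, an unrelated word,
    and added digits/punctuation, as the page suggests."""
    initials = "".join(word[0] for word in phrase.split())
    return f"{initials}{extra_word}{suffix}"


if __name__ == "__main__":
    host = "mail.example.com"  # constructed hostname
    for candidate in ("f00t", "Hamlet99", "Mail2024!", "welcome",
                      from_phrase("Shall I compare thee to a summer's day", "lamp", "42!")):
        print(f"{candidate!r}: {check_password(candidate, host) or 'acceptable'}")
```

Note that the leet and suffix stripping only catches the simplest permutations the page names; a real checker should also try the forms a cracking tool's mangling rules produce (reversal, doubling, appended years) before accepting a password.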
Even a strong password should be changed from time to time, and immediately if there is any reason to think it has been exposed.