Answers to Frequently Asked Questions
How do I Choose a Good Password

Do not choose your password hastily. Choice of a poor password can result in your account being accessed by someone else and/or deactivated by the Computing Center staff.

First, the categories of bad passwords.

A. Passwords should never be:
   - any word in any dictionary, in any language
   - any formal name or nickname, including spouse's, children's, or pet's
   - any mythological or fictional character or race
   - any name of a place (city, county, crossroads, forest, or place of natural beauty),
     real or fictional
   - fictional terms
   - titles of movies, books, compositions
   - the name of any author, composer, musician, actor
   - any special number
   - acronyms
   - phrases
   - fables or legendary characters or places
   - combinations of letters or patterns on the keyboard
   - clever license plates you have seen, e.g. one2nv, 3vom, ibuy4u
   - neat word/letter combinations, e.g. aTdHvAaNnKcSe
   - religious figures, places or events
   - anything you can imagine being collected into a list

B. Passwords should never be a simple algorithm applied against something in A, above:
   - the "word" backwards
   - substituting numbers for vowels, r1ch2rd for richard
   - common substitutions for letters, 3 for e, mov3
   - appending or prefixing digits, apple639 or 123 apple
   - appending or prefixing special characters, apple@ or $klingon

C. Passwords should not contain information that can be automatically gathered by knowing your user name:
   - your user name
   - your user index/number (for Unix the UID and GID)
   - user name owner information (for Unix the gecos field) which commonly contains
     your name
   - information derivable from this information: your initials
   This category is really an addition to category A above, but it is dynamic, depending upon your account information; category A is static.

D. Passwords should not contain personal information that can be gathered if you are targeted:
   - your social security number
   - your student ID number
   - your phone number, your mother's phone number, your mother's maiden name
   - your passport number
   - your street address, the address where you were born
   - your license plate number
   - serial number from your camera, computer, stereo

This may seem to be just about everything, right? A good password needs to be something that is not derivable in a semi-automatic manner. The above categories A-C represent known information, or easily derived information, that can be exhaustively applied by a computer to break your password. Category D represents information that would be applied to specifically break your account, as opposed to any account on a machine. While this may seem to be a very remote possibility, if you are ever personally targeted, it is potentially much more damaging to you. (It's personal, beware!)

Two final items. Make sure you know how many characters the system allows for a password: a good 15-character password may become a terrible password if the system only uses the first 8 characters. Look at your password selection to make sure it doesn't duplicate a bad password: a (usually) good personal password generation algorithm can generate a bad password; the good and the bad may be the result of orthogonal approaches intersecting with a bad password. For example, a potentially good password, mxvhall, would be bad if your name was Mary Xavier Virginia Hall.
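The checks in categories B and C, together with the truncation caveat just described, can be applied mechanically before a password is accepted. The following checker is an added example, not code from the original FAQ; the word list, the account fields and the substitution table are constructed sample data and assumptions, and a real check would use a full dictionary.

```python
import re
import string

# Constructed sample data: a tiny stand-in for a real dictionary (category A) and
# the account fields of category C (user name, UID, gecos). Not from the original page.
WORDLIST = {"apple", "richard", "klingon", "embargo", "umber", "move"}
ACCOUNT = {"user": "mhall", "uid": "1042", "gecos": "Mary Xavier Virginia Hall"}

# Assumed table of common letter-for-symbol swaps (category B: "3 for e", "$klingon").
SUBSTITUTES = {"a": "4@", "e": "3", "i": "1!", "o": "0", "s": "5$", "t": "7"}
STRIP = string.digits + string.punctuation + string.whitespace

def word_pattern(word):
    """Regex matching `word` with the substitutions of category B applied to any letter."""
    classes = []
    for ch in word.lower():
        alts = set(ch) | set(SUBSTITUTES.get(ch, ""))
        if ch in "aeiou":
            alts |= set(string.digits)            # r1ch2rd: a vowel replaced by any digit
        classes.append("[" + "".join(re.escape(c) for c in sorted(alts)) + "]")
    return re.compile("".join(classes), re.IGNORECASE)

def derived_from(word, candidate):
    """True if candidate is `word` reversed, substituted, or padded with digits/symbols."""
    pat = word_pattern(word)
    cores = {candidate, candidate.strip(STRIP)}   # apple639 -> apple, $klingon -> klingon
    cores |= {c[::-1] for c in cores}             # the "word" backwards
    return any(pat.fullmatch(c) for c in cores if c)

def account_tokens(account):
    """Strings anyone gets for free from the account (category C), including initials."""
    names = account["gecos"].split()
    tokens = {account["user"], account["uid"], "".join(n[0] for n in names)} | set(names)
    return {t.lower() for t in tokens if len(t) >= 3}

def password_problems(candidate, max_len=8, wordlist=WORDLIST, account=ACCOUNT):
    """Reasons the candidate fails categories A-C, judged on the part the system keeps."""
    kept = candidate[:max_len]                    # only the first max_len characters count
    problems = []
    for word in sorted(wordlist):
        if derived_from(word, kept):
            problems.append(f"{kept!r} is derived from the dictionary word {word!r}")
    for token in sorted(account_tokens(account)):
        if token in kept.lower():
            problems.append(f"{kept!r} contains account information {token!r}")
    return problems
```

With the default 8-character limit, embargo*.umber is reported as derived from "embargo", while the same candidate passes on a system that keeps 16 characters.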

Now, methods for generating good passwords.

First, if the maximum password length is long enough, you can use two unrelated words together, perhaps separated by some punctuation or numbers. For example: parabolasextuplet, peddle$skew, embargo*.umber, apple:xerox, nova::orient, but not peanutbutter nor lionhunt. Note that if the maximum password length is eight characters, embargo*.umber is truncated to embargo*, which will be cracked.

Second, use the first letters of words in a memorable phrase. The phrase "Mary had a little lamb" produces the password mhall. Obviously, memorable is good but traditional or classical is risky. Make up your own phrase. "I got a speeding ticket on 6th avenue" generates igasto6a, "that last calculus exam was real painful" generates tlcewrp.

Third, use grossly misspelled words. For example, fumigayt, lugrnch, phloot.

Fourth, tighten up a good password into a better password: use both upper and lower case characters, add punctuation and/or numbers, depending on what the system allows. For example, igasto6a could become iGAsto6A, mhall could become mHa.*11$, phloot PhloOT, and MOUTHMOCCASINS MO76UTH81MOC33CASINS.

Fifth, if you have a good memory, use eight or more, preferably the maximum allowed, random characters.

After you have created a good password, how do you improve the odds of remembering it? Use your new password immediately: change your password and then log out and log back in. After ten minutes (about the length of short-term memory) use your new password again: log out and back in. (Changing your password on Friday afternoon just before leaving for the weekend can make the new password very difficult to remember.) If you absolutely need to write down your password, make sure that anyone seeing it or finding it cannot determine what it is: make sure that it is unrecognizable and cannot be associated with your account/user name. This is the same principle that applies to the PIN for your credit/bank card - and there it can be even more costly.

How often do you need to change your password? The effective half-life of your password depends on its exposure. Piano players can read your keystrokes if they can see your hands. Did you write down your password? (If you had to write it down, the fact that it was a necessity does not lower the resulting risk.) Was it accidentally displayed on the screen? Did you log in from the hospitality suite at the conference? Do you have a nagging feeling that you should change it? Is it a good, strong password? It is better to have a good password for months than a bad password for days.

It may seem that you don't have much, if anything, to lose if your password is guessed and your account is broken into; but that's not true: you can lose your good name, your reputation. Obscene, racist, threatening e-mail from your account, with your name attached, sent to your friends, family, peers, strangers and world-wide news groups, can be as difficult to overcome and correct as a public scandal.

Credit: David G. Beausango dgb@mines.edu Colorado School of Mines
http://www.mines.edu/Academic/computer/docs/password.shtml