Choosing "good" passwords
There have been many studies done on password (in)security that provide insights into what "bad" passwords are. Two such papers are:
Knowing what a "bad" password is helps you choose a "good" one.
According to the experts, a "good" password is one that (among other criteria):
- Doesn't use your login name in any form (e.g., as-is, reversed, capitalized, doubled, etc.)
- Doesn't use your first, middle, or last name in any form
- Doesn't use your spouse's, significant other's, children's, parent's, etc. name
- Doesn't use any information that can be easily obtained, such as information provided by the finger program, your Social Security number, license plate, make of car, driver's license, the street you live on, building name, etc.
- Isn't formed from all numbers, all letters, all lower/upper case, or all the same character repeated
- Isn't a common dictionary word (of any language, or specific to a discipline like Chemistry or Medicine)
- Does mix upper/lower case randomly
- Does include punctuation, numbers, and/or control characters or spaces
- Is seven or more characters in length
- Is easy enough to type quickly so someone cannot "snoop" over your shoulder and see what you type
- Is formed by a method that is easy to learn and remember (which means people are more likely to use it), such as one of these methods:
  - Choose a line (or lines) from a song or poem and form the password from the first letter of each word. For example, "Itsy bitsy, teeny weeny, yellow Polka Dot bikini" would become "IbtwyPDb"
  - Alternate between one consonant and one/two vowels, producing a word that is pronounceable and thus easily remembered, e.g. "FobyLufa" or "BooLWadi"
  - Take two non-related words and separate them with a punctuation character; for added security, mix in some upper-case characters, numbers, and perhaps reverse one of the words, e.g.,
    - "DOg.tenT" (mixed upper/lower case)
    - "t00l%p0nd" (zeros instead of "O")
    - "p33l*BOARd" (substitute numeric for alpha)
    - "tned-Pile" (reversed first word)
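Added here as an illustration (not part of the original page): a small Python checker that applies the criteria listed above literally and reports which ones a candidate fails, plus the song-line method. The login name "jdoe" and any candidate passwords other than the page's own examples are constructed for the demonstration.

```python
import string


def login_forms(login):
    """Forms of the login name that a password must not contain: as-is,
    reversed and doubled (capitalization is covered by lower-casing)."""
    base = login.lower()
    return {base, base[::-1], base * 2} if base else set()


def password_problems(password, login="", names=(), dictionary=frozenset()):
    """Apply the page's criteria literally and return the ones the candidate
    fails (an empty list means it meets all of them)."""
    problems = []
    lowered = password.lower()
    if any(form in lowered for form in login_forms(login)):
        problems.append("contains login name (as-is, reversed or doubled)")
    for name in names:  # first/middle/last, spouse, children, ... (caller supplies)
        if name and name.lower() in lowered:
            problems.append("contains a personal name: " + name)
    if lowered in dictionary:  # caller supplies a word list of any language
        problems.append("dictionary word")
    if len(password) < 7:
        problems.append("shorter than seven characters")
    if password.isdigit():
        problems.append("all numbers")
    if password.isalpha():
        problems.append("all letters")
    if len(set(password)) == 1:
        problems.append("same character repeated")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        problems.append("does not mix upper and lower case")
    if not any(c.isdigit() or c.isspace() or c in string.punctuation for c in password):
        problems.append("no punctuation, numbers or spaces")
    return problems


def acronym_password(line):
    """The song-line method: first letter of each word, case kept; punctuation
    attached to a word ("bitsy,") is ignored."""
    words = [w.strip(string.punctuation) for w in line.split()]
    return "".join(w[0] for w in words if w)


if __name__ == "__main__":
    # "jdoe" is a constructed login; the first two candidates are the page's own.
    for candidate in ("DOg.tenT", "p33l*BOARd", "eodj7Xab", "1234567"):
        print(candidate, "->", password_problems(candidate, login="jdoe") or "ok")
    print(acronym_password("Itsy bitsy, teeny weeny, yellow Polka Dot bikini"))
```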
Dave Dittrich <dittrich@cac.washington.edu>
Last modified: Tue Sep 3 15:22:17 PDT 1996