Best Practices


Passwords control access to protected resources by requiring the user to type in a string of characters. This authenticates the user according to something only he or she knows.

Easy-to-guess passwords, such as a familiar name, hobby, or date, will allow malicious users (and even some viruses) to gain access. Complex passwords containing both uppercase and lowercase letters, numbers, and special characters ($, *, &, etc.) should be used. An example is "?0scUC_btdel". As a general rule, a password should contain at least 8 characters.

The downside to complex passwords is that they are generally hard to remember. The result is that people tend to write down complex passwords, and they are no longer something known; they are now something you have. Anyone who has access to the written-down password can gain access to the system. There needs to be a balance between a password complex enough that it probably will not be guessed and a password that can be memorized and recalled without writing it down. A good way of achieving this is to take the first letter of each word of a phrase, capitalize some of them, and add numbers and special characters. This is how the example given above, "?0scUC_btdel", was generated; it is from the Star-Spangled Banner [ ? (0) (s)ay (c)an (U) (C) _ (b)y (t)he (d)awn's (e)arly (l)ight].

Even complex passwords may eventually be guessed given enough time (or a large enough number of guesses). It is therefore important to change your password on a regular basis, such as every 60 days or even monthly. When you do change your password, the new one should be completely new: don't slightly modify the old one or re-use one you had several passwords ago.
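The complexity rules above (length, upper and lower case, digits, special characters) and the rule against re-using or slightly modifying an old password can both be enforced at password-change time. The following is an added example written for this page, not code from the original text: it checks a proposed password against those rules and against a list of previous passwords. The number of remembered passwords, the set of accepted special characters and the edit-distance threshold for "too similar" are assumptions chosen for illustration.

```python
# Password policy check: complexity rules plus history/similarity rules.
# Added example; the thresholds below are assumptions, not from the original text.

MIN_LENGTH = 8              # "at least 8 characters"
MAX_HISTORY = 5             # assumption: how many previous passwords are remembered
MAX_SIMILAR_DISTANCE = 3    # assumption: edit distance at or below this = "slightly modified"
SPECIALS = set("$*&?_!@#%^-+=.,;:/\\()[]{}<>|~`'\"")  # assumption: accepted special characters


def complexity_issues(password: str) -> list[str]:
    """Return the policy rules the password fails; an empty list means it passes."""
    issues = []
    if len(password) < MIN_LENGTH:
        issues.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        issues.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        issues.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        issues.append("no digit")
    if not any(c in SPECIALS for c in password):
        issues.append("no special character")
    return issues


def levenshtein(a: str, b: str) -> int:
    """Edit distance: minimum insertions, deletions and substitutions to turn a into b."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        current = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            current.append(min(previous[j] + 1,        # deletion
                               current[j - 1] + 1,     # insertion
                               previous[j - 1] + cost))  # substitution
            pass
        previous = current
    return previous[-1]


def check_new_password(new: str, history: list[str]) -> list[str]:
    """Combine complexity checks with re-use and near-duplicate checks against history.

    Comparison is case-insensitive so that flipping the case of one letter does
    not count as a 'completely new' password.
    """
    issues = complexity_issues(new)
    for old in history[-MAX_HISTORY:]:
        if new.lower() == old.lower():
            issues.append("reused a previous password")
            break
        distance = levenshtein(new.lower(), old.lower())
        if distance <= MAX_SIMILAR_DISTANCE:
            issues.append(f"too similar to a previous password (edit distance {distance})")
            break
    return issues


if __name__ == "__main__":
    # Constructed sample inputs: the page's own example password and some variants.
    history = ["?0scUC_btdel"]
    for candidate in ["?0scUC_btdel", "?0scUC_btdel1", "password", "Zx9$pLq!wv"]:
        result = check_new_password(candidate, history)
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```

Run the file directly to see the page's example password accepted on its own, rejected as a re-use once it is in the history, and a one-character variant rejected as too similar; a password that only fails the complexity rules gets each failed rule listed so the user knows what to fix.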

By following these guidelines you can help protect the computer systems you work on and the data processed by them.