Password Creation Guidelines

Because we recognize that everyone has trouble creating a good password that is easy to remember but not easy to guess, we provide you with the following tips.

  • Avoid common phrases, lyrics, or quotations; these can be easy for hackers to guess. However, you can create an acronym from the letters of the words in a phrase or quotation that is memorable to you (e.g., "To be or not to be?" could become 2BRnot2B?).
  • While randomly selected words will make a stronger passphrase than words typically used together, using your random words in a grammatical English sentence will make the passphrase much easier to remember.
  • Interleave two words or a word and a number sequence that is meaningful to you, for example, your favorite fruit and a memorable year (e.g., "kiwi" and "1987" could be interleaved as k1i9w8i7, ki19wi87, or ki1987wi).
  • Deliberately misspell words, or substitute phonetic replacements throughout (e.g., "Mississippi" could become Mrs.Ippi).

Consider using a passphrase, which combines multiple natural words or phrases to construct the secret used during authentication. Examples are shown below:

  • a password of pM[]w5Mj could be easier to remember and type as the following passphrase: packmyBoxwith5milkjugs
  • a password of myLigr8! could be easier to remember and type as the following passphrase: myLongwoodisgreat!   

Passphrases provide a good way to compose strong, lengthy passwords that are easier to remember, easier to type, and naturally complex. Existing brute-force and dictionary attack techniques do not take passphrases into consideration, so passphrases are currently harder to crack than traditional passwords.

NOTE: Do not use any of the above examples as actual passwords/passphrases!

Developing your unique personal pattern is not difficult. Remember that it is important to change your password regularly. There is an old saying: a password is like a toothbrush: get the best quality, change it often, and never, ever let anyone else use it.

Approved by the Chief Information Officer, November 18, 2008.