Creating a strong password

A good password is easy for you to remember without writing it down, but difficult to guess, both for people who know you and for anonymous password-crackers.

We all have so many different passwords to keep track of nowadays. Rather than taking the dangerous shortcuts of either using the same password for everything, or writing passwords down and keeping them near your computer, use the tips below to create unique, memorable passwords for every application. (Your SUID password and your encryption key should be different from each other and also from every other password you have.)


Passphrases

Because SUNetID passwords can now be up to 40 characters, ITS recommends using a passphrase—a sentence or sequence of words. It's easier to remember, and the extra length makes it even harder to crack. Plus, Stanford has SUID password rules that incentivize a longer, simpler passphrase, instead of a shorter, trickier one. 

NOTE: your passphrase should NOT be a well-known slogan, song lyric, saying, or other quotation, unless you disguise it with punctuation, misspellings, or capitalizations.

Pick a phrase that means enough to you that it will be easy to remember. I like to rollerblade in the summertime! is 40 characters, including spaces and punctuation. Passwords are case-sensitive, and though not all symbols are always accepted, you can use numbers and often everyday punctuation. If your passphrase is made up of all dictionary words, adding a variety of character classes is an extra layer of security: I LIKE to rollerblade in the SUMMERtime! Your passphrase could also be a string of unexpected words:

Fancy Chewbacca Tea Snacks?!?

165 dancing red snappers!

f00sba11.superher0.birthday

Above all, it should be something you will remember.

A complex password that cannot be broken is useless if you cannot remember it.

Passwords

If the application limits you to a small number of characters, try to base your password on a word, phrase or sentence that is easy for you to remember. Your password should NOT be just a dictionary word, OR your name, initials, birthday, anniversary, phone number, or any other personal information (or anyone else's).

An example: starting with the phrase To be or not to be, that is the question, you could make it into an acronym: tbontbtitq. You could go a step further and add numbers: 2bon2btitq. Another step would be to add punctuation and capital letters: 2Bon2B?titq! If you remember the starting phrase, this password will make sense to you while being very hard for anyone else to guess.

  • The more characters, the more secure (don't go for the minimum number)
  • Passwords can contain characters from the following four classes:
    1. English upper-case letters A, B, C, ... Z
    2. English lower-case letters a, b, c, ... z
    3. Westernized Arabic numerals 0, 1, 2, ... 9
    4. Often, non-alphanumeric characters such as punctuation symbols and spaces (, . ; : ' " ? ! @ # $ % ^ & * ( ) _ - + =)

Things to Remember

  • DO NOT use a word contained in English or foreign dictionaries, spelling lists, or other word lists and abbreviations.
  • DO NOT use your first, middle or last name or anyone else's in any form. Don't use your initials or any nicknames for you or anyone else.
  • DO NOT use other information easily obtained about you. This includes pet names, license plate numbers, telephone numbers, identification numbers, the brand of your automobile, the name of the street you live on, any hobbies and so on.
  • DO NOT use a network login ID in any form (reversed, capitalized or doubled as a password).
  • DO NOT use keyboard sequences, e.g., qwerty.
  • DO NOT use a password of all numbers, or a password composed only of letters. Mix numbers and letters.
  • DO NOT use dates, no matter the combination of words and numbers: September, SEPT1999, etc.
  • DO NOT use a sample password, no matter how good, that you’ve gotten from a book that discusses information and computer security.
  • DO NOT use any of the above things spelled backwards, or in caps, or otherwise disguised.
  • DO NOT write a password on sticky notes, desk blotters, calendars or store it online where it can be accessed by others.
  • DO NOT use shared accounts. On a shared or family computer, create a separate login for each user.
  • DO NOT reveal a password to anyone.
  • DO use DIFFERENT PASSWORDS for different applications. Your SUNetID password should be unique, as should your encryption key. If a hacker can crack your password on an insecure site, and it's the same password you use for everything, all your accounts will be compromised.
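As an added example, not part of this ITS page: a Python checker that applies the rules from the Passwords section and the Things to Remember list above to a candidate password and reports every rule it breaks. The word lists, the 8-character minimum and the 20-character passphrase threshold are assumptions; 40 is the SUNetID maximum quoted on this page.

```python
import re

# Constructed stand-ins for the word lists a real deployment would load from
# files (assumptions for this example, not Stanford's actual lists).
DICTIONARY_WORDS = {"password", "summer", "september", "rollerblade", "question"}
KEYBOARD_SEQUENCES = ("qwerty", "asdfgh", "zxcvbn", "12345", "abcdef")
MIN_LEN, MAX_LEN = 8, 40     # assumed minimum; 40 is the SUNetID maximum on the page
PASSPHRASE_LEN = 20          # assumption: candidates this long count as passphrases

HAS_LETTER = re.compile(r"[A-Za-z]")
HAS_DIGIT = re.compile(r"[0-9]")
YEAR = re.compile(r"(?:19|20)\d{2}")
# Month prefixes at the start of a token (conservative: "decide" also matches).
MONTH = re.compile(r"(?<![a-z])(?:jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)")


def check_password(candidate: str, login_id: str, personal: tuple = ()) -> list:
    """Return the list of page rules the candidate breaks; an empty list means it passes."""
    problems = []
    low = candidate.lower()
    core = re.sub(r"[^a-z0-9]", "", low)   # strip punctuation so disguised words are still caught
    if not MIN_LEN <= len(candidate) <= MAX_LEN:
        problems.append("length must be %d-%d characters" % (MIN_LEN, MAX_LEN))
    # "Mix numbers and letters" applies to short passwords; the page accepts
    # all-word passphrases, so long candidates skip this rule.
    if len(candidate) < PASSPHRASE_LEN and not (HAS_LETTER.search(candidate) and HAS_DIGIT.search(candidate)):
        problems.append("mix letters and numbers")
    if core in DICTIONARY_WORDS or core[::-1] in DICTIONARY_WORDS:
        problems.append("is a dictionary word, possibly reversed or disguised")
    lid = login_id.lower()
    # as-is or reversed; a doubled ID contains the ID, so the first form catches it
    if lid and (lid in low or lid[::-1] in low):
        problems.append("contains the login ID")
    if any(t.lower() in low or t.lower()[::-1] in low for t in personal if t):
        problems.append("contains personal information")
    if any(seq in low for seq in KEYBOARD_SEQUENCES):
        problems.append("contains a keyboard sequence")
    if YEAR.search(candidate) or MONTH.search(low):
        problems.append("looks like a date")
    return problems


if __name__ == "__main__":
    for pw in ("qwerty", "tbontbtitq", "2Bon2B?titq!", "SEPT1999",
               "I LIKE to rollerblade in the SUMMERtime!"):
        print(repr(pw), "->", check_password(pw, "jsmith") or "OK")
```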

MORE PASSWORD INFORMATION

For even more hints on creating a strong password, visit Stanford's SUNetID Passwords page.