
Passwords - Choosing


The object when choosing a password is to make it as difficult as possible for a hacker (or even a business colleague) to guess or 'work out' your password. This leaves the hacker with no alternative but to a) give up (which is what we want!) or b) initiate a 'brute-force' search, trying every possible combination of letters, numbers and other characters. A search of this sort, even on a computer capable of generating and testing thousands of passwords per second, could require many years to complete. So, in general, passwords should be safe, but only if you select them carefully.

Using only the standard English alphabet and numerals, a non-case-sensitive password of 6 characters offers over 2 million possible combinations. In case-sensitive password applications 'a' is not the same as 'A', which doubles the number of available letters. Thus, making that same 6-character password case-sensitive, and allowing the shifted versions of the numerical keys, increases the number of combinations to approaching 140 million. Each additional character multiplies the number of combinations by the size of the character set, so the total grows exponentially with length, and a 7-character, case-sensitive password would offer over a billion combinations. A human user has virtually no chance of ever identifying a 6-character password which has been randomly generated and, obviously, even less chance of cracking a password of 8 or more characters.
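As an added illustration (not part of the glossary), the following Python computes the keyspace size, entropy and worst-case brute-force time for the character-set scenarios the paragraph describes. The character-set sizes are assumptions: 26 letters, 10 digits, a further 26 letters when case matters, and 10 symbols on the shifted digit keys of a US keyboard; the guessing rate of 10,000 per second stands in for the paragraph's 'thousands of passwords per second'.

```python
from math import log2

# Character-set sizes assumed for the paragraph's scenarios (US keyboard).
LETTERS = 26          # a-z (counted again for A-Z when case-sensitive)
DIGITS = 10           # 0-9
SHIFTED_DIGITS = 10   # symbols on the shifted digit keys: ! @ # $ % ^ & * ( )
SECONDS_PER_YEAR = 365 * 24 * 3600


def charset_size(case_sensitive, digits=True, shifted_digits=False):
    """Number of distinct characters available for each position."""
    size = LETTERS
    if case_sensitive:
        size += LETTERS
    if digits:
        size += DIGITS
    if shifted_digits:
        size += SHIFTED_DIGITS
    return size


def keyspace(length, charset):
    """Total number of passwords of exactly this length over the charset."""
    return charset ** length


def entropy_bits(length, charset):
    """Entropy of a uniformly random password; what random generation buys."""
    return length * log2(charset)


def brute_force_years(length, charset, guesses_per_second):
    """Worst-case time to try every combination at the given guessing rate."""
    return keyspace(length, charset) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    rate = 10_000  # assumed rate: 'thousands of passwords per second'
    scenarios = [
        ("case-insensitive letters + digits", charset_size(False)),
        ("case-sensitive letters + digits", charset_size(True)),
        ("case-sensitive + shifted digit keys", charset_size(True, shifted_digits=True)),
    ]
    for label, cs in scenarios:
        print(f"{label} ({cs} characters)")
        for n in (6, 7, 8, 10):
            print(f"  {n:2d} chars: {keyspace(n, cs):>22,d} combinations,"
                  f" {entropy_bits(n, cs):5.1f} bits,"
                  f" {brute_force_years(n, cs, rate):12.2f} years worst case")
```

Every extra character multiplies the search by the full character-set size, which is why the six-character limit given later on this page should be read as a floor rather than a target: at the assumed rate, the table shows the jump from days to centuries happening between six and eight characters.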

What Not to Use

  • Don't use your login name in any form e.g. 'as is', reversed, capitalized, doubled, etc.
  • Don't use your first or last name in any form.
  • Don't use your spouse's or partner's name, or that of one of your children.
  • Don't use other information easily obtained about you. This includes licence plate numbers, telephone numbers, social security numbers, the brand of your automobile, your home or street name, etc.
  • Don't use a password of all digits, or all the same letter. This significantly decreases the search time for a hacker.
  • Don't use a word contained in the dictionary (English or foreign language), spelling lists, or other lists of words.
  • Don't ever use a password shorter than six characters.

What to Use

  • Use a password with mixed-case alphabetic characters.
  • Use a password with non-alphabetic characters, e.g., digits or punctuation.
  • Use a password that you are able to commit to memory, so you don't have to write it down.
  • Use a password that you can type quickly, without having to look at the keyboard. This makes it harder for someone to steal your password by watching over your shoulder.

Be Aware of Dictionary-Based Off-Line Searches

Hackers will often use a dictionary of common passwords to 'jump start' the cracking of your password. Instead of using passwords like "kwPpr*Kv8naiszf" or "2AW~#6k", many people still use simple, easy-to-remember passwords such as jackie1 or PeterS. So hackers don't bother with an exhaustive search of all combinations of random characters, but use a rules-based password-cracking program, one that takes each dictionary word and applies simple transformation rules to it.

Therefore, select a password that will be extremely hard to crack, and change it periodically too!
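The 'What Not to Use' and 'What to Use' lists above, together with the dictionary-based search just described, amount to a password policy that can be checked before a password is accepted. The following Python is an added example, not the glossary's or RUsecure's code: it rejects the derived-from-user forms the lists name, requires mixed case and a non-alphabetic character, and strips the trivial mangling a rules-based cracker undoes (surrounding digits or punctuation, a few character substitutions, reversal) before comparing against a wordlist. The wordlist, the substitution table and the sample passwords are constructed for the example; a deployment would load a full dictionary and common-password list from a file.

```python
import string

# Constructed sample wordlist standing in for the dictionary / common-password
# list a real deployment would load from a file (a few entries only).
SAMPLE_WORDLIST = {"jackie", "peter", "password", "secret", "summer", "dragon", "welcome"}

# Deliberately small table of character substitutions to undo before the
# dictionary lookup; a real checker would use a fuller map (assumption).
_LEET = str.maketrans("03@$", "oeas")


def _name_forms(name):
    """Forms of a name the page warns against: as-is and reversed (lower-cased).
    Capitalised and doubled variants are caught by the case-insensitive
    substring test in check_password, so they need no separate entries."""
    w = name.lower()
    return {w, w[::-1]}


def _base_words(candidate):
    """Strip the cheap mangling (surrounding digits/punctuation, substitutions)
    so 'jackie1' and 'p@ssw0rd' reduce to their dictionary base words."""
    core = candidate.lower().strip(string.digits + string.punctuation)
    variants = {core, core.translate(_LEET)}
    # Reversed spellings are routinely tried as well, so reject those too.
    return variants | {v[::-1] for v in variants}


def check_password(candidate, login="", personal=(), wordlist=SAMPLE_WORDLIST):
    """Return the list of rules from the page's two lists that the candidate
    violates; an empty list means it passes every check implemented here."""
    problems = []
    lowered = candidate.lower()

    # "What Not to Use"
    if len(candidate) < 6:
        problems.append("shorter than six characters")
    if candidate.isdigit():
        problems.append("all digits")
    if candidate.isalpha() and len(set(lowered)) == 1:
        problems.append("all the same letter")
    for name in (login, *personal):
        if name and any(form in lowered for form in _name_forms(name)):
            problems.append(f"contains login or personal name '{name}'")
    if any(w in wordlist for w in _base_words(candidate)):
        problems.append("dictionary word (possibly with trivial mangling)")

    # "What to Use"
    if not (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)):
        problems.append("no mixed case")
    if not any(not c.isalpha() for c in candidate):
        problems.append("no digit or punctuation")
    return problems


if __name__ == "__main__":
    # Constructed account details and candidates, including the page's own examples.
    user, names = "jsmith", ("Peter", "Smith")
    for pw in ["jackie1", "PeterS", "p@ssw0rd", "htimsj", "2AW~#6k", "kwPpr*Kv8naiszf"]:
        verdict = check_password(pw, login=user, personal=names)
        print(f"{pw:18} {'OK' if not verdict else '; '.join(verdict)}")
```

The dictionary test runs on the reduced base word rather than the literal string, which is the point of the off-line search section: a password that only differs from a dictionary word by an appended digit or a substituted character is, to a rules-based cracker, still a dictionary word.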

*** The Information Security Glossary ***

This Glossary forms part of the RUsecure Security Policy Suite... visit RUsecure Security Policy World
Use of the guidance contained within RUsecure™ is subject to the End User Licence Agreement
 Risk Associates: Resources for Security Risk Analysis, ISO 17799 / BS7799, Security Policies and Security Audit