Strong Password

The excerpt below, from Wikipedia, is a good reference for creating a strong password to protect your account.

Common guidelines

Guidelines for choosing good passwords are designed to make passwords less easily discovered by intelligent guessing. Common guidelines include:[19][20][21][22]

  • A minimum password length of 12 to 14 characters if permitted
  • Generating passwords randomly where feasible
  • Avoiding passwords based on repetition, dictionary words, letter or number sequences, usernames, relative or pet names, romantic links (current or past), or biographical information (e.g., ID numbers, ancestors' names or dates)
  • Including numbers and symbols in passwords if allowed by the system
  • If the system recognizes case as significant, using capital and lower-case letters
  • Avoiding using the same password for multiple sites or purposes
  • Avoiding using something that the public or workmates know you strongly like or dislike

Some guidelines advise against writing passwords down, while others, noting the large numbers of password protected systems users must access, encourage writing down passwords as long as the written password lists are kept in a safe place, such as a wallet or safe, not attached to a monitor or in an unlocked desk drawer.[23]

It has been noted that dictionary words can be used to create a very strong password, if several are strung together. The cartoonist Randall Munroe has suggested that this method might be easier to remember than passwords based on the traditional approach.[24]

The possible character set for a password can be constrained by different web sites or by the range of keyboards on which the password must be entered.[25]
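The two recommendations above that matter most, generating the password randomly and making it long, can be checked with arithmetic: a password of n independent random choices from an alphabet of k symbols carries n·log2(k) bits of entropy. The following is an added example (not code from Wikipedia or from this site) that generates both a random-character password and a Munroe-style passphrase with the operating system's CSPRNG and reports the entropy budget of each. The word list is a constructed 16-word stand-in; the 7776-word figure used for the comparison is the size of common Diceware-style lists, and the function names are this example's own.

```python
import math
import secrets
import string

# Constructed stand-in for a real word list (Diceware-style lists hold 7776 words).
# Entropy per word is log2(len(list)), so this toy list yields only 4 bits per word.
WORDLIST = ["correct", "horse", "battery", "staple", "maple", "river", "quartz", "lantern",
            "cobalt", "meadow", "pillow", "tundra", "velvet", "walnut", "zebra", "yonder"]

# Full printable ASCII set: 26 + 26 + 10 + 33 = 94 symbols.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(symbol_count: int, length: int) -> float:
    """Entropy of `length` independent, uniformly random picks from `symbol_count`
    symbols. The figure is only meaningful when the picks really were random."""
    return length * math.log2(symbol_count)


def random_password(length: int = 14, alphabet: str = FULL_ALPHABET) -> str:
    """Random password from the OS CSPRNG (`secrets`, never `random`).
    Regenerates until every character class present in `alphabet` appears at
    least once, for systems that insist on mixed case, digits and symbols."""
    classes = [c for c in (string.ascii_lowercase, string.ascii_uppercase,
                           string.digits, string.punctuation) if set(c) & set(alphabet)]
    if length < len(classes):
        raise ValueError("length too short to contain every character class")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in classes):
            return candidate


def random_passphrase(words=WORDLIST, count: int = 4, sep: str = " ") -> str:
    """Munroe-style passphrase: several dictionary words chosen at random.
    The words must be picked randomly; a sentence you thought of is not random."""
    return sep.join(secrets.choice(words) for _ in range(count))


def compare(length: int = 14, word_count: int = 4, list_size: int = 7776) -> dict:
    """Entropy budget of both approaches: 14 random characters from the 94-symbol
    alphabet versus 4 words from a 7776-word list (constructed comparison)."""
    return {
        "random_chars": round(entropy_bits(len(FULL_ALPHABET), length), 1),
        "passphrase": round(entropy_bits(list_size, word_count), 1),
    }


if __name__ == "__main__":
    print("random password :", random_password())
    print("passphrase      :", random_passphrase())
    print("entropy (bits)  :", compare())
```

The comparison shows why length beats complexity: four random words from a 7776-word list give about 52 bits, which is far more than a short "complex" password, while 14 random printable characters give about 92 bits. Either is adequate against offline guessing provided the choice was random, which is exactly what the guidelines above ask for.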

Examples of weak passwords

As with any security measure, passwords vary in effectiveness (i.e., strength); some are weaker than others. For example, the difference in weakness between a dictionary word and a word with obfuscation (i.e., letters in the password are substituted by, say, numbers, a common approach) may cost a password cracking device a few more seconds; this adds little strength. The examples below illustrate various ways weak passwords might be constructed, all of which are based on simple patterns that result in extremely low entropy, allowing them to be tested automatically at high speed:[7]

  • Default passwords (as supplied by the system vendor and meant to be changed at installation time): password, default, admin, guest, etc. Lists of default passwords are widely available on the internet.
  • Dictionary words: chameleon, RedSox, sandbags, bunnyhop!, IntenseCrabtree, etc., including words in non-English dictionaries.
  • Words with numbers appended: password1, deer2000, john1234, etc., can be easily tested automatically with little lost time.
  • Words with simple obfuscation: p@ssw0rd, l33th4x0r, g0ldf1sh, etc., can be tested automatically with little additional effort. For example, a domain administrator password compromised in the DigiNotar attack was reportedly Pr0d@dm1n.[26]
  • Doubled words: crabcrab, stopstop, treetree, passpass, etc.
  • Common sequences from a keyboard row: qwerty, 12345, asdfgh, fred, etc.
  • Numeric sequences based on well known numbers such as 911 (9-1-1, 9/11), 314159... (pi), or 27182... (e), etc.
  • Identifiers: jsmith123, 1/1/1970, 555–1234, your username, etc.
  • Anything personally related to an individual: license plate number, Social Security number, current or past telephone number, student ID, address, birthday, sports team, relative's or pet's names/nicknames/birthdays/initials, etc., can easily be tested automatically after a simple investigation of person's details.

There are many other ways a password can be weak,[27] corresponding to the strengths of various attack schemes; the core principle is that a password should have high entropy (usually taken to be equivalent to randomness) and not be readily derivable by any "clever" pattern, nor should passwords be mixed with information identifying the user. Online services often provide a password-reset function that an attacker can work through and, by doing so, bypass the password entirely. Choosing hard-to-guess reset questions can further secure the password.[28]
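The patterns in the list above are exactly what a defender's password-acceptance check should reject before a password is ever stored, because a charset-based entropy estimate cannot see them. The following is an added example (not code from Wikipedia or from this site) that flags the listed pattern classes for a candidate password and shows the naive entropy figure alongside them. The dictionary, default-password list and leet-substitution table are constructed and deliberately tiny; a real checker would load a full word list and published default-credential lists, and the function names are this example's own.

```python
import math
import re
import string

# Constructed sample data standing in for a full word list and default-credential list.
DICTIONARY = {"password", "default", "admin", "guest", "chameleon", "redsox", "sandbags",
              "bunnyhop", "crab", "stop", "tree", "pass", "deer", "john", "goldfish", "fred"}
DEFAULT_PASSWORDS = {"password", "default", "admin", "guest"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
WELL_KNOWN_NUMBERS = {"911": "9-1-1", "3141592653": "pi", "2718281828": "e"}
# Simple-obfuscation table: the substitutions a cracker's rule set undoes first.
LEET_MAP = str.maketrans("@4301$57!|", "aaeoisstil")
CHAR_CLASSES = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
                (string.digits, 10), (string.punctuation, 33)]


def naive_entropy_bits(password: str) -> float:
    """Charset estimate, length * log2(pool). It assumes every character was chosen
    uniformly at random, so it badly overstates the strength of patterned passwords."""
    pool = sum(size for chars, size in CHAR_CLASSES if any(c in chars for c in password))
    return len(password) * math.log2(pool) if pool else 0.0


def _has_keyboard_run(text: str, row: str, n: int = 4) -> bool:
    """True if `text` contains n consecutive keys of `row`, forwards or backwards."""
    for run in (row, row[::-1]):
        if any(run[i:i + n] in text for i in range(len(run) - n + 1)):
            return True
    return False


def weaknesses(password: str) -> list:
    """Names each low-entropy pattern from the list above that the password matches."""
    lowered = password.lower()
    stripped = re.sub(r"[^a-z]+$", "", lowered)   # drop appended digits/symbols
    decoded = stripped.translate(LEET_MAP)          # undo p@ssw0rd-style obfuscation
    reasons = []
    if lowered in DEFAULT_PASSWORDS:
        reasons.append("default/vendor password")
    if decoded in DICTIONARY:
        if decoded != stripped:
            reasons.append("dictionary word with simple obfuscation")
        elif stripped != lowered:
            reasons.append("dictionary word with digits/symbols appended")
        elif lowered not in DEFAULT_PASSWORDS:
            reasons.append("dictionary word")
    half = decoded[: len(decoded) // 2]
    if len(decoded) >= 4 and decoded == half * 2 and half in DICTIONARY:
        reasons.append("doubled word")
    if any(_has_keyboard_run(lowered, row) for row in KEYBOARD_ROWS):
        reasons.append("keyboard-row sequence")
    digits = re.sub(r"\D", "", password)            # 9-1-1 and 9/11 both become 911
    if len(digits) >= 3:
        for number, name in WELL_KNOWN_NUMBERS.items():
            if number.startswith(digits[: len(number)]):
                reasons.append(f"well-known number ({name})")
    return reasons


def report(password: str) -> dict:
    """Naive entropy next to the pattern findings, so the overstatement is visible."""
    return {"naive_bits": round(naive_entropy_bits(password), 1),
            "weaknesses": weaknesses(password)}


if __name__ == "__main__":
    for sample in ["password", "p@ssw0rd", "deer2000", "crabcrab", "qwerty",
                   "314159", "correct horse battery staple"]:
        print(f"{sample!r}: {report(sample)}")
```

Run it and the point of the section is visible in the output: p@ssw0rd scores about 49 "bits" by the charset formula yet is rejected as an obfuscated dictionary word, while the four random words pass every pattern check. A production check would add a breached-password lookup and user-specific identifiers (username, e-mail, employee ID) to the same reject list, since the text notes that anything tied to the user is guessable after a simple investigation.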