ECS UNIX and E-Mail Password Guidelines

In general, passwords should be both easy to remember, and hard to guess. In practice, these two characteristics tend to be somewhat conflicting. So we have these guidelines, to give you some ideas of what might be considered a good password.

Our guidelines are drawn from sources such as Practical UNIX & Internet Security by Simson Garfinkel and Gene Spafford (O'Reilly, 1996) and Essential System Administration by Aeleen Frish (O'Reilly, 1995).

Good passwords should

• Be at least 8 characters long
• Contain a mixture of upper- and lower-case letters
• Contain some digits and/or punctuation characters
• Be easy for you to remember
• Be hard for anyone else to guess

Good passwords should NOT be

• "password"
• your username
• your real name
• anyone else's name, including your husband/wife/boyfriend/girlfriend/best childhood friend/second cousin's third wife's brother-in-law
• your Social Security Number
• your license plate number
• your driver's license number
• your birthday
• anyone else's birthday, including your wife/husband/girlfriend/boyfriend/best friend/older brother/younger sister/pet fish
• any word in any dictionary in any language, including (perhaps especially) completely fictional ones like Elvish or Klingon
• any password that any book, movie, or web site (including this one) said was a good one
• any password that any book, movie, or web site (including this one) said was a bad one
• any of the above, spelled backward
• any of the above, with a single digit before or after

Good passwords may contain words, altered or combined in creative ways. Some examples (all of which you should now avoid, because anyone in the world can now see them):

• Red79cAr ("red car", possibly a '79)
• Cr38t!Ve ("creative")
• MAd$d0G& ("mad dog")

Good passwords may also be taken from a favorite phrase, saying, or quote:

• 1rtBtAaI ("One ring to bring them all and in...")
• tMiMo0gc ("The moon is made out of green cheese")
• IrtiHb1L ("I regret that I have but one life...")
• RWtdSfyH ("Remember what the dormouse said. Feed your head.")
• ^G!dtcN! ("Gilligan! Drop those coconuts!")
• Li^@tHCf ("Living it up at the Hotel California")

Finally, good passwords should be something you can remember easily and type quickly. If you have to write your phrase down to work out your password, or if someone can watch over your shoulder and see what you're typing, the purpose of having a password is defeated.