Creating Strong Passwords
What is a secure password?
A secure password should be virtually impossible for others to guess. It should not contain or be based on personal information, and it should not be written down or given out to anybody.
RIT Information Security recommends:
- Minimum of 16 characters (12 are required)
- Mixed upper and lower case letters
- At least one number and at least one symbol
- Do not include personal information like your name, birthday, or pet's name
- Use a password safe
- Create passphrases
Minimum requirements for passwords can be found at: https://www.rit.edu/security/content/password.
The full RIT Password Standard can be found here: https://www.rit.edu/security/sites/rit.edu.security/files/Password_2014.pdf
How do I choose a password that is easy to remember?
Password safes will generate a random password for you, but if you want one that you can remember more easily, here are three simple ways to make a secure, easy-to-remember password:
- Create a passphrase by choosing a short phrase and then:
  - changing the capitalization of some of the letters
  - replacing some of the letters with numerical and symbolic substitutions (such as $ for s, or 3 for e)
  - purposefully misspelling or abbreviating some words
  For example, "iced tea is great for summer" becomes ic3dT!sgr84$umm3R.
- Choose several shorter words and add some numbers in the center. Change capitalization and substitute symbols for letters, like: bo()K451BR^Dbury
- Choose a quote or phrase that has special meaning for you and use only the first letter from each word. Vary the capitalization. Make sure to also include numbers and symbols, either as substitutions for letters or as a replacement for a full word. "You will always miss 100 percent of the shots that you never take" could become ywAM100%ot$tyN+. Avoid using well-known quotations.
What should I avoid?
Many of the tricks people use to make their passwords easier to remember are well known, and cracking programs try the most common passwords and patterns first.
Passwords should NOT:
- Contain your RIT username.
- Be the same as your passwords for other accounts (RIT and non-RIT services).
- Be a single word, forward or backward, from an English or foreign dictionary.
- Contain more than three sequential characters on a keyboard (such as qwerty or 1234).
- Contain more than two consecutive repeating characters (bbbb2bbbb).
- Be all numbers, like a birthday or anniversary date (042516).
- Use common number substitutions (Passw0rd).
- Be shared with anyone for any reason.
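The recommendations and prohibitions above can be checked mechanically before a password is accepted. The following is an added example, not RIT's own tooling, of a Python policy checker that applies the length, character-class, username, dictionary-word, keyboard-sequence, repeated-character, all-numbers and common-substitution rules listed on this page. The six-word dictionary and the substitution table are constructed placeholders; a real deployment would load a full wordlist.

```python
"""Policy checker for the RIT password guidance above (added example, not RIT's own tool)."""
import re
import string

REQUIRED_LENGTH = 12      # required by the RIT Password Standard
RECOMMENDED_LENGTH = 16   # recommended by RIT Information Security

# Constructed six-word sample dictionary; a real check would load a full wordlist.
SAMPLE_DICTIONARY = {"password", "summer", "welcome", "dragon", "monkey", "football"}

# Keyboard rows (and the alphabet) used to spot runs such as "qwerty" or "1234".
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm", string.ascii_lowercase]

# Common "leet" substitutions, undone so that Passw0rd is still recognised as "password".
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                          "7": "t", "$": "s", "@": "a", "!": "i"})


def has_keyboard_sequence(pw, max_run=3):
    """True if more than max_run consecutive characters follow a keyboard row, forwards or backwards."""
    low = pw.lower()
    window = max_run + 1
    for row in KEYBOARD_ROWS:
        for direction in (row, row[::-1]):
            for i in range(len(low) - window + 1):
                if low[i:i + window] in direction:
                    return True
    return False


def has_repeated_run(pw, max_repeat=2):
    """True if any character appears more than max_repeat times in a row (bbbb2bbbb)."""
    return re.search(r"(.)\1{%d,}" % max_repeat, pw) is not None


def is_dictionary_word(pw, dictionary=SAMPLE_DICTIONARY):
    """True if the whole password is a single dictionary word, forwards or backwards."""
    low = pw.lower()
    return low in dictionary or low[::-1] in dictionary


def uses_common_substitutions(pw, dictionary=SAMPLE_DICTIONARY):
    """True if undoing common number/symbol substitutions turns the password into a dictionary word."""
    low = pw.lower()
    normalized = low.translate(LEET_MAP)
    return normalized != low and normalized in dictionary


def check_password(pw, username="", dictionary=SAMPLE_DICTIONARY):
    """Return the list of rules pw breaks; an empty list means it meets the guidance.

    Entries starting with "advisory:" are recommendations rather than hard requirements.
    """
    problems = []
    if len(pw) < REQUIRED_LENGTH:
        problems.append(f"shorter than the required {REQUIRED_LENGTH} characters")
    elif len(pw) < RECOMMENDED_LENGTH:
        problems.append(f"advisory: shorter than the recommended {RECOMMENDED_LENGTH} characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("needs both upper and lower case letters")
    if not any(c.isdigit() for c in pw):
        problems.append("needs at least one number")
    if not any(c in string.punctuation for c in pw):
        problems.append("needs at least one symbol")
    if username and username.lower() in pw.lower():
        problems.append("contains the username")
    if is_dictionary_word(pw, dictionary):
        problems.append("is a single dictionary word (forward or backward)")
    if has_keyboard_sequence(pw):
        problems.append("contains more than three sequential keyboard characters")
    if has_repeated_run(pw):
        problems.append("contains more than two consecutive repeating characters")
    if pw.isdigit():
        problems.append("is all numbers")
    if uses_common_substitutions(pw, dictionary):
        problems.append("is a dictionary word with common number/symbol substitutions")
    return problems


if __name__ == "__main__":
    for sample in ["Passw0rd", "qwerty12!A", "042516", "bbbb2bbbb", "ic3dT!sgr84$umm3R"]:
        print(f"{sample!r}: {check_password(sample) or 'OK'}")
```

Both passphrase examples from this page (ic3dT!sgr84$umm3R and bo()K451BR^Dbury) pass every rule, while Passw0rd is flagged because undoing the "0 for o" substitution leaves a plain dictionary word. Note that the sequence check is deliberately case-insensitive and runs in both directions, so "4321" is caught as well as "1234".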
The easiest solution: Use a password safe
Password safes save your passwords securely. They can also generate random passwords for each of your accounts.
These password safes store all your passwords in a single account, which has a master password you need to remember. This allows you to use truly random combinations in all your other passwords, making them more secure. Here are some good password safes:
- Sticky Password
- iCloud Keychain
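What "generate random passwords" means in practice is worth seeing, because the quality of the randomness matters as much as the length. The following is an added example, not code from Sticky Password, iCloud Keychain or any other product; it shows how a safe draws a password that meets the character-class rules above, how it draws a passphrase from a word list, and how much entropy each gives. The 16-word list is constructed for illustration only; a real safe uses a list of thousands of words.

```python
"""How a password safe generates random passwords and passphrases (added example,
not code from any product named on this page)."""
import math
import secrets
import string

# Character classes matching the guidance: mixed case, at least one number, one symbol.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"
ALL_CHARS = LOWER + UPPER + DIGITS + SYMBOLS

# Constructed 16-word sample list; a real safe uses a list of thousands of words.
SAMPLE_WORDLIST = ["anchor", "basil", "cobalt", "dune", "ember", "falcon", "glacier", "harbor",
                   "iris", "juniper", "kelp", "lantern", "meadow", "nectar", "orbit", "pebble"]


def meets_character_classes(pw):
    """True if pw has a lower-case letter, an upper-case letter, a digit and a symbol."""
    return (any(c in LOWER for c in pw) and any(c in UPPER for c in pw)
            and any(c in DIGITS for c in pw) and any(c in SYMBOLS for c in pw))


def generate_password(length=16):
    """Return a uniformly random password of `length` characters covering all four classes.

    Every character comes from the secrets module (a CSPRNG), never the random module.
    Candidates missing a class are discarded and redrawn rather than patched, which keeps
    the result uniform over the set of acceptable strings and avoids predictable positions
    for the mandatory digit or symbol.
    """
    if length < 12:
        raise ValueError("RIT requires at least 12 characters (16 recommended)")
    while True:
        candidate = "".join(secrets.choice(ALL_CHARS) for _ in range(length))
        if meets_character_classes(candidate):
            return candidate


def generate_passphrase(word_count=6, wordlist=SAMPLE_WORDLIST, separator="-"):
    """Return word_count words drawn independently (with replacement) from wordlist."""
    if word_count < 1:
        raise ValueError("need at least one word")
    return separator.join(secrets.choice(wordlist) for _ in range(word_count))


def passphrase_entropy_bits(word_count, wordlist_size):
    """Entropy of a passphrase built by uniform, independent word choice: word_count * log2(size)."""
    return word_count * math.log2(wordlist_size)


def password_entropy_bits(length, alphabet_size=len(ALL_CHARS)):
    """Entropy of a uniformly random password of `length` characters: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print(generate_password(16), f"~{password_entropy_bits(16):.0f} bits")
    print(generate_passphrase(6),
          f"({passphrase_entropy_bits(6, len(SAMPLE_WORDLIST)):.0f} bits with the sample list)")
```

The entropy functions make the trade-off concrete: a 16-character password over this 85-character alphabet carries about 102 bits, while six words from a 7776-word list (the size of a common diceware-style list) carry about 78 bits, and six words from the 16-word sample list only 24. This is why a safe's generated passwords are stronger than anything built from a memorable phrase, and why the master password protecting the safe deserves a long passphrase of its own.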
Change your passwords regularly
The RIT Password Standard requires passwords to be changed annually. In addition, passwords should be changed:
- Whenever a malicious program such as a virus is detected or a machine is compromised in some way.
- If there is a job change (job is completed, job is terminated, or a job transfer changes the need for access).
- From any default passwords.
- If they are shared with anyone other than the authorized user(s).