
Choosing a good password


Having a strong password is critical in today's electronic age. Passwords help to protect and secure your data and online transactions. There is always a trade-off between having a password that is very hard for someone to guess and one that is easy enough to remember.
A number of general recommendations on choosing a good password include:
  • Length - Password should be at least eight characters long.
  • Complexity - Include at least three of the following types of characters in your password: lowercase letters, uppercase letters, numbers and special characters. It takes 125 times longer to crack an 8-character password containing lowercase letters, uppercase letters, numbers and special characters than it does to crack a password made up only of lowercase letters.
  • Variation - Password should be changed at least every 90 days and the same password should not be used for multiple applications/sites.
A common technique for generating a good password that is easy to remember but hard to crack involves the following process:
  1. Pick a phrase or sentence that is easy to remember: The quick brown fox jumps over the lazy dog
  2. Take the first letter from each word: tqbfjotld
  3. Change some letters to capitals: tqBfjoTld
  4. Add in numbers and special characters: tqBfj0T!d
  5. You now have a password that is greater than 8 characters long, contains a range of letters, special characters and numbers, and is also easy to remember
Another method of protecting your passwords is to create a single secure master password and use a password safe application such as KeePass to store all of your other passwords. You can then use a very long and random set of characters that is different for each website or application you use. You don't need to remember these passwords because they are stored inside KeePass. This also helps to protect your identity if a website that you use is compromised and someone steals your password. Typically, if someone steals your username and password from one site, the same credentials are then tried at a large range of other websites to see if the username/password combination works there too.
Finally, this is a list of things not to do with your password:
  • do not use a word that is found in a dictionary, a common slang term or a name unless it has been used in the above process of making a complex password: newcastle, butterflies, benjamin
  • do not use a keyboard pattern or a repeated set of characters such as: qwerty, 123456, aaaaaaa
  • do not use things that are easy to guess: your birthday, mother's maiden name, phone number
  • do not simply add a number to the end of a word or substitute a similar-looking number for a letter in a word: merewether1, n3wcastl3
  • do not use your account name as your password, or any password listed in the top 500 worst passwords (1 in 9 users' main password is on this list)
  • never write your password down and stick it to your wall, screen or keyboard, and never share your password. Your local IT support provider should not require the use of your password; if they do, remember to change your password after the work has been completed.
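The rules above (minimum length, three of four character classes, no keyboard patterns or repeated runs, no worst-list or lightly disguised dictionary words) can be turned into a simple policy check. The following is an added example, not code from this page or from AusCERT; the word lists, the keyboard rows, the four-character pattern window and the leet-substitution table are constructed for the example and a real check would load a full dictionary and worst-password list.

```python
import re
import string
# Constructed sample lists for this example; a real check would load a full
# dictionary and a breached/worst-password list (the page's "top 500 worst passwords").
WORST_PASSWORDS = {"123456", "password", "qwerty", "letmein", "abc123", "iloveyou"}
DICTIONARY_WORDS = {"newcastle", "butterflies", "benjamin", "merewether", "fox", "dog"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
# Common digit/symbol-for-letter substitutions, undone before the dictionary check
LEET = str.maketrans("013457@$!", "oieastasi")
CLASSES = {"lowercase": string.ascii_lowercase, "uppercase": string.ascii_uppercase,
           "digit": string.digits, "special": string.punctuation}

def initials(phrase):
    """Step 2 of the page's method: first letter of each word, lowercased."""
    return "".join(w[0] for w in phrase.split()).lower()

def char_classes(pw):
    """Return the names of the character classes present in pw."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in pw)}

def has_keyboard_pattern(pw, window=4):
    """True if any `window` consecutive characters form a forward or reversed keyboard-row slice."""
    low = pw.lower()
    return any(low[i:i + window] in row or low[i:i + window] in row[::-1]
               for row in KEYBOARD_ROWS for i in range(len(low) - window + 1))

def looks_like_dictionary_word(pw):
    """True if pw is a listed word, possibly with trailing digits/symbols or leet substitutions."""
    low = pw.lower()
    core = re.sub(r"[\d\W_]+$", "", low)                              # merewether1 -> merewether
    candidates = {low, low.translate(LEET), core, core.translate(LEET)}  # n3wcastl3 -> newcastle
    return bool(candidates & DICTIONARY_WORDS)

def check_password(pw, min_length=8, min_classes=3):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(char_classes(pw)) < min_classes:
        problems.append(f"fewer than {min_classes} character classes")
    if re.search(r"(.)\1{2,}", pw):
        problems.append("repeated character run")
    if has_keyboard_pattern(pw):
        problems.append("keyboard pattern")
    if pw.lower() in WORST_PASSWORDS:
        problems.append("on the worst-passwords list")
    if looks_like_dictionary_word(pw):
        problems.append("dictionary word with trivial changes")
    return problems
```

Running `check_password` on the page's own examples shows the bare initials "tqbfjotld" still fail the complexity rule until steps 3 and 4 are applied, while "tqBfj0T!d" passes every check.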
For further information, please refer to the AusCERT recommendations.