Tips and Guidelines for Keeping Strong Passwords

Things to avoid
  • Don't just add a single digit or symbol before or after a word. e.g. "apple1"
  • Don't double up a single word. e.g. "appleapple"
  • Don't simply reverse a word. e.g. "elppa"
  • Don't just remove the vowels. e.g. "ppl"
  • Key sequences that can easily be repeated. e.g. "qwerty","asdf" etc.
  • Don't just garble letters, e.g. converting e to 3, L or i to 1, o to 0. as in "z3r0-10v3"
Bad Passwords
  • Personal Information. Don't use passwords based on personal information such as: name, nickname, birthdate, wife's name, pet's name, friends name, home town, phone number, identity number, car registration number, address, organization/department name etc. This includes using just part of your name, or part of your birthdate.
  • Location based information. Don't use passwords based on things located near you. Passwords such as "computer", "monitor", "keyboard", "telephone", "printer", etc. are useless.
  • Common Passwords. Don't ever be tempted to use common passwords that are easy to remember but offer no security at all. e.g. "password", "letmein".
  • Account information. Never use a password based on your username, account name, computer name or email address.
  • Easy to remember. Choose a password that you can remember so that you don't need to keep looking it up, this reduces the chance of somebody discovering where you have written it down.
  • Easy to type quickly. Choose a password that you can type quickly, this reduces the chance of somebody discovering your password by looking over your shoulder.
  • Public Computer Caution. Never use a public computer to log into your account.
  • Select hint question intelligently. Exercise caution when using a ‘hint question/ answer’ for password recovery as such information can be found on your social website.
  • Clean viruses from computer. Keep your computer clean of viruses, as they can capture your information such as passwords, Credit card information, bank account information etc.
  • Do not share your passwords. Passwords should not be shared with anyone. In situations where someone requires access to another individual’s protected resources, delegation of permission options should be explored
  • Log out when done. Remember to logout of the systems and application when you are done with them.
Choosing a password
  • A strong can be chosen by using passphrase that is easy to remember.
  • A passphrase can be a favorite quote or a memorable event, e.g. Smile its sunnah ($miL3!tsSunN@h).
  • Make nonsensical words using the first letter from each word in a phrase (e.g. C$200wpG., represents "Collect $200 when passing Go.").
  • Choose two short words and concatenate them together with a punctuation or symbol character between the words. eg. "seat%tree"
Protecting your password
  • Never store your password on your computer except in an encrypted form. Note that the password cache that comes with windows (.pwl files) is NOT secure, so whenever windows prompts you to "Save password" don't.
  • Don't tell anyone your password, not even your system administrator
  • Never send your password via email or other unsecured channel
  • Yes, write your password down but don't leave the paper lying around, lock the paper away somewhere, preferably off-site and definitely under lock and key.
  • Be very careful when entering your password with somebody else in the same room.
Good Password Examples
Following are examples of good passwords, however no one should use these examples as they are already published.
  • S@tItWdOtW4Me - Saturday is the worst day of the week for me.
  • $miL3!tsSunN@h - Smile its Sunnah
  • M2swb@BH@6:30pm - My 2nd son was born at Boston Hospital at 6:30pm
How would a potential hacker get hold of your password anyway?
Some of the techniques that hackers can use to get hold of your password:
  • Steal it. That means looking over your shoulder when you type it, or finding the paper where you wrote it down. This is probably the most common way passwords are compromised, thus it's very important that if you do write your password down you keep the paper extremely safe. Also remember not to type in your password when somebody could be watching.
  • Guess it. It's amazing how many people use a password based on information that can easily be guessed. Some of the most used passwords are the names of their wives, husbands or children.
  • A brute force attack. This is where every possible combination of letters, numbers and symbols in an attempt to guess the password. While this is an extremely labour intensive task, but with modern fast processors and software tools this method is not to be underestimated.
  • A dictionary attack. A more intelligent method than the brute force attack described above is the dictionary attack. This is where the combinations tried are first chosen from words available in a dictionary. Software tools are readily available that can try every word in a dictionary or word list or both until your password is found. Dictionaries with hundreds of thousands of words, as well as specialist, technical and foreign language dictionaries are available, as are lists of thousands of words that are often used as passwords such as "qwerty", "abcdef" etc.
  • Phishing attack. Never provide your password over e-mail or based on an e-mail request. Hackers try to trick people into giving away their passwords and other personal information by sending fake e-mails that appear to come from common Web sites such as the University, eBay, PayPal, or a local bank