Information Resources and Technology Procedure

Section Policy Name Policy Number
Access Control Selecting Secure Password 6.01.03

Procedure Purpose

This procedure documents how to select a secure password.

Policy Supported

6.01 Password Policy

Procedure Description

There is a program available on the Internet which can test 350,000 passwords per second using a 3-GHz Pentium 4. Even at this rate, it would take 600 years to try all 6.6 quadrillion possible 8-character passwords which can be made from the 95 characters available on standard US computer keyboards.
But most people don’t choose passwords like “j%M\x3}&”. If you use only the 26 letters to make 8-character passwords, you are limited to 208,827,064,576 possible combinations.
This may seem like a large number, but your enemy with the 3-GHz Pentium can try that many combinations in less than a week. Since most passwords aren’t actually random combinations of letters, but are instead made up of names, words in the dictionary, dates, phone numbers, license plate numbers, etc., it’s easy to write programs which can radically reduce the number of guesses required. It’s even easier to just download one of the many such programs other people have already written.
Therefore, it’s very important for you to choose passwords which are difficult to guess.

How to Create More Secure Passwords

Your password should not consist solely of a word in the dictionary (school, campaign) or the name of a person or place (mary, texas). You may base your password on a word or a name, but you should add some numbers and/or punctuation. Do not just put one extra character at the beginning or the end (4mary, mary6, texas!). Avoid obvious replacements: s with $ (texa$); o with 0 (sch00l); i or l with 1 (campa1gn); e with 3; a with 2 or 4; or h with 4.

Other common tactics password-guessing programs try are reversing words (yram), duplicating (marymary) or reflecting (maryyram) short words, trying all the above while playing games with upper or lower case (MARY, Yram, yraM, MaryyraM, etc.), making words plural, past tense, etc., and removing the vowels. Including any form of your own login name or real name in the password is also not a good idea. Combinations of words are easier to guess than random words (marysmith vs marytexas).

It is not that hard to pick a password that is easy to remember but difficult to guess. Piecing together parts of words is even better than common words (vactime, for vacation time). Also multiple-digit numbers (mary358, but not mary123). Another good way to make a hard-to-guess password is to make up a sentence and then use the first letter of each word adding punctuation of random numbers(i.e. type iittpanp?7 while thinking "Is it time to pick a new password?"). 
The longer a password is the harder it is to guess. For this reason the minimum length of a Bradley University password is 8 digits two of which should be numbers or special characters. An 80-character string of random digits will be almost impossible to guess. It will also almost impossible to remember! The following string is hard to guess and can be remembered – Ilike2use@Ccurepasswrdbeecausenoonecanreadmyemailordropaclassonme.

Procedure Scope

This policy applies to all Bradley University computer and network users.

Date Approved Revision 1 Date Revision 2 Date Revision 3 Date Revision 4 Date Revision 5 Date