How to Choose a Good Password

Student Information Processing Board

 	 	*** How to Choose a Good Password ***
			(and why you should)

Do not use:
o Names:
 	o of yourself, including nicknames;
 	o of your spouse or significant other, of your parents,
 	 	children, siblings, pets, or other family members;
 	o of fictional characters, especially ones from fantasy or sci-fi
 	 	stories like the _Lord_of_the_Rings_ or _Star_Trek_;
 	o of any place or proper noun;
 	o of computers or computer systems;
 	o any combination of any of the above.
o Numbers, including:
 	o your phone number;
 	o your social security number;
 	o anyone's birthday;
 	o your driver's licence number or licence plate;
 	o your room number or address;
 	o any common number like 3.1415926 or 1.618034;
 	o any series such as 1248163264;
 	o any combination of any of the above.
o Any username in any form, including:
 	o capitalized (Joeuser);
 	o doubled (joeuserJoeuser);
 	o reversed (resueoJ);
 	o reflected (joeuserResueoj);
 	o with numbers or symbols appended (Joeuser!).
o Any word in any dictionary in any language in any form.
o Any word you think isn't in a dictionary, including:
 	o any slang word or obscenity;
 	o any technical term or jargon (BartleMUD, microfortnight, Oobleck).
o Any common phrase:
 	o "Go ahead, make my day."
 	o "Brother, can you spare a dime?"
 	o "1 fish, 2 fish, red fish, blue fish."
o Simple patterns, including:
 	o passwords of all the same letter;
 	o simple keyboard patterns (querty, asdfjkl);
 	o anything that someone might easily recognize
 	 	if they see you typing it.
o Any information about you that is easily obtainable:
 	o favorite color;
 	o favorite rock group.
o Any object that is in your field of vision at your workstation.
o Any password that you have used in the past.

There are programs (and they are easy to write) which will
crack passwords that are based on the above.

o Change your password every three to six months.  Changing
 	once every term should be considered an absolute
 	minimum frequency.
o Use both upper and lower case letters.
o Use numbers and special symbols (!@#$) with letters.
o Create simple mnemonics (memory aids) or compounds that
 	are easily remembered, yet hard to decipher:
 	o "3laR2s2uaPA$$WDS!" for "Three-letter acronyms are
 	 	too short to use as passwords!"
 	o "IwadaSn,atCwt2bmP,btc't." for "It was a dark and
 	 	stormy night, and the crackers were trying
 	 	to break my password, but they couldn't."
 	o "HmPwaCciaCccP?" for "How many passwords would a
 	 	cracker crack if a cracker could crack passwords?"
o Use two or more words together (Yet_Another_Example).
o Use misspelled words (WhutdooUmeenIkan'tSpel?).
o Use a minimum of eight characters.  You may use up to
 	255 characters on Athena, and generally the longer
 	the password, the more secure it is.

* Finally, NEVER write your password down anywhere, nor    *
* share your password with anyone, including your best     *
* friend, your academic advisor, or an on-line consultant! *

"Why go through all the trouble?"

Passwords are the primary defense and front-line security for
your personal data.  If someone obtains your password, then
they have complete access to your account and all its data,
and to all the privileges and abilities you have.  If you
give your password to anyone, you are giving them significant
power while keeping all the responsibility for their wielding
it.  There are always better and safer ways of doing anything
legitimate than giving away your password.

The Athena Rules of Use clearly state:
8.  Do not let anyone know your Athena password(s).

Giving someone else your password -- including trusted friends, or
even IS/Athena staff members -- is like giving them a signed blank
check, or your charge card.  You should never do this, even to "lend"
your account to them temporarily.  This is especially important now
that you can view certain private information online (e.g., academic
records through the Student Information Services program).

Your Athena username identifies you to the Athena user community --
anyone who has your Athena password can use your account and whatever
they may do that affects the system will be traced back to your
username; if your username is used in an abusive manner, you can be
held responsible.

Furthermore, there is never any reason to tell anyone your password:
every MIT student and faculty member who wants an account of their own
can have one; and if your goal is permitting other users to read or
write some of your files, there are always ways of doing this without
giving away your password.  (For example, see the document Managing
Your Athena Account.)

"What if I forget my password?"
Don't worry.  Just go over to the Athena Accounts Office
(11-124h, right behind the Fishbowl off the Infinite Corridor)
with your picture MIT ID, and they will gladly change it for you.

Disclaimer - Main Menu - Search - Paths - All sources