Best Practices for Selecting Passwords, Passphrases and Challenge Responses
Introduction
Passwords are the most frequently used form of authentication for accessing Information Technology (IT) resources. Strong passwords are an essential aspect of computer security, significantly reducing the risk of unauthorized access to resources. A poorly chosen password may result in the compromise of University systems and data. This document provides best practices for the selection of passwords, passphrases and challenge responses.
What Constitutes a Strong Password?
In general, password strength increases with greater length and complexity. Complexity increases when a variety of character classes are used: lowercase and uppercase letters, numbers, and special characters (e.g. % * + _ : ?). An ideal password is easy to remember but difficult for others to guess.
Mnemonics (memory or learning aids) can be very useful in selecting a strong password. For example, one method takes the first (or last) letter of each word in a particular phrase and joins them, separated alternately by either a $ or a 9. So if the phrase is “I like basketball the best”, the password would become “I$l9b$t9b”.
Here is a list of pointers to use when choosing a password:
- Don't use passwords that are based on personal information that can be easily accessed or guessed.
- Don't use words that can be found in any dictionary of any language.
- Develop a mnemonic for remembering complex passwords.
- Use both lowercase and capital letters.
- Use a combination of letters, numbers, and special characters.
- Use passphrases when you can.
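The following is an added example, not part of the original guidance, that implements the mnemonic method described above (first or last letter of each word, joined with alternating separators) and checks a candidate password against the pointers in the list: minimum length, lowercase and capital letters, numbers and special characters, dictionary words, and personal information. The dictionary and the personal-information list are constructed stand-ins; a real check would load a full wordlist, and the eight-character minimum is an assumption taken from the challenge-response guidance later on this page.

```python
import math
import re
import string

# Constructed stand-in for "any dictionary of any language"; a real checker
# would load a full wordlist (assumption for this example).
DICTIONARY_WORDS = {"password", "basketball", "summer", "welcome", "dragon", "letmein"}

SPECIALS = set(string.punctuation)


def mnemonic_password(phrase, separators=("$", "9"), use_last_letter=False):
    """Take the first (or last) letter of each word in the phrase and join the
    letters, inserting the separators alternately between them."""
    words = [w.strip(string.punctuation) for w in phrase.split()]
    words = [w for w in words if w]
    letters = [w[-1] if use_last_letter else w[0] for w in words]
    password = letters[0]
    for i, letter in enumerate(letters[1:]):
        password += separators[i % len(separators)] + letter
    return password


def character_classes(password):
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in SPECIALS:
            classes.add("special")
    return classes


def search_space_bits(password):
    """Rough size of the brute-force search space, in bits, assuming the
    attacker knows which character classes were used (conservative estimate)."""
    sizes = {"lower": 26, "upper": 26, "digit": 10, "special": len(SPECIALS)}
    alphabet = sum(sizes[c] for c in character_classes(password))
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def check_password(password, personal_info=(), min_length=8):
    """Check a password against the pointers in the list above and return a
    list of findings; an empty list means every pointer was satisfied."""
    findings = []
    if len(password) < min_length:
        findings.append(f"shorter than {min_length} characters")
    classes = character_classes(password)
    if not {"lower", "upper"} <= classes:
        findings.append("use both lowercase and capital letters")
    for missing in sorted({"digit", "special"} - classes):
        findings.append(f"missing character class: {missing}")
    # Compare the alphabetic core of the password against the dictionary, so
    # that "basketball1!" is still caught as a dictionary word.
    core = re.sub(r"[^a-z]", "", password.lower())
    if any(word in core for word in DICTIONARY_WORDS):
        findings.append("based on a dictionary word")
    for item in personal_info:
        if item and item.lower() in password.lower():
            findings.append(f"contains personal information: {item}")
    return findings


if __name__ == "__main__":
    pw = mnemonic_password("I like basketball the best")
    print(pw, round(search_space_bits(pw), 1), "bits", check_password(pw))
    print(check_password("basketball1!"))
    # Constructed personal details used only to demonstrate the check.
    print(check_password("Smith1990!", personal_info=("Smith", "1990")))
```

The search-space estimate is deliberately conservative: it credits only the classes actually present, so a nine-character mnemonic using all four classes scores close to 59 bits, while the 26-character passphrase shown in the next section scores far higher on the same scale.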
Passphrases
Longer passwords are more secure than shorter ones because there are more characters to guess, so consider using passphrases. Passphrases also allow you to use a memorable phrase rather than a cryptic, random sequence of characters. For example, "This passwd i$ 4 my email!" would be a good choice because it has many characters and includes lowercase and capital letters, numbers, and special characters. Avoid common phrases, famous quotations, and song lyrics.
Challenge Responses
Challenge questions help users access their accounts when they forget their password. These questions are in effect a backup for the password, so the answers to challenge questions are themselves a form of password and should have the same protections. Like passwords, challenge responses should be easy for you to remember, but difficult for someone else, even someone you know, to guess. Possible methodologies include:
- Begin and/or end each response with a number, capitalize a letter, and use a special character. For example, the response for a mother’s maiden name of Smith would be 44SmitH! You can also insert a number and special character in the middle of the word. In this example, the answer for a mother’s maiden name of Smith would be Smi44!th.
- Provide answers that do not correspond to the question, thus making it difficult for an attacker to correctly guess. For example, use the name of a city as the response for mother’s maiden name.
- Use the question itself to create an easy-to-remember passphrase. By combining the main part of the question with one of your favorite catchwords, you can create a passphrase you can remember. If the question asks for your favorite sports team, you can, for example, take Dallas Cowboys from the question and combine it with a phrase from your favorite show, such as CSI. Your answer would be Dallas Cowboys CSI.
- Follow best practices for strong passwords when developing your responses, such as making them at least eight characters long and using numbers, upper and lower case letters, and special characters.
- As with passwords, do not share the responses to your Challenge Questions or your methodology for developing them with anyone.
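The following is an added example, not part of the original guidance, that implements the two response transformations from the first methodology above (prefix a number, capitalize a letter, append a special character; or insert the number and special character in the middle of the word) and then stores and verifies the response the way a password should be stored: salted, with a slow hash, never in plaintext. PBKDF2-HMAC-SHA256 and the 16-byte salt are assumptions standing in for whatever the account system actually uses; the transformed responses are case-sensitive by design, so a system that folds case or strips punctuation before hashing would undo the capitalization and special-character steps.

```python
import hashlib
import hmac
import os


def wrap_response(answer, number="44", special="!"):
    """Begin the response with a number, capitalize its last letter and end it
    with a special character: "Smith" -> "44SmitH!"."""
    body = answer[:-1] + answer[-1].upper()
    return f"{number}{body}{special}"


def insert_into_response(answer, number="44", special="!", position=None):
    """Insert a number and a special character in the middle of the word:
    "Smith" -> "Smi44!th". The split point defaults to just past the midpoint."""
    if position is None:
        position = (len(answer) + 1) // 2
    return answer[:position] + number + special + answer[position:]


def store_response(response, iterations=600_000):
    """Record a challenge response with the same protections as a password.
    Assumption: PBKDF2-HMAC-SHA256 with a random 16-byte salt; the plaintext
    response is never kept."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", response.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_response(candidate, record):
    """Recompute the hash for the candidate and compare in constant time.
    No case folding or whitespace stripping is applied: "44smith!" must not
    match "44SmitH!", otherwise the capitalization step adds nothing."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["digest"])


if __name__ == "__main__":
    # "Smith" is the example answer used on this page, not a real account's answer.
    transformed = wrap_response("Smith")
    print(transformed, insert_into_response("Smith"))
    record = store_response(transformed)
    print(verify_response(transformed, record), verify_response("Smith", record))
```

The verification step is where the "same protections as a password" requirement becomes concrete: the bare answer "Smith" fails against a record built from "44SmitH!", and so does a lowercase or differently punctuated variant, because nothing is normalized before hashing.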
Special Notes
Please do not use any of the specific examples listed above for your actual password, passphrase or challenge responses.