Tuesday, 5 November 2013

Choosing your password


It can be difficult to choose a good password: the password should be fairly long and shouldn’t be guessable, but at the same time it should be easy to remember.

Here are a few reminders of good password practices:

• Choose a good password that will be hard to crack.

• Never share your password; you may be held responsible for any email sent by people with whom you share it.

• Don’t use the same password for all your accounts.

• Avoid using non-secure networks at places such as hotels, cafes, etc. to send private information.

• Change your password after using a non-secure network.

• Change your password with some frequency.

• Change your password after travelling abroad and using non-secure networks or machines.

• Never store your password in a program, even if the program or browser asks you to.

• Consider storing your passwords in departmental shared resources with IT Security.

• Never write down a password. If you do, be sure to shred it as soon as possible.

Selecting good passwords

• Use letters from a phrase or song lyric.

Think up a phrase. For example, “Marx’s Communist Manifesto has 8,196 words in it!” Once you’ve decided on the phrase, choose the first (or last, or the second, or whatever) letter from each word. “Marx*’s* Communist Manifesto has 8196 words in it*!*”

You’ll notice that in this example, we’ve decided to include all the punctuation. This is to improve the quality of the password.

So, your password would be M’sCMh8196wii! It is a nice, long password with a good mixture of character classes.

• Combine a few pronounceable nonsense words with punctuation.

For example, nuit+Pog=tWi. Pronounceable nonsense words are easier to remember than random characters. In our example, we have combined the nonsense words in a way that is similar to an arithmetic formula, which makes it easier to remember. You may want to use other punctuation for similar reasons.
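The phrase method described above, written out as a short Python sketch. This is an added example and not part of the original post; the function names and the exact tokenising rule (one letter per word, numbers kept whole, punctuation kept) are assumptions inferred from the worked example.

```python
import re


def mnemonic_password(phrase, position=0):
    """Derive a password from a phrase: one letter per word, numbers and
    punctuation kept. position=0 takes the first letter, -1 the last."""
    # Drop thousands separators so "8,196" is kept as the number 8196,
    # matching the worked example in the post.
    phrase = re.sub(r"(?<=\d),(?=\d)", "", phrase)
    # Tokens: a run of letters, a run of digits, or a single punctuation mark.
    # An apostrophe splits "Marx’s" into "Marx", "’" and "s".
    tokens = re.findall(r"[^\W\d_]+|\d+|[^\w\s]", phrase)
    out = []
    for tok in tokens:
        if tok[0].isalpha():
            # Clamp the index so short words ("s", "in") never raise IndexError.
            idx = max(-len(tok), min(position, len(tok) - 1))
            out.append(tok[idx])
        else:
            out.append(tok)  # whole number or punctuation mark, unchanged
    return "".join(out)


def character_classes(password):
    """Return which character classes appear in the password."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


if __name__ == "__main__":
    phrase = "Marx’s Communist Manifesto has 8,196 words in it!"
    for pos, label in ((0, "first letters"), (-1, "last letters")):
        pw = mnemonic_password(phrase, pos)
        print(f"{label}: {pw}  length={len(pw)}  "
              f"classes={sorted(character_classes(pw))}")
```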

• Handling many passwords

In the modern Internet environment, people often find that they need to juggle multiple passwords for their email accounts, the websites they visit and different Internet-based services that they wish to use. While it is impractical to create a completely different password for every website or account, using the same password in multiple locations is very dangerous: if the password is stolen from any one of the places where it is used, it can be used elsewhere as well.

Below are a few ideas on various ways to handle the increasing number of passwords that seem to be required these days while not making the passwords easy to guess.

• Consider what the password is protecting when choosing a password.

• Some services may not require as secure a password if they do not contain any private information.

• Consider your password as multiple parts: a central core of the password and a prefix and/or suffix, which is specific to the service that is being protected.

• The passwords protecting your most sensitive information should always be different from your other passwords.

Some groups may wish to securely store passwords with a third party to prevent the loss of passwords through any number of factors.
