Guidelines to Safeguard Your Password

Guidelines for setting a Strong Password

1. Password minimum length
   • Set your passwords with at least 8 characters composed of random letters, digits and special characters (e.g. #, $, % and spaces) and;
2. Composition
   • A good rule of thumb is never use dictionary words and personal related information such as name, the NetID, birthday date, telephone number, HKID and user ID, etc.
3. Reuse of passwords
   • Use different sets of passwords in different systems for examples mix upper and lower case letters; mix letters and numbers; include non-alphanumeric characters and;
4. Password aging
   • You should change your password regularly such as in every 180 days.

Examples

1. Examples of strong passwords:
   • A combination of several words that aren’t themselves a word interspersed with special characters (e.g., !4scOrE&sDayNYeaRs_ag0)
   • A word with digits of a memorable date sprinkled inside it (e.g., vacation -> 0vac2a0t9io19ln99)
2. Examples of weak passwords:
   • Use of repeated numbers, characters or sequences such as 12345678, bbbbbbbb, or 33333333
   • Use of words in dictionary such as the word “password”
   • Use of personal related information HKID such as “Y6754815”
3. Examples of how to set up a strong password:
   • Use a memorable word – it can even be a dictionary word or name but move the hands up a row from the home row on the keyboard when typing it. This way, “GoFishing” would become “T9R8wy8ht”. This technique would be most usable by touch-typists.
   • Create a passphrase and use the first letter of each word. The phrase “Now is the time for all good persons …”would yield the password “NittfaGp”. Since our rules required still more complexity, I suggested putting a punctuation character in front – “!” for example, to make it “!Nittfagp”.
   • Transform words using by substituting characters for letters – @ or ^ for “a”, $ for “s”, 3 for “e”. The word “Geekspeak” might become “G33k$p3^k.”
   • Do the unexpected with characters and numbers and put them at the beginning or middle of a password instead of the end. LC3 can vary 1-3 appended characters as part of a hybrid attack. LC4 added the ability to work with prepended characters but the cracking process is much, much slower.

Fact

The purpose to set a strong password is to minimize the potential risk of unauthorized access to important data and use of computing resources. The table below can give you some idea of how long it takes to crack different passwords. From there, you can see that it takes 24.2 days to crack a 8-characters password in pure lower case letters and it takes 17 year to crack a 8-characters password in mixed characters. You can see the importance of setting a strong password:

Useful tools

1. Password Checker
2. Secure Password Generator
3. Secure Password Generator (Firefox Add-ons)