Ten Password Tips that Never Go Out of Style

Wednesday, August 10, 2011

Allan Pratt, MBA


I know what you’re thinking: not another post about passwords.

But the truth is, no matter how many times those of us who live in the infosec arena talk, cajole, and plead with users to create complex passwords, they don’t follow directions; instead, they come crying to us after something bad happens.

The results are often dismal and cover the spectrum from security breaches to complete data loss. Since the #1 most commonly used password is “12345678” (although Microsoft no longer allows it for hotmail), and “password” is the #4 most commonly used password, we can never discuss the importance of passwords too often.

So, since passwords are the core of an overall security plan, here are my favorite password-related tips.


1. Make sure your passwords are complex. Use lower case and upper case letters, numbers, spaces, and symbols. Make sure the password is longer than eight characters – Microsoft recommends at least 14 characters.

Don’t use common dictionary words or real names. Don’t spell your name backwards, use words with common spelling errors, or repeat sequences of the same numbers or letters. Create a phrase or sentence instead.

If you are curious how strong your password is, check it at http://howsecureismypassword.net or use the Microsoft Password Checker (https://www.microsoft.com/security/pc-security/password-checker.aspx?WT.mc_id=Site_Link).

You can also learn how your password stacks up with the Password Strength Checker (http://www.passwordmeter.com). This site evaluates your mix of upper and lower case letters, numbers, symbols, etc.


2. Create a different password for each website you use, and for every place you access your data.

Don’t use the same password for Facebook, Twitter, Google+, YouTube, Flickr, etc., because if someone gains access to one account, the hacker could then gain access to all of your social networking sites – contact information, photos, family member names, etc.

Also, if you use passwords to access online banking or other confidential information, create unique passwords for these sites.


3. If you don’t want to remember your passwords because they are (hopefully) too long and complex, or if you would like an online site to generate passwords for you, check out LastPass (http://lastpass.com/index.php).

With LastPass, you only need to remember one master password to log onto the site. LastPass automatically saves your log-ins and passwords for all sites that you visit. There is a free version as well as a premium version – and the download is available for Windows, Mac, and Linux.

While there was news of a security breach at LastPass earlier this year, LastPass remains the leader in the web password manager space.


4. If you store important documents on your home computer containing bank account information, tax information, or social security numbers, make sure to password-protect them. If your computer is ever stolen, the passwords add another layer of security to your information.


5. If you are asked security questions as an additional component of password creation, don’t use easy answers. For example, don’t use your birthday, spouse’s first name, mother’s maiden name, your car license plate, or the city where you live.

For many hackers, and even for those who merely know the right websites to search, these pieces of data are easy to find.


6. Whenever you sign up on a new site or are assigned a new site to access, there is often a default password.

Often, we are so busy that we forget to change the default password – not a good idea. Before you do anything on the site, go first to the settings area and create a new password.


7. Since most companies require that users change their passwords every 90 days, changing your personal passwords several times a year is a good idea.


8. Always be sure to log off of the site you are accessing. You may eventually turn off your computer, but logging off ends your session on the site immediately.

Also be sure to visit your Internet settings area and delete cookies, history, and cache.


9. Don’t give your IT department a heart attack by writing your passwords on a Post-It note attached to your monitor. While this sounds obvious, people think no one will notice, or that the note will only be on the screen for a few moments.

If you do this, you are handing your data to a thief on a silver platter – don’t do it.


10. Does your company have a password policy? You have probably been asked to read and sign copies of harassment policies, privacy policies, and social media policies.

Given the importance of passwords, this may be a way to make friends with your IT department. Suggest the creation of a password policy – and feel free to share my favorite tips.

What's your favorite password tip?

Ron Trunk

Sorry Allan, but I disagree with most of this advice.

Password tips #1 and #2 recommend 14 character random passwords for each site you visit. That’s well meaning, but impossible to put into practice. How many 14 character random passwords can you memorize? If you have a unique one for every site you visit, that is at least a dozen or so random passwords. That’s much more than anyone can be expected to memorize. I bet you can’t do it.

Oh, and tip #3 suggests that you use an online password vault, secured with…a password. So we’re back to one password that unlocks everything.

Tip #7 suggests you change your passwords several times a year. Now that’s 4 dozen random character strings you have to memorize. Maybe I’m approaching senility, but that’s more than I can reliably memorize. I suspect I’m not alone.

Let me suggest an alternative: I use just a few passwords. User accounts on most sites have little or no value, so I use one simple password for them. If someone guesses it, it’s no loss. For my bank account, etc., I use a different, unrelated, and easy to remember password. I’m not worried if my bank account password is complex, because you only have three guesses before you’re locked out. Even a four digit PIN is good enough for that.

Tip #9 tells you not to write the passwords down. I think writing down your random passwords is one of the only ways to cope with all those random character strings. The odds that someone will break into your work to steal the sticky note and commit computer fraud are extremely small. If there’s a thief running around your building, then you have lots more to worry about than your passwords. Besides, you can always put the password list in your wallet or purse.

Tip #10 suggests you write the password policy for the IT department. If I may suggest, telling another department how to do their job will almost never make you more friends. On the other hand, if you’re reading this post, odds are you’re already part of the IT department. So no one likes you anyway. ;-p
Emmett Jorgensen

I agree that long, random passwords can be difficult to remember. But a strong password doesn't necessarily have to be hard to remember. Check out this interesting (and humorous) webcomic related to password length and strength.

Webcomic - Password Strength
John Readinger

Ron,
These are good tips for the average user. Where was the word "random" used in the article? For an enterprise system, complex 14 character passwords, changed every 90 days, are often the norm and users learn ways to handle it, without complaining, or writing it down, provided it's not random. Putting it in your wallet would be the worst scenario. If you are required to use a different password on multiple systems, rather than writing those on a piece of paper, a software "vault" on a local encrypted drive would be my choice. For personal internet use, people would still be wise to follow many of the tips.
Ron Trunk

John,
I beg to differ. Most users can't remember one "complex" 14 character password, much less several different passwords for several different sites.

You are absolutely right, though, that users don't complain. They "handle it" by simply choosing easy to remember passwords like "password" or "123345".

By the way, what's wrong with putting your passwords in your wallet? It's safe enough for your ID, cash and credit cards, which I imagine are far more valuable than your Facebook password.
Christine Stagnetto-Sarmiento

Hi Allan, I read your article, and currently I am teaching this section to my students. I would like to copy and paste this link with your permission. Thanks, Christine
Sara Hald

The way I handle complexity for passwords is to use shortened sentences. If I for example create a password for this site, I could use the sentence "My first password for InfoSecIsland!". This sentence would then be shortened into something like "M#1passfISecI!". Another example would be "I love reading about information security" shortened into "I<3rabtinfosec" (and no, neither of those is my password here). I would much prefer to use just a regular sentence or even just a number of normal words I can use to create a picture meme (which are much easier to remember) as suggested in the xkcd comic, but most sites won't allow you enough characters for that or require you to use a crazy mix of special characters, numbers, and mixed cases.

According to the http://howsecureismypassword.net site you recommend, it would take about 66 billion years to crack "I<3rabtinfosec", while it would take about 1 novemdecillion years to crack "I love reading about information security", which is much easier to remember. I could even spice it up with a bit of personal information, e.g. "It's been too long since I read any hacker fiction" and we are up to about 46 quattuorvigintillion years, and a pretty hard password to guess, even for someone who knows me well.
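The crack-time comparison Sara makes above, together with the complexity rules in tip #1, worked through as an added example (my code, not the article's and not any checker site's): it estimates the brute-force search space from the character classes present, the approach those checkers take, and applies it to the passwords quoted on this page. The guess rate of one billion per second and the three-class minimum are this example's assumptions, so the absolute years differ from the site's figures; the ordering is the point.

```python
import math
import string

# Character classes a brute-force attacker must assume once one member appears.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
    "space": {" "},
}

# Constructed list of the commonly used passwords the article quotes.
COMMON = {"12345678", "password"}

def _classes_present(pw):
    return [name for name, chars in CLASSES.items() if any(c in chars for c in pw)]

def charset_size(pw):
    """Alphabet size implied by the character classes that appear in pw."""
    return sum(len(CLASSES[name]) for name in _classes_present(pw))

def entropy_bits(pw):
    """Bits of a uniform search over charset**length; length dominates."""
    return len(pw) * math.log2(charset_size(pw))

def years_to_exhaust(pw, guesses_per_second=1e9):
    """Years to try every candidate at an assumed (not measured) guess rate."""
    seconds = charset_size(pw) ** len(pw) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)

def policy_problems(pw):
    """Checks drawn from tip #1; the three-class minimum is this example's choice."""
    problems = []
    if pw.lower() in COMMON:
        problems.append("commonly used password")
    if len(pw) < 14:
        problems.append("shorter than 14 characters")
    if len(_classes_present(pw)) < 3:
        problems.append("fewer than three character classes")
    if any(pw[i] == pw[i + 1] == pw[i + 2] for i in range(len(pw) - 2)):
        problems.append("repeated run of the same character")
    return problems

if __name__ == "__main__":
    for pw in ["12345678", "password", "I<3rabtinfosec",
               "I love reading about information security"]:
        print(f"{pw!r}: {entropy_bits(pw):.0f} bits, "
              f"{years_to_exhaust(pw):.3g} years, {policy_problems(pw) or 'ok'}")
```

Because the estimate runs locally, a password you actually use never has to be pasted into a third-party website to get the same kind of answer.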
John Readinger

I have noticed that users who have had complex password requirements for years use "keyboard surfing" techniques. If they had to remember their password to write it down, it would be impossible, but hand them a keyboard, and they type it in at light speed. 90 days later, they slightly readjust their pattern, sometimes with an event or date variable. They can remember (or key in) a few years' worth of passwords using this method.
Christine Stagnetto-Sarmiento

Sara,
We do not have 100% security in our network systems. All systems are hackable, but it depends on how the architecture was developed. You must protect by layers and by monitoring, predicting, and protecting the system. Some systems are more hackable than others; therefore, if you are attacked in one layer, it is more difficult for the attacker to use the same tools to attack the other layers (OSI Model). On the other hand, critical infrastructures are constantly attacked (e.g., government, public and private industries). Many people tend to write down a password on paper and leave it in any place. Shoulder surfing has its own attack tactics. The best method is to block everything for administrative staff. It means no chat, no USB, no downloads, no use from any place other than your workplace, Intranet but with restrictions. A warning the first time a password is lost or forgotten; no permission for weak passwords. A second password and the reasons must be required in writing. Train and educate administrative staff, with a clause to be fired in case they do not follow the company's policies. It is one method to cure people - Fire.

I implemented in my workplace strong network security with new strong policies, and included this policy - if you do not follow it, you are fired.

People tend to learn the hard way.
Christine Stagnetto-Sarmiento

John,

I have complex passwords in my workplace, and for credit cards, etc. (all are different). I have all these passwords in my mind. I have never written down my passwords. I think there should be few people who do that. But banks are attacked, and they are supposed to have strong systems. Examples of attacks: Citibank, Bank of America, and other banks. Christine