it.ucsf.edu

Choose the right password

Policy Type: Best Practice

The password you choose can make it easy or hard for malicious people to gain access to your computer account or your password manager.

Bad Passwords

A password is bad when it is:

  • Easy for humans or computers to guess
  • Hard for you to remember

To learn more about bad passwords, see Bad Passwords.

Good Passwords

A password is good when it is:

  • Hard for humans or computers to guess
  • Easy for you to remember

To learn more about good passwords, see Good Passwords.

Choosing a Good Password

Don't use the password examples below. Since they appear on a public web page, a malicious person can easily gather and use them in a dictionary attack against UCSF systems. Use these methods, but create your own passwords.

  1. Use an algorithm. Use a procedure of your own invention to create your password.

    • First Letters of Words in a Sentence: Think of a sentence, then use the first letter of each word or substitute numbers and punctuation appropriately. "The five-and-ten is at Main and Ash Streets" becomes the password T5&10i@M&ASt.s. It's best if it includes uppercase, lowercase, numbers, symbols, and punctuation.
    • First 2 Letters in Trivia: Let's say your favorite song is Madonna's La Isla Bonita, which spent 11 weeks at #1 on the music charts in 1987. Your password could be LaIsBo11#187!. This password is very hard to guess by humans and computers but is easily remembered. In this case, the algorithm is to use the first 2 characters of your favorite song and some related music chart data. Even if you tell everyone you meet that this is your favorite song, it's still very hard for a human to guess this password. Since the password contains no dictionary words and appears to be composed of random characters, it is also very hard for a computer to guess.
    • Pig Latin with a Twist: gewoogulgay is a nonsensical, misspelled, mispronounced, pig latin version of the word Google. This password can be made better by including numbers and symbols. For example, if you first heard about Google in 2001 and you bought stock in the company, your password could be ge$wo2og0ul0ga1y. This looks hard to type, but you can type gewoogulgay first, then reposition the cursor at the beginning with the Home key, then press Right Arrow, Right Arrow alternately with each character in $2001.
  2. Use an image. To help you remember your password, keep an image nearby that will jog your memory. For example, an image of Madonna's La Isla Bonita album cover art can help you remember a password with a Spanish theme or a music theme. Be careful, however, not to choose a password from words directly associated with the image. For example, don't use LaIslaBonita or laislabonita or bonita or Madonna or madonna as your password if this image is nearby or prominent. Keep the image in a locked drawer or in your wallet instead of taped to your computer screen. Write "2" on the back of the image to remind you that it's the first 2 characters of each word in the song title. Don't write your complete password.
  3. Use dice. This very straightforward method involves rolling dice to generate 5-digit numbers which correspond to English words in a Diceware word list. Some people consider the passwords it generates hard to remember. For an introduction, see Wikipedia: Diceware; for instructions, see Diceware.
  4. Use deliberate misspellings or mispronunciations. For example, chawkolit is a phonetic misspelling of chocolate. It's a better password since it doesn't appear in any dictionary. chel-o(pone) is a mispronunciation of the word "telephone" with some random punctuation to increase the complexity of the password.
  5. Use nonsense. The password blu&$&hzPMS can be remembered with the phrase "a blue 747 airplane has premenstrual syndrome." This is an example of shocking nonsense. Things that are nonsensical or absurd can be remembered more easily than logical, ordinary things. This password also uses deliberate misspellings ("blu" and "hz") as well as an added algorithm: use the Shift key when typing numbers.
  6. Use invented words which cannot be found in print or on the web. Be careful to avoid any kind of jargon, which can be documented (as with Urban Dictionary, PseudoDictionary, or Google Directory: Slang). Examples: anistingly (English prefixes and suffixes strung together), celtelmailfax (forms of communication), digdelsur (for "digital delayed surround"). Make these passwords better by applying algorithms or adding random characters: AnIstIngLy (capitalize the first letter of each prefix or suffix), cel!tel@mail#fax (hold the Shift key while typing numbers 1-2-3 between words), dIgdElsUr (capitalize vowels).
  7. Use a password manager to automatically generate good passwords. Some password managers such as KeePass, Password Retriever, and Password Wallet will create and store good passwords for you - no creativity required. Passwords created this way aren't meant to be memorized. Whenever you need the password, open your password manager to retrieve it. The password manager should have a master password created using one of the other methods described above.
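The dice method in item 3 above, written out as a small program. This is an added example, not code from UCSF or from the Diceware project: the word list below is a constructed miniature (a real Diceware list has 7776 entries, one for every five-dice outcome from 11111 to 66666), the function names are this example's own, and Python's standard `secrets` module stands in for physical dice when no scripted roll source is supplied. The entropy function shows why the method is "hard for computers to guess": each word drawn uniformly from 7776 contributes log2(7776), about 12.9 bits, so six words give roughly 77.5 bits regardless of how ordinary the words look.

```python
import math
import secrets
from typing import Callable, Dict, List

# Constructed miniature word list keyed by the 5-digit dice roll. The words
# and the key-to-word pairing are made up for this example and are NOT the
# entries of any published Diceware list; a real list covers all 7776 keys.
SAMPLE_WORDLIST: Dict[str, str] = {
    "11111": "acorn",
    "23456": "cliff",
    "34512": "fog",
    "45623": "lamp",
    "56134": "quilt",
    "61245": "tide",
    "66666": "zebra",
}

DICEWARE_LIST_SIZE = 6 ** 5  # 7776 words in a complete Diceware list


def roll_die_secure() -> int:
    """One fair roll of a six-sided die from the OS CSPRNG (substitute for real dice)."""
    return secrets.randbelow(6) + 1


def scripted_die(rolls: List[int]) -> Callable[[], int]:
    """Replay a fixed sequence of rolls; used only to make the example deterministic."""
    it = iter(rolls)
    return lambda: next(it)


def roll_key(roll_die: Callable[[], int] = roll_die_secure) -> str:
    """Roll five dice and join the pips into the 5-digit lookup key Diceware uses."""
    return "".join(str(roll_die()) for _ in range(5))


def diceware_passphrase(n_words: int,
                        wordlist: Dict[str, str],
                        roll_die: Callable[[], int] = roll_die_secure,
                        sep: str = " ") -> str:
    """Build a passphrase of n_words words, each chosen by an independent 5-dice roll."""
    words = []
    for _ in range(n_words):
        key = roll_key(roll_die)
        if key not in wordlist:
            # Only happens with an incomplete list such as the sample above.
            raise KeyError(f"no word for roll {key}; the word list is incomplete")
        words.append(wordlist[key])
    return sep.join(words)


def passphrase_entropy_bits(n_words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of n words drawn uniformly from a list of list_size entries."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    # Deterministic demonstration against the constructed list.
    die = scripted_die([2, 3, 4, 5, 6, 3, 4, 5, 1, 2, 4, 5, 6, 2, 3])
    print(diceware_passphrase(3, SAMPLE_WORDLIST, die))
    print(f"{passphrase_entropy_bits(6):.1f} bits for six words from a full list")
```

With a complete list, `diceware_passphrase(6, wordlist)` and real or CSPRNG dice give the passphrase; the lookup is the whole method, so the strength comes entirely from the dice, never from the word choice.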

Security Warning: If you use a password algorithm, don't use one which can be easily deduced if one of your passwords is compromised. For example, if your password for Yahoo! is ybaihnogoo ("yahoo" interleaved with "bingo"), anyone who steals the password list at Yahoo! might be able to guess that your PayPal password is pbaiynpgao or pbaiynpgaol.

If the computer system you're using limits password lengths or disallows certain characters, you'll need to truncate or revise your desired password to fit the system's requirements.
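An added example, not UCSF's code or any particular password manager's, of what item 7 and the paragraph above describe: generating a random password the way a manager does and checking it against a target system's limits on length and permitted characters. The `PasswordPolicy` values are constructed placeholders, not UCSF requirements; the generator draws every character from Python's standard `secrets` module and uses rejection sampling, so requiring one character from each class does not skew the distribution.

```python
import math
import secrets
import string
from dataclasses import dataclass
from typing import FrozenSet

# Character classes a system may demand at least one of.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


@dataclass(frozen=True)
class PasswordPolicy:
    """Limits a target system imposes (constructed example values)."""
    max_length: int = 64
    allowed: FrozenSet[str] = frozenset(string.ascii_letters + string.digits + string.punctuation)
    require_classes: bool = True  # one lowercase, uppercase, digit and symbol where allowed


def fits_policy(pw: str, policy: PasswordPolicy) -> bool:
    """True if pw obeys the length limit, the allowed set and the class requirement."""
    if len(pw) > policy.max_length or any(c not in policy.allowed for c in pw):
        return False
    if policy.require_classes:
        # Only classes the system actually permits can be required of the password.
        return all(any(c in cls for c in pw)
                   for cls in CLASSES if set(cls) & policy.allowed)
    return True


def generate_password(length: int, policy: PasswordPolicy) -> str:
    """Uniform random password over the allowed alphabet, truncated to the policy's maximum."""
    alphabet = "".join(sorted(policy.allowed))
    length = min(length, policy.max_length)
    needed = sum(1 for cls in CLASSES if set(cls) & policy.allowed)
    if policy.require_classes and length < needed:
        raise ValueError(f"length {length} cannot hold one character from each of {needed} classes")
    while True:
        # Rejection sampling: every accepted string is equally likely.
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if fits_policy(pw, policy):
            return pw


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Guessing work for a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    default = PasswordPolicy()
    print(generate_password(16, default))
    # A system that allows only letters and digits and caps length at 12.
    strict = PasswordPolicy(max_length=12,
                            allowed=frozenset(string.ascii_letters + string.digits))
    print(generate_password(20, strict), f"({entropy_bits(12, 62):.1f} bits)")
```

Checking a hand-made password with `fits_policy` before you try to set it tells you up front whether the system will reject a symbol or cut the password short.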

After Choosing a Good Password

It's not enough to choose a good password; you must also handle it properly. Good passwords are most effective when used with the password practices described in How to Keep Your Accounts Secure.