it.ucsf.edu

Good passwords

Policy Type

Best Practice

When you choose a password, you are also choosing whether it is easy or hard for malicious attackers to gain access to your account. We say that a password is good when it is:

  • Hard for humans or computers to guess, and
  • Easy for you to remember

Hard for humans or computers to guess

To make a password hard for humans or computers to guess:

  1. Avoid people's names, birthdates, anniversary dates, and any other personal information about you or the people close to you. Because these are frequently used in passwords, they are common starting points for people who know you to gain access to your account.
  2. Avoid dictionary words, meaning words that appear in any dictionary, in any language, in any medium (print or web). Words that appear in dictionaries can be stored electronically, and malicious attackers can program computers to repeatedly guess each word in a dictionary to determine your password. These attempts are called dictionary attacks.
  3. Longer is better. Longer passwords make it harder for dictionary attacks and brute force attacks to succeed. However, some computer systems limit password lengths, so it's not always possible to use the length of password you want.
  4. More randomness is better. The more that your password is composed of random characters, the less likely it will be guessed by humans or computers.
  5. More kinds of characters are better. Use as many different kinds of characters as you can: uppercase letters, lowercase letters, numbers, symbols, punctuation. Note that some computer systems prevent you from using certain characters (/, %, & etc.).
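
As an added example (not part of the original page), the Python sketch below checks a candidate password against the five guidelines above. The sample word list, the look-alike substitutions, the 12-character minimum and the three-kinds threshold are assumptions chosen for illustration.

```python
import math
import string

# Constructed sample word list (assumption); a real check would load a large one.
SAMPLE_DICTIONARY = {"password", "dragon", "sunshine", "welcome", "giants"}
CHAR_KINDS = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": string.punctuation,
}
# Common look-alike substitutions that do not hide a word from a guessing program.
LOOKALIKES = str.maketrans("@4301$5!7", "aaeoissit")

def normalize(text):
    """Lowercase the text and undo look-alike substitutions such as '@' for 'a'."""
    return text.lower().translate(LOOKALIKES)

def check_password(password, personal_info=(), dictionary=SAMPLE_DICTIONARY, min_length=12):
    """Return (findings, bits): guideline violations and a brute-force size estimate."""
    findings = []
    folded = normalize(password)
    # Guideline 1: names, dates and other personal information.
    for item in personal_info:
        if len(item) >= 3 and normalize(item) in folded:
            findings.append(f"contains personal information: {item!r}")
    # Guideline 2: dictionary words, even when disguised with look-alikes.
    for word in sorted(dictionary):
        if len(word) >= 4 and word in folded:
            findings.append(f"contains dictionary word: {word!r}")
    # Guideline 3: longer is better (min_length is an assumed threshold).
    if len(password) < min_length:
        findings.append(f"shorter than {min_length} characters")
    # Guideline 5: count the kinds of characters actually used.
    kinds = [name for name, chars in CHAR_KINDS.items()
             if any(c in chars for c in password)]
    if len(kinds) < 3:
        findings.append(f"only {len(kinds)} kind(s) of characters")
    # Guideline 4: this estimate holds only if every character was chosen at
    # random; any finding above means real guessing effort is far lower.
    alphabet = sum(len(CHAR_KINDS[k]) for k in kinds)
    bits = len(password) * math.log2(alphabet) if alphabet else 0.0
    return findings, round(bits, 1)
```

For "P@ssword2024!" the estimate is about 85 bits, yet the dictionary-word finding shows why that number overstates its strength.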

Easy for you to remember

There are a number of techniques for choosing passwords so that they are easily remembered:

  • Use an algorithm
  • Use an image
  • Use deliberate misspellings or mispronunciations
  • Use nonsense

Alternatively, you can use a password manager to avoid having to remember a lot of passwords. Use a single, memorized master password to access all your unmemorized passwords.

For details about password choosing techniques and password managers, see How to Choose a Password.

How good passwords turn bad

Even good passwords can become bad passwords if they aren't handled correctly.

  • Never share your password
  • Never let others watch while you type your password
  • Log out properly
  • Change your password regularly and never reuse it
  • Store your password securely

For details, see How to Keep Your Accounts Secure.

How to choose a good password

See How to Choose a Password.