Suggestions for Selecting Good Passwords

For the security of SLAC's information systems and for the safety of your own online interactions, it is important to create good passwords and use them safely. A good password is complex enough that it cannot be easily guessed and at the same time easily remembered and entered if used frequently.

Password Strength Basics

Password complexity (or entropy) is a frequent measure of how strong a password is. It is usually measured in terms of how long it would take to "guess" all of the possible combinations that the password could be. It can be affected by both:

• The length of the password.
• The range of characters used in the password.

Prior best practice statements focused more on making sure that multiple types of characters are used in a password (upper case, lower case, numbers, symbols, etc.). Nowadays, longer and easier to type passwords are considered better.

For length, SLAC requires a minimum of 12 characters. Longer passwords are better, with 20 characters being recommended.

Characters available for use is usually limited only by the OS or the application, but letters, numbers, and symbols on a regular keyboard are usually easiest to enter, especially on mobile devices that usually have a more limited keyboard functionality. 

Good Password Source: Passphrases

A passphrase is a good way to make a memorable and complex password by joining together multiple words or sounds to make a long password. A few methods to generate a passphrase are included below. You can use one of these or mix and match. 

Schneier Method

From: Choosing Secure Passwords - Schneier on Security

So if you want your password to be hard to guess, you should choose something that this process [referring to methods hackers will use to intelligently guess passwords] will miss. My advice is to take a sentence and turn it into a password. Something like “This little piggy went to market” might become “tlpWENT2m”. That nine-character password won’t be in anyone’s dictionary. Of course, don’t use this one, because I’ve written about it. Choose your own sentence—something personal.

Here are some examples:

• WIw7,mstmsritt… = When I was seven, my sister threw my stuffed rabbit in the toilet.
• Wow…doestcst = Wow, does that couch smell terrible.
• Ltime@go-inag~faaa! = Long time ago in a galaxy not far away at all.
• uTVM,TPw55 or utvm,tpwstillsecure = Until this very moment, these passwords were still secure.

XKCD Method

Another method for creating a good password is the "XKCD Password" method as illustrated by Randall Monroe in XKCD #936:

[It is highly recommended to modify the method to add numbers, symbols, misspellings, non-English words, etc. as hacking tools have adjusted to guess simple passphrases like these that use only concatenated dictionary words with or without the common replacements (a->4 or @, b->8, e->3, i or l->1, o->0, t->7, etc.)]

Associative array or the object method

Starts with a category name, then at least two members of that category.  Often, the number is added either as a member of one or more of the elements: “Pictures:1rose,2crocus,mountain”.  When using this method, it is important to not use a category that is too easily linked to you personally, even by family members.  Assume the attackers know more about you than your own family.

Pronounceable method

This method involves random syllables rather than words, separated by punctuation: “Bla-Chu-3-Kin-Tho-Fill".  Each syllable chosen is completely random strings that happen to be pronounceable.  Make sure to use enough syllables to fill well beyond the minimum password length.

Good Password Source: Password Manager

Another common source for good passwords is to use a password manager. These programs are designed to protect many passwords in an encrypted manner. Most of these programs also have a method to generate a strong password for you. In most cases the passwords generated will not be easy to enter, but the password manager can enter them for you, particularly in a browser.

Some password managers that you might be familiar with are:

• Dashlane Dashlane Password Manager | University IT (stanford.edu)
• 1password
• KeePass

For any account where multiple people need to know the password, a password manager that allows for controlled sharing is highly recommended. Stanford UIT makes Dashlane Business accounts available for this purpose, but many other password managers support secure sharing. If anyone is removed from access to the account, this allows you to easily change the password and reshare with the remaining team.

Keeping your SLAC passwords safe

To keep your passwords (or other credentials) from being compromised, some guidelines to keep in mind are:

• Use different passwords for each service that you use online and do not use your SLAC password(s) for an outside service.
• Do not write your passwords down or save them outside of a password manager or key vault.
• Do not share your passwords with anyone.
• Watch out for potential phishing, whether it is a text message, email, social media post, etc. SLAC runs periodic drills to raise awareness of the potential to be phished.
• If you are not on a trusted network, consider using the VPN service to prevent a third party from snooping on you.
• Make sure that web sites that you connect to use secure HTTP - Look for the lock.
• If you share scripts, code, or system configuration information online or in a version control repository, make sure that no password/credential information is included. 

Password Recovery Questions

Sites outside of SLAC may use password recovery questions if you forget your password. Unfortunately, many of these systems ask you to enter information that is easy to remember but may also be easy to find out about you from online sources. Using information like this (Make of first car, City where you were born, etc.) is not recommended as either a password or a password recovery answer.