A good password is easy to remember but difficult to guess. It should be easy for you to remember without writing it down and difficult for both people who know you and anonymous password-crackers to guess.
Strong passwords can be easy to remember
A simple way to create a strong but easy-to-remember password is to take a phrase that means something to you and relate each word of the phrase to a corresponding letter, number or symbol. For example, the phrase "I am one happy Princeton University student!" could become the password Im1HPUs!
IMPORTANT - The above password has only been shared as a technique for crafting a strong but easy-to-remember password. You should NOT use Im1HPUs! as your own password, nor should you use any sample password shared in any other password guide. Prospective intruders often review password guides when compiling their lists of passwords to try.
How are passwords commonly exposed?
Writing passwords down, carelessly sharing them with colleagues, leaving them blank or equal to their default values, or making them trivial (e.g., "password", "p", "passwd", "aaaaaa", "123456", "qwerty", your NetID) are the riskiest password practices.
People who know something about you have an inside track toward guessing your password when you use a piece of personal information as your password (e.g., name, office location, birth date, name of a family member, pet name, organization, phone number). Additionally, if you use the same password for Princeton University as you do for any computing service outside of the university (e.g., AOL, Yahoo), your Princeton password could be exposed if their systems are compromised.
A dictionary attack is a method of breaking into a password-protected computer or server by systematically entering every word in the dictionary as a password. Dictionary attacks work on passwords that are simple words. There are also enhanced dictionary attacks that try dictionary words preceded or followed by a number or symbol (such as "3Amigos" or "Apollo7"), or with zeros substituted for the letter "O" and the symbol "@" for the letter "A". These tools exist in virtually every language, so using a non-English word as a password is equally risky. Defeat dictionary attacks with a random combination of numbers, letters, and symbols.
Brute force attacks
When all else fails, determined individuals will execute programs to try all possible password letter, number and symbol combinations. Short (i.e., less than 8 characters), trivial (e.g., “password”) or uniform passwords (e.g., all lower case alpha) can often be broken in seconds while longer, more complex passwords could take months to break.
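The following is an added example (not part of the original guide) of the kind of check a password-quality filter applies at password-set time, covering both the enhanced dictionary attack described above and the brute-force estimate: it strips a leading or trailing number or symbol, reverses the "0 for O, @ for A" substitutions, looks the result up in a wordlist, and sizes the brute-force search space from the character classes used. The six-word wordlist, the substitution table, the guess rate of one billion per second, and the policy thresholds are all assumptions chosen for illustration.

```python
import re
import string
from typing import Optional

# Constructed stand-in for a cracking dictionary (assumption; real filters use large wordlists).
WORDLIST = {"password", "amigos", "apollo", "princeton", "tiger", "secret"}

# Undo the letter-for-symbol substitutions the guide describes (assumed table).
UNLEET = str.maketrans({"0": "o", "@": "a", "3": "e", "1": "i", "$": "s"})

# (regex, alphabet size) for each character class a brute-force search must cover.
CLASSES = [
    (r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10),
    ("[" + re.escape(string.punctuation) + "]", len(string.punctuation)),
]


def dictionary_base(password: str) -> Optional[str]:
    """Return the wordlist entry the password is built from, or None if no match.

    Covers plain words, words with a leading/trailing number or symbol
    ("3Amigos", "Apollo7"), and substituted letters ("P@ssw0rd")."""
    core = password.strip(string.digits + string.punctuation)  # drop affixes
    for candidate in (core, core.translate(UNLEET)):
        if candidate.lower() in WORDLIST:
            return candidate.lower()
    return None


def char_classes(password: str) -> list:
    """Alphabet sizes of the character classes present in the password."""
    return [n for pattern, n in CLASSES if re.search(pattern, password)]


def charset_size(password: str) -> int:
    return sum(char_classes(password))


def keyspace(password: str) -> int:
    """Worst-case number of candidates up to this length over this alphabet."""
    n = charset_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def assess(password: str, guesses_per_second: float = 1e9) -> dict:
    """Policy check: reject dictionary-derived or uniform/short passwords (assumed thresholds)."""
    base = dictionary_base(password)
    days = keyspace(password) / guesses_per_second / 86400
    ok = base is None and len(password) >= 8 and len(char_classes(password)) >= 3
    return {"dictionary_word": base, "brute_force_days": days, "acceptable": ok}


if __name__ == "__main__":
    for pw in ("password", "3Amigos", "P@ssw0rd", "Im1HPUs!"):  # constructed inputs
        print(pw, assess(pw))
```

Run as-is, "password" and "3Amigos" are rejected as dictionary-derived, while the all-lowercase eight-character case exhausts in minutes at the assumed guess rate and the mixed-class example takes on the order of months, matching the guide's rule of thumb.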
Good password practices
- Use different ID and password combinations for different websites
- Avoid sharing passwords
- Change your password regularly
- Avoid writing passwords down, but if you must, mask the password, keep the piece of paper in a safe place and do not include related data, such as your username or the site name.
- Commercially available password management software can keep your passwords in an encrypted, password-protected file. Some products can save the file in the "cloud" allowing users to share passwords among multiple computing and mobile devices. Check with a member of your department's technology support team or the OIT Support and Operations Center Help Desk (8-HELP or firstname.lastname@example.org) to ensure the quality of the product.
Passwords should not be shared. Alternatives to sharing passwords include:
- You can allow someone to review and respond to an email. You can usually delegate access to your email folders under "Account Settings."
- You can collaborate on files and folders. For file sharing, OIT offers shared network folders on the central file server, SharePoint sites, and the Secure File Sharing service. Access to network folders or SharePoint sites can be managed by departmental staff members authorized to administer the shared folders. Once authorized, users can post documents and share them with other authorized users.
- You can retrieve a file for an unavailable staff member. Authorized system administrators can access files on network shares and local hard drives. However, data stored under user profiles should not be accessed without prior authorization from the department manager.