A good password is easy to remember but difficult to guess. It should be easy for you to remember without writing it down and difficult for both people who know you and anonymous password-crackers to guess.
Strong passwords can be easy to remember
How can you create long, strong, unique, and memorable passwords? We recommend you use passphrases, which are a series of random words strung together or even a unique sentence. The more characters a passphrase has, the stronger it will be. Passphrase examples include:
- correct horse battery staple
- Students love to eat ice cream.
IMPORTANT - The above passphrases have been shared as a technique for crafting a strong but easy to remember password. You should NOT use any example passwords/passphrases as your own password.
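As an added illustration (not part of the original page), the following Python shows how a passphrase of the kind described above can be generated from a word list with a cryptographically secure random choice, and how a published example such as "correct horse battery staple" can be rejected before it is accepted as someone's own passphrase. The word list and the example denylist are constructed for the demo; a real Diceware-style list has 7776 words.

```python
import re
import secrets

# Constructed miniature word list for the demo (a real Diceware list has 7776 words).
WORDLIST = [
    "acorn", "bridge", "candle", "dolphin", "ember", "falcon", "garden", "harbor",
    "island", "jacket", "kettle", "lantern", "meadow", "nectar", "orbit", "pepper",
    "quartz", "ribbon", "saddle", "timber", "umbrella", "velvet", "walnut", "yonder",
]

# Published example passphrases that should never be reused as a real password.
KNOWN_EXAMPLES = {
    "correct horse battery staple",
    "students love to eat ice cream",
}


def normalize(phrase: str) -> str:
    """Lowercase, drop punctuation and collapse whitespace so trivial variants compare equal."""
    return " ".join(re.sub(r"[^a-z0-9 ]", "", phrase.lower()).split())


def is_known_example(phrase: str) -> bool:
    """True if the phrase is one of the widely published examples (after normalization)."""
    return normalize(phrase) in KNOWN_EXAMPLES


def generate_passphrase(n_words: int = 4, wordlist=WORDLIST, separator: str = " ") -> str:
    """Pick n_words independently and uniformly using the secrets module (a CSPRNG,
    not random.choice), and retry if the result happens to match a known example."""
    while True:
        phrase = separator.join(secrets.choice(wordlist) for _ in range(n_words))
        if not is_known_example(phrase):
            return phrase


if __name__ == "__main__":
    print(generate_passphrase(5))
```

Each word is chosen with `secrets.choice` rather than `random.choice` because the latter is seeded predictably and is not suitable for password material; the retry loop guarantees the output never equals one of the denylisted examples, however unlikely that is.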
How are passwords commonly exposed?
Writing passwords down, carelessly sharing them with colleagues, leaving them blank or equal to their default values, or making them trivial (e.g., "password", "p", "passwd", "aaaaaa", "123456", "qwerty", your NetID) are the riskiest password practices.
People who know something about you have an inside track toward guessing your password when you use a piece of personal information as your password (e.g., name, office location, birth date, name of a family member, pet name, organization, phone number). Additionally, if you use the same password for Princeton University as you do for any computing service outside of the University, (e.g., AOL, Yahoo), your Princeton password could be exposed if their systems are compromised.
A dictionary attack is a method of breaking into a password-protected computer or server by systematically entering every word in the dictionary as a password. Dictionary attacks work on passwords that are simple words. There are also enhanced dictionary attacks that try dictionary words preceded or followed by a number or symbol, such as "3Amigos" or "Apollo7", or words with zeros substituted for the letter "O" and the symbol "@" for the letter "A". These tools exist in virtually every language, so using a non-English word as a password is equally risky. Defeat dictionary attacks by using a random combination of numbers, letters, and symbols.
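The following Python is an added example, not code from the original page, of the kind of check a password-setting form can run to reject exactly the passwords the paragraph above describes: it undoes the common substitutions (zero for "O", "@" for "A", and so on), strips a leading or trailing number or symbol, and then asks whether what remains is a plain dictionary word. The dictionary here is a constructed handful of words; a real deployment would load a full word list.

```python
import re

# Constructed miniature dictionary for the demo; a real check loads a full word list.
DICTIONARY = {"amigos", "apollo", "password", "princeton", "tiger", "summer", "welcome"}

# Character substitutions that enhanced dictionary attacks undo before comparing.
SUBSTITUTIONS = str.maketrans({
    "0": "o", "@": "a", "$": "s", "1": "l", "3": "e", "!": "i", "5": "s",
})

# Leading or trailing digits/symbols, e.g. the "3" in "3Amigos" or the "7" in "Apollo7".
EDGE_DECORATION = re.compile(r"^[^a-z]+|[^a-z]+$")


def candidate_roots(password: str) -> set:
    """Return the base words a rule-based dictionary attack would reduce the password to."""
    lowered = password.lower()
    forms = {lowered, lowered.translate(SUBSTITUTIONS)}
    # Strip edge decoration from both the raw and the de-substituted form.
    for form in list(forms):
        forms.add(EDGE_DECORATION.sub("", form))
    return forms


def is_dictionary_derived(password: str, dictionary=DICTIONARY) -> bool:
    """True if the password is a dictionary word, possibly disguised by the rules above."""
    return any(root in dictionary for root in candidate_roots(password))


if __name__ == "__main__":
    for candidate in ["3Amigos", "Apollo7", "P@ssw0rd", "Tiger2023", "kettle-orbit-velvet"]:
        verdict = "weak (dictionary-derived)" if is_dictionary_derived(candidate) else "not a single dictionary word"
        print(f"{candidate!r}: {verdict}")
```

Note that passing this check is necessary but not sufficient: a multi-word passphrase is not caught by a single-word lookup, which is why the strength of a passphrase rests on its length and the randomness of the word choice rather than on disguising one word.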
Brute force attacks
When all else fails, determined individuals will execute programs to try all possible password letter, number and symbol combinations. Short (i.e., less than 8 characters), trivial (e.g., "password") or uniform passwords (e.g., all lower case alpha) can often be broken in seconds while longer, more complex passwords could take months to break.
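To make the "seconds versus months" claim concrete, here is an added Python example (not from the original page) that estimates the search space a brute-force program must cover for a given password, based on which character classes it uses and its length, and converts that into an expected cracking time. The guess rate of ten billion guesses per second is an assumption chosen for illustration; the real figure depends entirely on the attacker's hardware and on how the password was hashed.

```python
import string

# Character classes a brute-force program must cover, inferred from the password itself.
CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]

# Constructed assumption for the demo: an offline cracking rig at 1e10 guesses/second.
GUESSES_PER_SECOND = 1e10


def keyspace_for_password(password: str) -> int:
    """(Sum of sizes of the character classes present) raised to the password length."""
    alphabet = sum(len(cls) for cls in CLASSES if any(ch in cls for ch in password))
    return alphabet ** len(password)


def passphrase_keyspace(n_words: int, list_size: int = 7776) -> int:
    """Search space of a passphrase drawn uniformly from a list of list_size words."""
    return list_size ** n_words


def expected_seconds(keyspace: int, rate: float = GUESSES_PER_SECOND) -> float:
    """On average the attacker finds the password halfway through the search space."""
    return keyspace / 2 / rate


def describe(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    units = (("years", 365 * 86400), ("months", 30 * 86400), ("days", 86400),
             ("hours", 3600), ("minutes", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    for pw in ["password", "Pa55word", "Tr0ub4dor&3", "xK9#mQ2$vL7!"]:
        print(f"{pw!r:16} {describe(expected_seconds(keyspace_for_password(pw)))}")
    for n in (4, 6):
        print(f"{n}-word passphrase  {describe(expected_seconds(passphrase_keyspace(n)))}")
```

Running it shows the effect the paragraph describes: an 8-character all-lowercase password falls in about ten seconds at the assumed rate, while adding length and character classes pushes the estimate to years. The passphrase lines show that the same logic applies to word lists, which is why more words (more characters) make a passphrase stronger.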
Good password practices
- Use different ID and password combinations for different websites
- Avoid sharing passwords
- Avoid writing passwords down, but if you must, mask them, keep the piece of paper in a safe place and do not include related data, such as your username or the site name.
- Use an encrypted password manager to store your passwords safely. Princeton has partnered with LastPass to provide students, faculty, and staff with the LastPass password manager.
Avoid sharing passwords. Alternatives to sharing passwords include:
- You can allow someone to review and respond to an email by delegating access. You can usually delegate access to your email folders under "Account Settings."
- You can collaborate on files and folders. For file sharing, OIT offers shared network folders on the central file server, G-Suite, OneDrive, SharePoint sites, and the SecureSend service.
- You can retrieve a file for an unavailable staff member. Authorized system administrators can access files on network shares and local hard drives. However, data stored under user profiles should not be accessed without prior authorization from the department manager.
- If you have no other alternative and need to share a password, do so securely with a password manager like LastPass.