How to Choose a Password

Your passwords are the keys to many things: your bank machine, your computer, your email, a server on a network. Your password helps to prove you are who you say you are, and ensures your privacy. Compromised passwords are the means by which most unauthorized (and devious) people gain access to a system. Someone logging on under your name has access not only to your computer files, but to most of the facilities of the computer system. Since tampering can have far-reaching and serious consequences, it's important to take to heart the following guidelines for choosing a password. How would you lock the front door of your home? With a luggage lock or with a deadbolt?

Never tell anyone your password – not your friends, colleagues, account manager or even your system administrator or Helpdesk -- and don't write it down. Make sure you have chosen a password that you can remember. When you are given a new account, immediately change your password to one that only you know.

Central Login Password Requirements 

To help protect you and your information, we require strong passwords here at UC. First thing to consider when creating a new password are the rules for passwords. Here are the UC Password Rules:

  • Passwords being created or changed must contain:
    • At least one lowercase letter
    • At least one uppercase letter
    • At least one number
  • Must be a minimum length of eight characters
  • Passwords may not contain any form or part of your name or your username
  • The system remembers passwords you have already used, and will not allow you to reuse an old password

General Password Selection Guidelines 

You want to choose something that is easy to remember with a minimum of 8 characters that uses as many of the techniques above as possible. One way to do this is to pick a phrase you will remember, pick all the first or last letters from each word and then substitute some letters with numbers and symbols. You can then apply capitals to some letters (perhaps the first and last, or second to last, etc.) You could also perhaps keep or add punctuation.

Some examples:

Phrase First Letters Password
"So long and thanks for all the fish” slatfatf 5L@tf@tF
“Best Series Ever: Terry Goodkind’s Sword of Truth” bsetgsot B53:tg’Sot
“You Can't Have Everything. Where Would You Put It?” ychewwypi Uch3Wwup1?

 

If you are selecting a password for a website, you may want to incorporate the first few letters of the website name into your password so that every password is different and if one gets out, you don’t have to change them all. This approach has good and bad points.

For example, if you have a standard password like B53:tg’Sot (see above) that you like to use most places (this not recommended), you may modify it by placing the first and last letter of the website around it:

Website Password
www.ebay.com eB53:tg’Soty
www.amazon.com aB53:tg’Sotn
www.webshots.com wB53:tg’Sots

May not want to choose... 

  • Your name in any form -- first, middle, last, maiden, spelled backwards, nickname or initials.
  • Any ID number or User ID in any form, even spelled backwards.
  • Part of your User ID or name.
  • Any common name, e.g., Sue, Joe.
  • The name of a close relative, friend, or pet.
  • Your phone or office number, address, birthday, or anniversary.
  • Acronyms, geographical or product names, and technical terms. 
  • Any all-numeral passwords, e.g., your license-plate number, social-security number.
  • Names from popular culture, e.g., Harry_Potter, Sleepy.
  • A single word either preceded or followed by a digit, a punctuation mark, up arrow, or space.               
  • Words or phrases with all the vowels or white spaces deleted.
  • Words or phrases that do not mix upper and lower case, or do not mix letters or numbers, or do not mix letters and punctuation.
  • Any word that exactly matches a word in a dictionary, forward, reversed, or pluralized, with some or all of the letters capitalized, or with any of the following substitutions:
    • a -> 2, a -> 4, e -> 3, h -> 4, i -> 1, l -> 1, o -> 0, s -> $, s -> 5, z -> 5

Why do I need a complex password? 

If you only use words from a dictionary or a purely numeric password, a hacker only has to try a limited list of possibilities. A hacking program can try the full set in under one minute. If you use the full set of characters and the techniques above, you force a hacker to continue trying every possible combination to find yours. If we assume that the password is 8 characters long, this table shows how many times a hacker may have to before guessing your password. Most password crackers have rules that can try millions of word variants per second, so the more algorithmically complex your password, the better.

Character Sets used in Password Calculation Possible Combinations
Dictionary words (in English):
(It is debatable but lets generously say ~600,000 words)
--- 600,000
Numbers Only 10^8 100,000,000
Lowercase Alpha Set only 26^8 208,827,064,576
Full Alpha Set 52^8 53,459,728,531,456
Full Alpha + Number Set 62^8 218,340,105,584,896
Full Set of allowed printable characters set (10+26+26+19)^8 645,753,531,245,761


The longer your password the more secure. If we take the full set of allowed printable characters set (the last line above) and increase the password length, the possible combinations jump exponentially (odd, considering that the calculation includes exponents...)

  • 8 Characters > 645,753,531,245,761 (645 Trillion) Combinations
  • 9 Characters > 45,848,500,718,449,031 (45 Quadrillion) Combinations
  • 10 Characters > 3,255,243,551,009,881,201 (3 Quintillion) Combinations

When we refer to character sets, they are typically numbers, upper and lowercase letters and a given set of symbols. For example:

Characters Number of Characters
0123456789 10
abcdefghijklmnopqrstuvwxyz 26
ABCDEFGHIJKLMNOPQRSTUVWXY 26
`~!@#$%^&-_=+[{]}. 19
  • University of Cincinnati UCIT Office of Information Security
  • University Hall
  • 51 Goodman Drive
  • Cincinnati, OH 45221