PSFC Password Recommendations

Creating strong passwords

The following suggestions are from the MIT Information Systems & Technology website

• Longer passwords are better passwords. The more characters a password cracking program has to crunch, the harder it is to guess. A 12-character password can take 200 years to crack, an 8-character password might only take a few hours.
• A random mix of alphabetical, numeric and symbolic characters. - the more "random" your password, the stronger.
• Alternatively, we recommend using a passphrase instead of a password for better security.

Use a passphrase (PSFC Recommended for best security)

A common method for securing a password is to use a passphrase instead of a password. A passphrase is basically just a sentence, including spaces, that you employ instead of a single pass "word." Passphrases should be at least 12 to 25 characters in length (spaces count as characters), but no less. Longer is better because, though passphrases look simple, the increased length provides so many possible permutations that a standard password-cracking program will not be effective. It is always a good thing to disguise that simplicity by throwing in elements of weirdness, nonsense, or randomness. Here, for example, are a couple passphrase candidates:

pizza with crispy spaniels
mangled persimmon therapy

Punctuate and capitalize your phrase:

Pizza with crispy Spaniels!
mangled Persimmon Therapy?

Toss in a few numbers or symbols from the top row of the keyboard, plus some deliberately misspelled words, and you'll create an almost unguessable key to your account:

Pizza w/ 6 krispy Spaniels!
mangl3d Persimmon Th3rapy?

Passphrase hints

Your passphrase should never contain information that would identify you personally, such as Social Security numbers, telephone numbers, credit card numbers, birth dates, or your PSFC username. Instead, rely on a phrase that has enough meaning to you that you'll remember it easily--then mix it up.

Try to avoid phrases composed of common, smaller words. For example, "My dog has long toes," though long enough to be a decent passphrase, contains so many small words that a password cracking program might have a better chance of deciphering it. However, "Provincetown is crowded in August!" or "Revere Beach parking is full!" are both acceptable, and easy to remember.

Note: Do not adopt any of the sample passphrases shown above as your own PSFC passphrase. They are, for obvious reasons, no longer secure choices for passphrases.

Other suggestions

• Remove all the vowels from a short phrase in order to create a "word."
  Example: llctsrgry ("All cats are gray")
• Use an acronym: choose the first or second letter of your favorite quotation.
  Example: itsotfitd ("It's the size of the fight in the dog")
• Mix letters and non-letters in your passwords. (Non-letters include numbers and all punctuation characters on the keyboard.)
• Transform a phrase by using numbers or punctuation.
  Examples: Idh82go (I'd hate to go), UR1drful (you are wonderful).
• Avoid choosing a password that spells a word. But, if you must, then:
  • Introduce "silent" characters into the word. Example: va7ni9lla
  • Deliberately misspell the word or phrase. Example: choklutt
  • Choose a word that is not composed of smaller words.
• Add random capitalization to your passwords. Capitalize any but the first letter.
• Long word and number combinations. For example, take four words, and put some numbers between them: stiff3open92research12closer
• An acronym for your favorite saying, or a song you like.
  Example: GykoR-66 (Get your kicks on Route 66) or L!isn! (Live! It's Saturday Night!).
• An easily pronounced nonsense word with some non-letters inside.
  Example: slaRoo@Bey or klobinga-dezmin.
• Change your password at least once a year. Better yet, change your password every few months to shrink your exposure window. You can make three or four passwords if you like, then switch them throughout the year.
• Don't use the same password on multiple accounts. When one site is compromised, hackers try to use those passwords to access accounts on other sites. Don't let one break-in give hackers access to all your accounts.

Are password managers a good idea?

Yes, as long as you have a strong password protecting all your passwords in your password manager. Most password managers use encryption. If you use a browser-based password manager such as LastPass, you don't have to remember each individual password for your online accounts, but you do need to remember your master password. Be sure to change that master password regularly. Other options for password managers are 1Password, Dashlane, KeePass and RoboForm, among others. The basic versions of these are free. It is very important to enable Two-factor Authentication in your password manager so that a breach of the master password itself cannot provide an adversary access to your password list.