Good vs. Bad Passwords

While the example given in this site's introduction is admittedly an extreme, it serves to illustrate a very important point: protecting your password is your responsibility; no one else can do that for you.

A bad password is one that does not keep unauthorized users out of the system. Examples of bad passwords include (but are certainly not limited to) any name, birthday, SSN, driver’s license, number, pattern, course number or trivial combination of the above.

In this document, we focus on empowering users to choose good passwords rather than giving an abundance of examples of bad ones.  Over the last several years, security experts have weighted the pros and cons of the tradeoff between security and convenience.  Several ideas have emerged that help a user choose a password that is both easy (for them) to remember and hard (for bad guys) to guess.  TRG encourages users to adopt a policy we’ve called “obfuscated phrase passwords.”  Don’t panic – they’re not nearly as hard to understand as the name might imply.

To generate an obfuscated phrase password, simply follow the steps below.

1. Begin by picking a somewhat lengthy phrase that means something to you, but is not necessarily very widely known.  For this example, let’s choose a line from Lewis Carroll’s Alice in Wonderland: “Then it doesn’t matter which way you go,” said the cat.
2. Next, take the first letter of each word in the phrase, and connect them all together: tidmwwygstc.
3. Replace some of the letters with numbers or symbols that look similar.  For example, replace an “i" with the number one, an “o” with the number zero, an “l” (ell) with an exclamation point, an “a” with an at sign, an “s” with a dollar sign, etc.  If your computer makes it easy to type unusual characters (like the cents - ¢ - character), these can make passwords harder to guess.  Keep in mind that it may limit the types of computers you can login from.  Continuing our example, this gives us the following: t1dmwwyg$t¢.
4. Choose a few of the remaining lower case letters, and convert them to upper case.  For this example, we’ll choose the letters D and Y.  This gives us the following password: t1DmwwYg$t¢.

Once you have typed it a few times, the resulting password (t1DmwwYg$t¢) is one that is both relatively easy for you to remember, and hard for anyone else to guess.  It should be noted that the above password would be a good password, except for the fact that it has appeared in this document – it is now a very bad one.