The wisdom is simple; a strong password is a long password (and more rhyming fun later in the post). That’s why, from February 24 2016, new ITS passwords created must be ten characters or more. Currently, Sussex ITS passwords have to be exactly eight characters long but we’ve been trialling ten character passwords and we’ve made sure that all our systems can now accept them.
- are case sensitive
- need to contain one character which isn’t a letter (a number, a space or any of these accepted characters)
How to make a strong password
It’s long been recommended that a good strong password involves some clever substitutions of letters for non-alphabetical characters and mixing up large and small letters, meaning, for instance that ‘password’ could be come P@55W0rD. However, with the clever hacking programs that exist out there nowadays (apparently) this sort of password can be, in fact, extremely easily figured out. Software, for example, could run millions of tests for a password in a second, speeding its way through normal dictionary words and substituting letters for their oft-used non-alphabetic counterparts.
Now it’s recommended that you use a nice long password of completely unconnected words. This is much, much harder for hackers’ software to chance upon, and it should be easier to remember.
If you want to give this way of concocting a password a go but you’re struggling to come up with some memorable words, there are a couple of ways to generate some nonsense streams for yourself. One way is to look at a picture and use the first four words that come to mind. For more randomness, use Flickr’s interesting images from the last 7 days (randomly selected, high rated images) and use four words that picture inspires. A nice picture of the Chicago skyline gave me Chicago tall white centre which, according to this handy password strength checker is a “very strong” password with a rating of 92%. Stick a random number on the end and that goes up to 100%.
Alternatively, someone’s realised that we’re really, really good at remembering rhyming phrases (I bet you can all remember what year Columbus sailed the ocean blue in). Marjan Ghazvininejad and Kevin Knight are two clever scientists who have worked out that while the above correct horse battery staple idea is good, a 60-bit password is better – simply as software is getting better and better and faster and faster at cracking passwords – but potentially difficult to remember. Based in the Department of Computer Science and the University of Southern California, they wrote a whole paper on the subject. Not only that, they made a website that generates a random little poem for you, one which creates a 60-bit password. And not only that, but it’s helpfully in iambic pentameter – the most memorable rhythm, apparently. Have a go.
Again, I had a go. I couldn’t not. I can’t actually share with you the first poem generated, because it contains such a delightful coupling of words that it has instantly become my go-to password. Sorry. But some of the next (yes, you will generate multiple password poems because it’s too fun not to) were good, and, endorsed by afore-used passwordmeter.com, they would make very strong password poems.
SO pleasingly, one of my randomly generated poems went as follows (I added my own punctuation):
Professor, married, celebrates;
Unwanted striding emanates.
I can see the prof in my head – he has tweed trousers and his hands are in his pockets, despite his jubilation.
One pitfall of these poetic passwords is that for some purposes, they’re going to be too long. Some password-box designers will have set the character limit to less than these couplets allow. Never mind; modify. For this case, Prof,Married, alone has a strength score of 97%, so consider a truncated version for variation.
Keeping your password safe
I don’t need to tell you this, but don’t use the same password for multiple sites, however tempting it is. Instead, consider a password manager app like LastPass, KeePass and 1Password. The idea of having all your passwords behind one master password often rings alarm bells, but on balance it’s much safer than using one password for many different accounts here, there and everywhere.
Don’t let your password manager be your desk drawer or your diary; don’t write your passwords down and store them “somewhere safe.” We store your passwords very securely; you should too.
If you ever get an email purporting to be from ITS asking you to enter your password, don’t. We’d never do that. It’s yours, and we’ll never ask you for it.