DO’S |
DONT’S
|
- DO
use a password with mixed-case letters. Use uppercase letters throughout the password.
|
|
- DO
use a password that contains alphanumeric characters and include punctuation, where
supported by the operating system.
|
- DO
NOT use your first, middle or last name or anyone else’s in any form. Do not use your
initials or any nicknames you may have or anyone else’s.
|
- DO
use a password with mixed-case letters. Do not just capitalize the first letter, but add
uppercase letters throughout the password.
|
- DO
NOT use a word contained in English or foreign dictionaries, spelling lists, or other word
lists and abbreviations.
|
- DO
use at least eight characters, ten characters for More secure.
|
- DO
NOT use other information easily obtained about you. This includes pet names, license
plate numbers, telephone numbers, identification numbers, the brand of your automobile,
the name of the street you live on, and so on. Such passwords are very easily guessed by
someone who knows the user.
|
- DO
use a seemingly random selection of letters and numbers.
|
- DO
NOT use a password of all numbers, or a password composed of alphabet characters. Mix
numbers and letters.
|
- DO
use a password that can be typed quickly, without having to look at the keyboard. This
makes it harder for someone to steal your password by looking at your keyboard (also known
as "shoulder surfing").
|
- DO
NOT use dates e.g., September, SEPT1999 or any combination thereof.
-
Avoid dictionary words in any language. Criminals use sophisticated tools that can rapidly guess passwords that are based on words in multiple dictionaries, including words spelled backwards, common misspellings, and substitutions. This includes all sorts of profanity and any word you would not say in front of your children.
|
- DO
change passwords regularly. The more critical an account to network integrity (such as
root on a Unix host or Administrator on Windows OS/Server), the more frequently the password
should be changed. This change stops someone who has already compromised an account from
continued access.
|
- DO
NOT use keyboard sequences, e.g., qwerty.
Avoid sequences or repeated characters. "12345678," "222222," "abcdefg," or adjacent letters on your keyboard
do not help make secure passwords.
-
Avoid using only look-alike substitutions of numbers or symbols. Criminals and other malicious users who know enough to try and crack your password will not be fooled by common look-alike replacements, such as to replace an 'i' with a '1' or an 'a' with '@' as in "M1cr0$0ft" or "P@ssw0rd". But these substitutions can be effective when combined with other measures, such as length, misspellings, or variations in case, to improve the strength of your password.
|
-
Do not type passwords on computers that you do not control. Computers such as those in Internet cafés, computer labs, shared systems, kiosk systems, conferences, and airport lounges should be considered unsafe for any personal use other than anonymous Internet browsing. Do not use these computers to check online e-mail, chat rooms, bank balances, business mail, or any other account that requires a user name and password. Criminals can purchase keystroke logging devices for very little money and they take only a few moments to install. These devices let malicious users harvest all the information typed on a computer from across the Internet—your passwords and pass phrases are worth as much as the information that they protect.
|
- DO
NOT use a sample password, no matter how good, that you’ve gotten from a book that
discusses information and computer security.
|
|
- DO
NOT use any of the above things spelled backwards, or in caps, or otherwise disguised.
|
|
- DO
NOT write a password on sticky notes, desk blotters, calendars, or store it online where
it can be accessed by others.
|
|
- DO
NOT use shared accounts. Accountability for group access is extremely difficult.
|
|
- DO
NOT reveal a password to anyone.
|