A Stronger Password

Guidelines

In order to protect your personal electronic data, setting a strong password is vitally important. Below are the guidelines to set a strong password:

●

Password minimum length

Set your passwords at least eight characters composed of random letters, digits and punctuation (for examples #, $, % and spaces) and;

●

Composition

A good rule of thumb is never use dictionary words and personal related information such as name, the NetID, birthday date, telephone number, HKID and user ID, etc.

●

Reuse of passwords

Use different sets of passwords in different systems for examples mix upper and lower case letters; mix letters and numbers; include non-alphanumeric characters and;

●

Password aging

You should change your password regularly such as in every 180 days.

Safeguard Your Password

Always remember the following tips to protect your password:

DON'T

Use strong password.

Change password frequently, e.g. 180 days.

Change the default or initial password the first time you login.

Log off when finished using terminals or PCs in public areas.

Beware of shoulder surfing.

Don’t use dictionary words and personal related information as login name or password.

Don’t place your password conspicuously.

Don’t tell your passwords to other people.

Don’t store your password on any media unless it’s protected from unauthorized access.

Don’t use the same password for everything.

Don’t reuse recently used password.

Avoid using the “remember your password” feature.

Examples

Examples of strong passwords:

A combination of several words that aren't themselves a word interspersed with special characters (e.g., !4scOrE&sDayNYeaRs_ag0)

A word with digits of a memorable date sprinkled inside it (e.g., vacation -> 0vac2a0t9io19ln99)

Examples of weak passwords:

Use of repeated numbers, characters or sequences such as 12345678, bbbbbbbb, or 33333333

Use of words in dictionary such as the word "password"

Use of personal related information HKID such as "Y6754815"

Examples of how to set up a strong password:

Use a memorable word – it can even be a dictionary word or name but move the hands up a row from the home row on the keyboard when typing it. This way, “GoFishing” would become “T9R8wy8ht”. This technique would be most usable by touch-typists.

Create a passphrase and use the first letter of each word. The phrase "Now is the time for all good persons ..."would yield the password "NittfaGp". Since our rules required still more complexity, I suggested putting a punctuation character in front – "!" for example, to make it "!Nittfagp".

Transform words using by substituting characters for letters - @ or ^ for "a", $ for "s", 3 for "e". The word "Geekspeak" might become "G33k$p3^k."

Do the unexpected with characters and numbers and put them at the beginning or middle of a password instead of the end. LC3 can vary 1-3 appended characters as part of a hybrid attack. LC4 added the ability to work with prepended characters but the cracking process is much, much slower.

Fact

The purpose to set a strong password is to minimize the potential risk of unauthorized access to important data and use of computing resources. The table below can give you some idea of how long it takes to crack different passwords. From there, you can see that it takes 24.2 days to crack a 8-characters password in pure lower case letters and it takes 17 year to crack a 8-characters password in mixed characters. You can see the importance of setting a strong password:

	Total Number of Characters from Which Password is Selected
Number of Characters in Password	26 (lower case letters only - abc)	36 (lower case letters plus numbers - abc123)	52 (upper and lower case letters - AaBbCc)
5	1.98 minutes	10.1 minutes	1.06 hours
6	51.5 minutes	3.74 hours	13.7 days
7	22.3 hours	9.07 days	3.91 months
8	24.2 days	10.7 months	17.0 years
9	1.72 years	32.2 years	8.82 centuries
10	44.8 years	1.16 millennia	45.8 millennia
11	11.6 centuries	41.7 millennia	2,384 millennia
12	30.3 millennia	1,503 millennia	123,946 millennia