Columbia University in the City of New York
  1. CRF Home

Choosing A Password

Choosing a Password Basic passwords are the foundation of most security today because they authenticate a user to a service. It is important to choose a password that is easy to remember, but difficult to guess. Because most security is based on having a correct password, a ‘weak’ password can be computationally guessed in less than a second and compromise a whole system (potentially affecting many more people than just yourself). Below are some common guidelines.

  • Make sure the password is long (more than 8 characters). Longer passwords are harder to guess.
  • Do not use personal data (names, pets, loved ones, HAM radio call letters, dates, SSN, phone #’s)
  • Mix case (use both upper and lower case letters).
  • Do not use any word found in a dictionary (this cannot be stressed enough).
  • Mix in numbers.
  • Mix in special symbols (&,*%$!@#)({}][). Some systems will not allow certain of these.
  • Weak passwords have low entropy (most characters in it belong to a similar class). Good passwords have high entropy.
  • Do not write your password down.
  • Do not tell anyone your password. You took a long time coming up with it. It’s special – it’s yours. A surprising number of passwords aren’t guessed – they are asked for and given.
  • Change your password if you suspect your account has been compromised.
  • Change your password at a good interval (every 6 months). Some systems force you to.
  • If you log into a remote server, it often tells you the last time you logged in and the IP address you logged in from. Check this information frequently.
  • Remember your password! (use a mnemonic)

There is an additional caveat to choose a different password for every account you have. For most people, this recommendation just isn’t feasible. You have too much to remember already. There are some attempts at compromise listed below.

Additional Information:

Basic passwords are the essential basis of most security systems and software today. There are other stronger forms of authentication, and some alternative ways to store your many passwords so you do not forget them. Much research has shown how dangerous so-called ‘weak’ passwords are, and the remarkable number of weak passwords still chosen.

Stronger Authentication

The authentication process is all about identifying a subject so you can trust them with certain privilages. So, alternate forms of authentication seek to identify a subject without using a traditional password. So-called “smart cards” extend the basic authentication process by adding something you have (the card) to who you are(username) and something you know (password). Other authentication methods involve biometric identification – fingerprints, voiceprints, face recognition. Bruce Schneier points out that biometric authentication schemes have a subtle flaw (besides including some amount of uncertainty) – if compromised, the authentication cannot be changed. This means that if someone stole your thumbprint (or thumb) thumbprint identification would no longer work for you, because it could not uniquely identify you. Finally, some encrypted challenge-response protocols attempt to authenticate both the client and server to each other (rather than the usual case of client to server).

Alternative Ways to Store Passwords (attempt at compromise)

Users are often told to never write down their password, but to make it as convoluted as possible. It is next to impossible to immediately remember a good password. And usually, users become used to typing the password as a combination of keystrokes rather than any concious thought pattern to reproduce the password. Since good passwords are not easily remembered, it (contrary to popular advice) may be easy enough to write down your password and stick it in your wallet. You should definitly never stick it under the keyboard or on your monitor. The advantage of having it in your wallet is easily realized because wallets are seldom left unattended.

A digital scheme similar to this “wallet-storage” method is to encrypt all your account names, passwords, and authentication tokens in some single database on your handheld device that can be examined with a single username and password pair. This is similar to the single sign on mechanism described below. Critics of this approach say that all your authentication mechanisms are then reduced to that single password. It’s a tradeoff. Good luck choosing… (see http://www.zetetic.net/products.html for more information on such a system).

Single Sign On

Since both research and practical experience indicate that having ordinary users remember many different account names and passwords interferes with their productivity, many organizations have gone through a major effort to implement single sign-on technology, whereby one system-wide username and password grant the user access to all the systems the user needs to access. Some application servers (e.g., Tomcat) also implement an optional single-sign on mechanism.

Research on Passwords

Passwords are unequivocally the most pervasive authentication mechanism in use. The subject of password choosing and guessing has been the focus of a number of research projects. Most notably, in 1979, Morris and Thompson found that about 86% of the passwords they surveyed could be guessed in a week’s worth of computer time. More recently, Klein (1990) found that 21% could be guessed in a week. Spafford (1992) found that the average length of a password was 6.8 characters and about 30% were all lowercase. These results indicate that passwords, as currently used, provide a very false sense of security. All an attacker needs is one account.

The New Security Paradigms Workshop last year included several papers and studies that focused on current password trends and proposed new mechanisms for passwords. The website is here and you can find the papers in the conference journal at the ACM digital library (linked from this page).