"/>
Your password must be at least eight characters in length, must include both upper and lower-case letters, and must include at least one non-alphabetic character, or the system will refuse to accept it. For security purposes, a good password should not be a word in any language or a simple modification of a word (e.g. an English word spelled backwards): tYg^O3@b is a nice example (but please don't use it!). (There's a discussion below of what makes a password a good one and why.)
Our system requires you to change your password every 180 days. This is a standard security measure: someone who has managed to obtain the encrypted password file might run a cracking program on it and, after several months, obtain a match for even a relatively good password.
One way to devise a password that's easy to remember but hard to crack is to use the first letters of the words in a phrase, with a little extra modification to introduce changed case and non-alphabetic characters. Take this familiar quote, with an attribution:
The unexamined life is not worth living: Socrates

Taking the first letter of each word, and including the colon, gives the password "Tulinwl:S". Similarly,

Concepts without Intuitions are empty; Intuitions without Concepts are blind

(with German-style capitalization) gives "CwIae;IwCab". And

I think; therefore, I exist.

gives "It;t,Ie." (including the period at the end). Of course, these are examples that you should not use; make up your own.
A good password is one that is difficult to guess but reasonably easy for you to remember. Difficulty, in a case like this, is measured by how many possibilities one would have to try in order to be sure of guessing it. For instance, if passwords were numeric and consisted of just two digits, there would be only 100 distinct passwords, and any password could be guessed in at most 100 tries. Allowing more possible characters makes guessing harder: two-character passwords that include both letters and numbers provide 36×36 = 1296 possibilities; add upper- and lower-case letters, and this becomes 62×62 = 3844. With 3844 possibilities to try instead of 100, guessing would typically take nearly 40 times as long. But this is the sort of thing computers are extremely fast at; to foil a password cracker, you need far more possibilities. If, on the other hand, we use an alphabet of 10 digits, 52 letters (both upper and lower case), and 32 punctuation symbols, there are about 6,095,689,000,000,000 possible eight-character passwords. Even for a computer, the time to try that many combinations is enormous.
One thing to keep in mind is this: it's enormously easier for someone to guess your password if it's an actual English (or Spanish or French or German, etc.) word. This makes it possible for the intruder to do what's called a "dictionary crack". Here's why it's easier. There are about 32,000 distinct English words. That is enormously smaller than the number of 8-character passwords given above. Even using mixed-case English words (e.g. 'PassWoRD') gives you only about 8,000,000 passwords. That may sound like a lot, but there are 750 million times as many possible 8-character passwords that aren't words. Even for a computer, that is a huge difference.
How long it takes to guess passwords
| For passwords consisting of... | there are this many possibilities | Time to crack at 1000 tries/second |
|---|---|---|
| English words | 32,000 | 32 seconds |
| English words, with mixed upper/lower case | 8,192,000 | 2.27 hours |
| All upper-case letters | 208,827,000 | 58 hours |
| Upper-case letters plus numbers | 2,821,109,000,000 | 89.4 years |
| Mixed-case letters | 53,459,720,000,000 | 1694 years |
| Mixed-case letters and numbers | 218,340,100,000,000 | 6918 years |
| Mixed-case letters, numbers, and 32 punctuation symbols | 6,095,689,000,000,000 | 193,164 years |
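The arithmetic behind the table, the password rule stated at the top of this page, and the first-letters-of-a-phrase method can all be checked with a short script. This is an added example, not part of the original page; the alphabet sizes (10 digits, 26 upper, 26 lower, 32 punctuation), the 32,000-word estimate and the 1000 tries/second rate are the page's own figures, and the function names are ours.

```python
import string

# Alphabet sizes used on the page: 10 digits, 26 upper, 26 lower, 32 punctuation.
DIGITS, UPPER, LOWER, PUNCT = 10, 26, 26, 32
ENGLISH_WORDS = 32_000  # the page's estimate of distinct English words


def keyspace(alphabet_size: int, length: int = 8) -> int:
    """Distinct passwords of exactly `length` characters drawn from the alphabet."""
    return alphabet_size ** length


def dictionary_keyspace(words: int = ENGLISH_WORDS, length: int = 8) -> int:
    """Dictionary words with every upper/lower-case variant of each letter (2 per letter)."""
    return words * 2 ** length


def crack_time(possibilities: int, tries_per_second: float = 1000.0) -> tuple:
    """Worst-case time to exhaust a keyspace, expressed in the largest unit that fits."""
    seconds = possibilities / tries_per_second
    for unit, size in (("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return round(seconds / size, 1), unit
    return round(seconds, 1), "seconds"


def meets_policy(password: str) -> bool:
    """The page's rule: 8+ characters, upper and lower case, at least one non-alphabetic."""
    return (len(password) >= 8
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(not c.isalpha() for c in password))


def passphrase_initials(phrase: str) -> str:
    """First letter of each word, keeping punctuation attached to the end of a word."""
    out = []
    for word in phrase.split():
        core = word.rstrip(string.punctuation)
        out.append(word if not core else core[0] + word[len(core):])
    return "".join(out)


if __name__ == "__main__":
    rows = (("upper-case", UPPER), ("upper + digits", UPPER + DIGITS),
            ("mixed case", UPPER + LOWER), ("mixed + digits", UPPER + LOWER + DIGITS),
            ("mixed + digits + punct", UPPER + LOWER + DIGITS + PUNCT))
    for label, size in rows:
        n = keyspace(size)
        print(f"{label:24} {n:>22,}  {' '.join(map(str, crack_time(n)))}")
    print(passphrase_initials("The unexamined life is not worth living: Socrates"))
```

Running it reproduces the table rows from the alphabet sizes alone, so any row can be rechecked by changing the size or the guess rate.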