Practical Advice On Choosing Good Passwords

This is Part Three in my many part series on IT Security In Libraries. In Part One I tried to lay the foundation for security. Last time we talked privacy, and today it's passwords.

A comment on an LISNews post from last week asked me about passwords. It seems like such simple, obvious topic, but when you stop and think about it, passwords are difficult, and a good answer does indeed take 1,399 words.

Do you always use unique passwords? Are those passwords always "strong"? Does your library's web presence require strong passwords for all users? Do you have password recommendation clearly posted on your web resources for your users? What makes a good password? Are complex passwords the most secure? Is it uniqueness? Is length the most important thing in a password? I'll start by saying the single most important thing is uniqueness, never reuse a password on everything.

Password Reuse

Using the same password for everything is THE WORST thing you can do. If you learn just one thing from this post make sure it's password reuse is dangerous. Doing this will allow anyone who gets your password from an insecure site (and the chances of this happening are probably higher than you'd think) to use it elsewhere. Your password could have been taken from any number of large data breaches and you'd never know it. When these big hacks happen the only thing saving you from becoming an easy target is having a unique password. It's easy for a hacker to use your email address and password taken from a site like Gawker and use it as a starting point to cause some serious trouble.

How Did They Get Those Passwords?
So you probably wonder about how people are going to get your passwords. It's rather easy for a talented hacker, and even easier to use automated tools to scan thousands of sites looking for vulnerabilities that would allow anyone with time to get your password from a site with a hole. Those usernames/passwords can then be sold to the highest bidder.
1. Ask: aka. Social engineering. They'll just call the helpdesk and ask to have it reset.
2. Guess. Have your birthday on Facebook, your pet's first name? That may just be enough.
3. Bruteforce. It's trivial to have something that can guess millions of possible passwords in no time. (Your websites should never allow brute force attacks.)
4. Dictionary. Passwords follow predictable patterns and those are always tried first.
5. SQL Injections and other common vulnerabilities in websites.

What Makes A Good Password?
So what makes a good password? In short, length and complexity. If you think about it, a password is really weak security. If you're in charge of setting the password policy for your library, you have decisions to make. Should you force people to use complex and unique passwords? Anytime you change up security policies people will look for ways around it. Enforcing strong passwords is no exception. Even when your users are forced to use "good" passwords, they'll do something like choose all the characters on the left side of the keyboard. They will turn the seemingly secure restrictions into EASY passwords and make your network even LESS secure. Somehow your new security policy just made everyone's password easier to guess. Those passwords are not strong and can be easily bruteforced/rainbowed/dictionaried because they are commonly used and will be guessed first in an automated attack. A truly strong password is darn hard to remember and that's the problem for all of use with more than a few passwords.

What makes a bad password?
We have interesting stats on passwords thanks to some major hacks. In short, people choose bad passwords. They choose passwords that are short, all lower case, not random, they're in the dictionary, they have no special characters, they're found in password dictionaries, and worst of all, they'll reuse the same password again and again across sites. That stats link has 3 interesting conculsions:
1. Passwords are inspired by words of personal significance or other memorable patterns.
2. Attempts to obfuscate or strengthen passwords usually follow predictable patterns.
3. Truly random passwords are all but non-existent – they’re less than 1% of the data set.
Don't use any part of your username in your password. Don't use any members of your family's names. Avoid keyboard sequences, any real words, any real words with just a number tacked on either end, or any real word, just reversed.

Should You Change All Your Passwords Every 3 Months?
Before I cover some recommendations, I'll ask, how often do you change your password? Is changing your passwords every 3 months a good idea? Is forcing your users to change their password every so often a good idea? I'll stick my neck out and say, in general, no, changing your passwords every so often isn't going to help things, with one exception: network or server logins. Network and server passwords should probably be changed every so often. I'll explain why by first explaining why other things probably won't matter. Say for example your bank... Your money is gone if anyone gets your password, you'll notice that right away. You'll only need to be change that one if it's taken along w/ all your money. Your email? Chances are good if someone gets your email password they'll start causing trouble right away. Hopefully you'll be able to change it back and lock them out. In general: you don't need to regularly change the passwords you use, UNLESS it's to something like a network or a web server. The bad guys can just sit and wait once they've gotten into your network or your web server. They don't need to do anything that will be instantly obvious like an empty back account. It may be good practice to change those types of passwords on a regular basis.

But I Can't Remember All My Passwords!
If you're like most people you probably have user accounts on what seems like an infinite number of sites. This makes using a unique password for each site next to impossible. PC Magazine recently did a nice round up of some of the many tools that can help you with this. If all that seems like too much, at the very least, have one easy to remember password for most common and unimportant websites. Then have a second password for things like facebook and twitter or other somewhat more important sites. Then have a third good solid password for banks & other super important things. If you have the same password for your network login at work and your account on LISNews, you're doing it wrong. There are entire classes of websites for which you should simply pretend that your password is already public because you just shouldn't trust them. You may also want to use a passwordcard, another simple idea to help you remember your passwords. Also, check out Diceware, Diceware™ is a method for picking passphrases that uses dice to select words at random from a special list called the Diceware Word List. Something similar, “Off The Grid” (

Choosing A Good Password
Passwords don't necessarily need to be hard. Pick a good memorization strategy, pick a good password, and you'll be on your way to being more secure.
Choose NON obvious, NON dictionary passwords. If we assume someone has time to just sit and guess your password on a system, they will check common passwords first, then they check a dictionary. Since they don't know your passwords, they look for the easiest guesses first. Given enough time, and if they are persistent enough, they will just start throwing every possible combination of letters, and then numbers, and then letters and numbers, and so on. So after using things that aren't common, the most important thing is length. There's no different between a simple long password as a complex long one as far as guessing goes. So start with an easy to remember password, then pad it with something else easy to remember. So get your own password and pad it. But don't just use Password1 as this is easily guessed, and don't pad by easily guessed numbers. The password plus padding shouldn't be easily guessed or obvious. E.g. most common (therefore easily guessed) padding is done by adding a 1,2,3,4 at the end of some word. This increase in length and complexity defends against Brute Forcing. We get protection by adding more digits because they need to guess every possible combination of everything up to that length, each digit adds A LOT of time required. If you use special characters and upper/lower case you add even more time because they know most passwords are all lower case numbers. Some places will allow the use of spaces in your password, which gives you the opportunity to use a pass phrase e.g. Correct Horse Battery Staple.

Simple Things Make a Good Strong Password
At least 1 Uppercase
At least 1 Lowercase
At least 1 Number (And don't put those numbers on the end)
At least 1 Something else (*%[email protected]!-+=)
Make it as long as you can

Are complex passwords better? Well, maybe. Longer passwords are better, no doubt. If we knew exactly what each password was defending against, we would know what kind of password to choose. You have no idea how your passwords are stored or shared. Given enough time any captured password can be broken. Remember, we don't know HOW people are going to get your password. Given enough time and resources any password can be guessed. BUT, that is no excuse to not use a good password, because chances are good no one will have the time and resources to crack a good password.

One more random piece of password changing advice, if you break up with someone who knew your passwords, change them all.


I recently migrated about a dozen small libraries from one email server to another and I needed all the passwords to make this happen. It was interesting to see how these different libraries handled passwords. Every library clearly had different approaches to passwords. One library had every email address use the same password. Most of them just had rather weak passwords, and I would assume, no real policies in place. A couple of those libraries must've had some good training because the passwords all looked pretty darn good. e .g. MyB00k5AreFree (Can be read/remembered as My Books Are Free) (note: this is not a password I've ever seen or used)
Just a reminder to try and put some kind of password policy in place if you can.

At Indiana University, we didn't use passwords. We used passphrases : at least four words of alphabetic characters separated by nonalphabetic characters. Easier to remember, longer to crack.

As mentioned here already, see the xkcd link for the truth about passwords. Complex short passwords are easy for a computer to crack, whereas a passphrase is longer and thus has more entropy bits to compute (if trying to brute force crack). In short, passphrases are harder for a computer to crack and easy for a user to remember. Stop spreading password "advice" that really has no basis in the cold hard facts of math.

Great link to xkcd. I try and use passphrases for all my passwords ever since someone hacked into my Yahoo account a few years ago. I haven't had any problems with any of my accounts since switching from passwords to passphrases.

Here at our library, our IT person refuses to change the log-in passwords on the computer and the log-in is the same for all the public computers which makes me want to bang my head. I manually changed the password on my computer at my desk to some gibberish passphrase that means nothing to no one but me and if anyone can crack it then they deserve a medal and a salute.

Passphrases are great when the system you are using allows them. Too many sites and services though set all sorts of limits and rules about passwords that make it difficult if not sometimes impossible to use passphrases ("password must have at least none number (or one symbol), etc.)

Add new comment

Plain text

  • Allowed HTML tags: <a> <em> <strong> <cite> <blockquote> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.