Home > AccessID > Badpwd

Categories of Bad Passwords

This information first appeared in MichNet News, Volume 11, No. 1. It is based on copyrighted material (1995) by David G. Beausang, Colorado School of Mines.

I. Passwords should never be:

Any word in any dictionary, in any language
Any formal name or nickname, including spouse's, children's, and pet's
Any mythological or fictional character or race
Any name of a place (city, country, cross roads, forest, or place of natural beauty), real or fictional
Fictional terms
Titles of movies, books, compositions
The name of any author, composer, musician, actor
Any special number
Acronyms
Phrases
Fables or legendary characters or places
Combinations of letters or patterns on the keyboard
Great license plates you've seen, one2nv, 3vom, ibuy4u, or neat word/letter combinations, aTdHvAaNnKcSe
Religious figures, places, or events
Anything you can imagine being collected into a list

Examples of bad passwords include: characters and races from Star Trek, the appendices from the Lord of the Rings, pi, e, and the golden ratio, zip codes, THX1138, names of asteroids, names of bacteria, names of viruses, names of algae, names of fungi, names of beers, transliterated words from the hindu, chinese, russian, yiddish, or any other alphabet, cartoon characters, and a few specifics: letmein, youreok, zorkmid, zorro, wonderbread, upchuck, unixsuck, qwerty, zaq1234, lmnop, klingon, justforthe, hosannah, hesdeadjim, beammeup.

If a password fits in a list, you can presume someone has made up that list.

II. Passwords should never be a simple algorithm applied against something in category I, such as:

The "word" backwards
Substituting numbers for vowels, r1ch2rd for richard
Common substitutions for letters, 3 for e, mov3
Appending or prefixing digits, apple639 or 123apple
Appending or prefixing special characters, apple@ or $klingon

III. Passwords should not contain information that can be automatically gathered by knowing your user name:

Your user name
Your user index/number (for Unix the UID and GID)
User name owner information (for Unix the gecos field) which commonly contains your name
Information derivable from this information: your initials

This category is similar to the first category. However, wheareas category I is static, category III depends on your account information and is dynamic.

IV. Passwords should not contain personal information about you that can be gathered if you are targeted:

Your social security number
Your student ID number
Your phone number, your mother's phone number, your mother's maiden name
Your passport number
Your street address, the address where you were born
Your license plate number
Serial number from your camera, computer, stereo

In summary, a good password needs to be something that cannot be derived in a semi-automatic manner. Categories I-III represent known information or easily derived information that can be exhaustively applied by a computer to break your password. Category IV represents information that would be applied to specifically break your account, as opposed to any account on a machine. While this may seem like a very remote possibility, if you are ever personally targeted, it is potentially much more damaging to you.

Two final tips on password selection. First, make sure you know how many characters the system allows for a password: a good 15 character password may become a terrible password if the system only uses the first 8 characters. [The WSU AccessID password must be at least six but not more than ten characters.] Second, check your password to make sure it doesn't duplicate a bad password: a (usually) good personal password generation algorithm can generate a bad password; the good and bad may be the result of orthogonal approaches intersecting with a bad password. For example, the potentially good password mxvhall would be bad if your name was Mary Xavier Virginia Hall.

Also see:
Methods for Generating Good Passwords
Safeguarding Your Password
Requirements for a WSU AccessID password