How Not to Choose a Password

attributed to Joe Sanjour, Andrew Arensburger, Anne Brink

Choosing overly simply or commonplace passwords is extremely dangerous. Automated attacks from across the internet attempt to force their way in using common username/password combinations at the rate of thousands of attacks per day.

Here are some of the types of passwords that will be picked up by crackers:

• Words in the dictionary.
• Words in any dictionary.
• Your user name.
• Your real name.
• Your spouse's name.

• Anyone's name (crackers don't necessarily know that your aunt's middle name is Agnes, but it's easy enough to get a list of 100,000 names and try each one).

• Any word in any ``cracking dictionary.'' There are lists of words that crackers use to try to crack passwords: passwords that a lot of people use. Some of these lists include:

• Abbreviations, Asteroids, Biology, Cartoons, Character Patterns, Machine names, famous names, female names, Bible, male names, Movies, Myths-legends, Number Patterns, Short Phrases, Places, Science Fiction, Shakespeare, Songs, Sports, Surnames

• Any of the above, with a single character before or after it (8dinner, happy1).

• Any of the above, capitalized (cat $\rightarrow$ Cat)

• Any of the above, reversed (cat $\rightarrow$ tac), doubled (cat $\rightarrow$ catcat) or mirrored (cat $\rightarrow$ cattac).

• We used to tell people that taking a word and substituting some characters (a 0 (zero) for an o, or a 1 (one) for an l (el)) made a good password. This is no longer the case. New crackers have the capability to crack things like this, in certain situations.

• Words like foobar, xyzzy and qwerty are still just plain words. They are also popular passwords, and the crack programs look for them. Avoid them.

• Any of the sample passwords, good or bad, mentioned in this document.