Good Passwords

As attackers get more sophisticated, it becomes increasingly difficult for users to create good passwords. On your registration page, you may consider providing recommendations to users for setting up good passwords on the registration form.

Suggestions for Site Developer

  1. Allow all keyboard characters including space.
  2. Require a minimum of 8 characters (consider more).
  3. Provide a password strength meter as the user types.
  4. Provide a show password option. This is especially useful for responsive websites where users may enter the password on a mobile phone. Default to show asterisks, but provide a way to see or verify the password. Be sure to add a cautionary statement.
    1. See as you type. This changes the asterisks to characters. Example: “Show password as I type. Use only if no one can see your screen.”
    2. Verify once complete. A client-side script opens a pop-up which shows the password entered. Example: “Show password in pop-up. Use only if no one can see your screen.”
  5. Provide a link to user password guidelines (sample below).

Instructions for Users

You may wish to recommend to users something like the following guidelines for creating passwords.

Tips For Good Passwords

Password-cracking techniques have advanced quickly. It is important that you take precautions with passwords and consider using a password manager. If you choose not to use a password manager, here are some suggestions when creating passwords.

Do Use

  • a different password for each account
  • lower case letters (a b c d…), upper case letters (A B C D…), numbers (1 2 3 4…), symbols (! @ # $…), and space (some logins may not allow symbols or space)
  • first letters of a phrase or sentence: in Joe’s store I bought 10 eggs for $2 each = iJs ib10ef$2e
  • a phrase: I have 5 fish: Sue & Ted
  • How to Create a Password You Can Remember

Don’t Use

  • identity information like name, phone, pet names, nicknames, birth date, address, or driver’s license number.
  • dictionary words in any language especially the word password which is commonly used.
  • words spelled backwards, abbreviations, and common misspellings.
  • common letter-to-symbol conversions such as changing i to 1, 3 to E, s to $.
  • sequences or repeated characters. Examples: 1234, 2222, abcd, or adjacent keyboard letters (such as asdf).
  • the same password on different logins; especially don’t use your email account password for other websites.