Passwords: The Good, The Bad, and The Ugly
There are really only a couple of problems with passwords: picking a good one, and then managing it. "Good" passwords avoid being something that an intruder can guess or otherwise easily figure out.
What are Good/Bad Passwords?
Bad Passwords:
- Exactly match a word in the dictionary
- Match a reversed word in a dictionary
- Match a word in the dictionary with some or all of the letters capitalized
- Match a reversed word in the dictionary with some or all of the letters capitalized
- Are shorter than a specific length (usually 6 characters)
- Do not contain a mix of upper and lower case, or mixed letters and numbers, or mixed letters and punctuation
- Are based on the user's account name, initials, or given name, or any other info about the user: SSN, license plate number, etc.
- Match a dictionary word with any of the following translations:
a -> 2, a -> 4, e -> 3, h -> 4, i -> 1, l -> 1, o -> 0, s -> $, s -> 5, z -> 5
- Are conjugations or plurals of dictionary words
- Are acronyms, geographical or product names, and technical terms
- Are either preceded or followed by a digit, a punctuation mark, up arrow, or space
- Are a word with all the vowels deleted
- Are phrases with the whitespace deleted
- Are all numbers
* This excellent list of things to avoid comes from Matt Bishop's "Security Tools" tutorial from the USENIX '96 conference. Any reasonable search engine will turn up lots of hits for Matt's efforts and papers. Worth looking into.
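As an added illustration (not part of the original page or of Matt Bishop's tutorial), the Python checker below applies the rules above that can be tested mechanically: dictionary match and its reverse, the listed letter-to-symbol translations undone, a leading or trailing digit/punctuation/space stripped, vowels deleted, minimum length, character-class mix, all-digit passwords, and user-information substrings. The word list and user record are constructed stand-ins; conjugations, acronyms and whitespace-stripped phrases would need larger word lists and are not covered.

```python
import itertools
import string

# Constructed stand-in for a real word list (assumption, not data from the page).
DICTIONARY = {"secret", "password", "dragon", "welcome", "orange"}
VOWELS = set("aeiou")
# Reverse map of the translations listed above; ambiguous symbols map to every letter they stand for.
UNLEET = {"2": "a", "4": "ah", "3": "e", "1": "il", "0": "o", "$": "s", "5": "sz"}


def unleet_candidates(pw: str):
    """Yield every plain-letter reading of pw (each translated symbol may also be literal)."""
    options = [(c,) + tuple(UNLEET.get(c, "")) for c in pw]
    for combo in itertools.product(*options):
        yield "".join(combo)


def word_like(pw: str, words=DICTIONARY) -> bool:
    """True if pw (already lowercased) is a dictionary word, its reverse, or a vowel-stripped word."""
    stripped = {"".join(ch for ch in w if ch not in VOWELS) for w in words}
    return pw in words or pw[::-1] in words or pw in stripped


def bad_password_reasons(pw: str, user_info=()) -> list[str]:
    """Return the rules from the list above that pw violates (empty list = none triggered)."""
    reasons = []
    low = pw.lower()  # lowercasing covers the "some letters capitalized" variants
    if len(pw) < 6:
        reasons.append("shorter than 6 characters")
    if pw.isdigit():
        reasons.append("all numbers")
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw)]
    if sum(classes) < 2:
        reasons.append("no mix of character classes")
    if any(info and info.lower() in low for info in user_info):
        reasons.append("based on user information")
    # Strip leading/trailing digits, punctuation (including the up arrow) or spaces before the word tests.
    core = low.strip(string.digits + string.punctuation + " ")
    for cand in {low, core} | set(unleet_candidates(low)):
        if word_like(cand):
            reasons.append("dictionary word (possibly reversed, translated, or decorated)")
            break
    return reasons
```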
network@mit.edu