So what makes a good password?
This is a common question, particularly at the beginning of the month, when many on campus are preparing for the annual password change required to maintain their Allegheny network account.
ITS defines a good password as one that
- is of reasonable length (at least 14 characters)
- has some complexity
- is memorable
- is unique from other passwords
- is not easily found
- is changed at least once a year
Notice: Your username and passwords are the keys to your digital life. It is in your best interest to use good passwords and have a unique password for each of your accounts.
Reasonable Length – Allegheny account passwords must be at least 12 characters. We encourage them to be longer. The greater the length of a password, the longer it will take for software to crack it.
For example, consider the following estimates of how long it would take to crack a letter-only password:
- a seven-letter password is likely cracked in under a minute
- a nine-letter password is likely cracked in twenty-two minutes
- a twelve-letter password would take roughly 9 months
Tip: Length matters when it comes to passwords.
Complex – Adding complexity by combining upper- and lower-case letters, numbers, and/or non-alphanumeric characters increases the estimated time to crack exponentially.
For example, consider what happens to the estimated time to crack a 12-character password when you
- replace one letter with a number: 9 months jumps to 37 years
- then capitalize one of the letters: now it takes 25 thousand years
- then replace a letter with a special character: it would likely take 344 thousand years
If you were to add a special character (making it a thirteen-character password), you would be looking at 26 million years.
Comment: Again, length matters. Complexity matters too. Balancing complexity, length, and memorability is the key. If a password is long and complex, but you have to write it on a Post-it note stuck to your monitor or keyboard, its value is suspect. A memorable password is most important.
*Estimates of time to crack come from howsecureismypassword.net.
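
The length and complexity estimates above follow from exhaustive-search arithmetic: the size of the alphabet in use, raised to the password length, divided by a guess rate. The Python sketch below is an added example, not code from ITS or from the estimate site. The rate of 4 billion guesses per second and the 32-symbol punctuation set are assumptions, and the sample passwords are constructed.

```python
import string

# Assumption (not from the page): offline guess rate, in guesses per second.
GUESSES_PER_SECOND = 4e9

# Character classes an exhaustive search must cover once any member is used.
# string.punctuation (32 symbols) is an assumed symbol set.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

def alphabet_size(password):
    """Sum the sizes of every character class the password draws from."""
    size = sum(len(cls) for cls in CLASSES if any(c in cls for c in password))
    if size == 0:
        raise ValueError("no characters from the modelled classes")
    return size

def keyspace(password):
    """Candidates in a full search: alphabet size ** length."""
    return alphabet_size(password) ** len(password)

def seconds_to_exhaust(password, rate=GUESSES_PER_SECOND):
    """Worst-case brute-force time. Dictionary words and reused or leaked
    passwords fall far sooner, which this model does not capture."""
    return keyspace(password) / rate

def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, span in (("years", 31_557_600), ("days", 86_400), ("minutes", 60)):
        if seconds >= span:
            return f"{seconds / span:,.0f} {unit}"
    return f"{seconds:.0f} seconds"

# Constructed samples mirroring the page's steps: 7, 9 and 12 letters, then
# one digit, one capital, one symbol, and finally a 13th character.
SAMPLES = ("abcdefg", "abcdefghi", "abcdefghijkl", "abcdefghijk1",
           "Abcdefghijk1", "Abcdefghij!1", "Abcdefghij!1?")

if __name__ == "__main__":
    for pw in SAMPLES:
        print(f"{pw:<14} alphabet={alphabet_size(pw):>2} "
              f"time={humanize(seconds_to_exhaust(pw))}")
```

Under these assumptions the letter-only cases land near the page's figures (about 23 minutes for nine letters, about 276 days for twelve), and adding one digit multiplies the twelve-character search by roughly 50, in line with the jump from 9 months to 37 years. The symbol cases differ from the page's numbers because the assumed symbol set is not the one the estimate site uses.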