Article Posted by Mark Weatherford, Director and Chief Information Security Officer, Office of Information Security

Your password is more than just a key to your computer or online account. If your password falls into the wrong hands, it’s easy for Bad People to impersonate you online, tinker with your bank accounts, sign your name to online service agreements or contracts, engage in financial transactions, or even change your account information.

Find out how much you know about safe password practices by taking this quick quiz.

Q1. How often should you change your password?

  1. Every 30 days
  2. Every 60 days
  3. Every 90 days
  4. When IT tells you to

Q1 Answer: (a) – And the more often you replace your strong password with another strong password, the better. What’s a "strong" password? Read on.

Q2. One of your co-workers is working on a critical report this weekend and needs access to some of your files. How should you give her your password?

  1. Send it in an email message
  2. Call her on the phone and tell her the password
  3. Don’t give it to her or anybody else
  4. Write it on a piece of paper, seal it in an envelope, and mail it to her

Q2 Answer: (c) – If she needs access to your files, call your IT department and ask them to give her access without the use of your password.

Q3. What is the most common (and so the weakest) password used in 2009?

  1. password
  2. 123456
  3. qwerty
  4. abc123

Q3 Answer: (a) – Actually, the list is in order, according to PC Magazine.* If you are using these passwords or anything like them, you might as well just give people access to your computer or your bank account.

Q4. What characters should you use in a password to make it strong?

  1. Letters only
  2. Numbers only
  3. Letters and punctuation
  4. All of the above

Q4 Answer: (d) – The more complex a password is, the harder it is for a person to guess it. Some systems and websites may not allow you to use all of the punctuation symbols, but most allow some of them.

Q5. How long should a strong password be?

  1. Five characters
  2. Eight characters
  3. As long as possible
  4. Size doesn’t matter

Q5 Answer: It depends! For technical reasons, a minimum length of 8 characters is recommended. But not all eight-character passwords are equally strong. For example, "football" wouldn’t be hard to guess, but guessing the 8 characters of 7xkM*vh$ presents a real challenge.

Q6. Now that you are an expert, choose the strongest password from this list:

  1. Mickey.Mouse
  2. M1ck3y.m0u53
  3. 3.1416**
  4. Ad@46-Hiz
  5. Aristotle

Q6 Answer is (d). (a) is obviously easy to guess, even though it’s long enough; (b) is "hacker-speak" for Mickey Mouse – a bad idea; (c) contains no letters – and it’s the approximate value of Pi; and (e) is a proper name.

Strong password checklist

  • at least 8 characters
  • at least one number
  • at least one uppercase and one lowercase letter
  • at least one symbol (examples: &, !, @, #, $, ^, *)
  • no proper names or words (English or otherwise)
  • no personal information, like your SSN, phone number, or date of birth
  • no repeating characters
  • no easy-to-guess patterns like 123qwerty
  • no well-known mathematical values (like Pi) or equations (E=mc2)

Tips

  • Treat passwords like your toothbrush: Choose a good one and replace it regularly.
  • Change your passwords at least every 30 days.
  • Use a passphrase. Choose an easily remembered phrase like "Liberty and Justice Forever" and use the first one or two letters of each word with some punctuation and numbers in between. Example: Li.an1Ju*Fo.
  • Use a password pattern. Pick a starting point on the keyboard, trace out an easily remembered pattern, and add some twists. Example: The eight-character pattern 1qscvhU* describes a "V" on your keyboard starting with the number 1 key, with the added twists of an uppercase U and an asterisk.