Non-Guessable Passwords

Here is a sample set of rules for non-guessable passwords (based on material from the University of Pennsylvania):

  • Between 7 and 16 characters
  • Not all upper case or all lower case
  • Should not contain your username, employee identification number, any part of your given name or any variation of these
  • Should not be derived directly from words or phrases of any language. Embedding a number or case-shift within a word does not make a valid password. Systematic password guessing attacks are sophisticated and will routinely 'crack' such passwords. (Examples: time2go, big$deal, money$, and 2morrow are not valid passwords.)
  • Should not be composed of all numbers. Embedding decimal points, minus signs, or plus signs within a number does not make a valid password. (Example: 1-609-555-1212 is not a valid password.)

Your password should be easy for you to remember but virtually impossible for anyone else to guess. One of the best ways to choose a password that meets both goals is to make up a sentence, then use the first letter of each word as a letter in your password.
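The rules above can be turned into a policy check that runs at password-set time, and the sentence mnemonic can be shown working alongside it. The following is an added example, not code from the original page or from the University of Pennsylvania. The "derived from words or phrases of any language" rule is approximated here with a small constructed word list (`SAMPLE_WORDS`) and a few digit/symbol substitutions that guessing tools routinely undo; a real deployment would use a full dictionary. The sample passwords and the sentence used for the mnemonic are constructed for the demonstration.

```python
"""Check a candidate password against the non-guessable-password rules above.

Added example, not part of the original page. SAMPLE_WORDS is a constructed
stand-in for a real dictionary.
"""
import re

# Constructed word list standing in for a full dictionary.
SAMPLE_WORDS = {"time", "to", "go", "big", "deal", "money", "tomorrow", "pass", "word"}

# Substitutions that guessing tools undo before comparing with a dictionary
# (2morrow -> tomorrow, big$deal -> bigsdeal, pa55word -> password ...).
SUBSTITUTIONS = {"0": "o", "1": "i", "2": "to", "3": "e", "4": "a",
                 "5": "s", "7": "t", "@": "a", "$": "s"}


def _segments_into_words(text):
    """True if text can be split entirely into words from SAMPLE_WORDS."""
    ok = [True] + [False] * len(text)
    for end in range(1, len(text) + 1):
        ok[end] = any(ok[start] and text[start:end] in SAMPLE_WORDS
                      for start in range(end))
    return bool(text) and ok[len(text)]


def _word_derived(password):
    """Apply the transformations a guessing attack tries, then look for words."""
    lowered = password.lower()
    undone = "".join(SUBSTITUTIONS.get(c, c) for c in lowered)
    candidates = {
        re.sub(r"[^a-z]", "", lowered),   # big$deal -> bigdeal, pass1word -> password
        re.sub(r"[^a-z]", "", undone),    # time2go -> timetogo, 2morrow -> tomorrow
    }
    return any(_segments_into_words(c) for c in candidates)


def check_password(password, identity_terms=()):
    """Return the list of rules the password violates (empty list = acceptable).

    identity_terms: username, employee identification number, parts of the
    given name, and similar values the password must not contain.
    """
    violations = []
    if not 7 <= len(password) <= 16:
        violations.append("length must be 7-16 characters")
    # str.isupper()/islower() are True only when every cased character agrees,
    # so either one being True means the password is single-case.
    if password.isupper() or password.islower():
        violations.append("must mix upper and lower case")
    lowered = password.lower()
    for term in identity_terms:
        if term and term.lower() in lowered:
            violations.append(f"contains identity term '{term}'")
    # Digits with embedded '.', '-' or '+' are still "all numbers".
    if re.fullmatch(r"[0-9.+-]+", password):
        violations.append("all numbers (separators do not help)")
    elif _word_derived(password):
        violations.append("derived from dictionary words")
    return violations


def sentence_to_password(sentence):
    """Mnemonic from the text: first character of each word, case preserved."""
    return "".join(word[0] for word in sentence.split())


if __name__ == "__main__":
    for candidate in ["time2go", "big$deal", "money$", "2morrow", "1-609-555-1212"]:
        print(f"{candidate!r}: {check_password(candidate, ['jsmith'])}")
    # Constructed sentence for the mnemonic method.
    mnemonic = sentence_to_password("My first car was a rusty Blue Ford")
    print(f"{mnemonic!r}: {check_password(mnemonic, ['jsmith', 'smith'])}")
```

Each of the four rejected examples from the text fails the dictionary rule once digits and symbols are stripped or undone, and the phone-number example fails the all-numbers rule even with its hyphens; the mnemonic password passes every check because its letters do not segment into words.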