A password must be impossible for someone to guess, and it must be kept secret. A simple password is almost as bad as not having one at all!
- If a program or system comes with a default password, do not use that password! Always change the default password, and also change the default username if you can.
- A password should not be a word, a word spelled backwards, a series of words, or a sentence that appears in any dictionary or book in any language. Reasoning: attackers use cracking programs with dictionary files (and lists of passwords exposed in earlier breaches) to generate millions of candidate passwords, then try them against your computer, email account, bank account, etc.
- A password should not contain your phone number, date of birth, year of birth, home or work address, credit card number, email address, husband/wife/boyfriend/girlfriend/pet’s name, etc.
- A password should not be a series of consecutive digits, letters, or keyboard keys, nor a single repeated character. For example, the following passwords are not safe: 123456, abcdef, QWERTY, ASDFGHJK, QAZWSX, 111111.
- A password should be 10 or more characters long and include some UPPERCASE letters, some lowercase letters, and some digits, in any order. For extra security, use some punctuation characters too. Length is the biggest single factor: every extra character multiplies the number of guesses an attacker has to make, so prefer a longer password over a slightly more "complex" short one. Note that many websites and computer systems have their own minimum and maximum password lengths; on some systems passwords are case-insensitive, and some have rules about which characters may be used, so you will need to abide by those rules on a per-system basis.
- For passwords that are only set up once or rarely changed, e.g. the WPA PSK password used inside a wireless router and inside all the computers that connect to that router wirelessly, seriously consider using a much longer password, e.g. 20 or more characters (a WPA/WPA2 passphrase may be 8 to 63 ASCII characters). It is typed once per device, so the extra length costs you little, while an attacker who captures the wireless handshake can test guesses offline at high speed, where only length protects you.
- Avoid using the same password in multiple locations (email, instant messaging, social networking sites, etc.): try to have a different password for every computer, website, or account that you use, so that one leaked password does not unlock the rest. One simple method of creating strong passwords that differ between websites is to memorize a random password like the ones above, then add the first (or last) character of the domain name as the first (or last) character of your password. Be aware that this only lightly disguises the shared core: anyone who obtains one of your passwords together with the site it came from can see the pattern, so a password manager that generates an unrelated random password for each site is stronger.
- If possible, avoid using the same username in multiple locations. Many systems allow you to choose your own username. Try to use different ones in different places.
- Change your passwords every year or so, and immediately if you have any reason to think one has been exposed. Reasoning: this lowers the chance of someone being able to use a password of yours that, for example, they come across on an old computer that you or your bank has thrown out. It also lowers the chance of your account being exposed when a dishonest ex-employee decides to sell the client database to a competitor or a criminal organization.
- Do not tell your workmates, friends, or relatives your passwords. If for some reason you do need to tell someone your password in order to help you do something, then change it immediately after they’re finished.
- Do not write your passwords on a scrap of paper stuck to your computer, nor in a book stored anywhere near your computer.
- When creating a "Login" page for your own website, make sure the page includes a CAPTCHA (verification code), which stops robots from performing a brute-force password attack. (A CAPTCHA is a challenge-response problem that is difficult for a computer to solve; the same mechanism stops spam robots using your contact page to spam you.) A CAPTCHA alone is not enough: also count failed logins per account and per source address, slow down or temporarily lock further attempts after a few failures, and store passwords only as salted hashes from a deliberately slow function, so that a stolen user database cannot simply be turned back into passwords.
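The rules in the list above, implemented as a policy checker. This is an added example, not code from the original page: the short dictionary, the keyboard sequences, the personal-information list and the thresholds are constructed for the demo, and a real check would load a large wordlist (and a list of passwords exposed in earlier breaches) in place of the handful of words embedded here.

```python
"""Password policy checker for the rules in the list above.

Added example, not code from the original page. The tiny dictionary,
the keyboard sequences and the thresholds are constructed for the demo;
a real check would load a large wordlist (and a list of passwords leaked
in previous breaches) instead of the handful of words embedded here.
"""

MIN_LENGTH = 10     # the page's minimum; longer is better
RUN_LENGTH = 4      # this many consecutive keys/letters/digits counts as a run

# Constructed stand-in for a dictionary file.
SAMPLE_DICTIONARY = {"password", "welcome", "dragon", "monkey", "letmein", "sunshine"}

# Keyboard rows plus a column walk (QAZ WSX EDC ...) to catch QWERTY, ASDFGHJK, QAZWSX.
KEYBOARD_SEQUENCES = [
    "qwertyuiop",
    "asdfghjkl",
    "zxcvbnm",
    "qazwsxedcrfvtgbyhnujmikolp",
]


def _has_consecutive_run(pw, n=RUN_LENGTH):
    """True if n adjacent characters are consecutive in ASCII order,
    ascending or descending, e.g. '1234', 'abcd', 'dcba'."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - n + 1):
        window = codes[i:i + n]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def _has_keyboard_run(pw, n=RUN_LENGTH):
    """True if pw contains n adjacent keys from a keyboard row or column walk,
    in either direction."""
    low = pw.lower()
    for seq in KEYBOARD_SEQUENCES:
        for s in (seq, seq[::-1]):
            if any(s[i:i + n] in low for i in range(len(s) - n + 1)):
                return True
    return False


def _contains_dictionary_word(pw, dictionary):
    """True if a dictionary word of four or more letters appears in pw,
    spelled forwards or backwards (case-insensitive)."""
    low = pw.lower()
    return any(w in low or w[::-1] in low for w in dictionary if len(w) >= 4)


def _contains_personal_info(pw, personal_info):
    """True if any personal item (name, year, phone number, ...) appears in pw.
    Separators are stripped so '07-555-1234' also matches '075551234'."""
    low = pw.lower()
    for item in personal_info:
        bare = "".join(ch for ch in item.lower() if ch.isalnum())
        if len(bare) >= 3 and bare in low:
            return True
    return False


def check_password(pw, personal_info=(), dictionary=SAMPLE_DICTIONARY):
    """Return a list of rule violations; an empty list means the password passes
    every rule in the list above (necessary, not sufficient, for a good password)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if _has_consecutive_run(pw):
        problems.append("contains a consecutive run of characters")
    if _has_keyboard_run(pw):
        problems.append("contains a keyboard-walk sequence")
    if _contains_dictionary_word(pw, dictionary):
        problems.append("contains a dictionary word (forwards or reversed)")
    if _contains_personal_info(pw, personal_info):
        problems.append("contains personal information")
    return problems


if __name__ == "__main__":
    # Constructed sample candidates; 'Rex' and '1985' stand in for a pet's name and a birth year.
    for candidate in ["123456", "QAZWSXedc1", "Passw0rdSunshine1", "Tr0ub4dor&3x"]:
        print(f"{candidate!r}: {check_password(candidate, personal_info=['Rex', '1985']) or 'OK'}")
```

The checker deliberately reports every failed rule rather than stopping at the first, which is what a sign-up form needs to show the user; treat an empty result as "not obviously weak", not as proof of strength, since the real test is whether the password appears in the attacker's wordlists.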
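What the server side of that login page should do behind the CAPTCHA, as an added example that is not code from the original page: passwords are stored as salted PBKDF2 hashes, failed attempts are counted per account, a solved CAPTCHA is demanded after a few failures, and a temporary lockout follows many more. The user store, the thresholds and the CAPTCHA check (a boolean the caller passes in, standing in for a real challenge-response verifier) are all constructed for the demo.

```python
"""Login-page throttling to go with the CAPTCHA advice above.

Added example, not code from the original page. The user store, the
thresholds and the CAPTCHA check (a boolean the caller passes in, standing
in for a real challenge-response verifier) are all constructed for the demo.
"""
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 100_000   # deliberately slow; raise this in production
CAPTCHA_AFTER = 3             # failed attempts before a CAPTCHA is demanded
LOCK_AFTER = 10               # failed attempts before a temporary lockout
LOCK_SECONDS = 15 * 60
_DUMMY_SALT = b"\x00" * 16    # hashed for unknown users so timing does not reveal them


def hash_password(password, salt=None):
    """Return (salt, digest) for storage; the password itself is never stored."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class LoginGate:
    """Per-account counter: after CAPTCHA_AFTER failures every attempt (even one
    with the right password) needs a solved CAPTCHA; after LOCK_AFTER the account
    is locked for LOCK_SECONDS. Counters reset on a successful login."""

    def __init__(self, users, clock=time.monotonic):
        self._users = users        # username -> (salt, digest)
        self._clock = clock        # injectable so tests can advance time
        self._failures = {}
        self._locked_until = {}

    def attempt(self, username, password, captcha_ok=False):
        """Return one of 'ok', 'denied', 'captcha_required', 'locked'."""
        now = self._clock()
        if self._locked_until.get(username, 0.0) > now:
            return "locked"
        if self._failures.get(username, 0) >= CAPTCHA_AFTER and not captcha_ok:
            # Not counted as a failure: a bot that cannot solve the CAPTCHA
            # learns nothing and cannot lock the real user out.
            return "captcha_required"

        # Always run the slow hash, even for unknown users, so response time
        # does not tell an attacker which usernames exist.
        salt, stored = self._users.get(username, (_DUMMY_SALT, b""))
        _, candidate = hash_password(password, salt)
        if username in self._users and hmac.compare_digest(candidate, stored):
            self._failures.pop(username, None)
            return "ok"

        count = self._failures.get(username, 0) + 1
        self._failures[username] = count
        if count >= LOCK_AFTER:
            self._locked_until[username] = now + LOCK_SECONDS
            return "locked"
        return "denied"


if __name__ == "__main__":
    # Constructed demo account; the password is the one used in the examples above.
    gate = LoginGate({"alice": hash_password("Tr0ub4dor&3x")})
    for pw in ["guess1", "guess2", "guess3", "Tr0ub4dor&3x"]:
        print(pw, "->", gate.attempt("alice", pw))
    print("same password with CAPTCHA ->", gate.attempt("alice", "Tr0ub4dor&3x", captcha_ok=True))
```

Two design points worth keeping when adapting this: the slow hash runs for unknown usernames too, so the response time does not confirm which accounts exist; and attempts rejected for lack of a CAPTCHA are not counted, otherwise an attacker could lock any user out simply by hammering the login form. In production, count failures per source address as well as per account, and keep lockouts short, since a long lockout is itself a denial-of-service lever.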
Copyright © 2009 Andrew White
Created: 12 Aug 2009
Page authored by Andrew White
Updated: 26 Aug 2019