One of the best ways to protect information or physical property is to ensure that only authorized people have access to it, and that requires verifying that each person is who they claim to be. This authentication step is even more important, and more difficult, in the cyber world. Passwords are the most common means of authentication, but if you don't choose good passwords or keep them confidential, they are almost as ineffective as having no password at all. Many systems and services have been broken into because of weak or inadequate passwords, and some viruses and worms have spread by simply guessing them.
Guidelines for Good Passwords
Use these tactics when choosing a password:
- Use at least one uppercase letter, one lowercase letter, one digit, and one special character
- Make it at least 8 characters long
- Don't base it on personal information that can be easily found or guessed (names, birth dates, pets, phone numbers, and so on), and don't use such items on their own
- Don't use a word that can be found in any dictionary of any language
- Develop a mnemonic for remembering complex passwords
- Prefer a passphrase (several words plus digits and punctuation) to a single word; it is longer and easier to remember
- Use a different password on every system
- Change it every 45-60 days (note that current NIST guidance, SP 800-63B, favors changing a password when compromise is suspected over rotation on a fixed schedule)
- Do not reuse a recently used password
Bad Passwords    Good Passwords
Password         BeeBep#5
Jimmy            crk*Prf1
NCC1701          United We Stand 2day!
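The guidelines and the table above describe rules but do not show how a system enforces them. The following is an added example, not part of the original handout, that implements the guideline list as a policy checker and runs it over the table's own passwords. The dictionary and personal-information word lists are constructed stand-ins (a real deployment would load a full wordlist and the user's profile data), and the password-history check, which implements the "do not reuse a recently used password" rule, compares against salted scrypt hashes rather than storing old passwords in clear text.

```python
"""Password-policy checker for the guideline list in this handout.

Added example, not part of the original handout. DICTIONARY and
PERSONAL_INFO are constructed for illustration only.
"""
import hashlib
import string

# Constructed stand-in for "any dictionary of any language".
DICTIONARY = {"password", "united", "stand", "welcome", "letmein"}

# Constructed personal-information tokens (first name, a well-known
# registry number the user is fond of, pet's name).
PERSONAL_INFO = {"jimmy", "ncc1701", "rover"}

MIN_LENGTH = 8
SPECIALS = set(string.punctuation + " ")   # a space counts for passphrases


def _normalise(s: str) -> str:
    """Lowercase and drop non-alphanumerics so 'Jimmy_1' still matches 'jimmy'."""
    return "".join(c for c in s.lower() if c.isalnum())


def hash_for_history(password: str, salt: bytes) -> bytes:
    """Salted scrypt hash kept in the history list instead of the old password."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)


def check_password(password: str, history=()) -> list:
    """Return the list of guideline violations; an empty list means acceptable.

    history is an iterable of (salt, scrypt_hash) pairs for previous passwords.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")

    core = _normalise(password)
    stem = core.rstrip(string.digits)      # catches 'Welcome1' as 'welcome'
    if core in DICTIONARY or stem in DICTIONARY:
        problems.append("dictionary word")
    if core in PERSONAL_INFO or stem in PERSONAL_INFO:
        problems.append("based on personal information")

    for salt, old_hash in history:
        if hash_for_history(password, salt) == old_hash:
            problems.append("recently used")
            break
    return problems


if __name__ == "__main__":
    # The six passwords from the handout's table.
    for pw in ["Password", "Jimmy", "NCC1701",
               "BeeBep#5", "crk*Prf1", "United We Stand 2day!"]:
        verdict = check_password(pw)
        print(f"{pw!r:26} {'OK' if not verdict else ', '.join(verdict)}")
```

Note that the dictionary check looks at the password as a whole, so a passphrase built from several words ("United We Stand 2day!") passes while a single dictionary word ("Password") does not; this is the distinction the guideline list draws between passphrases and single words.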
Don't assume that because you've developed a strong password you should use it for every system or program you log into. If an attacker guesses it, or steals it from one compromised site, he would have access to all of your accounts. Use these techniques to develop a unique password for each of your accounts.
How can you protect your password?
Now that you've chosen a password that's difficult to guess, make sure not to leave it somewhere for people to find. Writing it down and leaving it in your desk, next to your computer, or, worse, taped to your computer makes it easy for anyone with physical access to your office. Don't tell anyone your passwords, and watch for attackers trying to trick you with phone calls or email messages asking you to reveal them; a legitimate administrator or service will never need your password.
If your Internet service provider (ISP) offers a choice of authentication systems, look for ones that use Kerberos, challenge/response, or public key cryptography rather than simple passwords, since these never send the password itself over the network. Consider challenging service providers who only use passwords to adopt more secure methods.
Also, many programs offer the option of "remembering" your password, but these programs vary widely in how well they protect that information. Some programs, such as email clients, store it in clear text in a file on your computer. This means that anyone with access to your computer, or to its backups, can read all of your passwords and gain access to your information. If you need to store passwords, prefer a tool that encrypts them under a master passphrase rather than a program's built-in "remember me" feature.
Additional Resources
HANDOUT: National Cyber Alert System Tip: Choosing and Protecting Passwords