Passwords are something we can always improve on, but a strong password doesn’t need to be difficult to remember.
While we provide some general password guidance below, be aware that some IT services limit the password length or character set, or require a particular level of complexity. For example, some of your passwords may need to include a capital letter and a number or symbol, or may not allow a space.
Based on lessons learnt over the years, we know that it is the length of the passphrase, rather than its complexity, that is the most important aspect for reducing the risk of your password being compromised. Therefore, we recommend the following for passwords that you need to remember (i.e. ones you use frequently, such as your University account’s password):
- Use a passphrase made up of four or more unrelated but memorable/picturable words or symbols, for example:
  telephone mouse pirate rain
- While the minimum length is often eight characters, we recommend 12 or longer, which is easily achievable with three or four words
- Where possible, keep the spaces or change them to a different character, for example / or =, as this makes the password stronger
- If you can use a word from a different language, this will also improve strength, e.g. maus instead of mouse
Ultimately, 16 letters are much better protection than eight, no matter how complex the password. The more words you use, the more secure your password.
DO NOT use:
- One or two dictionary words with a number or symbol (e.g. computer123), keyboard sequences (e.g. 123456, qwerty123, or qazwsxedc), or personal information such as your date of birth or names of family members, pets, etc. With new tools, technology, and the wealth of personal information on social media, these are now extremely weak. A home computer with easily available software can now try billions of combinations per second to discover or crack a password like this in a very short time
- "Random" password-generating software or websites (e.g. Passwordsgenerator.net). Also, do not enter your University password into anything but the University services and password change systems
- The same password across different services
Contact AskOtago if you have any questions about creating a strong password: