Passwords and Passphrases
Passwords and passphrases are an important aspect of computer security. They are the front line of protection for mail accounts. So, you should take the appropriate steps to select and secure your passwords because a poorly chosen password may result in the compromise of your email account.
Password
A password is a set of characters known only to you which must be provided in order to gain access to your email account. A password is very much like a key: without it, the door remains locked. A password proves that you are who you say you are.
General Password Construction Tips
These are the specific rules to which your password must conform in order to be accepted as a strong, good password. These rules will make it more difficult for someone else to guess your password.
Strong (acceptable) passwords have the following characteristics:
- Contain both upper and lowercase characters (e.g., a-z, A-Z).
- Contain digits and punctuation characters as well as letters (e.g., 0-9, !@#$%^&*()_+|~-=\`{}[]:";'<>?,./).
- Are at least eight alphanumeric characters long.
- Are not words of any language, slang, dialect, jargon, etc.
- Are not based on personal information, names of family, etc.
- Try to create passwords that can be easily remembered. One way to do this is creating a password based on a song title, affirmation, or other phrase. For example, the phrase might be: "This May Be One Way To Remember" and the password could be: "TmB1w2R!" or "Tmb1W> r~" or some other variation.
Poor, unacceptable passwords have the following characteristics:
- Contain fewer than eight characters.
- May be found in a dictionary (English or foreign).
- Are words in common usage, for example, names of your family, pets, friends, co-workers, fantasy characters, etc.
- Represent computer terms and names, commands, sites, companies, hardware, software.
- Are acronyms for the agency or city.
- Are birth dates or other personal information like addresses and phone numbers.
- Are word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
- Are any of the above spelled backwards.
- Are any of the above preceded or followed by a digit (e.g., secret1, 1secret).
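The construction rules above can be enforced mechanically. The following checker is an added example written for this page (it is not code from the original text); it implements the listed rules against a deliberately tiny, constructed word list, and the word list, pattern list and function names are assumptions standing in for a real dictionary file.

```python
import re
import string

# Constructed toy word list; a real check would load a full dictionary file (assumption).
DICTIONARY = {"secret", "password", "welcome", "summer", "dragon", "admin"}

# Keyboard and sequence patterns of the kind the page lists as unacceptable.
PATTERNS = {"qwerty", "asdfgh", "zxcvbn", "abcdef", "123456", "zyxwvuts"}


def _looks_like_word(candidate: str) -> bool:
    """True if the candidate is a dictionary word or pattern, its reverse,
    or any of those with a single digit put before or after it."""
    lowered = candidate.lower()
    # drop one leading or trailing digit, as in "secret1" / "1secret"
    stripped = re.sub(r"^\d|\d$", "", lowered)
    for form in {lowered, stripped}:
        for word in (form, form[::-1]):
            if word in DICTIONARY or word in PATTERNS:
                return True
    return False


def _is_repetitive(candidate: str) -> bool:
    """Catch aaabbb-style runs and mirrored strings such as 123321."""
    if re.fullmatch(r"((.)\2{2,})+", candidate):
        return True
    return len(candidate) >= 6 and candidate == candidate[::-1]


def check_password(candidate: str) -> list:
    """Return the page rules the candidate violates; an empty list means it conforms."""
    problems = []
    if len(candidate) < 8:
        problems.append("fewer than eight characters")
    has_lower = any(c.islower() for c in candidate)
    has_upper = any(c.isupper() for c in candidate)
    if not (has_lower and has_upper):
        problems.append("missing upper or lower case letters")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digits")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no punctuation characters")
    if _looks_like_word(candidate):
        problems.append("dictionary word or pattern, reversed, or with a digit attached")
    if _is_repetitive(candidate):
        problems.append("repeated-character or mirrored pattern")
    return problems


if __name__ == "__main__":
    for sample in ("TmB1w2R!", "secret1", "1terces", "aaabbb", "123321"):
        print(sample, "->", check_password(sample) or "acceptable")
```

The page's own example "TmB1w2R!" passes every rule, while "secret1" and its reversal "1terces" fail the dictionary rule in addition to the length and character-class rules. A production deployment would swap the toy sets for a full word list and keep the checks server-side.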
Easy Ways to Choose a Good Password
- Use good password generator software, and don't let anyone know that you are using it; it's better to use several good password generators and combine the results randomly.
- Use the first letter of each word from a line of a song or a poem.
- Alternate between one consonant and one or two vowels to produce nonsense words. e.g. "taupouti".
- Choose a couple of short words and concatenate them together with a punctuation or symbol character between the words. e.g. "seat%tree"
- Put one or more punctuation marks or symbol character in the middle of a long word. e.g. "h&leb@rs" (handlebars)
Passphrases
A passphrase is a sequence of words and characters that you type into your mail account to prove that the person typing is you. Some accounts allow you to enter a passphrase instead of just a short password for better protection against attackers.
Passphrases differ from passwords only in length. Passwords are usually short - six to ten characters. Passphrases are usually much longer - typically 20 to 40 characters, sometimes even more. Because of that, a passphrase is more secure against "dictionary attacks".
Short passwords are OK for logging into systems that detect a large number of incorrect guesses, but they are not safe for other systems such as public/private key authentication. A public/private key system defines a mathematical relationship between the public key, which is known by everyone, and the private key, which is known only to the user. Without the passphrase to "unlock" the private key, the user cannot gain access and encrypt/decrypt or sign email messages.
Choosing a good passphrase is one of the most important things you can do to preserve the privacy of your computer data and email messages. A good passphrase is relatively long and, like a good password, contains a combination of upper and lowercase letters and numeric and punctuation characters. Here is an example of a good passphrase:
"The*?#> *@TrafficOnThe101Was*?!#ThisMorning."
All of the rules above that apply to passwords apply to passphrases.
A passphrase also should be:
- Known only to you.
- Hard to guess even by someone who knows you well.
- Easy for you to remember.
- Easy for you to type accurately.
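To make the length argument concrete, here is an added estimate (written for this page, not code from the original text) of how many guesses an attacker needs under the two models the text contrasts: a dictionary attack against word-derived secrets and a character-by-character brute force against everything else. The toy word list, the assumed dictionary size of 100,000 entries and the function names are all assumptions.

```python
import math
import re
import string

# Constructed toy word list used only for membership; DICTIONARY_SIZE is the
# assumed size of a realistic attacker word list and drives the estimate.
DICTIONARY = {"secret", "password", "welcome", "summer", "dragon", "horse"}
DICTIONARY_SIZE = 100_000


def charset_size(secret: str) -> int:
    """Sum of the page's character classes that actually appear in the secret."""
    classes = [
        (str.islower, 26),
        (str.isupper, 26),
        (str.isdigit, 10),
        (lambda c: c in string.punctuation, len(string.punctuation)),
        (str.isspace, 1),
    ]
    return sum(size for test, size in classes if any(test(c) for c in secret))


def _word_tokens(secret: str) -> list:
    """Alphabetic runs, lower-cased; digits and symbols are treated as separators."""
    return [t.lower() for t in re.findall(r"[A-Za-z]+", secret)]


def guess_space_bits(secret: str) -> float:
    """log2 of the guesses a well-informed attacker needs.

    If every alphabetic run is a dictionary word (forwards or reversed), the
    attacker tries dictionary entries per word, times 2 orientations, times 10
    per attached digit; separators are ignored, which errs on the safe side.
    Otherwise the estimate is a brute force over the character classes present.
    """
    tokens = _word_tokens(secret)
    if tokens and all(t in DICTIONARY or t[::-1] in DICTIONARY for t in tokens):
        digits = sum(c.isdigit() for c in secret)
        return len(tokens) * math.log2(DICTIONARY_SIZE * 2) + digits * math.log2(10)
    return len(secret) * math.log2(charset_size(secret))


if __name__ == "__main__":
    samples = [
        "secret1",                                       # dictionary word plus digit
        "summer dragon welcome",                         # three dictionary words
        "TmB1w2R!",                                      # the page's 8-character password
        "The*?#> *@TrafficOnThe101Was*?!#ThisMorning.",  # the page's passphrase
    ]
    for s in samples:
        print(f"{s!r:50} ~{guess_space_bits(s):6.1f} bits")
```

"secret1" comes out near 21 bits, three plain dictionary words near 53 bits, the 8-character mixed password near 52 bits, and the 44-character passphrase well above 250 bits; the passphrase wins on length even though, against a real word list, its individual words would be guessable.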
Password Protection Standards
The security of your mail depends not only on the quality of the password you choose but also on how you keep and protect it.
Here is a list of "don'ts" for passwords/passphrase:
- Don't share passwords/passphrase with anyone, including administrative assistants or secretaries. All passwords are to be treated as sensitive, confidential information.
- Don't reveal a password/passphrase over the phone to ANYONE.
- Don't reveal a password/passphrase in an email message.
- Don't reveal a password/passphrase on questionnaires or security forms.
- Don't reveal a password/passphrase to co-workers while on vacation.
- Don't talk about a password/passphrase in front of others.
- Don't give a hint about the type of a password/passphrase (e.g., "my family name").
- Don't share a password/passphrase with family members.
- Don't store a password/passphrase in an obvious place that is accessible to others.
- Don't use the "Remember Password" feature of applications (e.g., Eudora, Outlook, Netscape Messenger).
- Don't write passwords/passphrases down and store them anywhere in your office.
- Don't store passwords/passphrase in a file on ANY computer system (including Palm Pilots or similar devices) without encryption.
- Don't use the same password for your email account as for another non-mail access like your PIN at your bank or password for your ISP account, etc.