All about PASSWORDS
In my last blog I discussed the 70-day password policy. In this blog entry I will try to cover all about passwords: the characteristics of weak and strong passwords, a strong password policy, a list of don'ts, etc.
Passwords are an important aspect of computer security. Implementing secure passwords is an important component of securing the enterprise against unauthorized access. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Company Name's entire corporate network.
Poor, weak passwords have the following characteristics:
• Password contains fewer than 8 characters
• Password is a word found in a dictionary (English or foreign)
• Password is a common-usage word such as:
o Names of family, pets, friends, co-workers, fantasy characters, etc.
o Computer terms and names, commands, sites, companies, hardware, software.
o The words "Company Name", "Microsoft", "microsoft123" or any derivation.
o Birthdays and other personal information such as addresses and phone numbers.
o Word or number patterns like aaabbb, asdflkj, abcdefg, 123321, etc.
o Any of the above spelled backwards.
o Any of the above preceded or followed by a digit (e.g., secret1, 1secret)
o A recognizable part of the user's name (e.g., username=ABC@1234, password=ABC)
o Repeating characters like "MS1111", "DELL2222", "a110011", etc.
o Any portion of the user's full name.
Strong passwords have the following characteristics:
• They are at least 8 characters long and contain all of the following:
o Letters: upper or lower case (A,B,C,…Z; a,b,c,…z)
o Digits: (0,1,2,3,…9)
o Punctuation marks or symbols such as #, !, %, etc., interspersed throughout
• They are built from a passphrase ("My password is Strong enough for 1 year" = "MpiSef1y").
• They are not a word in any language, slang, dialect, jargon, etc.
• They are not based on personal information, names of family, etc.
• They are never written down or stored on-line.
Try to create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase might be "My password is Strong enough for 1 year" and the password could be "MpiSef1y" or "MpiSef1y~" or some other variation.
Here is a list of "don'ts":
• Don't reveal a password over the phone to ANYONE
• Don't reveal a password to co-workers while on vacation
• Don't reveal a password in an email message
• Don't talk about a password in front of others
• Don't hint at the format of a password (e.g., "my family name")
• Don't reveal a password on questionnaires or security forms
• Don't share a password with family members
• Don't transmit user names and passwords together in an unencrypted format.
• Don't put your passwords in trouble tickets.
• Don't store passwords in readable form in batch files, automatic log-in scripts, software macros, terminal function keys, on computers without access control, or in other locations where unauthorized persons might discover them.
• Don't use vendor- or manufacturer-supplied default passwords.
• Don't use a password that you are already using for some other purpose, such as your PIN at the bank or your password to another system.
Useful tips
• All accounts (including service accounts, IIS anonymous user accounts and administrator accounts) must be configured to require password changes at least once every 70 days.
• Passwords must be significantly different from prior passwords. Users must not use "recurring" passwords, i.e., passwords that contain the same basic content as previous passwords with only a part of the content changed, e.g., pwd1=ABC@12, pwd2=ABC@123, pwd3=ABC@1234, etc.
• Passwords must be promptly changed if they are suspected of being known by unauthorized individuals.
• Group policies enabling password complexity requirements and password history (remember the last 24 passwords) must be enabled for all accounts.
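The history and "recurring password" rules in the tips above can be enforced at password-change time. The following is an added example, not code from the original post or from any Windows component: a hashed history of the last 24 passwords (the post's Group Policy value) catches exact reuse, and an edit-distance plus shared-prefix/suffix test flags the post's ABC@12 / ABC@123 / ABC@1234 pattern. The class and function names, the PBKDF2 work factor and the `min_edits` / `max_shared` thresholds are assumptions for the example.

```python
import hashlib
import os

HISTORY_DEPTH = 24  # the post's Group Policy value: remember the last 24 passwords
PBKDF2_ROUNDS = 100_000  # assumption: illustrative work factor for the demo


def _digest(pw: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; history entries never hold the cleartext."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_recurring(new_pw: str, old_pw: str, min_edits: int = 4, max_shared: float = 0.5) -> bool:
    """The post's 'recurring' pattern: same basic content with only a part
    changed. Flags passwords fewer than `min_edits` edits apart (ABC@12 -> ABC@123)
    or sharing a prefix/suffix longer than `max_shared` of the shorter password
    (Winter2023! -> Summer2023!). The thresholds are assumptions, not from the post."""
    a, b = new_pw.lower(), old_pw.lower()
    if levenshtein(a, b) < min_edits:
        return True
    shorter = min(len(a), len(b))
    prefix = len(os.path.commonprefix([a, b]))
    suffix = len(os.path.commonprefix([a[::-1], b[::-1]]))
    return max(prefix, suffix) > max_shared * shorter


class PasswordHistory:
    """Keeps salted hashes of the last HISTORY_DEPTH passwords, newest last."""

    def __init__(self):
        self.entries = []  # list of (salt, digest)

    def seen_before(self, pw: str) -> bool:
        return any(_digest(pw, salt) == d for salt, d in self.entries)

    def add(self, pw: str) -> None:
        salt = os.urandom(16)
        self.entries.append((salt, _digest(pw, salt)))
        del self.entries[:-HISTORY_DEPTH]  # drop anything older than the window


def validate_change(history: PasswordHistory, current_pw: str, new_pw: str) -> list:
    """Reasons to reject a password change (empty list == accept). Exact reuse is
    checked against the hashed history; the similarity rule can only be applied
    to the current password, which the user supplies in cleartext at change time."""
    reasons = []
    if history.seen_before(new_pw):
        reasons.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    if is_recurring(new_pw, current_pw):
        reasons.append("only a part of the current password was changed (recurring)")
    return reasons


if __name__ == "__main__":
    hist = PasswordHistory()
    for pw in ("ABC@12", "ABC@123"):  # constructed sample history from the post's example
        hist.add(pw)
    print(validate_change(hist, "ABC@123", "ABC@1234"))
    print(validate_change(hist, "ABC@123", "Zq7!kLp#2"))
```

Because only hashes are kept, the history can reject exact reuse of any of the last 24 passwords, but the "significantly different" test is limited to the one old password the user proves knowledge of during the change; that is the same limitation a directory-based password history has.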