Choosing and Protecting a Password
This is not a guide to choosing the best password in the world and protecting it like it's your PIN or your life. We realise that if you had to pick unique, extra-long, extra-strong passwords for all the systems you use, change them very regularly, and never write them down... you'd go insane. But that's no excuse for using the name of your dog, 'password', or a string of expletives with a 1 on the end.
If anything in this document is unclear, or it takes you more than a few minutes to read it, digest it, and come up with a good new password, let rpfuller know, as it obviously needs to be made more simple.
Most people are aware of the most obvious choices of password (if you are using the names of any of your family, please change your password now!).
However, because of the availability of automated password-cracking programs, you should also avoid the following:
- Any word which appears in a dictionary (including highly technical words from your own discipline).
- Common first names, your surname, names of pets and literary characters, dates of birth.
- Your editor name or car registration number.
- Passwords of fewer than seven characters (shorter passwords are easier to crack).
- Any dictionary word slightly modified (e.g. by adding a number to the end, or changing l to 1).
- Simple sequences such as QWERTY, LETMEIN, the name of your department or group, or an obvious name spelt backwards.
A recommended technique for choosing passwords which are hard to crack but possible to remember is:
- Choose a short sentence or phrase which makes sense to you (but is not a common saying or proverb), take its initial letters, and insert a number or punctuation (preferably both) somewhere in the string. Note that you can mix upper and lower case to make a password harder to crack.
- If you have an 8-16 character password which contains at least three of upper case, lower case, numbers and special characters, and which doesn't look like a word or your username, you're probably doing well enough. Aim for that.
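The two lists above (things to avoid, and the initial-letters technique with the 8-16 character, three-of-four-classes target) can be turned into a simple check that an administrator or a login form could run before accepting a new password. The following is an added example written for this page, not code from the ODP; the function names, the tiny word list and the substitution table are all constructed for illustration, and a real deployment would swap the word list for a full dictionary or cracking wordlist.

```python
import string

# Constructed stand-in for a real dictionary / cracking wordlist.
SAMPLE_DICTIONARY = {
    "password", "welcome", "dragon", "monkey", "secret",
    "editor", "research", "directory", "fluffy", "rover",
}

# Simple keyboard and alphabetic sequences the page warns against.
SIMPLE_SEQUENCES = {"qwerty", "letmein", "abcdef", "123456", "asdfgh"}

# Undo the usual "l -> 1" style substitutions so that a slightly modified
# dictionary word is still recognised as a dictionary word.
LEET_MAP = str.maketrans({"1": "l", "0": "o", "3": "e", "4": "a",
                          "5": "s", "$": "s", "@": "a", "7": "t"})


def initials(phrase: str) -> str:
    """Initial letters of each word: the mnemonic technique from the page.
    'My dog ate seven socks last Tuesday' -> 'MdasslT'; the user then inserts
    a digit and punctuation somewhere in that string by hand."""
    return "".join(w[0] for w in phrase.split() if w[0].isalpha())


def _core(pw: str) -> str:
    """Lower-case the password, drop digits/punctuation glued to either end,
    then reverse common letter-for-digit substitutions."""
    stripped = pw.lower().strip(string.digits + string.punctuation)
    return stripped.translate(LEET_MAP)


def check_password(pw: str, username: str = "",
                   dictionary=SAMPLE_DICTIONARY) -> list:
    """Return a list of rule violations; an empty list means the password
    meets the page's minimum advice."""
    problems = []

    if len(pw) < 8:
        problems.append("shorter than 8 characters")

    classes = [
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ]
    if sum(classes) < 3:
        problems.append("uses fewer than three of: upper case, lower case, "
                        "digits, punctuation")

    core = _core(pw)
    # Plain, modified ('passw0rd1') and reversed ('drowssap') dictionary words.
    if core in dictionary or core[::-1] in dictionary:
        problems.append("is a dictionary word (possibly modified or reversed)")
    if core in SIMPLE_SEQUENCES or core[::-1] in SIMPLE_SEQUENCES:
        problems.append("is a simple keyboard sequence")
    if username and username.lower() in pw.lower():
        problems.append("contains the username")

    return problems


if __name__ == "__main__":
    mnemonic = initials("My dog ate seven socks last Tuesday")
    candidate = mnemonic[:4] + "7!" + mnemonic[4:]   # 'Mdas7!slT'
    for pw in ["password1", "Passw0rd!", "Qwerty123", "Rpfuller9$", candidate]:
        print(f"{pw!r:14} -> {check_password(pw, 'rpfuller') or 'OK'}")
```

Note that `Passw0rd!` satisfies the length and three-classes rule yet is still rejected, because the check normalises the substitutions before the dictionary lookup; that is exactly why the page's "slightly modified dictionary word" rule sits alongside the character-class rule rather than being replaced by it.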
- Make every effort never to share your password with anyone. If it's written down, make sure it's not for public consumption on the bathroom wall. Don't save your password on a public computer, or a computer whose administrator you do not trust. Do not tell anyone, including ODP metas, administrators, and staff, your password, even if they request it. (Please notify the ODP administrative team if anyone does request your password, however convincing their need sounds.)
- Use a different password for each of dmoz.org, ODP::Passport, Resource Zone, and your shell account on research.dmoz.org. Never supply any of these passwords to a third party or editor-produced tool, however attractive the features of the tool are. (Please notify the ODP administrative team of any third party/editor-produced tool that requests these passwords.)
- Any passwords that you use for ODP systems should be different from those for all other systems. If you want to use the same password for the dozens of news sites that make you register to read the headlines, please go right ahead, but don't use the same password for the ODP, as we do have data that should not be shared, and if it gets leaked under your user account, it's your responsibility.
- Never re-use an old password, ever. Never use a password given as an example of a good password. (Nor one given as an example of a bad password. :-P) Never use an online password generator or pick a password from a list online.