This is not a guide to choosing the best password in the world and protecting it like it's your PIN or your life. We realise that if you had to pick unique, extra-long, extra-strong passwords for all the systems you use, change them very regularly, and never write them down... you'd go insane. But that's no excuse for using the name of your dog, 'password', or a string of expletives with a 1 on the end.
If anything in this document is unclear, or it takes you more than a few minutes to read it, digest it, and come up with a good new password, let rpfuller know, as it obviously needs to be made simpler.
What you Should Not be Doing
Most people are aware of the most obvious choices of password (if you are using the names of any of your family, please change your password now!)
However, because of the availability of automated password-cracking programs, you should also avoid the following:
Any word which appears in a dictionary (including highly technical words from your own discipline).
Common first names, your surname, names of pets and literary characters, dates of birth.
Your editor name or car registration number.
Passwords of fewer than seven characters (shorter passwords are easier to crack).
Any dictionary word slightly modified (e.g. by adding a number to the end, or changing l to 1).
Simple sequences such as QWERTY or LETMEIN, the name of your department or group, or an obvious name spelt backwards.
What you Should be Doing
A recommended technique for choosing passwords which are hard to crack but possible to remember is:
Choose a short sentence or phrase which makes sense to you (but is not a common saying or proverb), take its initial letters, and insert a number or a punctuation mark (preferably both) somewhere in the string. Mixing upper and lower case makes the password harder to crack still.
Important
If you have an 8 character password which contains at least three of the four character types (upper case, lower case, numbers and punctuation) and which doesn't look like a word or your username, you're probably doing well enough. Aim for that.
However long a password you enter, only the first 8 characters count, so make those 8 the secure ones: put the mixed case, numbers and punctuation within the first 8 characters, not after them. research#$543FJ,eruU"$%! is exactly as easy to crack as research, because the system never looks past the first 8 characters. Yes, that's not very good, but that's the way it is at the moment.
Putting a number on the end of a rubbish password doesn't make it a good password. Nor does a single punctuation mark. It's not big and it's not clever. It's extra-especially unclever if the rubbish password is already 8 characters or more, because the number or punctuation you added then falls outside the 8 characters that count (see the previous point).
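As an added worked example (this is not part of the original guide and is not an ODP tool), here is the checklist above turned into a small Python checker: it looks only at the first 8 characters, demands three of the four character types, undoes the "slight modifications" (trailing number or punctuation mark, l changed to 1, a word spelt backwards) before comparing against a word list, and rejects anything containing the username. The word list is a constructed stand-in for a real dictionary, the sample passwords and the sample phrase are made up for the demonstration, and the function names are assumptions of this example, not anything in the ODP systems.

```python
import string

# Constructed stand-in for a real dictionary plus the obvious sequences the
# guide names; a real checker would load something like /usr/share/dict/words.
WORDLIST = ["password", "research", "qwerty", "letmein", "secret",
            "tiddles", "editor", "dmoz", "welcome"]

# Only this many leading characters count on the system described above.
SIGNIFICANT = 8

# Single-character substitutions to undo ("changing l to 1" and friends).
LEET = str.maketrans({"1": "l", "0": "o", "3": "e", "4": "a", "5": "s",
                      "@": "a", "$": "s"})


def character_classes(s):
    """Return which of upper / lower / digit / punct appear in s."""
    classes = set()
    for ch in s:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("punct")
    return classes


def trivial_variants(s):
    """Forms of s with the guide's 'slight modifications' undone: case folded,
    trailing digits/punctuation stripped, l->1 style substitutions reversed,
    and each of those spelt backwards (for names entered in reverse)."""
    base = s.lower()
    stripped = base.rstrip(string.digits + string.punctuation)
    forms = {base, stripped, base.translate(LEET), stripped.translate(LEET)}
    forms |= {f[::-1] for f in list(forms)}
    return {f for f in forms if f}


def check_password(candidate, username, wordlist=WORDLIST, significant=SIGNIFICANT):
    """Apply the guide's rules and return the list of violations (empty means
    the candidate passes). Only the first `significant` characters are examined,
    because that is all the system looks at."""
    problems = []
    effective = candidate[:significant]
    if len(candidate) < significant:
        problems.append("shorter than %d characters" % significant)
    if len(character_classes(effective)) < 3:
        problems.append("fewer than three character classes in the first %d characters"
                        % significant)
    words = {w.lower() for w in wordlist}
    hits = trivial_variants(effective) & words
    if hits:
        problems.append("first %d characters are a dictionary word or a trivial tweak of one: %s"
                        % (significant, ", ".join(sorted(hits))))
    uname = username.lower()
    if uname and (uname in effective.lower() or uname[::-1] in effective.lower()):
        problems.append("contains the username (or the username reversed)")
    return problems


def initials_from_phrase(phrase):
    """The 'initial letters of a sentence' technique: first character of each
    word, keeping the phrase's own digits and punctuation where they occur.
    Case comes from how the phrase is written, so capitalise some words."""
    out = []
    for tok in phrase.split():
        out.append(tok[0])
        out.extend(ch for ch in tok[1:] if not ch.isalnum())
    return "".join(out)


if __name__ == "__main__":
    # Constructed examples, including the guide's own research#$... case.
    samples = ['research#$543FJ,eruU"$%!', "password1", "P4ssw0rd!",
               initials_from_phrase("My cat Tiddles ate 3 mice last June!")]
    for pw in samples:
        print(repr(pw), "->", check_password(pw, "rpfuller") or "ok")
```

Running it shows the guide's research#$543FJ,eruU"$%! rejected for exactly the same two reasons as plain research (one character class, dictionary word), P4ssw0rd! caught once the 4 and 0 are mapped back, and the phrase-derived McTa3mlJ! passing because its mixed case and digit all fall inside the first 8 characters. The checker is deliberately over-inclusive: a false rejection costs a few seconds of thinking up another phrase, a false acceptance costs an account.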
Make every effort never to share your password with anyone. If it's written down, make sure it's not for public consumption on the bathroom wall. Don't save your password on a public computer, or a computer whose administrator you do not trust. Do not tell anyone, including ODP metas, administrators, and staff, your password, even if they request it. (Please notify the ODP administrative team if anyone does request your password, however convincing their need sounds.)
If someone can access your e-mail account they can get your ODP password. Make sure you give at least the same level of security consideration to your e-mail password, or there's really no point.
Use a different password for each of dmoz.org, ODP::Passport, Resource Zone, and your shell account on research.dmoz.org. Never supply any of these passwords to a third party or editor-produced tool, however attractive the features of the tool are. (Please notify the ODP administrative team of any third party/editor-produced tool that requests these passwords.)
Any passwords that you use for ODP systems should be different from those you use on all other systems. If you want to use the same password for the dozens of news sites that make you register to read the headlines, please go right ahead, but don't use the same password for the ODP: we do have data that should not be shared, and if it gets leaked under your user account, it's your responsibility.
Never re-use an old password, ever. Never use a password given as an example of a good password. (Nor one given as an example of a bad password. :-P) Never use an online password generator or pick a password from a list online.
More Information
If you want a lot more advice and a lot more detail, you can't go far wrong with the relevant DDP article. Last update: 2004-11-04