Password Usage Guidelines


Password protection has been used for several years to control access to mainframe computer systems. More recently, passwords have also been implemented in the Personal Computer and Local Area Network (LAN) environments.

What is a password? Your computer password is your personal key to a computer system. Passwords help to ensure that only authorized individuals access computer systems. Passwords also help to determine accountability for all transactions and other changes made to system resources, including data. If you share your password with a colleague or friend, you may be giving an unauthorized individual access to the system. What if the individual gives your password to someone else? What if some of your files are deleted or otherwise rendered unusable? Are you willing to take the blame if an unauthorized individual uses your access privileges to damage the information on the system or to make unauthorized changes to data?

Authentication of individuals as valid users, via the input of a valid password, is required to access any shared automated information system. Each user is accountable for the selection, confidentiality and changing of the passwords required for authentication purposes. Since you are responsible for picking your own password, it is important to be able to tell the difference between a good password and a bad one. Bad passwords jeopardize the information that they are supposed to protect. Good ones do not.

Note: Do not use any of the password examples shown in this document.

Following are some simple rules you should keep in mind about passwords.

  • Passwords should be kept confidential and should never be shared.
  • Passwords should not be written down.
  • Never use the same password twice. In fact, good access control systems prevent you from choosing a new password that is similar to your old one. When you are selecting a new password, choose one that is quite different from your previous password.
  • Passwords should be changed frequently. The shorter the life of a password, the better it is. Some systems force users to change their password at predetermined intervals.
  • Passwords should be at least four characters in length. If the system allows a password longer than four characters, then it is recommended that you use a minimum of six characters. Longer passwords are harder for others to guess.
  • Passwords should contain a combination of alphabetic, numeric and special characters.
  • Avoid using any dictionary words.
  • Passwords should not be trivial, predictable or obvious.

    • Obvious passwords include names of persons, pets, relatives, cities, streets, your LogonID, your birth date, car license plate, and so on.
    • Predictable passwords include days of the week, months, or a new password that has only one or two characters different from the previous one.
    • Trivial passwords include common words like 'secret', 'password', 'sex', 'computer', etc.


  • Your password should not be the same as your User/LogonID, an anagram of your User/LogonID or a palindrome of your User/LogonID. If you have access to a number of systems that require the entry of a password, such as a mainframe computer and a Local Area Network (LAN), try not to use the same password for both systems.
  • A good password is relatively easy to remember but hard for somebody else to guess. There are a variety of techniques you can use to choose secure passwords.

    Following are examples of some of these techniques.

    1. Use a word with one or two digits embedded in it.

      HOU32SE, MON42DAY, TAB87LE2

    2. Make up an acronym based on a nursery rhyme, a favourite song or movie, or a sentence.

      MHALL - Mary Had A Little Lamb
      MDHF# - My Dog Has Fleas#
      OTGDY - Only The Good Die Young (Billy Joel)
      TERM2 - Terminator 2

    3. Use a three-character pronounceable word with a one- or two-digit prefix or suffix.

      DAM56, WAR34, 56DIG

    4. Make up nonsense words that mean something to you by combining the first syllables of two words. However, avoid using standard abbreviations like "jan, feb, mar, etc." as part of your password.

      PUBPOL - Published Policy

    5. Drop vowels, or drop everything but the first 6 letters of a long word or two words.

      CLNDSK1 - clean desk
      DEDICA5 - dedication
      HOMEWO# - home work

    6. Use special characters like #, $, and @. These, too, can be inserted anywhere.

      UNI$VER - university

    7. Misspell a word, drop a couple of letters or add some.

      MISTIFI@ - mystify
      CELLEB - celebrate
      RNYDY$ - rainy day

    8. Be creative! Try to choose a pattern that has meaning for you but that no one else can guess. For example, you might use upcoming events in your life. If you or one of your children has a major essay to write next month, you might create a password reflecting that event.

      MAJESS - Major essay

      Or if your 4th cousin, twice removed, is coming for a visit you might create a password such as the following one.

    9. Another pattern could be to choose meaningful words with a minimum of 10 letters and always use only the first 6 letters. Then add a special character as one of the characters.

      Note: Some systems have restrictions as to which special characters can be used as part of a password. For example, ACF2 will only allow #, @, and $ as part of the password.

      ANNIVE$ - anniversary
      UNBEND# - unbendable
      @UNBEND - unbendable
      UN#BEND - unbendable

  • The best password is one which is a random combination of numeric and alphabetic characters.
  • On systems which allow both upper case and lower case letters, use a combination of upper and lower case characters for your password.
  • Finally, please remember that there is no need to share IDs and passwords. Anyone who needs and qualifies for access to a computer system should submit a request for his or her own LogonID and password.
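The rules above can be turned into a simple checker that reports which guideline a candidate password breaks. This is an added example, not code from the original guidelines; the word lists, the sample LogonID and the six-character threshold it applies are taken from or constructed for this page, and `allowed_specials` models the ACF2 restriction mentioned above.

```python
import re
from collections import Counter

# Constructed word lists for illustration; a real checker would load a full
# dictionary file and the system's own list of reserved words.
DICTIONARY_WORDS = {"house", "table", "secret", "password", "sex", "computer"}
PREDICTABLE = {"monday", "tuesday", "wednesday", "thursday", "friday",
               "saturday", "sunday", "january", "february", "march", "april",
               "may", "june", "july", "august", "september", "october",
               "november", "december"}

def char_differences(a, b):
    """Positions that differ, plus any difference in length."""
    return sum(x != y for x, y in zip(a, b)) + abs(len(a) - len(b))

def check_password(password, logon_id, previous=None, allowed_specials="#@$"):
    """Return the list of guideline violations; an empty list means it passes.
    Thresholds follow the guidelines above (6 characters, letters plus digits
    plus specials, no dictionary/day/month word, not the LogonID, its reverse
    or an anagram of it, more than two characters away from the previous one).
    allowed_specials models a system such as ACF2 that only accepts #, @ and $.
    """
    problems = []
    p, uid = password.lower(), logon_id.lower()
    if len(password) < 6:
        problems.append("shorter than the recommended 6 characters")
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(not c.isalnum() for c in password)
    if not (has_alpha and has_digit and has_special):
        problems.append("needs alphabetic, numeric and special characters")
    for c in password:
        if not c.isalnum() and c not in allowed_specials:
            problems.append(f"special character {c!r} not permitted on this system")
            break
    # Strip digits/specials so that 'password1#' is still caught as a word.
    core = re.sub(r"[^a-z]", "", p)
    if core in DICTIONARY_WORDS or core in PREDICTABLE:
        problems.append("based on a dictionary, day or month word")
    if p == uid or p == uid[::-1] or Counter(p) == Counter(uid):
        problems.append("same as, reversed, or an anagram of the LogonID")
    if previous is not None and char_differences(p, previous.lower()) <= 2:
        problems.append("differs from the previous password by only one or two characters")
    return problems

if __name__ == "__main__":
    # Constructed candidates checked against the constructed LogonID "jsmith".
    for pw in ("password", "Clnd#sk1", "Ann1ve$"):
        print(pw, "->", check_password(pw, "jsmith", previous="Clnd#sk2") or "OK")
```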


©2008 - University of Toronto Computing and Networking Services, All Rights Reserved.