Choosing a Secure Password

It is important to choose a strong password that cannot be easily guessed for accessing your online accounts. There are "black hats" everywhere who, on compromised accounts, run sophisticated password-guessing software that is very effective at guessing weak passwords. Here are some guidelines that will help you choose a strong password, helping to keep your account secure.

Password Rules

1. Password Length: The minimum password length on our systems is 9 characters. More is better - each additional character makes the password exponentially more difficult to guess by brute force. We recommend a password that is 12-14 characters in length, but require at least 9.

2. Password Complexity: Your password should contain elements from at least three of the following four groups of characters:

  1. Upper Case Alphabetic
  2. Lower Case Alphabetic
  3. Numbers
  4. Special Characters

We require that you use at least three types, but using all four would be even better.

So to meet our requirements, your password needs to be at least 9 characters long, and must include at least 3 of the 4 elements above, but 12-14 characters and including all 4 elements would be even better.

Guidelines for Creating Strong Passwords

The following guidelines will help you create a strong password that has little chance of being compromised.

  1. Use the 9 character, 3 element rules. You need to apply these rules in order for any password to be strong.
  2. Do not create a password with repeated characters such as "Dyno1111". Make sure each character is different from the one before and after it.
  3. Do not use part of your username, email address, real name, address, phone number, or any other personally identifiable information as part of your password. Someone trying to guess your password who knows anything about you (perhaps from your Facebook page or some other online source) will use that information to try to guess your password.
  4. Do not use the name of friends, family members, or pets as part of your password, for the same reason as above.
  5. Do not use Dictionary words, or Dictionary words with numbers/sequences of numbers in the front or back. Hackers almost always use "dictionary attacks" to guess passwords, where they try every word in a dictionary.
  6. Do not use foreign dictionary words or proper names. Hackers use many different word lists to try to guess passwords.
  7. Do not use sequences of words/numbers, or keys on the keyboard. asdfg123, ABC987gfe would be examples of sequences that would be easily guessed.
  8. Do not use real words substituting numbers for vowels. V3rt1g0 is an example of this. Most hacking software tries these types of substitutions.
  9. Do not use any of the above in reverse.
  10. Do not use any of the above with a number at the beginning or end.
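
The Password Rules and the guidelines above can be checked mechanically. The following is an added example, not code from this page or from our systems: the word list, the substitution table, the keyboard rows and the three-character sequence threshold are assumptions chosen for illustration.

```python
import string

MIN_LENGTH, MIN_GROUPS = 9, 3   # the page's required minimums
# Constructed sample list; a real check would load full word lists.
SAMPLE_WORDS = {"vertigo", "password", "dragon"}
# Assumed digit/symbol-for-letter substitutions (not exhaustive).
LEET = str.maketrans("013457@$", "oieastas")
# Assumed sequence sources: alphabet, digits, keyboard rows.
RUNS = ["abcdefghijklmnopqrstuvwxyz", "0123456789",
        "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def group_count(pw):
    """Count how many of the four character groups appear in pw."""
    return sum([any(c.isupper() for c in pw), any(c.islower() for c in pw),
                any(c.isdigit() for c in pw),
                any(c in string.punctuation for c in pw)])


def has_sequence(pw, n=3):
    """True if pw holds n consecutive characters of a run, in either direction.

    n=3 is an assumed threshold taken from the page's examples (ABC, 987, gfe).
    """
    low = pw.lower()
    return any(seq[i:i + n] in low
               for run in RUNS for seq in (run, run[::-1])
               for i in range(len(seq) - n + 1))


def check_password(pw, personal=()):
    """Return the list of violated rules; an empty list means pw passes."""
    low, problems = pw.lower(), []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if group_count(pw) < MIN_GROUPS:
        problems.append("too few character groups")
    if any(a == b for a, b in zip(pw, pw[1:])):
        problems.append("repeated character")
    if has_sequence(pw):
        problems.append("sequence")
    if any(p.lower() in low for p in personal if len(p) >= 3):
        problems.append("personal information")
    # Undo substitutions on the whole password and on the password with
    # digits dropped from either end; test each forwards and reversed.
    for cand in (low.translate(LEET), low.strip(string.digits).translate(LEET)):
        if cand in SAMPLE_WORDS or cand[::-1] in SAMPLE_WORDS:
            problems.append("dictionary word")
            break
    return problems
```

The three-character sequence test is deliberately strict and will also flag ordinary letter runs such as "stu", so treat a "sequence" result as a prompt to look again rather than as proof of a weak password.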

Guidelines for managing passwords

Here are a few common sense guidelines to help you remember your passwords and keep your online accounts secure.

  1. MOST IMPORTANT: Use a unique password for every site. If you use the same password for your bank account as your email and someone guesses your email password they then have access to your bank account as well. Having a different password for every site helps contain the effects of a compromised password.
  2. Change your passwords for all your accounts periodically. Even if you follow all the guidelines above and create strong passwords it's best to change them occasionally. Every change of the seasons, or twice/year is fine. If you don't want to change all your passwords that frequently, at least change them for the more sensitive accounts such as your bank/credit card logins, health insurance portal, etc.
  3. Do not reuse/recycle passwords. When you do your periodic password changes, do not cycle them around, i.e. do not use your old credit card password as your new bank account password.
  4. Do not share your passwords. Keep them to yourself. If you need someone to access one of your accounts for you, change the password after they're done. This is another reason to have a unique password for every account.
  5. Do not write down your passwords. Pieces of paper can be lost or stolen. Writing down your passwords seriously compromises their security. Someone with access to your piece of paper could copy them without your knowing.
  6. Do not type your password while somebody is standing next to you or looking over your shoulder. It's easy for someone to "eavesdrop" on you while you're typing your password, and that's just as good as writing it down for the person. Similarly, when you're at a store or an ATM machine, cover the hand that's typing in your PIN with your other hand so that it's hard to see what you're entering.
  7. Do not ever send a password (or any other sensitive information) in email. Think of email as writing something down on a postcard and then dropping it in the mail - anyone who sees it can read it. While we work hard to keep our systems secure, email travels through several sites on its way to its destination, and nobody can ensure the security of all those sites. There is email encryption software available if you do need to send sensitive information that way, but unencrypted email is not secure.
  8. If you want to use the "remember password" feature of your web browser, make sure you set the master password first, using the guidelines above. If you do not set a master password then remembering your passwords is the same as having no password for your online accounts if anyone ever has access to your computer.
  9. Change your password IMMEDIATELY if you think your account may be compromised. If you cannot log in then contact your service provider to change your password or disable your account. When we have an indication that one of our users' accounts is compromised we disable the password immediately and require you to run a virus scan on all computers that have been used to access your account before we reenable the account with a new password.
  10. Consider using a password manager. There are password managers available for Windows, Mac OS, Linux, and mobile devices that will allow you to generate/store/retrieve the passwords for all your accounts using a master password. As long as your master password is secure all your other passwords are protected. Most password managers allow synchronizing your password database on multiple devices.

How to choose a password that is strong, but easy to remember

We've listed a lot of rules for choosing a strong password, and it may seem that it's impossible to choose one that you can remember. If you're not using a password manager, it's very difficult to keep track of random strings of characters. An easy way to choose a password that is strong but that you can remember is to start with a phrase, and use the first letter of each word in the phrase. For example, take the phrase "Diligence is the mother of good luck." Using the first letter of each word, you have "Ditmogl". That's a good start, but it's not long enough and only contains 2 of the 3 elements we want. Let's add some numbers, and change the letter that's capitalized: "di7moG93l". That's something you can remember, but would be very difficult to guess.