Cornell University

Technology Services

146 Ives Hall, 607-255-5484

Password Complexity on Home Computers

The weakest link in computer security efforts is generally your password. Although we spend lots of time protecting computers and servers against hackers, one of the biggest security holes is easily-guessed passwords. A basic password cracking program can deduce a dictionary or name-based password in seconds.

Many people do not feel that their password is important because they do not feel that their data is important or of value to anyone else. There is more at stake than just your personally owned data. Once someone has access to your password, they can gain access to all of your personal documents and email stored on your computer. They could install software on your system and use it and your bandwidth to illegally distribute protected/copyrighted materials. They could gain access to all shared files on network servers where information is stored that is protected by Federal privacy laws and by Cornell privacy policies. The responsibility for security of data begins at the source, which could be you, and extends all the way to deans and the President of the university.

To protect you and the University from unauthorized access to institutional resources and data, ILRTS recommends you follow the same password complexity policy we've created for ILR-owned computers on your home computers.

Your computer account password should meet the following requirements:

  • is at least 7 characters
  • contains at least three of the following four character groups:
    • English uppercase characters (A through Z);
    • English lowercase characters (a through z);
    • Numerals (0 through 9);
    • Non-alphabetic characters (such as !, $, #, %, a space)
  • is not your login id, first or last name
  • is not a common English dictionary word spelled forwards or backwards. The dictionary contains over 1.4 million words and includes words peculiar to ILR. The example passwords listed below are also in the dictionary and can not be used.
  • is not a dictionary word followed by and/or preceded by 1 or 2 characters
  • is not a dictionary word with the following letter substitutions: $=s, 4=h, 2=a, 3=e, 0=o, 1=l, 1=i

Below are some examples of both valid and invalid passwords:

snow Invalid because it is a dictionary word, does not contain at least seven characters and contains only lower case letters.
Snow1234 Invalid because it contains a single dictionary word followed by a series of characters.
Snow 1234 Valid, since introducing a space lets you use the dictionary word. However, this is not a particularly strong password.
snowisfun Invalid because it only contains lower case letters.
ILikeSnow Invalid because it only contains 2 of the 4 character classes, lowercase and uppercase characters.
ILikeSn0w Valid, since it contains 3 of the 4 character classes: lowercase characters, uppercase characters, and a number (the o has been replaced with a zero). This password is good because of its length, but is not especially strong because of the use of some dictionary words.
I Like snow! Valid, since it contains uppercase, lowercase, numeric, and a special character. Passwords can contain spaces. Length good, strength is okay.
Lis12"om (short for "Let it snow twelve inches or more") Valid, since it contains uppercase, lowercase, numeric, and a special character. This is a strong password and would be difficult to crack.
snwstrm(2004) ("snowstorm(2004)") with vowels removed) A strong, valid password since it contains lowercase, numeric, and special characters and no dictionary words.