octo

Office of the Chief Technology Officer
 

DC Agency Top Menu

-A +A
Bookmark and Share

Password Best Practices and Recommendations

Choosing a strong password will help keep your online life and DC Government information safe from those who should not have access to it.

How long should my password be?

There does not seem to be consensus on an appropriate minimum password length, but it’s a good approach to make your passwords at least 12-14 characters long. In general, the longer the password, the better your odds are against a brute force attack.

A brute force attack is an attack method often used by hackers where they do exactly what the name describes; they try and guess your password as many types as the system will allow. Often, hackers will use automation to do this quickly and efficiently. The longer your password, the longer this method will take and the greater likelihood that they will be locked out by the system.

A great way to get a long password that’s easy to remember is to use passphrases. At one time, the recommendation was to use complex passwords with random characters and numbers, but those can be hard to remember, confusing, and difficult to type. Passphrases are a series of random words or a sentence that are much easier to remember and type, but still hard for cyber attackers to hack.

Try picking a line from your favorite book, movie, or song.

Examples:

  • Billy Pilgrim has come unstuck in time
  • Three tricky turtles tango terribly
  • Dancing-in-the-moonlight

*NOTE: these are examples only. You should not use this as passwords since they are on a public webpage*

What about special characters and numbers?

Special characters and numbers definitely add complexity and make it more challenging for hackers. Try swapping out letters for a number or special character. For example:

Three tricky turtles tango terribly

could become

Thr33 Tricky Turtl35 [email protected] T3rribly

But remember, the longer the password the better.

Can they really hack into my accounts that quickly?

To give you some context, let’s look at the password ‘123456789’. Since this password contains a sequence, it would be one of the first combinations a hacker would try. It’s estimated that it would take a human about 15 minutes to crack this password.

If we factor in the automation we talked about above, it’s estimated that a supercomputer could hack this password in 0.0085 seconds! If we take a slightly longer and randomized set of characters, such as ‘whithgildnqz’, our odds get exponentially better. It would likely take a hacker over a year to crack this more complex password.

That’s great that I can use passphrases, but I still have all these passwords! How am I supposed to remember them all?

Password managers can be a great resource. With a password manager, you just need to remember the one master password (so it’s important that it’s your best password). They can also help generate strong, long, random passwords automatically.

Many of the tools out there will give you the ability to store other sensitive information such as credit card numbers, membership cards or private notes. There are lots of products on the market, all with their pros and cons, but some examples are LastPass, Dashlane and 1Password. A quick google search will give you more information on which on may be the best fit for you.

Anything else I should consider?

  • Never use your DC Government credentials for outside accounts like your bank, online shopping, or personal social media.
  • Do not reuse passwords across systems. Each account should have a unique password. This is when a password manager really comes in handy.
  • Avoid passwords with patterns such as 12345, QWERTY or ABCDE. These are often the first combinations that a hacker will guess.
  • Avoid using personal information in your passwords such as your name, address, birthday. It’s also important to avoid using information about you that’s publicly available, such as your favorite sports team that you’ve posted to Instagram countless times.
  • Never share your passwords with anyone. Remember, passwords are supposed to be a secret and are the key to all your accounts and information. If you do need to share a password to a critical account, such as sharing the password to your bank account with a family member in case of an emergency, consider using a password manager to do so. This will give you the ability to determine the level of access (e.g. read/write) and revoke access if necessary.
  • Consider occasionally checking sites such as “Have I Been Pwned” which tracks whether an account and the associated password have been involved in a data breach.
  • Always remember to review your company/organizations guidance and password policies to be sure you are following their requirements. The suggestions highlighted above are meant to serve as general guidance.
  • If you’d like more information on password security, the Global Cyber Alliance (GCA) Cybersecurity Toolkit has helpful content on strong passwords and the various tools available.