All user accounts must have passwords, since the password is a means to authenticate the identity of the person using an account as the authorized user and to prevent misuse by unauthorized users.
Shared accounts are not allowed. Furthermore, the authorized user will be held responsible for misuse of the account if the password is shared.
Passwords based on easily obtained personal information (which is just about anything these days, such as account name, actual first or last name, initials of the name, system name, etc.) are extremely easy to guess and should never be used. Hackers are also on to all the usual tricks, such as spelling a name backwards or simple substitution of characters. Certain easily guessed words are also commonly used as (poor) passwords (such as "guest", "password", "secret", etc.) and should never be used as passwords.
Hackers (and System Administrators) have easy access to very powerful password-cracking tools incorporating extensive word and name dictionaries. Passwords should never be dictionary words or names. Non-English words alone do not make good passwords. The cracking tools will also check for simple tricks like words spelled backwards or simple substitution of certain characters (e.g. "mouse" becomes "m0us3"). Pass phrases of several words are often okay, as long as the combination is not too obviously guessable -- e.g. don't use "secret password" as a pass phrase.
More secure passwords are those which are based on pass phrases and/or non-dictionary words (including "nonsense" words), combined with obscure character substitutions. These can be extremely difficult to either guess or crack. You may consider using machine-generated passwords like the pronounceable passwords generated by apg.
Using the maximum number of characters greatly increases the complexity of guessing or cracking passwords. Beware that only the first eight characters of a password are "significant" on most UNIX systems, although the system allows you to type longer ones.
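The checks described above (dictionary words, backwards spelling, simple substitutions, personal information, and the eight significant characters) can be run against a candidate password before it is set. The following Python is an added example, not part of the original policy or of any tool it names; the word list, account details, function names and the "shorter than eight characters" rule are assumptions made for illustration.

```python
import re

# Constructed sample word list (assumption); a real check loads a full dictionary.
WORDS = {"guest", "password", "secret", "mouse"}
# Simple character substitutions that cracking tools undo ("m0us3" -> "mouse").
LEET = str.maketrans("01345@$", "oleasas")
SIGNIFICANT = 8  # per the policy: only the first eight characters count on most UNIX systems


def guess_forms(password):
    """Return the variants a guessing tool would try for one password."""
    lowered = password.lower()
    # Drop digits/punctuation stuck on either end ("mouse1", "99jsmith").
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    forms = {lowered, stripped}
    forms |= {f.translate(LEET) for f in forms}   # undo substitutions
    forms |= {f[::-1] for f in forms}             # spelled backwards
    return {f for f in forms if f}


def weaknesses(password, personal=()):
    """List the policy rules a password breaks; an empty list means none found."""
    # Check the full password and the prefix the system actually compares.
    forms = guess_forms(password) | guess_forms(password[:SIGNIFICANT])
    reasons = []
    if forms & WORDS:
        reasons.append("dictionary word or simple variation")
    # Personal items shorter than 3 characters (initials) are skipped to avoid noise.
    items = [p.lower() for p in personal if len(p) >= 3]
    if any(p in f for p in items for f in forms):
        reasons.append("based on personal information")
    # Assumption: anything below the eight significant characters is too short.
    if len(password) < SIGNIFICANT:
        reasons.append("shorter than eight characters")
    return reasons


if __name__ == "__main__":
    me = ["jsmith", "John", "Smith"]  # constructed account details
    for pw in ["m0us3", "password-Xk29qLm", "htimsj99", "vorbl-Quexit-tam"]:
        print(f"{pw!r}: {weaknesses(pw, me) or 'no rule broken'}")
```

Note that "password-Xk29qLm" is rejected even though it is sixteen characters long, because the eight characters the system actually compares are a dictionary word.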
A regular password change is a good idea, since it prevents misuse of your account without your knowledge if your password was somehow accidentally (or deliberately) disclosed.
Using a single password is the equivalent of using a single key for your car, house, mail box, and safety deposit box -- if you lose the key, you give away access to everything. If your password is compromised on one system, using different passwords on different systems will help prevent intruders from gaining access to your accounts and data on other systems.
Each password needs to follow the rules for "goodness" and must not be trivially derivable from another if one password is known. While using multiple passwords increases the difficulty of managing passwords, it results in significant increases in security.
Until better technologies (or larger human brains) develop, it's understandable that users will want and need to record their passwords. This is acceptable if password lists are stored in a safe place, such as a slip of paper tucked in the wallet, a floppy disk kept in a locked personal cabinet, or a strongly encrypted file with a good encryption key. In any case, great care must be taken to safeguard the list when it is used and to be sure to return it to safe storage immediately after use.
Don't leave your password on a post-it on your desk or written down where someone could find it. If you absolutely must write down your passwords, keep them in a secure, locked place, and don't write the actual system name with them.
Also, don't leave your passwords where others can find them electronically. Never send them in email, post them to news, leave them online in a file (even in a protected directory), embed them in a script, etc. In most cases handheld devices do not provide adequate security for storing passwords.
Don't think that you are not important enough to be a target. Often hackers are looking for a jumping off point to launch an attack on another system. It will appear that the attack is coming from you!
Periodically the System Administrators will attempt to crack passwords. If your password is found to be insecure you will be required to change it or your account will be locked.