What are the guidelines for creation of secure passwords?

On Unix systems, PAM (Pluggable Authentication Modules) is a nice administrative tool that comes with a crack library that you can test passwords against.

After doing some recent security work, I know that Government standards usually have these guidelines when it comes to a password:

  • Minimum Length of 14 characters
  • At least 2 special characters
  • At least 2 lower case characters
  • At least 2 upper case characters
  • At least 2 digits
  • Must be changed every 60 days
  • No dictionary words or usernames

Common sense suggests you shouldn't put the 2 numbers and special characters at the beginning or end, but interspersed. While working on these guidelines, it brought up the question of whether having such complex passwords was really worth it. With passwords so complex, it seems that they have a higher probability of being stored as plain text somewhere by the user or written down somewhere.

In personal use, I typically go less stringent than those guidelines, but definitely no dictionary words or L33t speak.
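As an added illustration (not code from the answer above), here is a small Python checker for the rules listed in that answer, including the "interspersed, not at the ends" hint; it uses a constructed five-word list in place of a real crack library, and `check_password` and `SAMPLE_DICTIONARY` are names chosen for this example.

```python
import string

# Constructed sample word list standing in for a real dictionary such as cracklib's.
SAMPLE_DICTIONARY = {"password", "welcome", "summer", "admin", "letmein"}


def check_password(candidate, username, dictionary=SAMPLE_DICTIONARY):
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    if len(candidate) < 14:
        problems.append("shorter than 14 characters")

    # Count each character class and require at least two of each.
    classes = {
        "lower case": sum(c.islower() for c in candidate),
        "upper case": sum(c.isupper() for c in candidate),
        "digit": sum(c.isdigit() for c in candidate),
        "special": sum(c in string.punctuation for c in candidate),
    }
    for name, count in classes.items():
        if count < 2:
            problems.append(f"fewer than 2 {name} characters")

    # Username and dictionary checks are case-insensitive substring matches.
    lowered = candidate.lower()
    if username and username.lower() in lowered:
        problems.append("contains the username")
    for word in sorted(dictionary):
        if word in lowered:
            problems.append(f"contains dictionary word '{word}'")

    # The common-sense hint: digits and specials should appear inside the
    # password, not only stacked at the beginning or end.
    inner = candidate.strip(string.punctuation + string.digits)
    has_non_alpha = any(not c.isalpha() for c in candidate)
    if has_non_alpha and all(c.isalpha() for c in inner):
        problems.append("digits and special characters only at the ends")

    return problems


if __name__ == "__main__":
    for pw in ("password123!!", "Tr4in!Moun7ain#Bx"):
        print(pw, "->", check_password(pw, "bob") or "OK")
```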


Bruce Schneier has a nice article on it, based on what a company has found to be common practice in people's choice of passwords.

EDIT: Oh, to generate passwords: you can use tools such as KeePass or Password Safe to auto-generate and store different good passwords for your logins. See this question for more information.


grc.com has a nice page where you can get strong passwords.