Information Technology Services Centre - Guidelines to Safeguard Your Password
  • Submit
  • Guidelines to Safeguard Your Password

    Safeguard Your Password

     DO  DON'T
    1. Use strong password.
    2. Change password frequently, e.g. 180 days.
    3. Change the default or initial password the first time you login.
    4. Log off when finished using terminals or PCs in public areas.
    5. Beware of shoulder surfing.
    1. Don’t use dictionary words and personal related information as login name or password.
    2. Don’t place your password conspicuously.
    3. Don’t tell your passwords to other people.
    4. Don’t store your password on any media unless it’s protected from unauthorized access.
    5. Don’t use the same password for everything 
      e.g. Don't use the password of any CUHK application for any personal account, or vice versa.
    6. Don’t reuse recently used password.
    7. Avoid using the “remember your password” feature.


    Guidelines for setting a Strong Password

    1. Password minimum length
      • Set your passwords with at least 8 characters composed of random letters, digits and special characters (e.g. #, $, % and spaces) and;
    2. Composition
      • A good rule of thumb is never use dictionary words and personal related information such as name, the NetID, birthday date, telephone number, HKID and user ID, etc.
    3. Reuse of passwords
      • Use different sets of passwords in different systems for examples mix upper and lower case letters; mix letters and numbers; include non-alphanumeric characters and;
    4. Password aging
      • You should change your password regularly such as in every 180 days.



    1. Examples of strong passwords:
      • A combination of several words that aren't themselves a word interspersed with special characters (e.g., !4scOrE&sDayNYeaRs_ag0)
      • A word with digits of a memorable date sprinkled inside it (e.g., vacation -> 0vac2a0t9io19ln99)
    2. Examples of weak passwords:
      • Use of repeated numbers, characters or sequences such as 12345678, bbbbbbbb, or 33333333
      • Use of words in dictionary such as the word "password"
      • Use of personal related information HKID such as "Y6754815"
    3. Examples of how to set up a strong password:
      • Use a memorable word – it can even be a dictionary word or name but move the hands up a row from the home row on the keyboard when typing it. This way, “GoFishing” would become “T9R8wy8ht”. This technique would be most usable by touch-typists.
      • Create a passphrase and use the first letter of each word. The phrase "Now is the time for all good persons ..."would yield the password "NittfaGp". Since our rules required still more complexity, I suggested putting a punctuation character in front – "!" for example, to make it "!Nittfagp".
      • Transform words using by substituting characters for letters - @ or ^ for "a", $ for "s", 3 for "e". The word "Geekspeak" might become "G33k$p3^k."
      • Do the unexpected with characters and numbers and put them at the beginning or middle of a password instead of the end. LC3 can vary 1-3 appended characters as part of a hybrid attack. LC4 added the ability to work with prepended characters but the cracking process is much, much slower.


    The purpose to set a strong password is to minimize the potential risk of unauthorized access to important data and use of computing resources. The table below can give you some idea of how long it takes to crack different passwords. From there, you can see that it takes 24.2 days to crack a 8-characters password in pure lower case letters and it takes 17 year to crack a 8-characters password in mixed characters. You can see the importance of setting a strong password:

      Total Number of Characters from Which Password is Selected 
    Number of Characters in Password  26 (lower case letters only - abc)  36 (lower case letters plus numbers - abc123)  52 (upper and lower case letters - AaBbCc) 
    5  1.98 minutes  10.1 minutes  1.06 hours
    6  51.5 minutes 3.74 hours  13.7 days 
    7 22.3 hours   9.07 days  3.91 months 
    8 24.2 days  10.7 months  17.0 years 
    9 1.72 years   32.2 years  8.82 centuries  
    10 44.8 years  1.16 millennia  45.8 millennia 
    11 11.6 centuries   41.7 millennia  2,384 millennia 
    12 30.3 millennia   1,503 millennia  123,946 millennia 


    Useful tools

    1. Password Checker
    2. Secure Password Generator
    3. Secure Password Generator (Firefox Add-ons)