
How to Create Strong Passwords

Why are strong passwords needed?

Good computer security includes the use of strong passwords for all your accounts.  Passwords can be the weakest link in a computer security scheme.  Strong passwords are important because password cracking tools continue to improve and the computers used to crack passwords are more powerful.  Network passwords that once took weeks to break can now be broken in hours.

Password cracking software uses one of three approaches:

  • Intelligent guessing
  • Dictionary attacks
  • Automation – tries every possible combination of characters.  Given enough time, the automated method can crack any password.  However, it still can take months to crack a strong password.

For a password to be strong and hard to break, it should:

  • Contain 6 or more characters
  • Contain characters from each of the following three groups:
    1. Letters (uppercase and lowercase): A, B, C,…; a, b, c,…
    2. Numerals: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9
    3. Symbols (all characters not defined as letters or numerals): ` ~ ! @ # $ % ^ & * ( ) _ + - = { } | [ ] \ : " ; ' < > ? , . /
  • Have at least one symbol character in the second through sixth positions.
  • Be significantly different from prior passwords.

Do NOT use:

  • Your username or any part thereof
  • Name(s) of yourself, family, friends, pets, or co-workers
  • Computer terms and names, commands, sites, companies, hardware, or software
  • Birthdays or other personal information such as addresses or phone numbers
  • A set of characters in alphabetic or numeric order (ex. abcdef), in a row on a keyboard (ex. qwerty), or a simple pattern (ex. 123123)
  • Words that can be found in a dictionary
  • Your UCLA ID number, a bank account PIN, credit card number, etc.
  • Any of the above spelled backwards
  • Any of the above preceded or followed by a digit (ex. qwerty1, 1qwerty)
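The composition rules and the "Do NOT use" list above, written as a checker. This is an added example, not part of the original page. The word list, the username `jbruin`, and the 4-character fragment length used for "any part thereof" and for ordered runs are assumptions made for the example.

```python
import string

ROWS = ["abcdefghijklmnopqrstuvwxyz", "0123456789",
        "qwertyuiop", "asdfghjkl", "zxcvbnm"]
SAMPLE_WORDS = {"password", "dragon", "bruin"}  # constructed stand-in word list
FRAG = 4  # assumed fragment length for "any part thereof" and ordered runs

def fragments(s, n=FRAG):
    """All substrings of s that are exactly n characters long."""
    return {s[i:i + n] for i in range(len(s) - n + 1)}

def has_ordered_run(s):
    """True if s contains a FRAG-long run from a row, forwards or backwards."""
    runs = set()
    for row in ROWS:
        runs |= fragments(row) | fragments(row[::-1])
    return bool(fragments(s) & runs)

def is_repeated_pattern(s):
    """True for strings built by repeating a shorter unit, e.g. 123123."""
    return len(s) > 1 and s in (s + s)[1:-1]

def check_password(pw, username):
    """Return the list of rules from the page that pw violates (empty = pass)."""
    problems = []
    low = pw.lower()
    core = low.strip(string.digits)  # undo leading/trailing digits (qwerty1, 1qwerty)
    if len(pw) < 6:
        problems.append("shorter than 6 characters")
    if not any(c.isalpha() for c in pw):
        problems.append("no letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no numeral")
    # Positions 2 through 6 are indexes 1..5; a symbol is any non-letter, non-numeral.
    if not any(not c.isalnum() for c in pw[1:6]):
        problems.append("no symbol in positions 2-6")
    if fragments(low) & fragments(username.lower()):
        problems.append("contains part of the username")
    if has_ordered_run(low):
        problems.append("alphabetic, numeric or keyboard-row run")
    if is_repeated_pattern(low):
        problems.append("simple repeated pattern")
    if core in SAMPLE_WORDS or core[::-1] in SAMPLE_WORDS:
        problems.append("dictionary word (possibly reversed or digit-padded)")
    return problems
```

In practice `SAMPLE_WORDS` would be replaced by a full dictionary plus the user's personal details (names, birthdays, ID numbers), which the page also lists as off limits.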

Try to change your password(s) every 6 months.

When typing in your password, make sure no one is watching you type. Ask anyone around you to kindly look away.


Windows – UCLA currently allows only operating systems that receive regular security patches and updates, as per UCLA Policy 401, which would exclude Windows XP.  The information below is given for reference only:

Windows 10 – More information pending

  • Ctrl-Alt-Del / click Change Password

Windows 7 passwords can be up to 14 characters long, with a minimum length of 7 characters on a Domain Controller.

  • Ctrl-Alt-Del / click Change Password
  • Click Start / type in “computer management” / from Local Users and Groups / Users / right-click the user name / click “Set Password”

Windows 8 passwords can be up to 16 characters long, while Windows 8.1 passwords can be up to 12 characters long.  However, the PIN can be only 4 digits long.

  • Swipe in from the right edge of the screen to bring up the Charms Bar (or move mouse cursor to upper right corner), tap Settings, and then tap Change PC settings.
  • Tap or click Accounts, and then tap or click Sign-in options.
  • Tap or click Change your password and follow the instructions

Windows 2000/XP passwords can be up to 127 characters long.  However, if you are using Windows 2000/XP on a network that also has computers using Windows 95 or Windows 98, consider using passwords no longer than 14 characters.

Windows 95 and Windows 98 support passwords of up to 14 characters.  If your password is longer, you may not be able to log on to your network from those computers.  To view all user accounts and set/change their passwords, do the following:

  • Click Start, click Run…, and type in “compmgmt.msc”
    Press enter/click OK
  • Browse to Local Users and Groups, then Users
  • On the right panel are all the user accounts on your computer.*
    To set the password on an account, right-click on it and select Set Password…
    Follow the prompts to change the password.

Non-Windows systems (Linux, Solaris, Mac, etc.) can have different maximum password lengths.  Speak to your computer/network administrator for the maximum number.  SEASnet network systems have a maximum of 8 characters; please use all 8 characters for higher security.

*For SEASnet-managed machines, do NOT change the administrator/root account’s password if you have administrative/root privileges.

Modified from Microsoft’s document on creating strong passwords.