Skip to site navigation

How can I pick an acceptable password?

There are lots of ways of producing good passwords, bearing in mind the twin goals of memorability (for you) and difficulty of guessing (for others). Randomly generated passwords like X2pI4*) are certainly difficult to guess, but are typically hard to remember. We aim to generate random-looking passwords that are, in fact, based on something that's easy to remember. A simple but effective approach is to use a mnemonic phrase. Think of a memorable sentence, of eight words, then form a password by taking one or more characters from each word, including a mixture of capitals and punctuation.


Phrase: Chickens carried him off, kicking and screaming!
Password: CcHo,k&s

A password like this is proof against most of the attacks described above, and yet should be easy for you to recall without writing it down. Phrases that can be visualised - however silly they might be - are often easiest to remember. Words of a song or a poem are possible sources of inspiration, but don't be too obvious. Use your imagination, but not our examples!

DO choose a password that is at least 8 characters long (You may be able to type a password that is longer than 8 characters but anything after the 8th character will be lost and in fact not used)

DO use at least three of the following different types of characters:

  • lowercase characters
  • uppercase characters
  • numbers
  • symbols i.e. ! % ^ * ( ) _ + - = " ` ; < > , ? / @ $ & [ ] { } BUT NOT £ : | \ ~ It may be possible to only use two of these character types if the variation is great enough, but if a pattern is found it will require more.
NOTE: If you are using UCL Administrative Systems, your password should additionally NOT contain: the @ (at) symbol or start with either a space or " (double quote).
DON'T base your password on a dictionary word, proper name, personal details such as address, post code, phone number or department name
DON'T include any spaces
DON'T use foreign language words - the cracker program uses dictionaries containing words from a large number of languages including Yiddish, Finnish, German, and Danish
DON'T use names of bands, asteroids, cartoons, movies, TV programs, swear words, Shakespearean or Monty Python characters, or science fiction jargon - the dictionaries include these too
DON'T use any of the above with I's, L's and O's transposed with ones and zeros - these are matched
DON'T merely disguise a word by using repetition or reversal or by adding a number to the beginning or end of it
DON'T use anybody else's user name or userid as a password this information is included in the dictionary set
  Car0l1ne LizLiz fawlty1 freddy16
The following passwords are all easily cracked:        
  startrek pr1nce goldfinch yelsiap


  • DON'T keep a record of your userid and password together;
  • NEVER give your password out to anyone else;
  • if you have reason to believe that your account has been tampered with at any time, change your password immediately and let the ISD Service Desk know as soon as possible;
  • if your password has been cracked and your account suspended, please don't vent your frustration on ISD staff - we didn't write the cracker program.

When you set a password on ISD systems, some checks are made to weed out the most obvious passwords. If your choice of password is rejected, you will be invited to select an alternative. However, it is not possible to make these checks as comprehensive as those made by the cracker program, and thus the system will still allow you to set a password that can be cracked.