Macintosh Reference Guide

Creating Good Passwords

Last updated Feb 25, 2005.

By default, the first account created on a Mac OS X system is an administrator, with permission to change many aspects of the computer's operation. Although it's possible to not assign a password to this (or any other) user account, doing so is extremely foolish. I strongly recommend that you assign a secure password to every administrator and normal user account.

To assign or change passwords necessary for logging in users or altering system settings, begin by choosing Apple > System Preferences > Accounts (see the following figure).

Make sure all users have secure passwords assigned in Accounts preferences.

Any standard user can change his own password, but must first enter the current password to authenticate himself. Administrators can change the passwords for other standard accounts without entering the existing password. However, in either case, it might be necessary to first click the lock icon in the lower left and authenticate as an administrator before making any changes in Accounts preferences.

Select an account from the list at left, then click Change Password. In the configuration sheet that appears, you can manually enter and verify a new password, as well as an optional password hint (not a good idea if security is your paramount concern).

Apple doesn't impose any requirements on your password, unlike many Web sites that insist that your password be at least eight characters long, include at least one non-alphanumeric character, or the like. Such practices are good ideas, but it's infuriating when they're mandatory because they make it harder to create conforming, yet easily memorable, passwords.

Whenever specifying a password—whether for login, your email client, or a Web site—you shouldn't use any of the following:

  • Your account name or any variation of it.

  • Personal information such as your name, mother's maiden name, a pet's name, or your hometown.

  • Any word that can be found in a dictionary (English or foreign language) or in a popular book, mythology, or movie. (Hackers employ automated cracking tools that generate millions of such combinations.)

  • Obvious patterns such as sequential numbers, alphabet runs, or adjacent characters on the keyboard.

  • Any of the above with numbers appended.

It's further recommended that your passwords follow these rules:

  • Include symbols, punctuation, and/or numbers. But don't rely on simple substitutions such as zero for the letter O or the dollar sign for the letter S.

  • Be at least six characters long. The longer the password, the harder it is to crack, but it's also harder to remember and enter correctly, so there's an obvious trade-off between security and convenience.

  • Include a mixture of upper- and lowercase letters. Passwords are case sensitive, meaning that aBcD is not the same as abcd.

Try to choose a password that's easy for you to remember but difficult for others to guess. Ideally, your password should appear to be a random combination of alphanumeric characters and punctuation, but have some secret meaning known only to you. One way to choose such a password is to use a mnemonic crutch. For example, the memorable opening of the Gettysburg Address, "Four score and seven years ago," could become "4s+7YA" as your password; it uses numbers, punctuation, and a mixture of upper- and lowercase letters.
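The checklist above is easy to apply by hand to one password and tedious for a whole set of accounts, so here is the same set of rules as a small script. This is an added example, not code from the article or from Apple: the word list, the substitution table, the keyboard rows and the sample passwords are constructed here so it runs offline, and a real deployment would load a proper dictionary. It undoes the "simple substitutions" (zero for O, dollar sign for S) and strips appended digits before the dictionary lookup, because the text says neither trick counts as protection.

```python
"""Checker that applies the password rules listed above to a candidate.

Added example, not code from the original article. The word list, keyboard
rows, substitution table and sample inputs are constructed here so the script
runs offline; a real deployment would load a large dictionary.
"""
import re
import string

# Constructed stand-in for a dictionary / popular-culture word list.
WORDLIST = {"password", "secret", "dragon", "welcome", "gandalf", "lincoln"}

# "Simple substitutions" the text warns against; they are undone before the
# dictionary lookup so that S3cret is still recognised as "secret".
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                               "5": "s", "7": "t", "$": "s", "@": "a", "!": "i"})

# Sequences whose 4-character runs (forwards or backwards) count as obvious
# patterns: alphabet runs, sequential numbers, and US keyboard rows.
SEQUENCES = [string.ascii_lowercase, string.digits,
             "qwertyuiop", "asdfghjkl", "zxcvbnm"]
RUN = 4


def _has_run(password: str) -> bool:
    """True if the password contains a 4-character slice of any sequence."""
    p = password.lower()
    for seq in SEQUENCES:
        for s in (seq, seq[::-1]):
            if any(s[i:i + RUN] in p for i in range(len(s) - RUN + 1)):
                return True
    return False


def _core(password: str) -> str:
    """Lowercase, strip appended digits, then undo substitutions, so the
    lookup sees the word the password was built from ("Password1" -> "password")."""
    stripped = re.sub(r"\d+$", "", password.lower())
    return stripped.translate(SUBSTITUTIONS)


def check_password(password: str, account_name: str = "",
                   personal_info: tuple = ()) -> list:
    """Return the rules the password breaks; an empty list means it passes."""
    problems = []
    lowered = password.lower()
    core = _core(password)
    acct = account_name.lower()

    if acct and (acct in lowered or acct[::-1] in lowered or core == acct):
        problems.append("contains the account name or a variation of it")
    for item in personal_info:
        if item and item.lower() in lowered:
            problems.append(f"contains personal information ({item})")
    if core in WORDLIST:
        problems.append("is a dictionary word, possibly with substitutions or appended digits")
    if _has_run(password):
        problems.append("contains a sequence or keyboard pattern")
    if len(password) < 6:
        problems.append("is shorter than six characters")
    if not any(c.isdigit() or c in string.punctuation for c in password):
        problems.append("has no numbers, symbols or punctuation")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("does not mix upper- and lowercase letters")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: the article's mnemonic, then common mistakes.
    for pw, acct, info in [("4s+7YA", "jsmith", ("Fluffy",)),
                           ("Password1", "jsmith", ()),
                           ("S3cret", "jsmith", ()),
                           ("jsmith2005", "jsmith", ()),
                           ("qwerty", "jsmith", ())]:
        verdict = check_password(pw, acct, info) or ["passes all rules"]
        print(f"{pw:12} -> {'; '.join(verdict)}")
```

Run as-is it reports that the Gettysburg mnemonic "4s+7YA" passes every rule, while "Password1" and "S3cret" are both flagged as dictionary words despite the appended digit and the substituted 3. The account-name check also matches the name reversed, since that is one of the "variations" the list refers to.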

All these requirements and recommendations for creating secure passwords can be confusing and overwhelming, so Mac OS X 10.4 features a useful tool called the Password Assistant that determines the quality ("strength") of specific passwords and suggests good passwords. To access Password Assistant, click the small icon of a key (see the following figure) that appears in Accounts preferences, Security preferences, Keychain Access, and various other Mac OS X 10.4 utilities.

The small icon of a key indicates that Password Assistant is just a click away.

Just for fun (or a wake-up call), begin by choosing Manual from the Type pop-up menu and entering your current password in the Suggestion text field. Notice that as you begin to type, the Quality indicator grows from left to right and changes colors (red is weak, yellow means medium strength, and green represents a strong, secure password) because long passwords are necessarily stronger than short ones. If you are dismayed at the weakness of your current password, try implementing some of the tips for improving the strength of your password displayed in the window at the bottom of Password Assistant (see the following figure).

Password Assistant indicates the quality of passwords and recommends methods for improving your passwords.

To have Password Assistant create a password for you, choose Memorable from the Type pop-up menu, and it will generate a password composed of upper- and lowercase letters, punctuation, and numbers. "Memorable" passwords are designed to be easy to remember yet invulnerable to brute-force automated dictionary attacks, in which an intruder tries to authenticate using common words that can be found in a dictionary.

To increase the strength of a password, increase its length. Password Assistant creates passwords from 8 to 31 characters long, but remembering and entering very long passwords is impractical. Any password that results in a solid green Quality rating is sufficient for most uses.

While most users will be best able to recall "memorable" passwords, there are a total of six choices in the Type pop-up menu:

  • Manual (entered by user)

  • Memorable (words, punctuation, and numbers)

  • Letters & Numbers (randomly selected without punctuation)

  • Numbers Only

  • Random (letters, numbers, and punctuation)

  • FIPS-181 compliant (meets the U.S. Department of Commerce standard)
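To show what the Type choices and the Quality indicator amount to in code, here is an added example generator with a length-based strength estimate. It is not Apple's Password Assistant code: the word list, the layout used for "Memorable" passwords, and the 40/64-bit cut-offs for red, yellow and green are assumptions made here, and FIPS-181 pronounceable generation is not implemented. The one non-negotiable design point it demonstrates is drawing every character from the operating system's CSPRNG through the `secrets` module rather than from a seeded `random` generator.

```python
"""Generator modelled on the Password Assistant Type choices, plus a
length-based quality estimate.

Added example, not Apple's Password Assistant code. The word list, the
"Memorable" layout and the red/yellow/green cut-offs are assumptions made
here; FIPS-181 pronounceable generation is not implemented.
"""
import math
import secrets
import string

# Constructed word list standing in for a real one.
WORDS = ["amber", "basket", "cobalt", "dune", "ember", "falcon", "granite",
         "harbor", "island", "juniper", "kettle", "lantern", "meadow", "nickel"]

ALPHABETS = {
    "Letters & Numbers": string.ascii_letters + string.digits,
    "Numbers Only": string.digits,
    "Random": string.ascii_letters + string.digits + string.punctuation,
}
MIN_LEN, MAX_LEN = 8, 31  # the length range the text gives for Password Assistant


def generate(kind: str, length: int = 12) -> str:
    """Return a password of the given Type, drawn from the OS CSPRNG via
    `secrets` (never the predictable `random` module)."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be between {MIN_LEN} and {MAX_LEN}")
    if kind == "Memorable":
        # Assumed layout: Word<punctuation><number>word, then digits appended
        # until the requested length is reached (so the result may be longer).
        pw = (secrets.choice(WORDS).capitalize()
              + secrets.choice(string.punctuation)
              + str(secrets.randbelow(100))
              + secrets.choice(WORDS))
        while len(pw) < length:
            pw += secrets.choice(string.digits)
        return pw
    if kind not in ALPHABETS:
        raise ValueError(f"unsupported Type: {kind!r}")
    return "".join(secrets.choice(ALPHABETS[kind]) for _ in range(length))


def entropy_bits(password: str) -> float:
    """Rough strength estimate: length x log2(size of the character classes
    used). Because it grows linearly with length, it captures why the Quality
    bar lengthens as you type. It over-rates word-based ("Memorable")
    passwords, whose real entropy is bounded by the word list, not by the
    character count."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return len(password) * math.log2(size) if size else 0.0


def quality(password: str) -> str:
    """Map the estimate onto the three colours. The cut-offs (40 and 64 bits)
    are this example's assumption, not Apple's."""
    bits = entropy_bits(password)
    if bits < 40:
        return "red"
    if bits < 64:
        return "yellow"
    return "green"


if __name__ == "__main__":
    for kind in ("Memorable", "Letters & Numbers", "Numbers Only", "Random"):
        pw = generate(kind, 12)
        print(f"{kind:18} {pw:20} {entropy_bits(pw):5.1f} bits  {quality(pw)}")
```

Running it shows the trade-off the text describes: twelve digits from "Numbers Only" score under 40 bits and stay red, while twelve characters from "Random" score close to 79 bits, and adding length raises any type's score at a fixed rate per character. The `entropy_bits` estimate is deliberately crude; it is the character-class calculation a strength meter uses, not a measure of how guessable a word-based password really is.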

Specifying a secure password for each user account is just the first step to keeping your Mac safe. Many other resources need to be protected by strong passwords. For example, your email program may require a password before it lets you access new messages on the server, and iChat needs the password for your AIM screen name. Although it's tempting to use one password for everything, it's a very bad idea; anyone who cracked the code for one resource would have access to everything. Therefore, you should use a unique password for each resource, and all of your passwords should be changed as often as is practical.

Finally—though it should go without saying—don't reveal your password to anyone you don't trust 100%. The most common method hackers use to obtain passwords is social engineering, a bit of acting in which they pretend to be someone with a legitimate need for your password, such as a system administrator trying to back up your computer. If you believe that your password has been compromised, change it immediately!