GVEA's Password Policies and Recommendations

GVEA's Password Policy

  • Passwords must be at least 12 characters in length.
  • Passwords can contain any characters (including spaces, punctuation, and Unicode) and are case-sensitive.
  • Known passwords from data breaches may not be used.

We strongly encourage the use of a password manager to generate and store your passwords. Alternatively, use "diceware"-generated 6-word passphrases instead of passwords.

Choosing a good password

Choosing a good password is difficult because hackers have become better at guessing the patterns people use for passwords. Any recommendation given for choosing a good password will also be used by others to guess your password. Your best password will be a longer random string of characters without any pattern, which is not reused across web sites. Password managers allow you to easily generate, store, and use such passwords without having to remember them.

Using Passphrases

A passphrase is a longer, multi-word password that can include spaces.

Password crackers now use online texts (every book, article, dictionary, blog, Facebook or Twitter post, etc.) to generate phrase lists, including misspellings or slang. Thus it is difficult to pick a good passphrase or passphrase permutation that has not already been considered. The only known safe approach to picking a passphrase is random generation.

The "Diceware" approach is to take a list of 7776 words and roll 5 dice to determine which word to pick from the list. Choosing 6 words results in a passphrase which is 1 out of 221 sextillion possibilities. Knowing the word list you used and the number of words chosen will not make guessing your password any faster. At 1 billion guesses per second, it will take 4 centuries to guess this passphrase. This is equivalent to a 12-character random password, but is easier to memorize.

The EFF long wordlist is found at the eff.org web site. One online tool that can generate such a passphrase from the EFF long wordlist is at the rempe.us web site. Note that these 3rd-party web sites are not maintained or operated by GVEA.
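The Diceware procedure described above, as an added example that is not GVEA's or EFF's code: it validates a word list, maps each five-dice roll to a word, and computes the size of the search space. The function names are hypothetical, the list is assumed to use one `ddddd<TAB>word` entry per line, and `SAMPLE_LIST` is a constructed stand-in with placeholder words.

```python
import itertools
import math
import secrets

DICE_PER_WORD = 5                 # five six-sided dice select one word
LIST_SIZE = 6 ** DICE_PER_WORD    # 7776 entries

def parse_wordlist(text):
    """Parse 'ddddd<TAB>word' lines into {dice_key: word}, rejecting bad lists."""
    words = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, word = line.split(None, 1)
        if len(key) != DICE_PER_WORD or set(key) - set("123456"):
            raise ValueError(f"bad dice key: {key!r}")
        words[key] = word.strip()
    # A truncated or duplicated list silently shrinks the search space.
    if len(words) != LIST_SIZE or len(set(words.values())) != LIST_SIZE:
        raise ValueError("wordlist must hold 7776 unique keys and words")
    return words

def roll():
    """Simulate five dice with the OS CSPRNG (not the predictable `random`)."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(DICE_PER_WORD))

def passphrase(words, count=6, rolls=None):
    """Join `count` words; pass `rolls` to use results from physical dice."""
    rolls = [roll() for _ in range(count)] if rolls is None else list(rolls)
    if len(rolls) != count:
        raise ValueError("need one five-dice roll per word")
    return " ".join(words[r] for r in rolls)

def keyspace(count=6):
    return LIST_SIZE ** count     # number of equally likely passphrases

def entropy_bits(count=6):
    return math.log2(keyspace(count))

# Constructed stand-in list (placeholder words "w11111".."w66666") so the
# example runs offline; replace it with the text of a real 7776-word list.
SAMPLE_LIST = "\n".join(
    f"{''.join(k)}\tw{''.join(k)}"
    for k in itertools.product("123456", repeat=DICE_PER_WORD)
)

if __name__ == "__main__":
    print(passphrase(parse_wordlist(SAMPLE_LIST)))
    print(f"{keyspace():,} possibilities, about {entropy_bits():.1f} bits")
```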

Passwords From Data Breaches

551 million well-known previously-used passwords have been documented as of January 2019. These are the easiest passwords to guess as anyone can gain access to these password lists. Many of these passwords are known to be used in conjunction with specific email addresses. These will be the first passwords tried by a password guesser.

You can check if your specific email or password has been revealed in a documented data breach at the haveibeenpwned.com web site. Note that this 3rd-party web site is not maintained or operated by GVEA.

Password Managers

Password reuse and simple, easy-to-guess passwords are the biggest problems when using online services. If one service gets compromised (either by guessing your password or by exploiting a security vulnerability in the service's infrastructure), an attacker may gain access to all of your other accounts. But using different passwords for all websites is difficult without a way of storing them somewhere safe. Especially with arbitrary password rules for various services, it becomes increasingly hard to use both strong and diverse passwords.

Password managers allow you to generate, store, and use different randomly-generated passwords for each web site without having to remember the passwords. The passphrase giving access to your password manager should never be used for any other purpose.

There are many password managers available. Here are two free solutions:

Note that these 3rd-party web sites are not maintained or operated by GVEA.