The Basics

Picking a strong password is a constant arms race. For security reasons, LunpaCMS enforces a minimum password strength of at least 12 characters, including at least one upper case letter, one lower case letter, and one special character (such as !%#* or space). Additionally, LunpaCMS does not allow a password to contain the username it is assigned to.

However, password strength is a complicated thing to measure, and following the minimum requirements is not enough. These additional guidelines will help you maintain better password security.

Use Passphrases, not Passwords: Passphrases can be stronger than typical passwords but much easier to remember. Not having to write down a password can make it inherently more secure. When creating a passphrase, it is recommended to use a memorable phrase of at least 4 words, mixing upper case and lower case, special characters, and non-dictionary words. A passphrase such "ask NOT 4 whom the bell tolls" is much stronger. Bonus points for mixing languages, using poor grammar, purposefully misspelling words, adding in numbers, etc. "My Wedding Anniversary is Abril 23rd" is a great password and a handy way of remembering an important date!

• Never reuse passwords for different accounts. If any account is compromised, attackers can and will use this information to compromise your other accounts.
• If you have to write down your passwords, don't save your password on your hard drive. If your computer is compromised, those password lists can be compromised as well.
• If you really have to write down your passwords, develop your own system for writing them down. Even as simple as writing them backwards or a hint for the passphrase.
• Never tell anyone your password.
• Many techniques to strengthen passwords are less effective than most people realize. Simply using dictionary words with leading caps, ending symbols, single letter replacement are only marginally better than using a word from the dictionary.
• Avoid short passwords. The shorter the password, the less time a computer needs to brute force the password. We recommend passphrases of at least 4 words because using 3 dictionary words is computationally similar in strength to a password of 8 random letters and symbols. It's strong but getting weaker every day.

Further Reading

• http://arstechnica.com/security/2012/08/passwords-under-assault/
• http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/
• http://arstechnica.com/information-technology/2012/11/born-to-be-breached-the-worst-passwords-are-still-the-most-common/
• http://arstechnica.com/security/2013/01/grammar-badness-makes-cracking-harder-the-long-password/