Your browser does not allow storing cookies. We recommend enabling them.

Password Strength

Good passwords should use a minimum of 12 to 14 characters if permitted. For security-critical systems, we recommend using 16-character randomly generated passwords.

Passwords should include lowercase and uppercase characters, numbers, and special characters with equal probability. This does not mean that every password should contain all of them. Instead, the equal probability of having them is what matters. However, many applications require having at least one character from each category.

Passwords should ideally be generated at random when possible. We recommend our browser-based, fully auditable online password generator. It never sends the password over the network.

Using the same password on multiple systems should be avoided. In particular, important systems should each have their own password.

Passwords should ideally not contain any elements associated with the user. No relatives' names, no pet names, no birth dates, no social security numbers, no part of the user's address, no part of the user name, nothing that can be associated with anything the user knows.

Passwords also should not be simple combinations of words, unless the words are randomly selected.

While some sources recommend not writing passwords down, in practice it is impossible to remember many random passwords. Writing them down may be a good practice, as long as the list is kept protected (e.g., in a safe). Using password manager software may also make sense. However, use of cloud-based password managers should be avoided and can be risky, especially for security-critical uses.


Highlights from the SSH.COM blog:

  • Cryptomining with the SSH protocol: what big enterprises need to know about it

    Cryptomining malware is primarily thought of as targeting desktops and laptops and is used to hijack system resources to mine cryptocurrency.
    Read more
  • SLAM the door shut on traditional privileged access management

    Did you know that something as trivial-sounding as granting access for your developers or third parties to a product development environment can throw a gorilla-sized monkey wrench into your operations and productivity?
    Read more
  • We broke the IT security perimeter

    Everyone understands the concept of a security perimeter. You only gain access if you are identified and authorized to do so.
    Read more