Username and Password Guidelines (2024)

FAQs

What are the criteria for a username? ›

Usernames can contain letters (a-z), numbers (0-9), and periods (.). Usernames cannot contain an ampersand (&), equals sign (=), underscore (_), apostrophe ('), dash (-), plus sign (+), comma (,), brackets (<,>), or more than one period (.)

The NIST advises a password policy that requires all user-created passwords to have at least the length of eight, and all auto-generated passwords to be at least six characters in length.

Including both letters and numbers in a random pattern is safer than using personal identifiers or common phrases. A username that is easier for you to remember is usually easier for a hacker to guess. This is especially true when the username is based on a variation of your email address, name, or home address.

Your username can be your email address, name, or nickname. Usernames can incorporate spaces, numbers, and certain special characters such as periods (.), hyphens (-), apostrophes ('), underscores (_), and the @ sign.

A complex but short password does not provide adequate security. Passwords must be at least 12 characters long, according to security standards such as the OWASP ASVS. A combination of uppercase letters, lowercase letters, numbers, and symbols can be used to provide sufficient complexity.

Create strong passwords

At least 12 characters long but 14 or more is better. A combination of uppercase letters, lowercase letters, numbers, and symbols. Not a word that can be found in a dictionary or the name of a person, character, product, or organization.

Do not use your User ID as your password. Do not share [agency name] passwords with anyone, including administrative assistants or secretaries. All passwords are to be treated as sensitive, Confidential [agency name] information.

Don't give any clues.

For example, don't ask a question or open a joke in your username that you answer or deliver the punchline to in your password. (This one's more common than you might think.)

What should be User ID and password? ›

First off, avoid user IDs and passwords that are simple. Instead, establish a more complex user ID and password combination to safeguard your account and information. To create more complex user IDs and passwords, try using combinations of letters, numbers and characters.

Your password should be a combination of at least both upper and lowercase letters and a number (62 unique, reusable characters, with 8 characters in the password means 62 to the 8th power, or 2.1834011e+14 possible combinations…)

According to the NIST Special Publication 800-63B, password length has been found to be a primary factor in characterizing password strength. NIST password length requirements are that all user-created passwords be at least 8 characters in length and all machine-generated passwords are at least 6 characters in length.

Rotating passwords on a frequent schedule, e.g., every 30-90 days, helps limit this exposure. Best Practice: Password rotation is a universally accepted security best practice and an essential component of an overall security plan. Consistency and discipline in password changes are critical.

Keep it simple and easy to remember

It's hard enough to remember your password, so try to make your username as simple and straightforward as possible. You can still differentiate with your favorite number or an underscore, but avoid using any unnecessary symbols, letters, or numbers.

A username is a phrase, word, or combination of characters used to identify and gain access to a computer or computer network. User accounts, user names, user IDs, and login IDs are all examples of usernames. A computer system might have many accounts, each of which would have a different username.

Many people use their first and last name plus an initial. Because people's names are not unique (John, Mary, etc.), some people use combinations of their names and random numbers to create a username. Examples of usernames include johndoe, jdoe65, jdlovestofish, alwayssunnyinphilly.