From the October, 1998 PC ALAMODE Magazine:
Passwords and UserIDs
 
by Susan Ives

What's wrong with this scenario? 
You: "Hi! I'd like to set up an Internet account"
ISP: "Great! First you need to select a userID"
You: "Err...duh...How about d^;jw4n_Xy!Z?"
ISP: "Fine. We also need a password."
You: "Duh...err...How about susan?"
ISP: "Thanks. You'll be set up in about an hour."
When you set up an Internet account, the first thing your Internet Service Provider (ISP) will ask is that you select a userID and a password. Most people are caught short. As new Internet users, they don't know what either of these things is and, being put on the spot, don't have time to think it through. Bad choices - like those made above - can cause heartburn for years to come.

Your userID is your "handle" on the Internet. It will be the first half of your e-mail address. You want your userID to be friendly and uncomplicated. A good way to test a proposed userID is to say it out loud, as if you were reciting it to someone over the phone. Also try writing it down: out of context, it is easy to confuse a 1 and an l or an o and a 0. The best userID is one that is so simple that friends can remember it without having to write it down.

Each ISP can only have one person with a particular user name, so if your first choice is fairly common, you might have a backup in case your first choice is taken.

 At a conference I attended last year, a city councilman from Philadelphia related how he was invited to a telecommunications meeting at the White House. His city hadn't given the council e-mail addresses yet, and he wanted to be prepared in case he was asked for one. He knew his young daughters - all Irish dancers - had an AOL account, so he figured he could just use their address if Al Gore wanted to send him e-mail. He asked them what it was. "dancinggirls@aol.com," his daughters replied. Oops! Not a good idea. College students have been caught short by selecting a userID such as "studmuffin" or "doommaster" and then being embarrassed when they tried to e-mail a resume to a conservative corporation. Think about how you will be using your e-mail address and pick a userID that will retain its luster.

 UserIDs are not easy to change. When an ISP activates your Internet account, all of your files and directories are set up under your userID. If you want to change it, they have to cancel your old account and set up a new one. Most will charge a substantial fee to do this. So pick a good one from the start!

Passwords are exactly the opposite. You want your password to be complicated and you want to change it frequently. Most security experts recommend that your password should:

  • Be at least seven characters long
  • Contain a combination of letters, numbers and characters such as _^!
  • Not be a word in any language or an alpha-numeric combination that can easily be deduced (such as your street address or wedding anniversary)
  • Be changed at least every three months
  • Never be given to anyone, including your ISP
  • Not be written down anywhere
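
An added example (not from the original article): a small Python check of a candidate password against the first three rules above, the ones that can be tested from the password itself. The word list, the sample personal details and the reading of the second rule as requiring all three kinds of character are assumptions made for illustration.

```python
import re

# Constructed sample data; a real check would load a large multilingual word list.
SAMPLE_WORDS = {"susan", "password", "dancer", "bonjour", "letmein"}
MIN_LENGTH = 7  # "at least seven characters long"


def _squash(text, keep):
    """Lower-case the text and drop every character not matched by `keep`."""
    return re.sub(f"[^{keep}]", "", text.lower())


def check_password(password, words=SAMPLE_WORDS, personal_facts=()):
    """Return the list of the article's rules that the password breaks."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than seven characters")

    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(not c.isalnum() and not c.isspace() for c in password)
    if not (has_letter and has_digit and has_symbol):
        problems.append("lacks a mix of letters, numbers and symbols")

    # A word with digits or symbols tacked on ("susan1!") is still a word.
    if _squash(password, "a-z") in words:
        problems.append("is a dictionary word")

    # Facts an acquaintance could deduce, compared without case or punctuation.
    squashed = _squash(password, "a-z0-9")
    for fact in personal_facts:
        fact_squashed = _squash(fact, "a-z0-9")
        if fact_squashed and fact_squashed in squashed:
            problems.append("contains a deducible personal detail")
            break
    return problems


if __name__ == "__main__":
    # The two choices from the opening scenario, plus a constructed street address.
    for candidate in ("susan", "d^;jw4n_Xy!Z", "123MainSt!"):
        print(candidate, check_password(candidate, personal_facts=["123 Main St"]))
```
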
Corporate security experts tell me that the most frequent security violation is employees writing their passwords on sticky notes and affixing them to monitors. If you are using your Internet account for a business, if your computer is in an accessible place or if you use the Internet on a laptop, you should follow these rules rigorously. If someone steals your password, they can steal your identity. One horror story told to me was of a local businessman who had a disgruntled former employee steal his password. The former employee used it to log onto the Internet and post messages to risque newsgroups. The boss was harassed with obscene phone calls for weeks.

ISPs have varying procedures for changing a password, so make sure you ask yours how to do it.

 If you are retired and keep your computer in the spare bedroom, you are probably safe writing your password down in a safe place (not on the monitor, though!) and changing it less frequently than recommended. Assess your own risk, and act accordingly!

 Susan Ives' userID is suives. If she told you her password she would have to kill you.