Choosing Good Passwords

Passwords are everywhere nowadays and we have loads of them.  Some are important (bank access), some trivial (an online account for making greeting cards, say).  But how do you choose a good one?

"Password" is a bad name ... let's think of passphrases instead.  They are longer and imply something not found in a dictionary (a hacker usually carries out a dictionary attack first - there are many dictionaries on the web built for exactly this purpose!).

Passwords and passphrases are hard for people to remember ... very hard.  Take random characters and most people find it hard to remember more than 4 or 5 characters.  With numbers alone it gets better; perhaps you could remember 8 (after all, we are pretty good at phone numbers). But "could remember" just isn't good enough!  You don't want to wake up one morning only to discover you've forgotten an important passphrase!

The longer and the more complex the passphrase - I'll come to complexity in a moment - the safer you are. Words from the dictionary, as I mentioned earlier, are not a good idea. Dictionary attacks on passwords are common and can be run in a few hours to a few days (say 220,000 words, in every form of capitalization).  If you have something you want to keep safe, don't use "dictionary" words!

Let's look at complexity ... here are a few passphrases:

  • mypassword
  • MyPaSsWorD
  • M!Pa$$W0rD

Which is the most secure? Well, the first one is not very secure; the second is more secure because the hacker now has to test 52 possibilities for each letter in the passphrase (a set of 26 lowercase characters plus another 26 uppercase ones).  The third is brilliant because it adds digits and symbols to the mix, making it a really hard password for someone to get around.

I've seen systems capable of trying over 50 million passwords per second. A system like that will find most simple passwords that are no longer than 7 or 8 characters.  But even with this kind of monster system, it is impractical to use it to find long passphrases, or passphrases with a mixture of numbers, upper & lower case letters, and symbols!

Let's look at what makes a good passphrase ...

Good passphrases:

  • must be at least 7 or 8 characters long - longer is better
  • contain both uppercase and lowercase letters
  • also have digits and/or punctuation (this includes !@#$%^&*()_-+=[]{}:;'"\|<>,.?/, although your system may restrict some of these characters)
  • blank spaces and control characters may be allowed, but again check as they might cause problems
  • must not appear systematic (e.g. abc123)
  • are easy to remember, so they don't need to be written down
  • are only used on one system
  • are never shared with anyone
  • are changed frequently
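As an added example (not part of the original article), here is a small Python strength estimator that turns the reasoning above into numbers: for each of the three sample passphrases it works out the alphabet size an attacker must cover per position, the worst-case number of guesses, the time to exhaust them at the 50 million guesses per second quoted earlier, and which of the rules in the list a passphrase breaks. The word list is a constructed five-word stand-in for a real cracking dictionary; the 8-character minimum and the "half the adjacent pairs are repeats or +1 runs" test for systematic strings are my own assumptions.

```python
import string

GUESSES_PER_SECOND = 50_000_000  # rate quoted in the article
PUNCTUATION = "!@#$%^&*()_-+=[]{}:;'\"\\|<>,.?/"  # the 30 symbols the article lists

# Constructed stand-in for a cracking dictionary; a real one runs to ~220,000 words.
SMALL_DICTIONARY = {"password", "secret", "letmein", "welcome", "qwerty"}


def charset_size(pw: str) -> int:
    """Alphabet size an attacker must cover per position, judged by the
    character classes that actually appear in pw (all lowercase -> 26, etc.)."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in PUNCTUATION for c in pw):
        size += len(PUNCTUATION)
    if " " in pw:
        size += 1
    return size


def keyspace(pw: str) -> int:
    """Number of candidates a brute-force search must try in the worst case."""
    return charset_size(pw) ** len(pw)


def seconds_to_exhaust(pw: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to walk the whole keyspace at the given guess rate."""
    return keyspace(pw) / rate


def is_systematic(pw: str) -> bool:
    """Assumed rule: systematic when at least half of the adjacent character
    pairs are repeats or +1 runs (abc123, aaaa, 1234)."""
    if len(pw) < 2:
        return True
    pairs = list(zip(pw, pw[1:]))
    sequential = sum(1 for a, b in pairs if ord(b) - ord(a) in (0, 1))
    return sequential * 2 >= len(pairs)


def contains_dictionary_word(pw: str, words=SMALL_DICTIONARY) -> bool:
    """Plain case-insensitive substring match against the word list."""
    low = pw.lower()
    return any(w in low for w in words)


def problems(pw: str) -> list:
    """Which of the article's rules a passphrase breaks (empty list = passes)."""
    found = []
    if len(pw) < 8:
        found.append("shorter than 8 characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        found.append("needs both uppercase and lowercase letters")
    if not any(c.isdigit() or c in PUNCTUATION for c in pw):
        found.append("needs a digit or punctuation")
    if is_systematic(pw):
        found.append("looks systematic (e.g. abc123)")
    if contains_dictionary_word(pw):
        found.append("contains a dictionary word")
    return found


def human_time(seconds: float) -> str:
    """Round a duration in seconds to the largest convenient unit."""
    for unit, span in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= span:
            return f"{seconds / span:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    for pw in ("mypassword", "MyPaSsWorD", "M!Pa$$W0rD", "abc123"):
        print(f"{pw:12} charset={charset_size(pw):3} keyspace={keyspace(pw):.2e} "
              f"exhaust={human_time(seconds_to_exhaust(pw)):>16} "
              f"problems={problems(pw)}")
```

Running it shows the jump the article describes: "mypassword" (26 characters per position) is exhausted in about a month at 50 million guesses per second, "MyPaSsWorD" (52 per position) takes decades, and "M!Pa$$W0rD" (92 per position) takes tens of thousands of years. The dictionary check is deliberately a plain case-insensitive substring match; real cracking dictionaries also try every form of capitalization, as the article notes, so a passphrase built from a dictionary word should be treated as weak even when it passes the other checks.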

Another system you can use is "something you know and something you have" ... Pick a word, say "Tommy" - this is what you know.  For something you have, choose a book or something written down (the ISBN number of your favorite book) and put the two together.  A good system!

