October 1, 2006 3:24 PM
One trick I learned from a website is to use the abbreviation for a sentence you can remember. For example: three blind mice, see how they run.
Password: tbmshtr
That's not a bad password, but now we can change "Three" to 3 and add punctuation: 3 Blind Mice (see how they run)
Password: 3BM(shtr)
And that is a pretty secure password. It's easy for you to remember and it's not based on an English word. Moreover, it has the added benefit that if someone happened to see it written out, they're less likely to remember it because it's gibberish. HaX0r 3ng1i$h w0rd$ don't have that benefit.
Also, if I'm about to choose the password for something I care about, I run it through a password strength checker. The best one I've found is at this site: http://www.certainkey.com/demos/password/ (if that gets nixed by the spam filter, google "Certainkey password checker" and it's the first result). Not only is it the strictest checker I've found (no English words allowed), but it gives an estimate of how long a determined hacker would need to crack it. The password above would take approx. 67,000 days to crack.
October 2, 2006 3:11 PM
If you want to read more about passwords, here's a blog that leads to some great articles about passwords and password myths:
http://www.techknowbizzle.com/2006/09/password-myths.html
But back to the discussion: so, what methods can be used instead of passwords? In Korea they're starting to use fingerprints as a form of identification. So instead of using a password to log in or unlock your computer, you have a built-in "digital inkpad" that you press your finger against to gain access to your comp. I don't know how realistic or how soon such a form of security will be implemented in America, but it seems like right now the best idea for protection is to use a form of encryption in addition to your password, such as protecting your database of passwords, using applications like Roboform, or accessing secure sites that use encryption for protection. You should also look into encrypting anything else that you might not want others to gain access to, beyond just your database full of passwords, such as any scans, bank statements, health information, or email that should be protected.
http://seattletimes.nwsource.com/html/personaltechnology/2003209737_ptinbo19.html
Simon
October 7, 2006 10:32 AM
If you want to be *really* secure (if you're storing bank access passwords or something), don't just use TrueCrypt on your normal Windows computer (and certainly not on a public computer). Put the Linux version of it on a CD or floppy, get hold of a LiveCD Linux distro (such as Ubuntu), and run TrueCrypt from there. The purpose of this is to defeat software keyloggers, spyware, invisible PC-Anywhere-type software, etc. that someone may have installed.
Also, if you suspect someone could have installed a hardware keylogger on your computer (either by replacing your keyboard with an identical one with a keylogger built in, or by putting a small dongle on the end of your keyboard cable -- yes, it does happen), enter your password with the virtual "on-screen" keyboard using the mouse (most OSes have these to help people who have trouble using a normal keyboard).
And of course, if you're doing this at work rather than at home, be aware of the positions of any security cameras or people wandering too close behind. Ideally, only do this in a room only you have access to.
Remember, you can never be too secure. You can, however, be too paranoid, for which I recommend a reputable therapist. Hint: any therapist who asks you to disclose your passwords as part of the healing process is automatically not reputable.
Martin Vanderkaa
October 10, 2006 4:27 PM
Hello Leo:
First of all Leo, I would like you to know how very much I do appreciate your website. Great and most valuable work, my good man!
I would like to tell you what I have done regarding secure passwords. Often when you buy a program on CD, there is a CD-key (product key) which you must type in before the program will install itself. Usually these keys are HUGE! For example, a Windows XP product key has no less than 28 characters (dashes included)! I use a CD-key from one of my old programs as a password. I made a macro (encrypted) of that key, and it resides patiently in my computer, and I can call it up whenever and wherever I need it. Just a click and there it is! Hence my passwords are all the same.
And if something really bad happens to my beloved puter? There's always that CD in my box of goodies with my "password". No need to remember a single thing.
In closing, a tiny question: if a company, for example, sells 5 million copies of a certain program, are all product keys the same or different? Just to be on the safe side, I chose my password from a very, very old program nobody uses anymore, hence that ancient CD has become my "password CD"!
If you wish, please feel free to use this info on your website.
Martin Vanderkaa
Leo Notenboom
October 10, 2006 4:36 PM
Yes, each product key is unique, though the same key may be used in a site license purchase (and, of course, in pirated copies). But normal run-of-the-mill purchases should each have a unique key.
FWIW, if my math is right, I believe a 25 character product key with letters and digits has 25^36 possible combinations (approx. 2 followed by 50 zeros). While I'm sure not all combinations are used, that's more than enough to cover a measly 5,000,000 :-).
Richard
June 4, 2007 4:41 PM
The best method I know of to create a password is at http://www.diceware.com
If one is so inclined, it goes over the full mathematics of why it is a secure method of picking a passPHRASE. Just roll some dice, look up the words corresponding to the dice, and there's your password. You end up with a long password that is truly random but, unlike any other method recommended for passwords, is easier to remember. Combine this with a password keeper like KeePass and you can have all the secure passwords you want.
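The Diceware procedure Richard describes, as an added Python example (this is not code from the page or from diceware.com): five rolls of a six-sided die form a 5-digit key into a 7776-word list, each word contributes log2(7776) bits, and a time-to-exhaust figure of the kind the strength checker mentioned earlier reports is derived from that entropy and an assumed offline guessing rate. The six-entry word list below is a constructed stand-in with made-up words; the real list has to be downloaded from diceware.com.

```python
import math
import secrets

# Diceware parameters: five rolls of a d6 select one word from 6**5 = 7776
# entries, so a uniformly chosen word is worth log2(7776) bits of entropy.
DIE_SIDES = 6
ROLLS_PER_WORD = 5
LIST_SIZE = DIE_SIDES ** ROLLS_PER_WORD
BITS_PER_WORD = math.log2(LIST_SIZE)          # about 12.92 bits

# Constructed stand-in for the real Diceware list, which maps every key from
# "11111" to "66666" to a word. Only a few keys are filled in, with made-up
# words, so looking up any other key raises KeyError.
SAMPLE_WORDLIST = {
    "11111": "apple",
    "11112": "abbey",
    "23456": "cloud",
    "34512": "fence",
    "55555": "river",
    "66666": "zebra",
}


def rolls_to_key(rolls):
    """Turn five die results (each 1..6) into the 5-digit lookup key."""
    if len(rolls) != ROLLS_PER_WORD:
        raise ValueError(f"need exactly {ROLLS_PER_WORD} rolls per word")
    if any(not 1 <= r <= DIE_SIDES for r in rolls):
        raise ValueError("each roll must be between 1 and 6")
    return "".join(str(r) for r in rolls)


def passphrase_from_rolls(rolls, wordlist=SAMPLE_WORDLIST, sep=" "):
    """Map a flat list of physical die rolls (a multiple of five) to words."""
    if len(rolls) % ROLLS_PER_WORD != 0:
        raise ValueError("number of rolls must be a multiple of five")
    words = []
    for i in range(0, len(rolls), ROLLS_PER_WORD):
        key = rolls_to_key(rolls[i:i + ROLLS_PER_WORD])
        words.append(wordlist[key])   # KeyError if the toy list lacks the key
    return sep.join(words)


def roll_key(rng=secrets):
    """Software equivalent of throwing five dice, using a CSPRNG.
    Diceware itself recommends physical dice; this only stands in for them."""
    rolls = [rng.randbelow(DIE_SIDES) + 1 for _ in range(ROLLS_PER_WORD)]
    return rolls_to_key(rolls)


def passphrase_entropy_bits(n_words):
    """Entropy of an n-word passphrase, assuming each word is chosen uniformly."""
    return n_words * BITS_PER_WORD


def days_to_exhaust(bits, guesses_per_second):
    """Days needed to try every passphrase of the given entropy at the given
    offline guessing rate; on average success comes after half of this."""
    return (2 ** bits) / guesses_per_second / 86400


if __name__ == "__main__":
    phrase = passphrase_from_rolls([1, 1, 1, 1, 1, 6, 6, 6, 6, 6])
    print("two-word phrase from fixed rolls:", phrase)
    bits = passphrase_entropy_bits(5)
    print(f"5 words = {bits:.1f} bits; "
          f"{days_to_exhaust(bits, 1e9):,.0f} days at 1e9 guesses/s")
```

The guessing rate of 10^9 per second is an assumed figure for an offline attack on a fast hash, not something the page states; plugging in a slower or faster rate is the only change needed. The entropy figure holds only while the words really come from dice (or a CSPRNG): picking "random-looking" words by hand is not uniform and the arithmetic no longer applies.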
peter
June 22, 2008 8:48 PM
But to be honest, Leo, for developers and programmers especially it's too hard to remember a hard-to-guess password every time you register an account on an important site or make an account on a script installed on your server, etc., so my advice is to write your passwords on a paper away from the computer and keep this paper safe. This is the only solution I see as very safe, "because systems and technologies could be hacked or stolen, but surely our memories and our mind can't."
Thank you, Leo.
http://www.fosdir.com
June 24, 2008 10:15 AM
While "georgeinparis" might be a "bad" password, how long do you think it would take ANYONE to guess a password such as "george423crackers"? A long time, I hope, because I use such passwords.
JACK
June 26, 2008 8:49 PM
I take my password (say "buddy"), then encrypt it with a simple cipher. Use the alphabet: go to the first letter, "b", then add, say, 3 letters and use that letter in the password, which would be the letter "e", and so on. Be creative. Read Dale Brown, "Digital Fortress".
Will Bontrager
March 28, 2009 9:41 AM
Great post.
One more viable method of remembering a not-easily guessed password: Use the first or second or last letter of each word in an easily remembered sentence.
Example: "My dog (Spot) is 3 years old!" can be remembered and yields "Md(i3yo" or "yoSs3el" or "yg)s3s!".
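The sentence-abbreviation method (the first comment's "tbmshtr" and Will's first/second/last-letter variants) and JACK's letter-shift, as one added Python example that is not code from the page or from any of its commenters. It implements each transform, reproduces the sample strings from the comments, and attaches the naive character-class entropy estimate that strength checkers of the kind mentioned in the first comment report; the pool sizes (26 lower, 26 upper, 10 digits, 33 symbols) are an assumption about how such checkers count, and the check-time comparison is left to the Diceware example above.

```python
import math
import string

# Pool a generic strength checker assumes for each character class present.
SYMBOLS = " " + string.punctuation          # 33 printable ASCII non-alphanumerics
POOL_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": len(SYMBOLS)}


def abbreviate(sentence, position="first"):
    """Build a password from one character of each whitespace-separated word.

    position is "first", "second" or "last". Punctuation glued to a word is
    part of that word, so "(Spot)" yields "(" for first and ")" for last, as
    in Will's example; a one-character word such as "3" contributes that
    character whatever position is requested.
    """
    chars = []
    for word in sentence.split():
        if position == "first":
            chars.append(word[0])
        elif position == "last":
            chars.append(word[-1])
        elif position == "second":
            chars.append(word[1] if len(word) > 1 else word[0])
        else:
            raise ValueError("position must be 'first', 'second' or 'last'")
    return "".join(chars)


def charset_entropy_bits(password):
    """Naive estimate: length * log2(size of the union of the classes present).

    This is what most checkers compute. It overstates the real entropy of a
    sentence-derived password: an attacker who knows the method only has to
    guess the sentence, and first letters of English words are far from
    uniform, so treat the figure as an upper bound.
    """
    pool = 0
    if any(c.islower() for c in password):
        pool += POOL_SIZES["lower"]
    if any(c.isupper() for c in password):
        pool += POOL_SIZES["upper"]
    if any(c.isdigit() for c in password):
        pool += POOL_SIZES["digit"]
    if any(c in SYMBOLS for c in password):
        pool += POOL_SIZES["symbol"]
    return len(password) * math.log2(pool) if pool else 0.0


def caesar_shift(word, k):
    """JACK's scheme: move every ASCII letter k places along the alphabet,
    wrapping z to a and leaving other characters alone.
    caesar_shift(x, -k) undoes caesar_shift(x, k)."""
    out = []
    for ch in word:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + k) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def caesar_added_entropy_bits():
    """Once the method is known, the only secret the shift adds is k, which has
    26 possible values (25 excluding the identity): under 5 bits on top of
    whatever the base word was worth."""
    return math.log2(26)


if __name__ == "__main__":
    for pos in ("first", "second", "last"):
        pw = abbreviate("My dog (Spot) is 3 years old!", pos)
        print(f"{pos:6s} -> {pw}  ({charset_entropy_bits(pw):.1f} bits, naive)")
    print("tbmshtr naive bits:", round(charset_entropy_bits("tbmshtr"), 1))
    print("buddy shifted by 3:", caesar_shift("buddy", 3),
          f"(+{caesar_added_entropy_bits():.1f} bits at most)")
```

The naive estimator rates "Md(i3yo" at about 46 bits and "tbmshtr" at about 33 bits, which is why checkers reward the added capital, digit and bracket; the docstring caveat is the part to remember, since a checker cannot see that the string came from a memorable sentence.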