
Research has shown that the most important technique in creating a secure password might not be what you think! Here's a hint... it's not special characters!

If special characters are not allowed in a password, what hints do you have to make the most secure password?

In this excerpt from Answercast #34, I look at the most important technique for making a safe password: length.

A secure password

That's actually pretty easy. (It's also, unfortunately, fairly common. I've seen a number of sites that restrict your password to only letters and numbers.)

  • The answer's pretty simple: just make your password longer.

Where you might be tempted to enter only eight characters, or perhaps ten, add a couple more: go for twelve or fourteen or sixteen. It doesn't have to be an even number. Go for fifteen if you like.

Length matters

The important thing here is that:

  • Length matters more than the other techniques we've been introduced to for making sure our passwords are strong.

It's been theorized that an eight-character password that has completely random characters in it (including special characters) is technically less secure than, say, a ten-character or twelve-character password that has only alphanumerics in it.

So simply make your password longer.

Restricted lengths

Now, unfortunately, and I'm seeing this from time to time as well:

  • Some services don't allow you to have an arbitrarily long password.

There's actually no reason for that – no technical reason – and yet some systems have that limit. If you're limited to an eight-character or ten-character password, then:

  • Maximize the length of your password to as long as that system will accept, and then

  • Make sure to use as many different kinds of characters as they do allow.

But, in general, if you can get yourself up to 12 characters, I'm actually OK with you using only alphanumeric characters.
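To put numbers on the length-versus-special-characters comparison, here is an added example (not from the article) that computes the entropy of uniformly random passwords. It assumes a 62-symbol alphabet for "letters and numbers only" and the 95 printable ASCII characters for "with special characters"; the figures are upper bounds that only hold for randomly chosen passwords.

```python
import math

# Alphabet sizes (constructed for this example): a site that allows only
# letters and digits gives 62 symbols; every printable ASCII character gives 95.
ALPHANUMERIC = 62
PRINTABLE_ASCII = 95


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a password drawn uniformly from alphabet_size ** length candidates.

    A human-chosen password of the same length and alphabet is weaker than this,
    which is why the advice carries the condition "not obvious".
    """
    return length * math.log2(alphabet_size)


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of candidates an exhaustive search must cover."""
    return alphabet_size ** length


def min_length_to_beat(target_bits: float, alphabet_size: int) -> int:
    """Smallest length at which a random password from this alphabet exceeds target_bits."""
    return math.floor(target_bits / math.log2(alphabet_size)) + 1


def bits_from_extra_char(length: int, alphabet_size: int) -> float:
    """Entropy gained by adding one more character from the same alphabet."""
    return entropy_bits(length + 1, alphabet_size) - entropy_bits(length, alphabet_size)


def bits_from_specials(length: int) -> float:
    """Entropy gained by widening every position from alphanumeric to printable ASCII."""
    return entropy_bits(length, PRINTABLE_ASCII) - entropy_bits(length, ALPHANUMERIC)


if __name__ == "__main__":
    eight_special = entropy_bits(8, PRINTABLE_ASCII)
    print(f"8 random printable-ASCII characters: {eight_special:.1f} bits")
    for n in (8, 9, 10, 12, 16):
        print(f"{n:2d} random alphanumeric characters: {entropy_bits(n, ALPHANUMERIC):.1f} bits")
    print("alphanumeric length needed to beat 8 specials:",
          min_length_to_beat(eight_special, ALPHANUMERIC))
    print(f"one extra alphanumeric character adds {bits_from_extra_char(8, ALPHANUMERIC):.2f} bits; "
          f"switching all 8 positions to specials adds only {bits_from_specials(8):.2f} bits")
```

Nine random alphanumeric characters already outnumber eight random printable-ASCII characters, and adding one character gains more than widening every existing position to the special-character set.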

Article C5569 - July 10, 2012

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


5 Comments
Ron
July 13, 2012 9:56 AM

You touched on the obvious answer, but didn't explicitly state it.

USE UPPER CASE.

Many of the recently published hacks point out that most passwords are lowercase. Simply adding a mix of upper case letters to your password significantly reduces the chance of hacks, especially if they are not first or last letters.

KRS
July 13, 2012 3:35 PM

As explained on Steve Gibson's site, https://www.grc.com/haystack.htm, in addition to using at least one capital and one lower case letter, periods, commas and spaces are just as effective at adding length as special characters, and length is the primary protection. 123456 is trivial. 1 2 3 4 5 6 or 1.2.3.4.5.6. are not.

Pablo
July 13, 2012 7:11 PM

Dear Leo, you that Internet Safety cost U4 2,99 on Kindle, Kindle charge U4 4,99 for the book.
Regards

Patrick C
July 14, 2012 4:13 AM

Hi,
I think that you have covered most of the issues re. passwords (apart from obvious advice such as not posting passwords over the net, not writing them down on "sticky notes" or not giving them to colleagues when you're going on vacation).
There's one thing I remember from a long, long time ago (i.e. the age of the Commodore 64 and the like): using backspaces in such a way that on screen the characters following those backspaces SEEMED to be overwritten. Wouldn't that be a good idea to implement on today's sites or incorporate in end-user programs that use password protection? Perhaps someone might even earn a buck or two for writing the code, or even better: make it available to the general public ;-)
Of course it wouldn't keep malicious hackers from stealing passwords nor keep users and sysadmins from continuing "bad practice"...
Greetz,
Pat.

Dave
July 14, 2012 12:55 PM

Leo,

As one of the more paranoid web users out here, I have pretty much stayed away from using my Hotmail account for anything really important because of their insistence on limiting passcodes to 16 characters. (Most of the passcodes for my other email accounts are 30+ characters.) And I'm also wary because of the frequency with which Hotmail accounts are attacked and successfully cracked (or hacked). I often think of my Hotmail account like my grandpappy's old country house: Doors rarely locked (i.e. poor security) but no articles stolen. IOW, I feel like my Hotmail account isn't necessarily *safe*; it's just not (yet) targeted.

But you're saying that 15-16 characters can actually succeed at being a good, safe, secure passcode these days despite all the brute force capabilities and such that exist? You'd have no worries at all with a Hotmail account with such a passcode?

"No" worries is a bit strong, but yes, I believe 12 characters or more is sufficient today, given that the password you choose is not obvious.
Leo
14-Jul-2012
