Summary: Good passwords are hard to crack and hard to remember. As a result, many people don't use really good passwords, even though they should. We'll look at what makes a good password, and some ways to make them easier to remember.
I told my friend my password, and she said it was a really bad one. What does it mean to have a "bad" password? And what's a "good" one, then?
You told someone else your password? Yikes! I've seen more accounts get stolen by that one simple act than by any other single cause. I sure hope you know what you're doing - most people that have told a friend their password have come to regret it.
So what's a bad password? One that someone could easily guess.
A good password? One that's hard to guess, of course.
The problem is that people are way better guessers than you think. And it gets worse if the guesser starts using a computer to do the "guessing" for them.
What's a bad password?
A bad password is any password composed of common words or names, particularly if the password is short. For example, "iLoveMikey" is a bad password. "mydogspot" is a bad password. "GeorgeInParis" is a bad password. All are simply combinations of words or names. On top of that, many people choose bad passwords that express information that someone who knows you might be able to guess. If your boyfriend's name is "Mikey", your dog's name is "Spot", or you met someone named "George" during a trip to Paris, these are all things that people who know just a little about you can use to start making some educated guesses as to what your password might be.
And as I said, people can be really good guessers.
The irony is that the people who know you the best - your friends - are the ones who can probably make the best guesses and are the most likely to guess your password if it's a bad one.
Another problem with passwords made up from words and names is that it's really easy for a determined hacker to set up a computer with a dictionary of words and names and have it start trying combinations until something works.
What's a good password?
A good password is a long random sequence of characters - letters, numbers and any "special characters". "qicITcl}" is a good password. "rAg2imWOIgIf47IM24busml6kpetPF9UGRpPAFBMCoSmSTptbDcOxwcG3aPoa79" is a great password. The best passwords are made up of completely random characters and are as long as you can make them.
You can see the problem - great passwords are impossible to remember. So if you can't remember it, what good is it?
The solution is either a compromise, or the use of some technology.
The compromise
The compromise I use works like this:
I never include full English words or names - instead I use misspellings or phonetic sound-alikes
I always include a mix of uppercase and lowercase letters and numbers
I always make sure the password is at least eight characters long, preferably longer
So, for example, while "Macintosh" is bad, "Mac7T0sh" might be good and probably easier to remember. "HondaPrelude" is bad, but "Pre7ood6" is much, much better.
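The three rules of the compromise, and the earlier point about why word-based passwords lose to a computer running through a dictionary, as an added example that is not from the original article: a small checker that applies the rules to the passwords mentioned above, plus a search-space calculation comparing a two-word password against the 8- and 63-character random examples. The word list is a constructed stand-in for a real cracking dictionary, and the 10,000-entry list size used in the comparison is an assumption.

```python
import math
import re

# Constructed, deliberately tiny word-and-name list standing in for the
# dictionary a guessing program would load (assumption: a real list has
# tens of thousands of entries).
DICTIONARY = {
    "love", "mikey", "dog", "spot", "george", "paris", "macintosh",
    "honda", "prelude", "password", "qwerty", "letmein",
}
MIN_LENGTH = 8        # the article's "at least eight characters"
MIN_WORD_LEN = 4      # ignore very short words so "mac" in "Mac7T0sh" is not flagged


def contains_dictionary_word(password, dictionary=DICTIONARY, min_word_len=MIN_WORD_LEN):
    """Return the longest dictionary word found inside the password (case-insensitive), or None."""
    lowered = password.lower()
    for word in sorted(dictionary, key=len, reverse=True):
        if len(word) >= min_word_len and word in lowered:
            return word
    return None


def check_compromise_rules(password):
    """Apply the article's three rules; return the list of violations (empty list = passes)."""
    problems = []
    word = contains_dictionary_word(password)
    if word:
        problems.append(f"contains the word/name '{word}'")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letters")
    if not re.search(r"[0-9]", password):
        problems.append("no digits")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    return problems


def bits_of_entropy(alphabet_size, length):
    """Entropy in bits of a uniformly random string: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def compare_search_spaces():
    """Search-space sizes, in bits, for the kinds of password the article contrasts."""
    return {
        "a name plus a word, each from a 10,000-entry list": bits_of_entropy(10_000, 2),
        "8 random printable ASCII characters (like 'qicITcl}')": bits_of_entropy(95, 8),
        "63 random letters and digits (the article's long example)": bits_of_entropy(62, 63),
    }


if __name__ == "__main__":
    for pw in ["iLoveMikey", "mydogspot", "Macintosh", "Mac7T0sh", "HondaPrelude", "Pre7ood6"]:
        verdict = check_compromise_rules(pw)
        print(f"{pw:14} {'OK' if not verdict else '; '.join(verdict)}")
    for label, bits in compare_search_spaces().items():
        print(f"{bits:7.1f} bits  {label}")
```

Passing the checker is necessary rather than sufficient: "Pre7ood6" clears all three rules, but at eight characters it sits well below the search space of the random examples, and a guesser who knows you drive a Prelude may still try variations of that word first, which is exactly why the article says to assume "they" are great guessers.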
The bottom line for this compromise: pick a random looking password that YOU can remember but that "they" would never guess - and as I've said a couple of times, always assume that "they" are always really great guessers.
Using Technology
Never, ever, write your password down on a piece of paper near your computer. Paper is definitely not the technology I'm talking about. It's amazing how many passwords are stored on sticky notes right on the monitor, under the mouse pad or in a desk drawer. It's not that hard for the motivated to go searching and find all that.
My old approach was to use an Excel spreadsheet with all account names and passwords - in fact I still do for much of my sensitive information. By itself, that's incredibly insecure and dangerous. Anyone who can get a hold of that spreadsheet has everything. Other people use simple text files that suffer from the same fundamental flaw - it's the moral equivalent of a sticky note. Anyone who has access to the file has all the passwords.
The solution is to encrypt the file. I'm not talking about the encryption built into applications like Excel - which I'm led to believe is reasonably easy to defeat - but an "industrial strength" encryption solution such as TrueCrypt. Using TrueCrypt, you can control exactly when the information is actually visible, and the rest of the time it remains safely encrypted.
My current approach for website logins is to use RoboForm. RoboForm captures passwords when you enter them as you visit websites requiring login and then remembers them for you in an encrypted database. When you return to that site, RoboForm makes the login available for you automatically. It includes a handy random password generator. Since RoboForm remembers passwords for you, you can use completely random strings - the most secure passwords possible, as I described earlier.
But - be aware that RoboForm and the TrueCrypt-style of encrypted solutions both require one thing: a password to decrypt the database of passwords. That password needs to be something you can remember, yet something secure. However, remembering that one password then opens up the vault to your entire set of accounts and passwords.
Related:
Ask Leo! - Dictionary Attack: What is it?
Ask Leo! - How can I keep data on my laptop secure?
Article C2799 - October 1, 2006
Hello Leo:
First of all Leo, I would like you to know how very much I do appreciate your website. Great and most valuable work, my good man!
I would like to tell you what I have done regarding secure passwords. Often when you buy a program on CD, there is a CD-key (product key) which you must type in before the program will install itself. Usually these keys are HUGE! For example, a Windows XP product key has no less than 28 characters (dashes included)! I use a CD-key from one of my old programs as password. I made a macro (encrypted) of that key, and it resides patiently in my computer, and I can call it up whenever and wherever I need it. Just a click and there it is! Hence my passwords are all the same.
And if something really bad happens to my beloved puter? There’s always that CD in my box of goodies with my “password”. No need to remember a single thing.
In closing a tiny question: If a company for example sells 5 million copies of a certain program, are all product keys the same or different? Just to be on the safe side, I chose my password from a very, very old program nobody uses anymore, hence that ancient CD has become my “password CD”!
If you wish, please feel free to use this info on your website.
Martin Vanderkaa
Posted by: Martin Vanderkaa at October 10, 2006 4:27 PM
Yes, each product key is unique, though the same key may be used in a site license purchase (and, of course, pirated copies). But normal run of the mill purchases should each have a unique key.
fwiw, if my math is right, I believe a 25 character product key with letters and digits has 25^36 possible combinations (approx 2 followed by 50 zeros). While I'm sure not all combinations are used, that's more than enough to cover a measly 5,000,000 :-).
Posted by: Leo Notenboom at October 10, 2006 4:36 PM
The best method I know of to create a password is at http://www.diceware.com
Posted by: Richard at June 4, 2007 4:41 PM
If one is so inclined, it goes over the full mathematics of why it is a secure method of picking a passPHRASE. Just roll some dice, look up the words corresponding with the dice, and there's your password. You end up with a long password, that is truly random, but unlike any other method recommended for passwords, is easier to remember. Combine this with a password keeper like KeePass and you can have all the secure passwords you want.
But to be honest, Leo, for developers and programmers especially it's too hard to remember a hard-to-guess password every time you register an account on an important site or make an account on a script installed on your server, etc., so my advice is to write your passwords on a paper away from the computer and keep this paper safe; this is the only solution I see as really safe. "Because systems and technologies can be hacked or stolen, but surely our memories and our minds can't."
Thank you, Leo.
Posted by: peter at June 22, 2008 8:48 PM
http://www.fosdir.com
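The Diceware method recommended in the comments above, as an added illustration that is not code from the page or from diceware.com: dice rolls are read as a base-6 number and used to index a word list, and the entropy of the result is simply the number of words times log2 of the list size. The 36-word, two-dice list here is a constructed toy so the example runs offline; the real list has 7,776 words indexed by five dice, and that figure is used for the second calculation.

```python
import math
import secrets

# Constructed toy word list: 36 words, one for every two-dice roll from 1-1
# to 6-6. The real Diceware list is 7,776 words indexed by five dice; this
# short list is an assumption made only so the example runs offline.
WORDS = [
    "acorn", "badge", "cabin", "daisy", "eagle", "fable",
    "gable", "habit", "igloo", "jelly", "kayak", "lemon",
    "mango", "noble", "oasis", "pearl", "quilt", "raven",
    "salsa", "tulip", "umbra", "vivid", "wafer", "xenon",
    "yacht", "zebra", "amber", "bison", "cider", "dune",
    "ember", "fjord", "ginger", "hazel", "ivory", "jade",
]
DICEWARE_LIST_SIZE = 6 ** 5   # 7,776 words in the real list


def roll_dice(n_dice):
    """Roll n fair dice using the OS CSPRNG; physical dice give the same distribution."""
    return [secrets.randbelow(6) + 1 for _ in range(n_dice)]


def roll_to_word(roll, wordlist=WORDS):
    """Look up the word for a roll by reading the die faces as a base-6 number."""
    if len(wordlist) != 6 ** len(roll):
        raise ValueError("word list must have exactly 6**dice entries")
    index = 0
    for face in roll:
        if not 1 <= face <= 6:
            raise ValueError(f"die face out of range: {face}")
        index = index * 6 + (face - 1)
    return wordlist[index]


def generate_passphrase(n_words, dice_per_word=2, wordlist=WORDS):
    """Roll once per word and join the words; every word is independent and uniform."""
    return " ".join(roll_to_word(roll_dice(dice_per_word), wordlist) for _ in range(n_words))


def passphrase_bits(list_size, n_words):
    """Entropy in bits: each word contributes log2(list_size), so total = n_words * log2(list_size)."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    phrase = generate_passphrase(5)
    print("toy passphrase:", phrase, f"({passphrase_bits(len(WORDS), 5):.1f} bits)")
    print(f"six real Diceware words: {passphrase_bits(DICEWARE_LIST_SIZE, 6):.1f} bits")
```

The security of the passphrase comes entirely from the dice being fair and the list being fixed and public, never from keeping the method secret: five words from the toy list give under 26 bits, which is why the real method needs the full 7,776-word list and six or more words to reach roughly 77 bits.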
While "georgeinparis" might be a "bad" password, how long do you think it would take ANYONE to guess a password such as "george423crackers"? A long time, I hope, because I use such passwords.
Posted by: Julian Adams at June 24, 2008 10:15 AM
I take my password (say buddy) then encrypt it with a simple cipher. Use the alphabet: go to the first letter, put b, then add say 3 letters and use that letter in the password, which would be the letter 'e', and so on. Be creative. Read Dale Brown "Digital Fortress"
Posted by: JACK at June 26, 2008 8:49 PM
Great post.
One more viable method of remembering a not-easily guessed password: Use the first or second or last letter of each word in an easily remembered sentence.
Example: "My dog (Spot) is 3 years old!" can be remembered and yields "Md(i3yo" or "yoSs3el" or "yg)s3s!".
Will
Posted by: Will Bontrager at March 28, 2009 9:41 AM
You can also just use words that don't exist, at least that's what I do.
For example table and chair are normal English words, but Vorlesmit and Garkolnat aren't and then you combine such words and add numbers and special characters to em and upper/lowercase them and you have a password that can't be found in any dictionary; "Vorles@Gark.159!"
no, that's not my password, it's just an example :) (or is it?)
23-Jul-2009
In a nutshell, a good password is one that is composed of alphanumeric characters. Let me touch on the spot many haven't touched: viruses. Easy and straightforward passwords are very vulnerable to viruses. Make your system secure with a password that's not easy to crack, a combination of alphabetic and numeric characters; that's a good password.
Posted by: Martin at August 31, 2009 1:09 AM
For the absolute ultimate "Last Word" in passwords, read the book "Perfect Passwords" by Mark Burnett. You can snag it on Amazon for under twenty smackers, plus S&H, at:
Bottom line: The "Perfect" password will contain all of the following six elements: (1) Randomness in character selection, (2) Length (more than 16 characters), (3) Lowercase letters, (4) Uppercase letters, (5) Numbers, and (6) Punctuation or symbols.
Bottom line: The more of each of these elements you can add to your password, the more secure that password will be!
Posted by: Glenn P. at October 3, 2009 1:38 AM