Choosing a brilliant password

c: | f: /

Plenty of people tell you how not to choose a password and give terrible advice; few tell you how to do it properly. Let me thread you through the minefield.

There are hundreds of sites out there telling you how to choose a good password but they’re all either outdated or offer stupid advice like “change your password every month” or “use numbers in place of letters”.

Quite simply, a brilliant password conforms to the following rules:

  1. Use a phrase or series of unconnected words, possibly interspersing them with characters and symbols instead.
  2. If you can forget it or need to write it down, don’t use it.
  3. Never use the same password twice. Ever.
  4. From (1) it follows that any of the following should NEVER be used:
    1. a single word in any dictionary in any language, including profanities, using any mix of upper and lower case or numbers-for-letters.
    2. some personal information such as your name, initials, family member name, friend, pet, address, postcode, computer system name, birthday, anniversary, significant date, month or year.
    3. your favorite music (group names, albums), book/movie characters or titles, celebrity, or place.
  5. Never use any words (including the above) that fall into the following categories:
    1. double words (dogdog or fredfred).
    2. insults / instructions / jargon (biteme, letmein, foobar).
    3. keyboard sequences (asdfgh, poiqwe, 123456789).
    4. reversals or switchers (terces, derfderf, wordpass).
    5. numeric prefix/suffix (fred1, biteme2010, 1970god).
    6. numeric replacements (fr3d, f00bar).
  6. The longer the better.
  7. Try to throw in some numbers, symbols and a mix of upper and lower case letters OR use multiple words (minimum of four). Or mix both systems if that’s your thing. Just make it long.
  8. Never let any software store your passphrase on your behalf to auto-login: you’ll forget it unless you type it in frequently. You’ll be surprised how quick you can become at typing even 15 or 20 character passwords if you do it often enough (a caveat is if you’ve bought a password generator like 1password which manages keys securely on your behalf. They’re okay, providing you protect the program itself with a stupendously good password).
  9. Change your password whenever you feel the urge or if you suspect someone saw you type it, you divulged it in your sleep, or your computer/network is compromised. But never change it on a schedule.
  10. Never listen to anyone who claims Biometrics is secure: if your fingerprint or iris is compromised, you can’t change it. Your password can always be changed.

That’s a pretty comprehensive checklist, but what can you do if you can’t use all the easy stuff and need inspiration? My favourite idea beyond modging together a bunch of random words is to choose a line from one of your favourite movies or books — maybe even its title — and take the first letter of each word then play around with it to make up your passphrase. Examples:

  • Star Wars Episode V: The Empire Strikes Back — SWEp5:tESB
  • Michael Jackson “She was more like a beauty queen from a movie scene” — MJSwmlabq,famS
  • “A rose by any other name would smell as sweet” — aRosebaonwsas
  • Linux/UNIX rocks and puts Windows to shame: *nixRox&pW2s
  • “There’s No Business Like Show Business” from Annie Get Your Gun: tnblsb<-AGYG

See how easy it is to be creative? Now you have no excuse :-)

3 muppets could be bothered to write something

    Maniquí

    Arrived here from TXP admin, when trying to change my password! What a surprise, I didn’t know that feature. Is it built into TXP or is it some smd_ trick?

    Anyway, struggling with passwords…
    Choosing a line from books, movies or songs and then using the initials is a good trick that I implemented a few times (using some variations, like using the exact line but mixing it with some l33tsp34k). But then, it comes the problem of having different passwords on different websites and try to remember them all.
    Of course, you could use the same really-difficult-to-crack password on many or every website, but we know that’s not good advice.

    For example, I’ve a few different passwords. For not-so-important stuff/websites I use one or two easy-to-remember (and probably easy to hack) passwords. On other more important websites, I use more complex passwords (also, a few of them), but i struggle to remember them all.

    I’d like to find a better strategy, a One Trick To Remember Them All.

    In any case, there is this XKCD comic strip
    http://xkcd.com/936/
    which may be a bit against the advice you give (about not using dictionary words).
    But then, if you try a long passphrase using a few easy-to-remember dictionary words (i.e. cowboynovemeberspacetime), it would take 454 quadrillion years to get cracked (according to TXP’s feature or also according to this http://howsecureismypassword.net/)

    Stef Dawson

    Aha, yes, it’s an smd_prognostics trick that redirects here. Never miss an opportunity for a shameless plug :-)

    And yes I sometimes struggle too over time; especially with my nearly 60 e-mail accounts, some of which I don’t use very often. But it keeps me sharp having to try and remember them!

    I agree that random letters and numbers from a movie quote only works if you’re diligent or use the account frequently. As xkcd say, the multi-word (where multi >= 4) approach is also very good and often better. I forgot to mention that in the article, so thanks for bringing it up.

    You also seem to have come up with the same strategy as me: multiple ‘grades’ of password. Throwaway spam hotmail accounts for registering with companies tend to get the lowest grade — and often the same password because I don’t care if they’re hacked. But things I do care about — gmail, primary hotmail, Txp logins, SFTP credentials, etc — get better passwords: either similar ones with different letters/numbers/case or completely unique ones for things I care about most deeply.

    Just don’t get me started on that so-called stupid “RBS Secure” crap. What a heap of junk that is. In fact I can feel a blog post coming on about that very topic…

    Leonard

    Man this is some good stuff! Ill be putting this to use! dd1

Connect brain to digits

(required)

(required, never made visible)

(optional, linked with rel="nofollow")

(required)