Comments on: How to make great passwords

By: Don’t settle for weak passwords | Defending The Kingdom: Security and Privacy in Your Digital Life

Sun, 06 Dec 2009 11:03:52 +0000

[...] If you want a simple way to create, store, and use strong passwords, get Password Safe.You need only remember one password – the master password that grants access to your password database. Making a suitable password is easy, as I’ve written about before. [...]

By: white knight 1012222

white knight 1012222 — Thu, 23 Apr 2009 17:40:55 +0000

Makeing a completly random encrtyped password from grc.com is probably a good start there are many other good sites out there to use anyother thing i like to do is copy and past my passwords to a wordpad document

By: What’s your secret question? | Defending The Kingdom: Security and Privacy in Your Digital Life

Sat, 27 Sep 2008 13:34:12 +0000

[...] Making strong and easy to remember passwords is amazingly easy. But what do you do when you’re asked to choose a secret question for an account – something like, “What is your mother’s maiden name?” or “What was the name of your first pet?” [...]

By: Bad passwords everywhere | Defending The Kingdom: Security and Privacy in Your Digital Life

Sun, 30 Dec 2007 23:47:42 +0000

[...] It’s unlikely that you have much to hide from the courts, but you have important email and bank accounts that you should keep secure with a strong password. Using great passwords is one of the easiest and most effective means of staying secure on the net. Here’s how to make great passwords. addthis_url = ‘http%3A%2F%2Fwww.defendingthekingdom.com%2Farchives%2Fbad-passwords-everywhere’; addthis_title = ‘Bad+passwords+everywhere’; addthis_pub = ”; [...]

By: Ian Saxon

Ian Saxon — Sat, 15 Dec 2007 16:48:58 +0000

Idetrorce, care to explain why?

By: Idetrorce

Idetrorce — Sat, 15 Dec 2007 15:14:55 +0000

very interesting, but I don’t agree with you
Idetrorce

By: gregor

gregor — Mon, 03 Sep 2007 15:35:06 +0000

Ian,

very true, using the sentence approach is *way* better than using your wife’s name or a birthday as a password. when i wrote the comment i was thinking about my first usage of a really safe password – it was a computer-generated one that i could not change. i hated it in the beginning, but even now, years after i used it for the last time i still remember it – and nobody could have ever gussed it.

as for the advantage of the non-random distributions of characters: when an attacker tries to guess a password he is likely to get a match with a sentence-password earlier than with a truly random one. because he can test for those passwords with more common characters first. suppose the attacker thinks “the password probably does not contain the five characters that are least likely the beginning of an english word”. that would save a substantial amount of time crunching through all possible combinations than including those 5. but i admit, for long passwords this will only be a theoretical advantage. because it really doesn’t matter whether the attacker needs one million or two million years to find the password

By: Ian Saxon

Ian Saxon — Wed, 29 Aug 2007 13:25:31 +0000

Hi Gregor,

Great comment! You’re right that this type of password is created using a non-random process. However, despite the limitations you mentioned, password strings created using this method should be close to random from the perspective of someone (or a machine) trying to guess it.

As for each of your points:

- “first letter will always be capitalised”: probably, although you could choose not to
- “there will be few numbers”: compared to the number of letters, yes. However, even with just one number, a password guesser has to guess which number (0-9) and where it goes in the eight to nine word sentence. Not easy, as there are millions of combinations.
- “the (non-random!) distribution of first letters in English words can be exploited by passwords guessers”: Interesting, although I’m not sure how big an advantage this gives to guessers.

For those who would like to add more security, I would suggest adding one or more special characters to a password. So, if your password was made from “Debbie and Sally ate together in Beijing on Thursday”, you might turn it into “D@$8tiB0T”.

Something I’ve mentioned many times on this website is that there is no such thing as perfect security. Gregor, you may be right that the most secure passwords are created by machines, because they are completely random. It’s also true that the most secure passwords are upwards of 16 characters long. The trouble is, most people would prefer to use a crappy but easy to remember password than one that is secure but hard to remember. My thinking is that the average person (myself included) would be better off knowing the method to create a pretty darned secure password that they actually use than they would if I told them about the very best method that they never used.

What do you think?

By: gregor

gregor — Wed, 29 Aug 2007 08:10:30 +0000

I don’t think this is a good solution. Good passwords are random character sequences. Passwords created using the sentence technique are not random at all:
* first letter will always be capitalised (or none if people switch to all lower case)
* there will be few numbers
* the (non-random!) distribution of first letters in englisch words can be exploited by passwords guessers

I think a better solution is using some tool (https://www.grc.com/passwords.htm came up in a quick google search) to create a really random string and learning that (or a substring) by heart.