How to make great passwords
28 August 2007
- Think of a memorable, eight- or nine-word sentence like “Fred is a bad ninja but has 3 nunchucks”.
- Take the first letter of every word to turn the sentence into a password. Result: “Fiabnbh3n”
- Test your password using Microsoft Password Checker
That’s it. You’re done! You’ll find that this method produces passwords that are remarkably easy to remember and strong.
Comment by gregor — 29 August 2007 @ 1:10 am
I don’t think this is a good solution. Good passwords are random character sequences. Passwords created using the sentence technique are not random at all:
* first letter will always be capitalised (or none if people switch to all lower case)
* there will be few numbers
* the (non-random!) distribution of first letters in English words can be exploited by password guessers
I think a better solution is using some tool (https://www.grc.com/passwords.htm came up in a quick google search) to create a really random string and learning that (or a substring) by heart.
Comment by Ian Saxon — 29 August 2007 @ 6:25 am
Great comment! You’re right that this type of password is created using a non-random process. However, despite the limitations you mentioned, password strings created using this method should be close to random from the perspective of someone (or a machine) trying to guess it.
As for each of your points:
– “first letter will always be capitalised”: probably, although you could choose not to
– “there will be few numbers”: compared to the number of letters, yes. However, even with just one number, a password guesser has to guess which number (0-9) and where it goes in the eight- to nine-word sentence. Not easy, as there are millions of combinations.
– “the (non-random!) distribution of first letters in English words can be exploited by passwords guessers”: Interesting, although I’m not sure how big an advantage this gives to guessers.
For those who would like to add more security, I would suggest adding one or more special characters to a password. So, if your password was made from “Debbie and Sally ate together in Beijing on Thursday”, you might turn it into “D@$8tiB0T”.
Something I’ve mentioned many times on this website is that there is no such thing as perfect security. Gregor, you may be right that the most secure passwords are created by machines, because they are completely random. It’s also true that the most secure passwords are upwards of 16 characters long. The trouble is, most people would prefer to use a crappy but easy to remember password than one that is secure but hard to remember. My thinking is that the average person (myself included) would be better off knowing the method to create a pretty darned secure password that they actually use than they would if I told them about the very best method that they never used.
What do you think?
Comment by gregor — 3 September 2007 @ 8:35 am
very true, using the sentence approach is *way* better than using your wife’s name or a birthday as a password. when i wrote the comment i was thinking about my first usage of a really safe password – it was a computer-generated one that i could not change. i hated it in the beginning, but even now, years after i used it for the last time i still remember it – and nobody could have ever guessed it.
as for the advantage of the non-random distributions of characters: when an attacker tries to guess a password he is likely to get a match with a sentence-password earlier than with a truly random one. because he can test for those passwords with more common characters first. suppose the attacker thinks “the password probably does not contain the five characters that are least likely the beginning of an english word”. that would save a substantial amount of time crunching through all possible combinations than including those 5. but i admit, for long passwords this will only be a theoretical advantage. because it really doesn’t matter whether the attacker needs one million or two million years to find the password 🙂
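The article's first-letter method and the comment thread's objection (first letters of English words are not uniformly distributed) can both be put in code. This is an added example, not code from the post or its author; the mini-corpus is constructed and only stands in for a real word list, and the attacker model (letters drawn from the first-letter distribution, digits from 0-9, digit positions chosen freely, case ignored) is an assumption used to illustrate the comparison.

```python
import math
import re
from collections import Counter

def sentence_to_password(sentence: str) -> str:
    """The article's method: first character of every word, digits kept."""
    return "".join(word[0] for word in sentence.split())

# Constructed stand-in for English text (assumption: a real estimate would
# use a large word list; these lines only demonstrate the calculation).
CORPUS = (
    "the quick brown fox jumps over the lazy dog while the cat sleeps "
    "and the children play in the garden until their mother calls them "
    "to the table for supper and a story before bed"
)

def first_letter_distribution(text: str) -> dict:
    """Probability of each letter appearing at the start of a word."""
    starts = [w[0].lower() for w in re.findall(r"[A-Za-z]+", text)]
    total = len(starts)
    return {c: n / total for c, n in Counter(starts).items()}

def shannon_bits(dist: dict) -> float:
    """Entropy in bits of one draw from the distribution."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)

def strength_estimate(sentence: str, dist: dict) -> tuple:
    """Return (bits if the attacker assumes uniform alphanumerics,
    bits if the attacker knows the sentence method and the skewed
    first-letter distribution). Case is ignored because, as the comment
    notes, the capitalisation pattern is predictable."""
    pw = sentence_to_password(sentence)
    n_letters = sum(ch.isalpha() for ch in pw)
    n_digits = sum(ch.isdigit() for ch in pw)
    uniform_bits = len(pw) * math.log2(62)
    # letters from the skewed distribution, digits from 0-9, plus the
    # choice of which positions in the password hold the digits
    method_bits = (n_letters * shannon_bits(dist)
                   + n_digits * math.log2(10)
                   + math.log2(math.comb(len(pw), n_digits)))
    return uniform_bits, method_bits

if __name__ == "__main__":
    dist = first_letter_distribution(CORPUS)
    for s in ("Fred is a bad ninja but has 3 nunchucks",
              "Debbie and Sally ate together in Beijing on Thursday"):
        u, m = strength_estimate(s, dist)
        print(f"{sentence_to_password(s):12} uniform~{u:.1f} bits  method~{m:.1f} bits")
```

The gap between the two figures is the "theoretical advantage" the comment describes: real, but for a nine-word sentence still leaving a search space far beyond the birthday-style passwords the method replaces.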
Comment by Idetrorce — 15 December 2007 @ 8:14 am
very interesting, but I don’t agree with you
Comment by Ian Saxon — 15 December 2007 @ 9:48 am
Idetrorce, care to explain why?
Pingback by Bad passwords everywhere | Defending The Kingdom: Security and Privacy in Your Digital Life — 30 December 2007 @ 4:47 pm
[…] It’s unlikely that you have much to hide from the courts, but you have important email and bank accounts that you should keep secure with a strong password. Using great passwords is one of the easiest and most effective means of staying secure on the net. Here’s how to make great passwords. […]
Pingback by What’s your secret question? | Defending The Kingdom: Security and Privacy in Your Digital Life — 27 September 2008 @ 6:34 am
[…] Making strong and easy to remember passwords is amazingly easy. But what do you do when you’re asked to choose a secret question for an account – something like, “What is your mother’s maiden name?” or “What was the name of your first pet?” […]
Comment by white knight 1012222 — 24 April 2009 @ 1:40 am
Making a completely random encrypted password from grc.com is probably a good start. There are many other good sites out there to use. Another thing I like to do is copy and paste my passwords to a WordPad document (place in new folder, don’t call it passwords!!! call it pics or downloads…) and encrypt the main mother file… then transfer it to flash drive. This will secure it even more and you will always have it for future reference in case of a meltdown or hardware failure… hope this helps some people!
Pingback by Don’t settle for weak passwords | Defending The Kingdom: Security and Privacy in Your Digital Life — 6 December 2009 @ 7:03 pm
[…] If you want a simple way to create, store, and use strong passwords, get Password Safe. You need only remember one password – the master password that grants access to your password database. Making a suitable password is easy, as I’ve written about before. […]
Trackback by The Social Media Traffic Generation — 9 September 2010 @ 5:37 am
How To Create A Super Password…
According to new findings published by the Georgia Institute of Technology, traditional 7 to 8-digit passwords can no longer guarantee a network’s security. Indeed, the increasing availability of powerful graphic processing units means that it is…
Pingback by Shop online safely | Defending The Kingdom: Security and Privacy in Your Digital Life — 29 November 2010 @ 3:10 am
[…] as changing your password to something marginally more complex than the typical internet user’s password makes you an undesirable target, doing a bit of […]
Pingback by The backdoor problem | Defending The Kingdom: Security and Privacy in Your Digital Life — 22 December 2011 @ 2:52 pm
[…] the possibility that you forget the master password that unlocks the database. If you’ve used this method, that should never happen. But sometimes bad things do happen, and you should plan for that. […]