How To Choose A Secure Password

In order to know whether your password is secure, you need to understand some basics about how passwords are used. I’ll use some example passwords in this post. These are examples only; do not use them as your password.

A password can be used, like a key to a safe, to encrypt and decrypt data. A password can also be used to access certain websites or online accounts. In such cases, the data should be encrypted by the website’s own system — but most sites give little or no information about how they secure your information.

However, a password is not used directly as the encryption/decryption key. Instead, to make it more secure, the password is hashed. A hash is a non-mathematical function used to convert a string of characters or a digital file into a random-looking set of zeros and ones of a fixed length. The zeros and ones are usually represented in hexadecimal format, using the digits 0 to 9 and the letters a to f. Examples using the common MD5 hash function:

password — MD5 hash
password123 — 482c811da5d5b4bc6d497ffa98491e38
123456 — e10adc3949ba59abbe56e057f20f883e
letmein7 — 9a02b55e072d71503831a887b1756a8f

The password examples above are all poor passwords, but the hashes look secure. The hash is what is actually used to encrypt the data. Why are certain passwords insecure when the actual key used for the encryption is long and random? It is because hackers can take a list of common passwords and generate, in advance, a list of the hashes.

Now if your password is very common and very insecure, like “password123” or “654321”, anyone can go online and with a few guesses perhaps access your account. But the more serious problem occurs when a hacker obtains a database of hashed passwords from a website. All they have, initially, is the hash, not the actual password. But they can run a program that tries a large number of possible passwords, generates the hash of each, and then compares that hash to the database. When they find a match, they know the password.

See this Bruce Schneier post on passwords and the ArsTechnica article that he references.

A hacker with just a desktop computer can run every possible six-character password through a hashing program and check it against a database of hashed passwords. In other words, no 6-character password is secure. At 7 or 8 characters, the password becomes more resistant to a “brute force” attack, i.e. a test of every possible combination of characters of that length. At 9 or more characters, the length of the password is relatively secure (though not against a well-heeled opponent like the NSA).

The same hacker can easily test every word in the dictionary, as well as every word in the dictionary with one, two, three, or four numbers (or characters and numbers) added to the end. So these examples of passwords are not secure:


In short, any password containing a dictionary word, or a name or other common word, is not secure, even if you add numbers, or letters and numbers to the end. Even a password with multiple words plus numbers is not secure:


The reason is that a hacker’s “dictionary” includes not only the words in an actual dictionary, but also phrases that are commonly used as passwords. This type of hacker dictionary is built partly from lists of cracked passwords that other hackers have obtained in the past and posted online.

Now you might think that if you combine two passwords using the word-number formula, it would be safe. Not so. Passwords like these:


are not secure because hackers will also take the terms (words, phrases, common passwords) from their hacker dictionary and try every combination of two passwords. So if “fishing493” and “boat998” are both in the dictionary, a check of every combination will find: fishing493boat998
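As an added example (not from the original post), here is a small Python audit that applies the steps described above, from the precomputed hash list onward, to a constructed database of unsalted MD5 hashes: bare dictionary terms, then word plus digits, then every two-term combination. Run it against your own user table and it reports which stored passwords a wordlist of this shape recovers; the word lists, account names and every hash except the two from the post’s table are constructed for the example.

```python
import hashlib
import itertools

# Constructed stand-ins for the two inputs the post describes: dictionary words,
# and terms harvested from previously cracked password lists (real ones: millions).
WORDS = ["password", "letmein", "iloveyou", "dragon"]
CRACKED = ["fishing493", "boat998", "123456", "qwerty"]


def md5_hex(s):
    """Unsalted hex MD5, the format shown in the post's table."""
    return hashlib.md5(s.encode()).hexdigest()


def guesses(words, cracked, max_digits=3):
    """Yield candidates in the order the post describes: bare dictionary
    terms, then word + 1..3 digits, then every two-term combination."""
    terms = list(words) + list(cracked)
    yield from terms
    for w in words:  # "fishing" -> "fishing0" ... "fishing999"
        for n in range(1, max_digits + 1):
            for digits in itertools.product("0123456789", repeat=n):
                yield w + "".join(digits)
    # Pairs of dictionary terms, so "fishing493" + "boat998" is tried. Real tools
    # also pair the word+digit forms; more work, but still cheap for an attacker.
    for a, b in itertools.product(terms, repeat=2):
        yield a + b


def audit(hash_db, words=WORDS, cracked=CRACKED):
    """Given {account: md5_hex} from your own user table, return the accounts
    whose password the wordlist recovers, mapped to the password found.
    Each guess is hashed once and looked up in a dict of the stored hashes."""
    wanted = {h: acct for acct, h in hash_db.items()}
    found = {}
    for g in guesses(words, cracked):
        h = md5_hex(g)
        if h in wanted:
            found[wanted[h]] = g
            if len(found) == len(wanted):
                break  # everything recovered; stop early
    return found


# Constructed sample database; the first two hashes are the ones in the post.
SAMPLE_DB = {
    "alice": "482c811da5d5b4bc6d497ffa98491e38",  # password123
    "bob": "e10adc3949ba59abbe56e057f20f883e",    # 123456
    "carol": md5_hex("letmein7"),
    "dave": md5_hex("fishing493boat998"),
    "erin": md5_hex("rtVX*MBGJ*Aty6"),  # random, per the post's rules: survives
}
```

Every account except erin is recovered with fewer than 5,000 hash computations, which is the point the post makes about word-number formulas and two-term combinations.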

The solution to this problem? Follow a few simple password rules:

1. no dictionary words at all
2. no phrases
3. do not use the common formula of word-number or number-word
4. passwords should be 9 characters or more

I also suggest using Password Safe to generate secure passwords and to store those passwords in encrypted form. To generate a password with Password Safe, click Manage | Password Policies, then choose the default and click Edit. Next, set the password policy, i.e. whether the password will contain numbers, upper or lower case letters, or symbols. The “Generate” button on the same screen, or in any password database entry, can then be used to create a new random password.

If you need an easier-to-remember password (which is a little less secure), choose a password length of at least 9 characters, with only uppercase letters and numbers. Then, once the password is generated, choose some characters to make lowercase that would also be easy to remember (like the first few or last few letters). So “TT6C9YGUU” becomes “tt6C9YGuu”. You can also make the password easier to remember by using a separator symbol. So “RTVXMBGJAMY6” becomes “rtVX*MBGJ*Aty6”.

For important files that are encrypted on a backup external hard drive, use a long random password that you have thoroughly memorized. There is no substitute for memorization, since even your Password Safe database needs a password to access it.

– Thoreau

One Response to How To Choose A Secure Password

  1. I’ve done IT security since the mid-90s. I can tell you one simple thing when it comes to passwords. The average person ain’t ever gonna remember something secure. Unfortunately this is absolute truth in, I’d say, 95% of people. I’ve guessed passwords of people just by talking to them in the past.

    Every site or whatever applications you utilize needs a different password so if one is compromised the rest are not. Now with the way the internets operate that just means in excess of 100 passwords at times, depending on how many sites you log into. That’s a lot for the average person to remember.

    One needs a very good way of figuring out how to correlate a sentence they can remember into a very secure password. Unfortunately I will not give anyone my method as it’s stupidly ridiculous and I do not wish to give up the way I’m able to memorize passwords that are 30 or more characters in apparently a random fashion.

    When I can I do prefer key authentication. To me this is one of the best ways of making certain you can revoke credentials when need be as well as keeping things secure. One can also implement a policy to change keys at a certain duration or make that duration random to keep people guessing.

    When it comes down to network security one also has to look at other vectors of attack; passwords and keys are not the only way to make certain information is not stolen. There are literally millions of ways to obtain information off of a device or application if the proper people are motivated enough to grab it.

    There’s really only one true way for security about any information you *truly* care about. Keep it in your head. If you must pass information onto another you must have complete trust that they will save your life. Then if you need to pass this information onto said people an established network of one time pads is the absolute best way to keep it private.

    The other way to keep your life secret or at least protected on the intarwebs is to separate your true self from your online profiles. Sure share life events and all that crap. You still need to separate everything and this takes a lot of discipline. It also requires one remembering what is what and how to deal with it.