Alex headshot

AlBlue’s Blog

Macs, Modularity and More

Choosing a good password

Howto 2005

With a disparate number of systems requiring logons these days, it can be hard to choose a good/unique password for each system (or even use the same password for each). To help out those who are trying to come up with a good password, here's a list of do and don't recommendations:

  • Passwords shouldn't be shared. As a general rule, your password details should be different for each system that you use. The rationale for this is if a password is compromised (someone finds it out) then they can't log on to any other systems that they may know about. This is especially true of on-line banking systems and others that control serious aspects of your life; you should never share any passwords amongst these systems.
  • The password should be strong. Simple passwords, like the ubiquitous password, are simply too weak to use in today's society. Most password systems can be cracked with something called a brute-force attack. In these breaks, an attacking system can try using a dictionary (a large list of words) and try each one of those against the remote system. Replacing a letter with a digit (for example, replacing the letter 'oh' with the number 'zero' is a known trick -- by both password choosers and password breakers. In fact, using a number is a pretty poor choice for using a password, because it means that your word is pretty much guaranteed to have a one or zero in, and thus the attacker has to search many fewer combinations. (Passwords like 'zebra' don't have any letters-that-can-be-transposed, and so aren't used that often :-)
  • It should be easy to remember. Should go without saying, but you should never write your password down. Using lots of numbers, letters with mixed case, and punctuation symbols is a good recipe for a strong password, but if it gets written down on a post-it note next to your monitor, it's not very strong at all.

So, how do you go about choosing a password for such a system? Well, although passwords like asdfgh seem random enough, they're not much different from qwerty which (although being as random, is probably instantly recognisable). Humans aren't that good at picking letters, and even using adjacent keys like qazwsx isn't as secure as you might think. A number of messages encyrpted on Enigma machines were broken simply because the 3-character salt that preceeded each message was often not as random as the operators thought.

One good way of creating a password is to think of a phrase, like "I must remember to get the dog washed today". You can then take the initial letter of each word and distil a password like Imrtgtdwt. Of course, you don't just have to use the cases that you would have thought of; for example, you might capitalise every second letter, or every third letter, or every vowel, or every letter typed with the left hand ... although if you're using a solid rule like that all the time, it doesn't add much to the security of the password. You should try using a different technique every time that you need a new password, and possibly use something in the phrase like "I must remember to capitalise every third letter" would be imRtcEtl.

If you are going to use a phrase-based approach (and this is of course assuming that your password must be between 6-13 characters long :-) then don't think of anything obvious. If you're a Don Maclean fan (or more recently, Madonna), then 'allta' might become more understandable. Or, if it's that time of year again, 'hb2hb2u' isn't likely to be as random as you think. It's really best to come up with a completely random phrase like 'Alex Blewitt wears wacky ties at EclipseCon' to get ABwwt@EC.