Last Updated on May 12, 2018 by Dave Farquhar
Most passwords aren’t good, because humans just aren’t very good at making good ones and computers are much better at guessing them than at telling humans whether they are good. So here’s how to create a good password.
The reason for 8-character passwords
Did you ever wonder why people require passwords to be 8, 9, or 12 characters long? And why the rule keeps changing? The answer lies in the reason the rule existed in the first place.
The rule of 8-character passwords dates to the 1990s. In the 90s, it took about a year to cycle through all of the possible 8-character passwords. So the thinking was that if they required everyone’s password to be 8 characters long, kept people from using the easiest ones to guess, and made people change them every 90 days, it would minimize the chances of someone guessing someone else’s password.
The rules changed because computers are much more powerful today. In 1994 I bought a computer for $1,400. If I were willing to spend that today, I could get a computer 800 times as powerful, by a quick, conservative estimate.
That’s why computers can do so much more than they could in 1994. This web site was not possible with 1994 technology, yet by today’s standards it’s not even an ambitious site. But with the power to do good things comes the power to do bad things.
To meet those 1994 standards today, passwords have to be about 12 characters long, and you can’t pick the characters yourself.
That’s obnoxious and unreasonable. If we follow that rule, people are going to create one 12-character, computer-generated password and use it for everything. And that will cause a different problem. We have to do something else about it.
How to create a good password, according to British spooks
The British GCHQ, which stands for Government Communications Headquarters, is the British NSA. Their advice is to take four random words, capitalize them, and use that as a password.
I’ve had lots of discussions with people arguing with the math. Or my math, at least. I’ll freely admit that my math may overestimate the strength of that kind of password. I’m not an accomplished mathematician, and I’m not an accomplished software developer either. My way of enumerating the possible passwords may not be the most efficient one.
But what I can tell you is that in analyzing 42 gigabytes of stolen passwords, I found very few, if any, passwords in that list that match the GCHQ’s advice. Yes, in spot-checking some passwords, I did find some 4-word passwords, but they weren’t random.
And not many web sites will let you use a password like that as-is. They’ll insist on you adding a number and a symbol to it. So by the time you add a number and a symbol to satisfy password requirements, in practice you have a pretty good password. Even if we can’t agree on the math.
If you want to go the extra mile, add a fifth word.
Let me emphasize that the key is using random words, and ideally not random words you pick. The counterargument usually centers on disagreement over how many words are in the English language, and how many words are in the average person’s vocabulary. If you pick random words from random pages in a book, the meager average vocabulary becomes less of an issue. Most authors have pretty good vocabularies. If you’re really worried about it, use one or two selections from the Dictionary.com word of the day in your password. That includes words like biophilia and tyro.
Don’t rely solely on selections from the Dictionary.com word of the day though. It’s a collection of obscure words, but it’s only a few thousand words.
Still not good enough for you? Go with machine-generated passwords then. And there’s a trick to not have to remember them.
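Here is the math behind that argument, worked in Python as an added example that is not part of the original post. It counts the bits of entropy for a random-word passphrase against a machine-generated password, assuming a 7,776-entry word list (the size of a diceware-style list; the post does not name one) and the 94 printable ASCII characters; the 16-word list embedded below is a constructed sample only.

```python
import math
import secrets

# Constructed sample wordlist. A real list has thousands of entries; the
# entropy figures below depend only on the size of the list words are drawn from.
SAMPLE_WORDS = ["biophilia", "tyro", "lantern", "orchard", "granite", "velvet",
                "meadow", "copper", "saffron", "harbor", "quartz", "ember",
                "thimble", "walrus", "plinth", "zephyr"]
PRINTABLE = 94          # printable ASCII characters, space excluded
DIGITS, SYMBOLS = 10, 32

def passphrase_bits(words, list_size, digit=False, symbol=False):
    """Entropy in bits of `words` words chosen uniformly at random from a
    list of `list_size` entries, optionally followed by one random digit
    and/or one random symbol. Capitalising every word is a fixed rule, so
    it adds no entropy at all."""
    bits = words * math.log2(list_size)
    if digit:
        bits += math.log2(DIGITS)
    if symbol:
        bits += math.log2(SYMBOLS)
    return bits

def random_chars_bits(length, alphabet_size=PRINTABLE):
    """Entropy in bits of a machine-generated password of `length`
    characters drawn uniformly from an alphabet of `alphabet_size`."""
    return length * math.log2(alphabet_size)

def make_passphrase(words, wordlist=SAMPLE_WORDS):
    """Pick the words with the OS CSPRNG (never random.choice) and capitalise them."""
    return "".join(secrets.choice(wordlist).capitalize() for _ in range(words))

if __name__ == "__main__":
    n = 7776  # assumed size of a diceware-style word list (6**5 entries)
    print(f"8 random chars:         {random_chars_bits(8):.1f} bits")
    print(f"12 random chars:        {random_chars_bits(12):.1f} bits")
    print(f"4 words of {n}:       {passphrase_bits(4, n):.1f} bits")
    print(f"4 words + digit + sym:  {passphrase_bits(4, n, True, True):.1f} bits")
    print(f"5 words of {n}:       {passphrase_bits(5, n):.1f} bits")
    print("sample (16-word list only):", make_passphrase(4))
```

Four words from a 7,776-entry list land close to an 8-character random password; the appended digit and symbol, or the fifth word, are what push the passphrase clearly past it.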
How to create a good password with a computer
If you want better passwords than four or five random words, we’re back to machine-generated passwords. The web site will tell you the longest password it allows, and will tell you what characters it allows. One of the security tools I use every day doesn’t allow certain special characters, but I always forget which ones by the time it’s time for me to change my passwords. I once banked at a bank that only allowed uppercase and lowercase letters and numbers, and didn’t allow any passwords longer than 9 characters. That’s not good. I don’t bank there anymore.
Now, visit a password-generator web site. Just search for one with your favorite search engine. The specific one you use doesn’t matter. Most will generate passwords for you and let you choose the mix of characters and the length. Choose the longest length the site in question allows. Hey, if we’re going down the slippery slope of four words not being good enough, I’m not letting you off the hook.
But I know you’re asking: what if the password-generating web site saves my password? I’m a step ahead of you. Change a few of the characters. Not all of them. Because of the way web sites store passwords, it’s not possible to tell how close two passwords are to each other. So strictly speaking, changing four of the characters doesn’t improve the password any more than changing just one of them. If the generator included symbols that your web site doesn’t allow, change them to characters that are allowed. What you change them to doesn’t matter.
So there you have it. Now you have a really long, really random password. If it’s 64 characters long, so what? You won’t be typing it. You probably won’t be changing it either. There’s not really any need.
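An added example (not code from the original post) that generates the longest password a site allows from only the characters it accepts, swaps out any rejected symbols, and shows why changing one character buys as much as changing four: the stored hash of either version differs from the original in about half of its bits, so nothing in it reveals how close the two passwords are. The 64-character limit and allowed set are constructed, and SHA-256 stands in for whatever hash a site actually uses.

```python
import hashlib
import secrets
import string

def generate_password(max_length, allowed):
    """Machine-generated password of the longest length a site allows,
    drawn uniformly (OS CSPRNG) from the characters that site accepts."""
    if max_length < 1 or not allowed:
        raise ValueError("need a positive length and a non-empty alphabet")
    return "".join(secrets.choice(allowed) for _ in range(max_length))

def fit_to_site(password, allowed):
    """Replace every character the site rejects with a random allowed one.
    What it is replaced with does not matter, only that it is allowed."""
    return "".join(c if c in allowed else secrets.choice(allowed) for c in password)

def alter(password, positions, allowed):
    """Swap the characters at the given positions for different allowed ones."""
    chars = list(password)
    for i in positions:
        chars[i] = secrets.choice(allowed.replace(chars[i], ""))
    return "".join(chars)

def hash_bit_distance(a, b):
    """Number of differing bits between the SHA-256 digests of two passwords.
    SHA-256 is used only to illustrate; a site should store passwords with a
    slow, salted hash such as bcrypt or Argon2, which has the same property."""
    da = int.from_bytes(hashlib.sha256(a.encode()).digest(), "big")
    db = int.from_bytes(hashlib.sha256(b.encode()).digest(), "big")
    return bin(da ^ db).count("1")

if __name__ == "__main__":
    # Constructed site policy: 64 characters, letters, digits and a few symbols.
    allowed = string.ascii_letters + string.digits + "!@#$%^&*-_=+"
    pw = fit_to_site(generate_password(64, allowed + "<>|"), allowed)
    print(pw)
    # One changed character and four changed characters both move roughly
    # 128 of the digest's 256 bits; the hash says nothing about closeness.
    print(hash_bit_distance(pw, alter(pw, [0], allowed)))
    print(hash_bit_distance(pw, alter(pw, [3, 17, 40, 63], allowed)))
```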
Options for saving and retrieving your good passwords
Yes, I am telling you to save and retrieve your passwords. I would rather you use a password manager of some sort than save them in your web browser. There are problems with saving them in a web browser. I’d rather you save them in your web browser than use passwords like password123, but using a password manager is much safer.
But I know you’re asking: what if the password manager gets hacked? That is a possibility, so I’d rather you use a locally stored password manager like KeePass than an online one like 1Password. But the chances of your online password manager getting hacked are much lower than the possibility of someone guessing your weak password.
How to create a good password: In conclusion
Here’s the thing about passwords, and security in general. Perfection is the enemy of good. Inevitably, when you use whataboutism to talk yourself out of good practices, the alternatives you choose almost always end up being worse.
Good practices tend to be cumulative. Yes, something can go wrong, but good practices are often good for multiple reasons, and one of those other reasons may protect you. If nothing else, if someone steals my random 64-character password but that’s all they get, it’s not very useful. That password is too expensive in terms of computer time to be worth including in a password cracking database.
Someday, that will change. But by then, the web site will allow you to create longer ones. Change the password then.
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.