Under Construction

Consider how good of a password you need to secure different things. For example, with low-risk areas, such as an online news website, you can use an easy-to-remember password—you might even use the same password for other low-risk things. For very sensitive items, such as your system administrator password or an online bank account, use a unique, hard-to-guess password for each separate area, and do not reuse it elsewhere. This way, if one password is compromised (that is, someone figures it out), your other areas are not affected.

Bad Passwords:
No single words. No pet names. Not your name. If your password can be found in the dictionary, a book of baby names, or on your facebook profile, change it now.

Most common:
From The 25 Most Popular Passwords of 2011 at Gizmodo:
password (0.22 %), 123456, qwerty, abc123, monkey, 1234567, letmein, trustno1, dragon, baseball, 111111, iloveyou, master, sunshine, ashley, bailey, passw0rd, shadow, 123123, 654321, superman, qazwsx, michael, football

Good Passwords:
Don't use dictionary words,
or dictionary words with numeric substitutions, e.g. "H0u$e".

Use a long sequence of random characters. Include a mix of upper- and lowercase letters, numbers, special characters (punctuation marks).
I was using "-" (minus sign / hyphen / dash) as a special character but one account didn't accept it.
So now using $
The best Special Characters (appear on iPhone numeric keyboard and aren't excluded anywhere I could find) are:
None
iPhone numeric keyboard: - / : ; ( ) $ & @ " . , ? ! '
Social Security: ! @ # $ % ^ & *
Bank of America: @ # * ( ) + = { } / ? ~ ; , . - _
Chase allows: ! # $ % + / = @ ~
American Express allows: % & _ ? # = -
Citibank allows: _ . @ $
Costco excludes: < > " . \
GoDaddy cPanel (ftp) allows: ! @ # %
  GoDaddy help says ! @ # % ~ $ & are OK but they didn't work for ftp
eBay allows: ! @ # $ + * ^ ~ - (requires 2 of everything: upper, lower, number, special)
usps.org: - ( ) . & @ ? ' " # , / + !
Target allows any
Canon allows any
Verizon allows any
Humana allows only: # * $ @
See:
Your checking account is probably easier to hack into than your email — Quartz
Stupid Password Rules - Jim Pravetz 2015

Use two-factor authentication: have them send a code to your phone before login. It's simple to do for your Amazon, Facebook, Microsoft, Google and Apple accounts. I couldn't find how to set it up on either Apple or Facebook.

Other Ideas:
Some guides say to use characters typed while holding down the Option key (if the site or item supports it).
This could be a problem if you use different operating systems, e.g. Mac OS X and Windows, which might generate different characters with the Option key.

Passwords should be at least 8 characters.
The number of random combinations using upper and lower case letters:

Length  Combinations              Time *
6       19 Billion (10^9)         33 min
7       1 Trillion (10^12)        28 hrs
8       53 Trillion (10^12)       62 days
9       2.7 Quadrillion (10^15)   9 yrs

* Time to crack using a fast PC, dual processor (10 million passwords/sec - Class D).
Note: If your password is not random, i.e. it uses common words or phrases,
      it will be cracked much faster.
      See password cracking methods below.

A good general rule:
  Use 8, 9 or more characters.
  With one character from at least 3 of these groups:

   1. Uppercase letters (A-Z)
   2. Lowercase letters (a-z)
   3. Numbers (0-9)
   4. Punctuation characters (such as !, $, %, #)
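As an added example (not code from the original page), a small Python script that reproduces the combinations table above, checks a password against the general rule, and counts how few extra spellings method A's letter substitutions give a dictionary word; the punctuation set and the 100,000-word dictionary size are assumptions.

```python
import string

# Character groups from the page's "good general rule"; the punctuation set is
# an assumption, since the page only lists a few examples of special characters.
UPPER, LOWER, DIGITS = set(string.ascii_uppercase), set(string.ascii_lowercase), set(string.digits)
PUNCT = set("!$%#@&*()+=_-?/~;:,.'\"")

# Letter substitutions from "Some Methods", method A (uppercase forms handled below).
SUBS = {"s": "$5", "i": "1!", "a": "@", "t": "7", "e": "3", "g": "96", "o": "0", "b": "8"}

CRACK_RATE = 10_000_000  # passwords/second: the page's "Class D" fast PC


def character_groups(pw):
    """How many of the four groups the password draws characters from."""
    return sum(any(c in group for c in pw) for group in (UPPER, LOWER, DIGITS, PUNCT))


def meets_general_rule(pw):
    """The page's rule: 8 or more characters, from at least 3 of the 4 groups."""
    return len(pw) >= 8 and character_groups(pw) >= 3


def combinations(alphabet_size, length):
    """Search space for a truly random password (52 letters for the page's table)."""
    return alphabet_size ** length


def crack_seconds(candidates, rate=CRACK_RATE):
    """Worst-case seconds to try every candidate at the given rate."""
    return candidates / rate


def substitution_variants(word):
    """Spellings a cracker must try to cover method A on one dictionary word:
    each letter as itself, uppercased, or any of the page's substitutes."""
    n = 1
    for c in word.lower():
        n *= len({c, c.upper(), *SUBS.get(c, "")})
    return n


def effective_candidates(word, dictionary_size):
    """Candidates for a mangled dictionary word; dictionary_size is an assumed
    size for the attacker's word list, not a figure from the page."""
    return dictionary_size * substitution_variants(word)


if __name__ == "__main__":
    for length in (6, 7, 8, 9):  # reproduces the page's table
        c = combinations(52, length)
        print(f"{length} letters: {c:,} combinations, {crack_seconds(c) / 86400:.1f} days")
    secs = crack_seconds(effective_candidates("house", 100_000))  # vs. 62 days for 8 random letters
    print(f"'house' has {substitution_variants('house')} variants; 100,000-word list: {secs:.1f} s")
```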

Some Methods:
A. Use words or phrases with numbers and special characters substituted for letters. e.g.
1) $, S or 5 for s
2) 1, I or ! for i
3) @ or A for a
4) 7 or T for t
5) 3 or E for e
6) 9, G or 6 for g
7) 0 or O for o
8) 8 or B for b
Note: Password crackers are becoming aware of this,
so by itself it is not as good as some of the following.
B. Intermingle words: e.g. 49ers + Don 4D9oenrs

C. Use the first letter of each word of a phrase and then method A above:
To be or not to be that is the question -> Tbontbtitq -> 7b0n7B7!7?
D. Other phrase tricks:
Oh me oh my! -> 0Me0meye!
got lost! -> gOt%L0st!
help for me (money) -> heLP4me$
Raindrops keep falling on my head -> rsKf0myH

What not to use:
common words or names
reversing a word,
capitalizing the last letter.

In 1992, Gene Spafford cracked (.pdf) 20 percent of passwords.

Password Cracking
The principle behind password cracking is quite simple: take a large word list, encrypt each word and check if the encrypted string matches the user's password. Word lists that are used frequently include English and other language dictionaries, common names, pet names, television and movie characters, character patterns on keyboards (for example, qwerty) and jargon or slang terms.

Links:
Password Managers
A Really Good Article on How Easy it Is to Crack Passwords - Schneier on Security
Password security & protection from Better Money Habits
What's My Pass? » The Top 500 Worst Passwords of All Time - 2008
AusCERT - Choosing good passwords
Password Checker at Microsoft
Strong passwords: How to create and use them at Microsoft
Diceware Passphrase Home
Creating Good Passwords - Antionline Forums - Maximum Security for a Connected World
Choosing good passwords in Mac OS X



last updated 1 Mar 2009