Under Construction

Consider how good of a password you need to secure different things. For example, with low-risk areas, such as an online news website, you can use an easy-to-remember password—you might even use the same password for other low-risk things. For very sensitive items, such as your system administrator password or an online bank account, use a unique, hard-to-guess password for each separate area, and do not reuse it elsewhere. This way, if one password is compromised (that is, someone figures it out), your other areas are not affected.

Bad Passwords:
No single words. No pet names. Not your name. If your password can be found in the dictionary, a book of baby names, or on your facebook profile, change it now.

Most common:
At The 25 Most Popular Passwords of 2011 at Gizmodo
password (0.22 %), 123456, qwerty, abc123, monkey, 1234567, letmein, trustno1, dragon, baseball, 111111, iloveyou, master, sunshine, ashley, bailey, passw0rd, shadow, 123123, 654321, superman, qazwsx, michael, football

Good Passwords:
Don't use dictionary words

Or dictionary words with numeric substitutions e.g. "H0u$e,"

Use a long sequence of random characters. Include a mix of upper- and lowercase letters, numbers, special characters (punctuation marks).
Two unrelated words are better than 1.

Special Characters
The most frequently allowed special characters are ! $
See below:
I also use "-" because it is below the 1 on the iPhone numeric keypad
Ken Spensers likes ! $ ?
@ is also good

As far as special characters and numbers, the best combination may depend on what hardware you use.
I like ! which is above the 1 on a laptop keyboard, above the a on an android tablet and 2 rows below the 7 on an iPhone and to the right of the M on an iPad.
Where Not Allowed
@ - American Express,
! - BofA, Amex, Citi-bank
$ - BofA, GoDaddy, USPS, Cigna
? - IRS, Chase, Amex,Citi-bank,GoDaddy, eBay, Medicare, SW Airlines, Cigna
- - IRS, SocSec, Chase, Citi-bank, GoDaddy, Medicare, SW Airlines, Cigna
Special Characters Allowed
IRS !@#$%&* Social Security ! @ # $ % ^ & *
Bank of America @ # * ( ) + = { } / ? ~ ; , . - _
Chase allows ! # $ % + / = @ ~.
American Express allows %,&, _, ?, #, =, -
Citi-bank Allows _ . @ $
Costco excludes < > " . \
GoDaddy CPanel (ftp) allows ! @ # %
  GoDaddy help says !,@,#,%,~,$,& are OK but they didn't work for ftp
eBay allows ! @ # $ + * ^ ~ - (Requires 2 of everything Upper lower num special) usps.org - ( ) . & @ ? ' " # , / + !
Ericsson HR ^$+*?.|(){}[]\'~!@#%&-_=;,?/ Target allows any
Canon allows any
Verizon allows any
Humana allows only # * $ @
Medicare allows only @ ! $ % ^ * ( )
Southwest Airlines ! @ #$%^*(),.;:/\
Cigna allows _ ! . & @

iPnone Numeric keypad

1 2 3 4 5 6 7
- / : ; ( ) $
   .  ,  ?  !
Many sites require 8 characters with an upper case and lower case letters, a number and a special character.
Ken Spencers algorithm:
Use the same phrase everywhere with a two letter prefix. Capitalize the first letter.
e.g. Standard phrase Xxdoonloon!1
American Airlines: Amdoonloon!1
Amazon: Amdoonloon!1 (There aren't too many that would be duplicates)
Wells Fargo: Wedoonloon!1 (ken always uses the firt two letters for consistency).
I like Wfdoonloon!1 because It's easier for me to remember.

Your checking account is probably easier to hack into than your email — Quartz
Stupid Password Rules - Jim Pravetz 2015

Use two-factor authentication. Have them send a code to phone before login. It's simple to do for your Amazon, Facebook, Microsoft, Google and Apple accounts. I couldn't find how to set it up on either Apple or Facebook.

Other Ideas:
Some guides say use characters typed while holding down the Option key (if the site or item supports it).
This could be a problem if you use different operating systems e.g. Mac OS X and Windows which might generate different characters with the option key.

Passwords should be at least 8 characters.
The number of random combinations using upper and lower case letters:

Length  Combinations          Time *
6       19 Billion (109)      33 min
7        1 Trillion (1012)    28 hrs  
8       53 Trillion (1012)    62 days
9       2.7 Quadrillion (1015) 9 yrs
*Time to crack using a Fast PC, Dual Processor (10 Million passwords/sec - Class D)
Note: If your password is not random. i.e. uses common words or phrases,
      it will be much faster.
      See password cracking methods below:
A good general rule:
  Use 8, 9 or more characters.
  With one character from at least 3 of these groups:

   1. Uppercase letters (A-Z)
   2. Lowercase letters (a-z)
   3. Numbers (0-9)
   4. Punctuation characters (such as !, $, %, #)

Some Methods:
A. Use words or phrases with numbers and special characters substituted for letters. e.g.
1) $, S or 5 for s
2) 1, I or ! for i
3) @ or A for a
4) 7 or T for t
5) 3 or E for e
6) 9, G or 6 for g
7) 0 or O for o
8) 8 or B for b
Note: Password crackers are becoming aware of this,
so by itself it is not as good as some of the following.
B. Intermingle words: e.g. 49ers + Don 4D9oenrs

C. Use the first letter of phrases and then method A above.
To be or not to be that is the question -> Tbontbtitq -> 7b0n7B7!7? C. Other phrase tricks:
Oh me oh my! -> 0Me0meye!
got lost! -> gOt%L0st!
help for me (money) -> heLP4me$
Raindrops keep falling on my head -> rsKf0myH

What not to use:
common words or names
reversing a word,
capitalizing the last letter.

1992 Gene Spafford cracked (.pdf) 20 percent of passwords.

Password Cracking
The principle behind password cracking is quite simple: take a large word list, encrypt each word and check if the encrypted string matches the user's password. Word lists that are used frequently include English and other language dictionaries, common names, pet names, television and movie characters, character patterns on keyboards (for example, qwerty) and jargon or slang terms.

. Password Managers
A Really Good Article on How Easy it Is to Crack Passwords - Schneier on Security
Password security & protection from Better Money Habits
What's My Pass? » The Top 500 Worst Passwords of All Time - 2008
AusCERT - Choosing good passwords
Password Checker at Microsoft
Strong passwords: How to create and use them at Microsoft
Diceware Passphrase Home
Creating Good Passwords - Antionline Forums - Maximum Security for a Connected World
Choosing good passwords in Mac OS X
Password Breaking:
Breaking passwords composed of random sequences, not necessarily dictionary words, which are easier to break.

Graphical Processing Units (GPUs) are one of the most common types of hardware used by deep learning software developers. GPUs are often used in the training of AI models.

Return to Computer Security

last updated 1 Mar 2009