
How do I make a secure password if I can't use special characters?

Question:

If special characters are not allowed in a password, what hints do you have
to make the most secure password?

In this excerpt from Answercast #34, I look at the most important technique for making a safe password: length.


A secure password

That’s actually pretty easy. (It’s also, unfortunately, fairly common. I’ve seen a number of sites that restrict your password to only letters and numbers.)

  • The answer’s pretty simple: just make your password longer.

Where you might be tempted to enter only eight characters or perhaps ten, add a couple more: go for twelve or fourteen or sixteen. It doesn’t have to be an even number. Go for fifteen if you like.

Length matters

The important thing here is that:

  • Length matters more than the other techniques we’ve been taught for making sure our passwords are strong.

It’s been theorized that an eight-character password that has completely random characters in it (including special characters) is technically less secure than, say, a ten-character or twelve-character password that has only alphanumerics in it.

So simply make your password longer.

Restricted lengths

Now, unfortunately, and I’m seeing this from time to time as well:

  • Some services don’t allow you to have an arbitrarily long password.

There’s actually no technical reason for that, and yet some systems have that limit. If you’re limited to an eight-character or ten-character password, then:

  • Maximize the length of your password to as long as that system will accept, and then

  • Make sure to use as many different kinds of characters as they do allow.

But, in general, if you can get yourself up to 12 characters, I’m actually OK with you using only alphanumeric characters.
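The arithmetic behind "Length matters" and "Restricted lengths", as an added example that is not part of the original article: it counts how many passwords exist for a given length and allowed character set, and finds the alphanumeric length that matches an eight-character password using every printable character. It assumes each character is picked at random from the 95 printable ASCII characters; the function and constant names are illustrative.

```python
import math
import string

# Character classes a site's password policy may allow.
CLASSES = {
    "lower": string.ascii_lowercase,         # 26
    "upper": string.ascii_uppercase,         # 26
    "digit": string.digits,                  # 10
    "special": string.punctuation + " ",     # 32 symbols plus space = 33
}
ALL = ["lower", "upper", "digit", "special"]  # 95 printable ASCII characters
ALNUM = ["lower", "upper", "digit"]           # 62: letters and numbers only


def alphabet_size(allowed):
    """Number of distinct characters available under a policy."""
    return sum(len(CLASSES[name]) for name in allowed)


def search_space(allowed, length):
    """How many passwords of exactly `length` characters exist."""
    return alphabet_size(allowed) ** length


def bits(allowed, length):
    """The same search space expressed in bits (log2)."""
    return length * math.log2(alphabet_size(allowed))


def min_length_to_match(allowed, target_allowed, target_length):
    """Shortest length under `allowed` that is at least as hard to
    exhaust as `target_length` characters drawn from `target_allowed`."""
    target = search_space(target_allowed, target_length)
    length = 1
    while search_space(allowed, length) < target:
        length += 1
    return length


if __name__ == "__main__":
    rows = [("8 chars, everything allowed", ALL, 8),
            ("8 chars, letters and numbers", ALNUM, 8),
            ("10 chars, letters and numbers", ALNUM, 10),
            ("12 chars, letters and numbers", ALNUM, 12)]
    for label, allowed, n in rows:
        print(f"{label:30} {search_space(allowed, n):.2e}  {bits(allowed, n):5.1f} bits")
    print("alphanumeric length matching 8 random printable chars:",
          min_length_to_match(ALNUM, ALL, 8))
```

These counts only hold for randomly chosen characters; a long password built from an obvious word or pattern is guessed far sooner than its length suggests.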


5 comments on “How do I make a secure password if I can't use special characters?”

  1. You touched on the obvious answer, but didn’t explicitly state it.

    USE UPPER CASE.

    Many of the recently published hacks point out that most passwords are lowercase. Simply adding a mix of upper case letters to your password significantly reduces the chance of hacks, especially if they are not first or last letters.

  2. As explained on Steve Gibson’s site, https://www.grc.com/haystack.htm, in addition to using at least one capital and one lower case letter, periods, commas and spaces are just as effective at adding length as special characters, and length is the primary protection. 123456 is trivial. 1 2 3 4 5 6 or 1.2.3.4.5.6. are not.

  3. Hi,
    I think that you have covered most of the issues re. passwords (apart from obvious advice such as not posting passwords over the net, not writing them down on “sticky notes” or not giving them to colleagues when you’re going on vacation).
    There’s one thing I remember from a long, long time ago (i.e. the age of the Commodore 64 and the likes): using backspaces in such a way that on screen the characters following those backspaces SEEMED to be overwritten. Wouldn’t that be a good idea to implement on today’s sites or incorporate in end-user programs that use password protection? Perhaps someone might even earn a buck or two for writing the code, or even better: make it available to the general public ;-)
    Of course it wouldn’t keep malicious hackers from stealing passwords nor keep users and sysadmins from continuing “bad practice”…
    Greetz,
    Pat.

  4. Leo,

    As one of the more paranoid web users out here, I have pretty much stayed away from using my Hotmail account for anything really important because of their insistence on limiting passcodes to 16 characters. (Most of the passcodes for my other email accounts are 30+ characters.) And I’m also wary because of the frequency with which Hotmail accounts are attacked and successfully cracked (or hacked). I often think of my Hotmail account like my grandpappy’s old country house: Doors rarely locked (i.e. poor security) but no articles stolen. IOW, I feel like my Hotmail account isn’t necessarily *safe*; it’s just not (yet) targeted.

    But you’re saying that 15-16 characters can actually succeed at being a good, safe, secure passcode these days despite all the brute force capabilities and such that exist? You’d have no worries at all with a Hotmail account with such a passcode?

    “No” worries is a bit strong, but yes, I believe 12 characters or more is sufficient today, given that the password you choose is not obvious.

    Leo
    14-Jul-2012
