In a world where we measure things (like speaker volume) from 0 to 10, it’s time to crank your password strength up to 11. Take whatever you think a strong password might be and make it stronger.
Unfortunately, too many people still have their password strength firmly planted at zero.
- An annual report of most popular passwords remains disheartening.
- Length trumps everything.
- Long passwords don’t have to be hard.
- Password managers make long, strong passwords easy to deal with.
- Take the time to replace your weak passwords.
And the most popular password is…
SplashData recently released its report of the 100 most common passwords. Analyzing over five million hacked and leaked databases of passwords, they tallied up the most popularly used passwords, and the result is … depressing.
The top five include:
- 123456
- password
- 123456789
- 12345678
- 12345
The rest of the list is more diverse but just as obvious, including passwords like “iloveyou”, “qwerty”, “charlie”, “donald”, and many more horrific choices.
Not only are they simple, easy to guess, and clearly on the list of the very first passwords hackers try, but they also suffer from the greatest sin of all, in my opinion.
They’re short.
Length matters
When it comes to passwords, length trumps everything. For example, let’s take that #1 offender above:
123456
A six-character password. Ugh. But adding a simple pattern to turn it into a 20-character password makes it a pretty reasonable choice:
****** 123456 ******
All I did was add six asterisks before and after, separated by a space. And yes, as simple as that pattern appears to be, it’s a strong password. Much stronger than 123456, and just as easy to remember. (Caveat: it’s a weaker password in that it’s been published here as an example. Don’t use this exact password; use it as an example of a simple technique to lengthen otherwise poor passwords.)
Again, length trumps everything.
Long doesn’t mean hard
I’ll admit that throwing asterisks before and after a password doesn’t feel secure, even though it is. It just doesn’t feel like we did enough work.
But, to build on perhaps the most quoted XKCD comic of all time — Correct Horse Battery Staple — combining unrelated words can be both strong and memorable.
I recently set up an account for a friend and did exactly that. When it came time to generate a password, I looked around my desk, picked three random items I saw, combined them with a fourth item this friend and I had in common, and — poof — a password that was long, strong, and easy to remember.
To repeat my exercise, here’s another:
SpeakerCoffeeMixerFacebook
That’s a 26-character password. If you need special characters, add spaces, or an exclamation point in what for you might be a “standard” location, like at the end or after the first word.
Password managers make it even easier
As easy as that password is to create, and as memorable as it may be, if you have a lot of different passwords (and who doesn’t), it can still be difficult to keep ’em all straight. Enter the password manager, which remembers them for you. That way, you need only remember one password — presumably also of the long and memorable variety — and the password manager does the rest.
Because I use a password manager (LastPass), I don’t bother combining words for the majority of my passwords. I go all-in and let the secure password generator do the trick. For example, most of my passwords look like this:
xMpba3HxDFvKk73mrAfA
That’s 20 characters of completely random alpha-numeric data. If I need a special character, I’ll throw one in somewhere, making it a 21-character password.
I couldn’t tell you most of my passwords. Not from memory, anyway.
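As an added example (not code from Ask Leo! or from LastPass), here is how the two kinds of password described above, a generator-style random string and a combined-words passphrase, can be produced with Python’s `secrets` module, which draws from the operating system’s cryptographic random source rather than from a person looking around a desk. The word list, symbol set and function names are constructed for the illustration; a real passphrase list should be much larger, because the strength of a passphrase depends on how many words the picker had to choose from.

```python
import secrets
import string

# Added example; hypothetical helper names, not LastPass's generator.
ALNUM = string.ascii_letters + string.digits   # 62 alphanumeric symbols
SYMBOLS = "!@#$%^&*?-"                          # constructed symbol set for sites that demand one

# Constructed word list (32 entries). A real list such as the EFF diceware
# list is far larger, and the strength of a passphrase depends on that size.
WORDS = [
    "speaker", "coffee", "mixer", "stapler", "battery", "horse", "lamp", "pencil",
    "window", "bottle", "keyboard", "monitor", "notebook", "cactus", "mug", "charger",
    "ruler", "tape", "folder", "clock", "plant", "scissors", "marker", "headset",
    "candle", "basket", "eraser", "wallet", "pillow", "blanket", "bucket", "ladder",
]


def random_password(length: int = 20, alphabet: str = ALNUM) -> str:
    """Generator-style password: each position drawn uniformly from `alphabet`
    using the OS CSPRNG, the way a password manager's generator works."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def add_symbol(password: str, symbols: str = SYMBOLS) -> str:
    """Insert one symbol at a random position, turning a 20-character
    alphanumeric password into a 21-character one with a special character."""
    pos = secrets.randbelow(len(password) + 1)
    return password[:pos] + secrets.choice(symbols) + password[pos:]


def passphrase(word_count: int = 4, words=WORDS, sep: str = "") -> str:
    """Correct-horse-battery-staple style: unrelated words chosen at random
    (not by a person), capitalised so the word boundaries stay readable."""
    return sep.join(secrets.choice(words).capitalize() for _ in range(word_count))


def split_passphrase(phrase: str) -> list:
    """Recover the words of a phrase built with sep='' by splitting at capitals."""
    words, current = [], ""
    for ch in phrase:
        if ch.isupper() and current:
            words.append(current.lower())
            current = ""
        current += ch
    if current:
        words.append(current.lower())
    return words


if __name__ == "__main__":
    print(random_password())                 # 20 random alphanumerics
    print(add_symbol(random_password()))     # 21 characters, exactly one symbol
    print(passphrase())                      # e.g. CoffeeLadderHorseMug
```

`secrets.choice` is used instead of `random.choice` deliberately: the `random` module is seeded predictably and is not suitable for secrets. With the 32-word constructed list each word contributes only 5 bits, so the passphrase function is the pattern to copy, not the list.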
Just do it
I talk about passwords and password strength a lot because, like it or not, passwords are here to stay. They’ll continue to be an important part of your online and account security for the foreseeable future. Even adding two-factor authentication — as you should, if it’s offered — you’re still relying on the strength of your password as your first line of defense.
Review your passwords and replace short ones with something longer and more secure.
And if you’re using anything on this list, don’t delay a moment longer. Go change that password now.
One of the reasons that I would use a password like 1 2 3 4 5 6 is because it’s some website or something that I’m never ever going to use again. It’s easier just to use a password like that to be able to get to the next step on a webpage.
Passwords are an archaic form of security. There are better things to use; it’s just that they are a cheap form of security.
As long as you don’t mind someday perhaps being impersonated on that website you’ll never use again, or having whatever other information you left there compromised, then by all means, use 123456. It’s my belief, however, that even on these throw-away sites having the account compromised someday will have ramifications you’d probably prefer to avoid.
And while I agree passwords are archaic, for many, many, MANY sites, they’re all we have. Making sure they’re appropriately secure remains very important.
Well, if the password is «1 2 3 4 5 6» with all the spaces, then it’s much more secure than plain «123456», as it goes from 6 characters up to 11, not all numeric. But, in my opinion, it’s still too short.
«1 2 3 4 5 6 € 1 2 3 4 5 6» is way better at 25 characters, with a symbol as a bonus.
Many websites don’t allow spaces in passwords.
…And not all of them allow special characters, either!
Sadly and strangely true :-(
I’ve just had to generate a password on a site with an online shop, and they do not allow special characters (not that I regard # as particularly special, but still – it’s not even a ‘shift’ character).
Sites also need to work harder on their error messages too, where passwords are simply rejected without any explanation why.
I always enjoy and learn from your password articles. Thanks. And I wonder why people just fight against using password managers. LastPass or Password Safe are free and about the best I have ever tried… no limits and sooo easy to use and also portable.
Second you, Leo. LastPass is one of the best password managers indeed. I’ve been using it for years now without hassles.
If you use LastPass, are you on a paid membership or free? I also use it (Free) and no support is available.
Thanks,
Jim
I used to have a bank that only allowed a 4 number password and no special characters! Wow! I wouldn’t use their online services. Glad they have changed their ways.
A trusted password manager sounds great in the context of a secured private wifi. What if I must log in on a public wifi somewhere and rely on a password manager because my passwords are gibberish. Am I essentially not giving criminals my wallet by doing so?
NOT AT ALL. Password managers mostly store their data on your hard disk, and when they do update over the internet their connections are all encrypted. Make sure you’re using the hotspot safely in general (https connections, etc.) and it’s fine. I do it all the time.
I have heard that some site use a “hash” of the password in place of the password. The hash is short and derived from the password, making it easier for the site. Since a list of all possible hashes is also short, it would seem to be a weak point against hacking. Is this still done?
Hashes of short passwords can be cracked using rainbow tables, tables generated by hashing every possible combination of characters. Those can be defeated by very long passwords, making the list too long to fit in a usable file. Websites can defeat those attacks by “salting” the hash, adding information in addition to the password when creating the hash.
It’s considered best practice. That way the service doesn’t store your actual password, and in fact has no way to tell you what your password is. Hashes are not short — often they’re longer than the password. But selecting a good hashing algorithm (it’s a mathematical function) is one of the most important parts when services design or set up their security.
Storing the hash of entered passwords is only secure (and “best practice”) if the hashes have been salted. If they haven’t been salted, they’re vulnerable to a rainbow table attack.
True.
My solution would have been l0ngl1veth32u33n ;-)
Rainbow table attacks are only effective against common passwords, passwords that have already been compromised, or passwords that match password guesses that have already been hashed. They use precomputed hashes, so the work has already been done. If your own password is long, strong, unique, and not already compromised, rainbow tables will completely miss your password.
I’m not saying that salting hashes is a bad idea, but it’s mostly to make rainbow table attacks harder. If your password is not vulnerable to a rainbow table attack, then salting its hash is superfluous. If your password is vulnerable to a rainbow table attack, then you should change it.
If the salt is long and strong it offers similar protection against a rainbow table or brute force attack as if you had used a password of that combined length. As if I added cyfTlt91iagIab99dykTyt03 to every password :-)
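The exchange above (the question about sites storing a hash, the rainbow-table replies, and the point that salting is what defeats precomputed tables) can be shown in a few lines of Python. This is an added example, not code from Ask Leo! or from any of the commenters: it builds a tiny precomputed table from the page’s own top-five leaked passwords, shows that an unsalted SHA-256 of one of them is matched instantly, and then shows that the same password stored with a random per-user salt and PBKDF2 is not in that table while still being verifiable by the site. The function names and the 16-byte salt / 200,000-iteration choices are assumptions for the illustration.

```python
import hashlib
import hmac
import os

# Constructed lookup table: the page's top-five leaked passwords hashed once,
# the way a precomputed (rainbow-style) table stores work done in advance.
COMMON = ["123456", "password", "123456789", "12345678", "12345"]


def unsalted_hash(password: str) -> str:
    """Plain SHA-256: the same password always yields the same hash, so one
    precomputed table matches it in every database that stores it this way."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


PRECOMPUTED = {unsalted_hash(p): p for p in COMMON}


def lookup_unsalted(stored_hash: str):
    """Return the password behind a stored unsalted hash if it was precomputed."""
    return PRECOMPUTED.get(stored_hash)


def salted_hash(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """PBKDF2-HMAC-SHA256 with a per-user salt: the salt changes the output,
    so a table built without it is useless, and the iterations slow each guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def store_password(password: str) -> dict:
    """What the site keeps: a random 16-byte salt and the derived hash (assumed sizes)."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": salted_hash(password, salt)}


def verify_password(record: dict, attempt: str) -> bool:
    """Recompute with the stored salt; constant-time compare avoids leaking matches."""
    return hmac.compare_digest(record["hash"], salted_hash(attempt, record["salt"]))


def salted_in_table(record: dict) -> bool:
    """Can the precomputed table recover a salted record? It cannot."""
    return record["hash"].hex() in PRECOMPUTED


if __name__ == "__main__":
    print(lookup_unsalted(unsalted_hash("123456")))       # 123456: found at once
    rec = store_password("123456")
    print(verify_password(rec, "123456"), salted_in_table(rec))   # True False
```

The salt does not make a weak password strong; a guess-by-guess attack against the salted record still finds 123456 quickly, because it is the first thing tried. What the salt removes is the ability to do that work once for every site, which is the point made in the replies above.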
Here’s my estimate of expected time needed to find a password chosen from 90 different characters (alphabet, numbers, specials) at 100,000 tries per second, picking at random without duplication, i.e. expect to find the password in half the possibilities.
It appears the problem with length 6 is that they are easily guessed.
| Characters in password | Possible passwords | Seconds to crack | Days to crack |
|---|---|---|---|
| 1 | 90 | 0.00045 | |
| 2 | 8100 | 0.0405 | |
| 3 | 729000 | 3.65 | |
| 4 | 65610000 | 328 | |
| 5 | 5904900000 | 29,525 | 0.34 |
| 6 | 5.31441E+11 | 2,657,205 | 31 |
| 7 | 4.78297E+13 | 239,148,450 | 2768 |
| 8 | 4.30467E+15 | 21523360500 | 249,113 |
| 9 | 3.8742E+17 | 1.9371E+12 | 22,420,167 |
| 10 | 3.48678E+19 | 1.74339E+14 | 2,017,815,047 |
| 11 | 3.13811E+21 | 1.56905E+16 | 1.81603E+11 |
Sorry for the wacky alignment in my table. Website vs editor…
What do you think about using the first letter of songs, phrases, hymns, various well-known sayings, etc.? Much easier to remember on the occasion you’re not on your personal PC.
Just make it long.
I use an approach similar to this. Here’s my advice:
1. If you plan on using the first letter of song lyrics, then be sure you are only using a small part of the song, and incorporate 2 or 3 songs (preferably from 2 or 3 different artists) into your password. An example might look like this: cyftltiagiabdyktyt.
2. Construct the password in an intuitively memorable order. Chronological works well, as does alphabetical. Also, if you decide to mix capital letters with lower case, maybe you want to be sure you remember which letters you capitalized, so have a memorable method for that, like perhaps every fourth letter of each song: cyfTltiagIabdykTyt. Be consistent, so there’s less to screw up later.
3. Obviously, longer is better. It’s not difficult to turn 3 songs into an 18-24 character password, especially if you throw some numbers in the password, too: cyfTlt91iagIab99dykTyt03.
Special thanks to Elton John, Christina Aguilera, and Britney Spears.
Whoever would have thought that those three would be a) mentioned in the same sentence, b) about computer security.
Not often mentioned is the user name. Does using your email address for the user name create a starting point for potential hacking? Worse yet, if your password is discovered, can a potential hacker use your email address at popular web sites like Amazon to begin their dastardly work?
It’s less important, but yes … your username is, in a sense, also part of your security information. And, indeed, once hackers know your email address and password they’ll go trying that on other popular services to see if you have accounts there that use the same credentials.
Use of actual words does make hacking a bit easier as one method hackers will try is a dictionary attack where the hacking software is on the lookout for actual words. So, not using actual words (at least not in the whole password) makes dictionary attacks much less likely to be successful.
That’s been the conventional thought, but as it turns out a) there are a lot more words than letters, and b) words make it easier to remember which in turn leads to c) words make it much easier to have a long password. And length trumps almost everything.
ALWAYS use respelling in your passwords/passphrases! In other words, instead of Long Live The Queen, instead use Lawng Lihv Duh Kwean.
Using normal words in a password merely invites a brute-force dictionary attack.
If the password is long enough (and I’d claim that 4 words ~20 characters is long enough today), then what would be a literal dictionary attack remains infeasible. There are many more words than, say, letters.
If you restrict yourself to only the most common words, that’s a pool of about 1500 words.
My «pocket» dictionary lists about 24000 words and idioms.
If you take only 4 of the most common English words as a passphrase, that’s 1500^4, or 5 062 500 000 000 total passphrases.
If you take any 4 from that source, that’s 331 776 000 000 000 000 different passphrases. Add a fifth word and you have 24000 times more passphrases!
Whoever is trying to crack that doesn’t know the length, whether there are spaces, your source of words, whether you even used actual words at all, whether you ever used any alternative spelling or character substitution, or what language you used.
If your passphrase is 3 or more words long, a dictionary attack is no longer practical.
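Two of the comments above do the same arithmetic by hand: the crack-time table (90 symbols, 100,000 guesses per second, expect to search half the space) and the word-count comparison (4 of 1500 common words versus 4 or 5 of 24000 dictionary words). As an added example that is not part of the original discussion, the Python below carries that arithmetic through in one place and generalizes it to any symbol count, dictionary size or guess rate; the function names and the entropy-in-bits column are additions for the illustration.

```python
import math

GUESSES_PER_SECOND = 100_000   # the rate assumed in the comment's table
SECONDS_PER_DAY = 86_400


def search_space(symbols: int, length: int) -> int:
    """Distinct passwords of `length` positions, each drawn from `symbols` choices."""
    return symbols ** length


def expected_seconds(space: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Expected time to hit the right guess: on average half the space is searched."""
    return space / rate / 2


def expected_days(space: int, rate: int = GUESSES_PER_SECOND) -> float:
    return expected_seconds(space, rate) / SECONDS_PER_DAY


def crack_table(symbols: int = 90, max_length: int = 11, rate: int = GUESSES_PER_SECOND):
    """Rows of (length, possibilities, seconds, days), reproducing the comment's table."""
    rows = []
    for length in range(1, max_length + 1):
        space = search_space(symbols, length)
        rows.append((length, space, expected_seconds(space, rate), expected_days(space, rate)))
    return rows


def passphrase_space(dictionary_size: int, words: int) -> int:
    """Passphrases of `words` words, each drawn from a dictionary of `dictionary_size`."""
    return dictionary_size ** words


def bits(space: int) -> float:
    """Entropy in bits: log2 of the number of equally likely choices."""
    return math.log2(space)


if __name__ == "__main__":
    print("chars  possibilities      seconds         days  bits")
    for length, space, secs, days in crack_table():
        print(f"{length:>5}  {space:>13.5g}  {secs:>11.5g}  {days:>11.5g}  {bits(space):5.1f}")
    print()
    for label, space in [
        ("4 of 1500 common words", passphrase_space(1500, 4)),
        ("4 of 24000 dictionary words", passphrase_space(24000, 4)),
        ("5 of 24000 dictionary words", passphrase_space(24000, 5)),
        ("11 random symbols from 90", search_space(90, 11)),
    ]:
        print(f"{label:<28} {space:>25,d}  {bits(space):5.1f} bits  {expected_days(space):.3g} days")
```

Read the days column relatively, not absolutely: 100,000 guesses per second is the commenter’s figure for illustration, and an offline attack against a leaked database of fast, unsalted hashes runs many orders of magnitude faster than that. The ratios between rows survive any change of rate, which is why each extra character or word matters so much more than swapping a letter for a symbol.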
Before password managers, the company I worked with used a password algorithm. Here is how it worked. Start with a first name. Mine is BRUCE. Interlace parts of your birth date. Mine is 03081941. So, the password becomes: b0r3u0c8e1. It had to be 12 or more characters. Adding “@” at the beginning or end made it: @b0r3u0c8e1@. The last letter was always capitalized. Now we have @b0r3u0c8E1@. That password would slow down most amateurs and cause most professionals to look for a different opportunity. The source was two simple data items that you could always remember.
I find it useful to use words from an obscure language.
I hate passwords and long for the day when we get something better but probably won’t happen in my lifetime. For years I’ve used 2 password managers, Keepass and Lastpass.
Started out long ago with Keepass, which is open source and free. I use the portable version so it does not even have to be installed. It stores passwords in an encrypted database and I keep a copy of it in my Onedrive account so it can be accessed from my other devices. I only have to remember one password (for it) and can also use a key file for added security. It also has a good password generator.
I use Lastpass most of the time since it automatically fills in passwords but it just does not work well on some sites. Rather than ding around with it trying to figure out why I just keep a duplicate of all passwords in Keepass too and use it for manual entry with copy and paste in these cases. Also store the password for Lastpass in it so the only password I have to remember is for Keepass.
What do you think of Dashlane as a password manager? It appears to be free at the moment, but if I have to pay for one, you would prefer LastPass, right?
I’ve never used Dashlane but I’ve heard it’s from a reputable company. I use LastPass free and it does all I need. I’ve used the paid version but that was mainly because I like to give something to software developers to help continue to develop their product and not go hungry in the process.
I did use Dashlane, but found it too aggressively «helpful» at times, as it insists on auto-clicking the login button after filling in the user name and password. It made the process of changing a password quite painful.
Also, it often tended to peg my CPU at over 90% for HOURS.
Switched to LastPass and greatly appreciate it.
I know passwords that are long and complex are great. I do not always use the same computer so do not have a password manager often. Is there a work around? So I often use an easier password although they are definitely more secure than 123456.
LastPass has a web interface version where you log into your LastPass account and log in to websites from there.
One problem with PW managers is they don’t work with many sites. In fact I am seeing more non-working sites over the past year as security increases. Currently I am running 2 different managers because one may or may not work. Also they make it a PIA to copy the user name/password for cut and paste if the web site allows it. So it is tempting to use simple (but long) passwords.
I go the easy route for making my passwords. I simply randomly press heaps of keys, usually up to around 20 – 25 characters, then copy and paste to a dedicated file with whatever details needed to access a particular site.
That file is only on 2 (one’s a backup) small ext. drives that are only plugged in as required.
One thing that has bugged me ever since the days of smartphones is places that insist on having special characters in the password, and on a phone keyboard, that’s usually a royal pain. As Leo says, it’s better to type in a long string of characters than a short string with caps, nums and specs!
I have the same beef, but if you have to use a special character, some might accept a period or a comma which are on the keyboard, otherwise, a long press will bring up all common special characters.
As I just found out, # is a ‘special’ character as it was rejected in one of my passwords…
A special character is anything which is not a letter or a number (alphanumeric). Which characters are allowed in passwords is entirely up to the creator of the website or program asking for a password. There is no rule defining what is or isn’t a special character. (Although I have friends who are definitely “special characters”)
Mark:
A distinction is usually drawn between a punctuation mark and a special symbol.
The difference is that a punctuation mark is commonly encountered within ordinary sentences — ” ‘ : ; and – are all examples of punctuation marks.
By contrast, special symbols are not commonly used in sentences (they are used, but not commonly). These include @ # $ % &, and so forth.
I’ve never seen a password requirement that spelled out the difference. All have been “special characters”. What’s more frustrating is that no two sites’ lists of allowed “special characters” seem to be the same.
I have several passwords using punctuation as special characters. I’ve never used periods or commas, but I’ve used question marks, exclamation marks, hyphens, parentheses, and apostrophes. I’ve never once had a password rejected for any of those as a special character. A special character is anything which isn’t a letter or a number, although there may be some isolated login password requirements which are pickier.
I’ve found that é è ê à â î ç … are special characters, at least according to some sites. They are regular characters in French! And ñ is a regular Spanish one.
I would imagine they are considered special characters by all websites and programs which require special characters.
Use a formula that you can remember easily, such as a simple word followed by several letters of the web address IN CAPS followed by the simple word plus your former zipcode or someone else’s zipcode . . . For Facebook tryFACtry75039
NOTE: In Google Chrome, active passwords are stored in chrome://settings/passwords . . . HOWEVER, it will only store 14 to 16 characters, so going beyond that will not be visible. To make passwords visible, guess what, you have to enter an e-mail address and a password. Good luck.
Some sites go so far as forbidding passwords over a certain length, but I have used a pass phrase [eg: song lyrics] for decades and never had a hack :) Like a string, no spaces – example “andhernamewascomadina”. That’s 21-place strength and I doubt anyone is going to break that in a hurry. Then again, I hate sites that insist on special characters and numbers somewhere in the password.
I take passwords seriously, and it can try my wife nuts, but I digress.
I have a password manager and another location for the passwords as a backup. The filename is completely unrelated, and I won’t say the type of document it is. The password manager has a somewhat secure password, but I think it’s time for that to change. All passwords generated, regardless of the site used, are completely random with a length greater than 12. If necessary, I tell the password generator to add a special character, although they make the password more secure. When the password is stored in the backup file, I put minimal information to let me know how to log in to the site. I use certain usernames, so I’ll shorten the username to the first letter of the word, an underscore if there, and then the first letter of the second word. This way, people who may access the file, which is only stored on one computer, will have difficulty finding the information needed to log on. Another way is to put the password somewhere with no information on where it goes. The downside is remembering where the password goes.
Leo makes a great suggestion to use random words. I use two words, separated by a space, and then tweak the spelling of one or both words. A number gets added somewhere to make it more difficult. Using more than two words is a great idea but make sure they are words that people couldn’t guess easily. The downside of tweaking the spelling means remembering how they were tweaked, so if it’s difficult to remember how they were tweaked, don’t tweak them.
Fortunately, my laptop has a great password that hasn’t changed since I created the account. I’ve typed that so many times that I have it memorized. When you use the same passwords multiple times, you’ll eventually memorize it.
Lots of people don’t take password generation seriously and then get upset when someone hacks their account. If they would realize that hacking occurs because of bad passwords, which are either easy to guess or can be hacked in seconds.
I have a backup of my passwords on my computer. I encrypt it with 7Zip and use the same password that I use for LastPass. I don’t think that violates the different password for everything rule as that file is not accessible on the internet and has an obscure name. I type my LastPass password at least once a day so it’s embedded in my mind and muscle memory. As for the number substitution, I use the same numbers to replace the same letters so that’s also embedded in my memory.
I apologize if this is too elementary, but I use OnePass (recommended here in the past). When many of the responders say they back up their passwords on their computer in a separate file even though they are using a password manager, are they entering each password manually? Is there some shortcut around this?
I don’t understand your question. I’ve recommended Lastpass, which will fill in fields for you.
If you mean LastPass, this article explains how to back it up:
How Do I Back Up LastPass?
When the CompuServe Information Service still existed (technically, it still does — but its owner, AOL has eliminated all of the forums, reducing CIS to rubble) their password scheme was two unrelated words separated by a special symbol. This lead to many highly creative — and FUN! — passwords. My favorite (no longer in use) was Sanhedrin%Forklift.
A more unrelated pair of words would be very hard to come by!!! :)
How secure are passwords stored in Safari and the Apple Keychain? Apple seems to be making it more difficult to use a password manager with Safari.
As far as I know Lastpass cannot be used in Mojave Safari and I have heard that 1Password is not compatible with Safari in Catalina.
This may be mainly a website for Windows users but I really like this website. I use both Apple and Windows computers.
I have no experience with Keychain. I use LastPass with Safari on my Mojave 10.14.6 OS. If you have an older Mac OS which doesn’t support LastPass with Safari, then you can install Chrome, Firefox, or even Opera. I have them all installed on my Mac.
My current approach is …
1. All passwords are 25-30 characters and a mixture of numbers, upper & lower case letters and special characters.
2. They are all stored in LastPass.
3. They are also kept in a plain text file encrypted by VeraCrypt.
4. Additionally, I use whatever 2FA method is offered, my favourite being Google or Microsoft authenticator.
The only 2 passwords I need to remember are the ones that control access to LastPass and VeraCrypt. Admittedly, that is a potential problem. I’ve been thinking about various ways to further lock that down.
I’d at least keep the password for LastPass in VeraCrypt, and the password for VeraCrypt in LastPass.