
Crank Your Password Strength Up to 11!

In a world where we measure things (like speaker volume) from 0 to 10, it’s time to crank your password strength up to 11. Take whatever you think a strong password might be and make it stronger.

Unfortunately, too many people still have their password strength firmly planted at zero.


Summary

  • An annual report of most popular passwords remains disheartening.
  • Length trumps everything.
  • Long passwords don’t have to be hard.
  • Password managers make long, strong passwords easy to deal with.
  • Take the time to replace your weak passwords.

And the most popular password is….

Turn it up to 11
On a scale of 0 to 10, take your password strength to 11.

SplashData recently released its report of the 100 most common passwords. Analyzing more than five million passwords from hacked and leaked databases, they tallied up the most popularly used passwords, and the result is … depressing.

The top five include:

  1. 123456
  2. password
  3. 123456789
  4. 12345678
  5. 12345

The rest of the list is more diverse but just as obvious, including passwords like “iloveyou”, “qwerty”, “charlie”, “donald”, and many more horrific choices.

Not only are they simple, easy to guess, and clearly on the list of the very first passwords hackers try, but they also suffer from the greatest sin of all, in my opinion.

They’re short.

Length matters

When it comes to passwords, length trumps everything. For example, let’s take that #1 offender above:

123456

A six-character password. Ugh. But adding a simple pattern to turn it into a 20-character password makes it a pretty reasonable choice:

****** 123456 ******

All I did was add six asterisks before and after, separated by a space. Simple as the pattern looks, the result is far stronger than 123456 against brute-force guessing, and just as easy to remember. Two caveats. First, it’s weaker for having been published here as an example, so don’t use this exact password. Second, padding a known-weak password with a repeated character is exactly the kind of pattern that rule-based cracking tools try, so a padded top-100 password is not the equal of 20 truly random characters. Use the technique to lengthen a base that isn’t already on the list.

Again, length trumps everything.

Long doesn’t mean hard

I’ll admit that throwing asterisks before and after a password doesn’t feel secure, even though it is. It just doesn’t feel like we did enough work. (Smile)

But, to build on perhaps the most quoted XKCD comic of all time — Correct Horse Battery Staple1 — combining unrelated words can be both strong and memorable.

I recently set up an account for a friend and did exactly that. When it came time to generate a password, I looked around my desk, picked three random items I saw, combined them with a fourth item this friend and I had in common, and — poof — a password that was long, strong, and easy to remember.

To repeat my exercise, here’s another:

SpeakerCoffeeMixerFacebook

That’s a 26-character password. If a site requires special characters, add spaces or an exclamation point in a spot that is “standard” for you, such as at the end or after the first word.

Password managers make it even easier

As easy as that password is to create, and as memorable as it may be, if you have a lot of different passwords (and who doesn’t), it can still be difficult to keep ’em all straight. Enter the password manager, which remembers them for you. That way, you need remember only one password — presumably also of the long and memorable variety — and the password manager does the rest.

Because I use a password manager (LastPass), I don’t bother combining words for the majority of my passwords. I go all-in and let the secure password generator do the trick. For example, most of my passwords look like this:

xMpba3HxDFvKk73mrAfA

That’s 20 characters of completely random alpha-numeric data. If I need a special character, I’ll throw one in somewhere, making it a 21-character password.

I couldn’t tell you most of my passwords. Not from memory, anyway.
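To make the two approaches above concrete, here is an added example (not the article’s code and not LastPass’s generator) that produces a 20-character random alphanumeric password, optionally inserts one special character the way the article describes, and builds a capitalized word passphrase. It uses Python’s `secrets` module, which is backed by the operating system’s cryptographic random number generator; the special-character set and the tiny embedded word list are assumptions for illustration, and a real passphrase list would have thousands of words.

```python
"""Generate long random passwords and word-based passphrases with a CSPRNG.

Added example; not code from the article or from any password manager.
"""
import secrets
import string

ALPHANUMERIC = string.ascii_letters + string.digits
# Assumption: a conservative special-character set most sites accept.
SPECIALS = "!@#$%^&*-_=+?"

# Constructed sample word list. A real list (e.g. a diceware-style list of
# 7776 words) is what makes four words worth roughly 52 bits; twelve words
# is only here so the example runs stand-alone.
WORDS = ("speaker", "coffee", "mixer", "staple", "horse", "battery",
         "window", "pencil", "river", "lantern", "cactus", "orbit")


def random_password(length: int = 20, alphabet: str = ALPHANUMERIC) -> str:
    """Return `length` characters drawn uniformly from `alphabet` using the
    OS CSPRNG (never `random`, which is predictable)."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def with_special(password: str, specials: str = SPECIALS) -> str:
    """Insert one special character at a random position, for sites that
    insist on one. The result is one character longer than the input."""
    pos = secrets.randbelow(len(password) + 1)
    return password[:pos] + secrets.choice(specials) + password[pos:]


def passphrase(words: int = 4, wordlist=WORDS, capitalize: bool = True) -> str:
    """Join `words` randomly chosen words, e.g. SpeakerCoffeeMixerFacebook.
    Words are chosen with replacement; capitalizing each word is cosmetic
    and adds no strength because the attacker can assume the pattern."""
    chosen = [secrets.choice(wordlist) for _ in range(words)]
    return "".join(w.capitalize() if capitalize else w for w in chosen)


if __name__ == "__main__":
    base = random_password()
    print("random 20:     ", base)
    print("with a special:", with_special(base))
    print("passphrase:    ", passphrase())
```

Because the word list here is only twelve entries, a four-word passphrase from it is trivially guessable; the function is the point, the list is a stand-in.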

Just do it

I talk about passwords and password strength a lot because, like it or not, passwords are here to stay. They’ll continue to be an important part of your online and account security for the foreseeable future. Even adding two-factor authentication — as you should, if it’s offered — you’re still relying on the strength of your password as your first line of defense.

Review your passwords and replace short ones with something longer and more secure.

And if you’re using anything on this list, don’t delay a moment longer. Go change that password now.


Footnotes & references

1: Which I did not have to look up — it’s that memorable.

44 comments on “Crank Your Password Strength Up to 11!”

  1. One of the reasons that I would use a password like 1 2 3 4 5 6 is it because it’s some website or something that I’m never ever going to use again. It’s easier just to use a password like that to be able to get to the next step on a webpage.

    Passwords are an archaic form of security. There are better things to use; it’s just that passwords are a cheap form of security.

    • As long as you don’t mind someday perhaps being impersonated on that website you’ll never use again, or having whatever other information you left there compromised, then by all means, use 123456. It’s my belief, however, that even on these throw-away sites having the account compromised someday will have ramifications you’d probably prefer to avoid.

      And while I agree passwords are archaic, for many, many, MANY sites, they’re all we have. Making sure they’re appropriately secure remains very important.

    • Well, if the password is «1 2 3 4 5 6» with all the spaces, then it’s much more secure than plain «123456», as it goes from 6 characters up to 11, not all numeric. But, in my opinion, it’s still too short.
      «1 2 3 4 5 6 € 1 2 3 4 5 6» is way better at 25 characters, with a symbol as a bonus.

          • I’ve just had to generate a password on a site with an online shop, and they do not allow special characters (not that I regard # as particularly special, but still – it’s not even a ‘shift’ character).
            Sites also need to work harder on their error messages too, where passwords are simply rejected without any explanation why.

  2. I always enjoy and learn from your password articles. Thanks. And I wonder why people just fight against using password managers. LastPass or Password Safe are free and about the best I have ever tried… no limits and sooo easy to use and also portable.

    • If you use (Last Pass), are you on a paid membership or free. I also use it (Free) and no support available.
      Thanks,
      Jim

  3. I used to have a bank that only allowed a 4 number password and no special characters! Wow! I wouldn’t use their online services. Glad they have changed their ways.

  4. A trusted password manager sounds great in the context of a secured private wifi. What if I must log in on a public wifi somewhere and rely on a password manager because my passwords are gibberish. Am I essentially not giving criminals my wallet by doing so?

    • NOT AT ALL. Password managers mostly store their data on your hard disk, and when they do update over the internet their connections are all encrypted. Make sure you’re using the hotspot safely in general (https connections, etc.) and it’s fine. I do it all the time.

  5. I have heard that some site use a “hash” of the password in place of the password. The hash is short and derived from the password, making it easier for the site. Since a list of all possible hashes is also short, it would seem to be a weak point against hacking. Is this still done?

    • It’s considered best practice. That way the service doesn’t store your actual password, and in fact has no way to tell you what your password is. Hashes are not short — often they’re longer than the password. But selecting a good hashing algorithm (it’s a mathematical function) is one of the most important parts when services design or set up their security.

    • Hashes of short passwords can be cracked using rainbow tables, tables generated by hashing every possible combination of characters. Those can be defeated by very long passwords, making the list too long to fit in a usable file. Websites can defeat those attacks by “salting” the hash, adding information in addition to the password when creating the hash.

  6. Here’s my estimate of expected time needed to find a password chosen from 90 different characters (alphabet, numbers, specials) at 100,000 tries per second, picking at random without duplication, i.e. expect to find the password in half the possibilities.
    It appears the problem with length 6 is that they are easily guessed.

    Characters    Possible          Seconds           Days
    in password   passwords         to crack          to crack
    1             90                0.00045
    2             8100              0.0405
    3             729000            3.65
    4             65610000          328
    5             5904900000        29,525            0.34
    6             5.31441E+11       2,657,205         31
    7             4.78297E+13       239,148,450       2768
    8             4.30467E+15       21523360500       249,113
    9             3.8742E+17        1.9371E+12        22,420,167
    10            3.48678E+19       1.74339E+14       2,017,815,047
    11            3.13811E+21       1.56905E+16       1.81603E+11
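The article’s “Length matters” section and the table in the comment above are the same calculation from two sides: the number of candidates is (character-set size) to the power of (length), and expected cracking time is half of that divided by the guess rate. Here is an added example (mine, not the article’s or the commenter’s code) that reproduces the commenter’s table and then applies the same arithmetic to the article’s own sample passwords. Assumptions: the 90-symbol set and 100,000 guesses per second are the commenter’s figures; the 10^10 guesses-per-second rate used for the comparison is a round-number stand-in for an offline GPU attack on a fast unsalted hash, not a measurement; and the 7776-word list size models a passphrase drawn from a diceware-style list, which is not how the article chose its words.

```python
"""Search space and expected cracking time for passwords.

Added example; not code from the article or the comment it accompanies.
"""
import math

SECONDS_PER_DAY = 86_400


def search_space(symbols: int, length: int) -> int:
    """Candidates an attacker must enumerate to exhaust the space."""
    return symbols ** length


def bits(symbols: int, length: int) -> float:
    """Strength in bits, assuming every position is chosen uniformly."""
    return length * math.log2(symbols)


def expected_seconds(space: int, guesses_per_second: float) -> float:
    """On average the right guess turns up after half the space is tried."""
    return space / 2 / guesses_per_second


def crack_table(symbols: int = 90, max_len: int = 11, rate: float = 1e5):
    """Rows of (length, candidates, seconds, days); the commenter's table."""
    rows = []
    for n in range(1, max_len + 1):
        space = search_space(symbols, n)
        secs = expected_seconds(space, rate)
        rows.append((n, space, secs, secs / SECONDS_PER_DAY))
    return rows


# The article's examples, modelled by the character class an attacker who
# knows nothing else would have to brute-force. The padded-123456 row is an
# upper bound: a cracker that pads top-100 passwords with repeated symbols
# explores far fewer candidates than 90**20. Two models are given for the
# passphrase: 26 letters of unknown case, and 4 words from a 7776-word list
# (assumption about the attacker's model, not the article's method).
EXAMPLES = {
    "123456":               (10, 6),
    "padded 123456":        (90, 20),
    "passphrase (letters)": (52, 26),
    "passphrase (4 words)": (7776, 4),
    "random 20 alnum":      (62, 20),
}


def compare_examples(rate: float = 1e10):
    """Map each example to (bits, expected days at `rate` guesses/second)."""
    out = {}
    for label, (symbols, length) in EXAMPLES.items():
        space = search_space(symbols, length)
        days = expected_seconds(space, rate) / SECONDS_PER_DAY
        out[label] = (bits(symbols, length), days)
    return out


if __name__ == "__main__":
    print(f"{'len':>3} {'candidates':>14} {'seconds':>14} {'days':>14}")
    for n, space, secs, days in crack_table():
        print(f"{n:>3} {space:>14.6g} {secs:>14.6g} {days:>14.6g}")
    print()
    for label, (b, days) in compare_examples().items():
        print(f"{b:6.1f} bits  {days:14.4g} days  {label}")
```

Run it and the ordering is the article’s thesis in numbers: six digits is under 20 bits and gone in a fraction of a second offline, while 20 random alphanumerics is about 119 bits, and four words from a 7776-word list land around 52 bits, well above what any online guessing rate can reach but not in the same class as the random string.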

  7. What do you think about using the first letter of songs, phrases, hymns, various well-known sayings, etc.? Much easier to remember on the occasion you’re not on your personal PC.

  8. Not often mentioned is the user name. Does using your email address for the user name create a starting point for potential hacking? Worse yet, if your password is discovered, can a potential hacker use your email address at popular web sites like Amazon to begin their dastardly work?

    • It’s less important, but yes … your username is, in a sense, also part of your security information. And, indeed, once hackers know your email address and password they’ll go trying that on other popular services to see if you have accounts there that use the same credentials.

  9. Use of actual words does make hacking a bit easier as one method hackers will try is a dictionary attack where the hacking software is on the lookout for actual words. So, not using actual words (at least not in the whole password) makes dictionary attacks much less likely to be successful.

    • That’s been the conventional thought, but as it turns out a) there are a lot more words than letters, and b) words make it easier to remember which in turn leads to c) words make it much easier to have a long password. And length trumps almost everything.

  10. Before password managers, the company I worked with used a password algorithm. Here is how it worked. Start with a first name. Mine is BRUCE. Interlace parts of your birth date. Mine is 03081941. So, the password becomes: b0r3u0c8e1. It had to be 12 or more characters. Adding “@” at the beginning or end made it: @b0r3u0c8e1@. The last letter was always capitalized. Now we have @b0r3u0c8E1@. That password would slow down most amateurs and cause most professionals to look for a different opportunity. The source was two simple data items that you could always remember.

  11. I hate passwords and long for the day when we get something better but probably won’t happen in my lifetime. For years I’ve used 2 password managers, Keepass and Lastpass.

    Started out long ago with KeePass, which is open source and free. I use the portable version so it does not even have to be installed. It stores passwords in an encrypted database and I keep a copy of it in my OneDrive account so it can be accessed from my other devices. I only have to remember one password (for it) and can also use a key file for added security. It also has a good password generator.

    I use Lastpass most of the time since it automatically fills in passwords but it just does not work well on some sites. Rather than ding around with it trying to figure out why I just keep a duplicate of all passwords in Keepass too and use it for manual entry with copy and paste in these cases. Also store the password for Lastpass in it so the only password I have to remember is for Keepass.

  12. What do you think of Dashlane as a password manager? It appears to be free at the moment, but if I have to pay for one, you would prefer LastPass, right?

    • I’ve never used Dashlane but I’ve heard it’s from a reputable company. I use LastPass free and it does all I need. I’ve used the paid version but that was mainly because I like to give something to software developers to help continue to develop their product and not go hungry in the process.

  13. I know passwords that are long and complex are great. I do not always use the same computer so do not have a password manager often. Is there a work around? So I often use an easier password although they are definitely more secure than 123456.

    • LastPass has a web interface version where you log into your LastPass account and log in to websites from there.

  14. One problem with PW managers is they don’t work with many sites. In fact I am seeing more non-working sites over the past year as security increases. Currently I am running 2 different managers because one may or may not work. Also they make it a PIA to copy the user name/password for cut and paste if the web site allows it. So it is tempting to use simple (but long) passwords.

  15. I go the easy route for making my passwords. I simply randomly press heaps of keys, usually up to around 20 – 25 characters, then copy and paste to a dedicated file with whatever details needed to access a particular site.
    That file is only on 2 (one’s a backup) small external drives that are only plugged in as required.

  16. One thing that has bugged me ever since the days of smartphones is places that insist on having special characters in the password, and on a phone keyboard, that’s usually a royal pain. As Leo says, it’s better to type in a long string of characters than a short string with caps, nums and specs!

    • I have the same beef, but if you have to use a special character, some might accept a period or a comma which are on the keyboard, otherwise, a long press will bring up all common special characters.

      • A special character is anything which is not a letter or a number (alphanumeric). Which characters are allowed in passwords is entirely up to the creator of the website or program asking for a password. There is no rule defining what is or isn’t a special character. (Although I have friends who are definitely “special characters”.)

  17. Use a formula that you can remember easily, such as a simple word followed by several letters of the web address IN CAPS followed by the simple word plus your former zipcode or someone else’s zipcode . . . For Facebook tryFACtry75039
    NOTE: In Google Chrome, active passwords are stored in chrome://settings/passwords . . . HOWEVER, it will only store 14 to 16 characters, so going beyond that will not be visible. To make passwords visible, guess what, you have to enter an e-mail address and a password. Good luck.

  18. Some sites go so far as forbidding passwords over a certain length, but I have used a pass phrase [e.g. song lyrics] for decades and never had a hack 🙂 Like a string, no spaces – example “andhernamewascomadina”. That’s 21 places of strength and I doubt anyone is going to break that in a hurry. Then again, I hate sites that insist on special characters and numbers somewhere in the password.

  19. I take passwords seriously, and it can drive my wife nuts, but I digress.

    I have a password manager and another location for the passwords as a backup. The filename is completely unrelated, and I won’t say the type of document it is. The password manager has a somewhat secure password, but I think it’s time for that to change. All passwords generated, regardless of the site used, are completely random with a length greater than 12. If necessary, I tell the password generator to add a special character, although they make the password more secure. When the password is stored in the backup file, I put minimal information to let me know how to log in to the site. I use certain usernames, so I’ll shorten the username to the first letter of the word, an underscore if there, and then the first letter of the second word. This way, people that may access the file, which is only stored on one computer, will have difficulty finding the information needed to log on. Another way is to put the password somewhere with no information on where it goes. The downside is remembering where the password goes.

    Leo makes a great suggestion to use random words. I use two words, separated by a space, and then tweak the spelling of one or both words. A number gets added somewhere to make it more difficult. Using more than two words is a great idea but make sure they are words that people couldn’t guess easily. The downside of tweaking the spelling means remembering how they were tweaked, so if it’s difficult to remember how they were tweaked, don’t tweak them.

    Fortunately, my laptop has a great password that hasn’t changed since I created the account. I’ve typed that so many times that I have it memorized. When you use the same passwords multiple times, you’ll eventually memorize it.

    Lots of people don’t take password generation seriously and then get upset when someone hacks their account. If they would realize that hacking occurs because of bad passwords, which are either easy to guess or can be hacked in seconds.

    • I have a backup of my passwords on my computer. I encrypt it with 7Zip and use the same password that I use for LastPass. I don’t think that violates the different password for everything rule as that file is not accessible on the internet and has an obscure name. I type my LastPass password at least once a day so it’s embedded in my mind and muscle memory. As for the number substitution, I use the same numbers to replace the same letters so that’s also embedded in my memory.

  20. I apologize if this is too elementary, but I use OnePass (recommended here in the past). When many of the responders say they back up their passwords on their computer in a separate file even though they are using a password manager, are they entering each password manually? Is there some shortcut around this?
