Ask Leo!

Technology With Confidence

How Do I Choose a Good Password?

Password security has never been more important. With occasional security breaches at service providers and rampant email account theft, make sure you're choosing and using secure passwords.

We frequently hear of major websites suffering data breaches that expose millions of user accounts and passwords to hackers.

This type of theft makes the concept of “good passwords” all that much more important to understand.

Become a Patron of Ask Leo! and go ad-free!

Moving target

What makes a password good constantly changes, perhaps in ways you wouldn’t expect.

To understand what makes a good password, we need to understand what makes passwords vulnerable, which means understanding a couple of the ways hackers hack.

Along the way, I’ll also discuss “hashes” and why a “salted hash” isn’t breakfast food, but rather a critically important approach websites should be using to keep track of your passwords.

And there will be rainbows.

Caveat

I’m not a security guru.

The concepts I describe here aren’t intended to make you one, either. Things are most definitely simplified — often over-simplified — to make a point or to explain basic concepts. The devil is in the details, and you won’t find it here.

My goal is simply to explain how and why passwords are so darned important, why the password you think is strong enough probably isn’t, and what you need to do about it all.

If you’re designing a website and are looking for what you need to do to keep passwords secure, you’ve come to the wrong place.

If you’re an average computer user and you just want to keep your online life secure, then follow the “New Rules” to the left and keep your computer safe.

If you’re curious as to how some of this stuff works at a high level … read on.

The rules: old and new

For those with short attention spans, I’ll start with what you need to do differently, beginning yesterday.

PasswordIn the past, the traditional advice on passwords was:

  • Eight characters long, minimally
  • Never use names or words, at least not without mangling them somehow
  • Never use combinations of names or words, at least not without mangling them somehow
  • Use a combination of upper and lowercase letters and digits
  • Use at least one special character — something other than a letter or digit — if the system will let you

Those rules are no longer sufficient. Even if you carefully follow them all you’re left with a password that remains very susceptible to many types of compromises.

Instead:

  • 12 characters long at a minimum. I recommend 16 and use 20 myself, when possible.
  • Longer is always better
  • Use a combination of upper and lowercase letters and digits
  • Words aren’t quite as evil as they once were, as long as the password is long enough
  • Consider padding the password with a random character to make it even longer

As you can see, there’s a new emphasis on length.

If you remember nothing else from this article, let it be this: size matters: longer is better.

The dictionary attack

One reason we were told to never use normal words (or common names) in passwords is that there are simple attacks, called “dictionary attacks”, that try all words, or all combinations of words, one after the other, until something works. Many attackers jump-start this process by starting with a list of known common passwords or words used in passwords.

The Oxford dictionary tells us:

This suggests that there are, at the very least, a quarter of a million distinct English words… 1

If we stick to a single case (upper or lower, just not mixed), then a program needs to try only 250,000 times 250,000 (62.5 billion) times to be guaranteed to stumble onto a two-word password. I say “only” 62.5 billion because to a computer running with speeds measured in billions of operations a second, that’s nothing.

Yes, you can add names and random capitalization to the mix, and perhaps even insert digits, but even that slightly-obfuscated dictionary-based approach to password cracking is easily performed by today’s technology.

It’s also not necessary any more.

It’s now quite possible for hackers to try literally everything.

The brute force attack

Let’s say you’ve been really, really good and you have an eight-character password made up of completely random letters, numbers, and symbols.

Perhaps 7CxX&*Xf.

That’s a good password — perhaps the best you can do in eight characters — but it’s not a great password.

It’s estimated that such a password could be cracked (offline) in a little over 18 hours.2

It doesn’t matter that you didn’t use words or your name or anything else. Eight characters – 6,704,780,954,517,120 possible combinations and passwords – can be hacked in less than a day.

Now, the most common response I get is, “How can they try that many that fast when I get locked out after getting it wrong three times?”

Online attacks

The attacks I’ve described so far all involve the hacker having a stolen copy of some user account database that they can access on their own computer(s), offline. This allows them to attempt to crack it at extremely high speed — as fast as their computers allow.

In the online scenario, actually accessing the service directly attempting to break in, they can’t try nearly that fast. However, they can use other techniques to try fast enough for it to still be a serious issue.

For example, consider a botnet of hundreds of thousands of computers across the globe performing a distributed dictionary attack against a set of email accounts. Slowly, patiently, and from different locations so as not to trip any limit filters, they try millions of passwords against hundreds of thousands of accounts.

Eventually, they’ll hit pay dirt — especially if they try those “most common” passwords first.

Surprisingly, that’s not why eight characters is too short. A truly random eight-character password will probably protect you just fine from these types of online attacks.

It’s the offline attack you need to worry about, where your eight-character password — any eight-character password — might be cracked in microseconds.

To understand how that can be, we need to understand how passwords are stored. But first we need to realize that guessing from the outside is only one way to get password information, and it’s no longer the most common.

The database breach

Every so often, we hear of an online service that has been hacked into and had their database stolen.

What that usually means is that rather than trying to guess logins one at a time, a hacker has infiltrated the systems of the service and snatched a copy of some or all of the user accounts database.

As a result, they typically have:

  • A list of all usernames or login IDs for that system
  • A companion list of password information for those login IDs
  • Other stuff that the system may have stored for each user ID

No need to try guessing passwords slowly from the system’s public-facing login; the hackers walk away with almost all the information they need in one fell swoop.

Note I said “password information” above. Properly secured systems don’t store your password — they store something else.

Hash (hold the salt)

What a secure system stores instead of your password is called a “hash” of the password.

A hash is a mathematical function that takes an arbitrary amount of text and computes a number from it. That number has the following characteristics:

  • Any change, however small, in the data being hashed should result in a large change in the resulting hash.
  • It should never be possible to reconstruct the original data from its hash value.
  • It’s not feasible to craft data that, when hashed, would generate a specific hash value.

So, instead of storing your password “iforgot”, the system might instead store:

d9fd60a8cf992ec3d554ec2df8dd4cb345e77de7ecb4df4772920897b1d51bc5

That’s the result of an “SHA 256” hashing function. Any time you give that function “iforgot,” SHA 256 will return that number (which happens to be 256 bits long).

This is important: given only the hash, there’s no feasible way to figure out what password caused it to be generated. Hence, it’s often called a “one way” hash.

When you log in, the system passes whatever you type as your password through the hashing function, and if the resulting number matches, then you must have typed in the correct password, because it’s the only thing that could generate that number.3

Your actual password is never stored.

Unfortunately, as technology has grown more powerful, we’ve run into an interesting issue that puts this technique at risk anyway.

Rainbow tables

RainbowConsider the eight-character password.

If the password we choose allows each character to be any of 26 alphabetic upper and lowercase characters, 10 digits, and 10 special characters, that’s 72 possible characters in each position. If we have eight of those, that’s 72 to the eighth power or 722,204,136,308,736 – 722 trillion – possibilities.

It sounds like an enormity, but with today’s computational and storage power, with a stolen database and an offline attack it’s possible to:

  • Calculate all possible eight-character passwords
  • Calculate the hash value for every possible eight-character password
  • Store that in a massive table saved on disk

“Cracking” a password from a stolen database is just looking up the hash value you got from the database and fetching the corresponding password. This type of table is called a “rainbow table.”

In reality, hackers rarely need the entire table. People tend to pick bad passwords, so a smaller table with the hash values of lots and lots of common passwords is enough to crack a huge number of accounts.

The hashing algorithms are often quite standard.4 So, if your email service, your social media service, your photo-sharing service, and whatever else you log into all use the same hashing algorithm, they’ll all store the exact same hash value for your password. If that table of password hashes is ever stolen, then a quick lookup in a rainbow table will retrieve your password. Then the hackers can try it at any of those other sites, even though they were never directly breached.

As it turns out, there’s a trivial way to stop that possibility.

Add seasoning.

The Salted Hash

“Salting” is a way to obscure the information stored in a service’s password database.

Instead of computing the hash of a password, they add something to the password and hash the combination. Then, when the time comes to check that you’ve entered the right password, they take what you’ve typed in, add that same something to it, and hash the result. If the hash value matches, then the password is correct.

For example, perhaps I create my password as “iforgot”. As we saw, that gave us an SHA256 hash of

d9fd60a8cf992ec3d554ec2df8dd4cb345e77de7ecb4df4772920897b1d51bc5

If, however, the system storing my password automatically adds “mypants” to every password and hashes the result —  “iforgotmypants” — the hashed value is completely different.

9791d33a44b51d071a90cd246a3b8a4ca2491f9474ebd737bc137b82826c7e5d

When I come back to log in and enter “iforgot,” the system automatically adds “mypants”, hashes that, and the values match.

If that hash value is ever in a rainbow table somewhere, it maps to “iforgotmypants”, which is most decidedly not my password.

The item we add — in the example above, the frivolous “mypants”  — is known as “salt,” as it changes the flavor of the result of the hash function. In reality, it wouldn’t be anything so simple and it would vary from system to system (and if done really well, from account to account).

Now, with all of that as backdrop, here’s the kicker: you don’t know how the services you use encode your password, and too many do not use salt. In fact, a recent breach at an extremely well-known large online service exposed the fact that they were not using salt at all to secure their database of hashed passwords. The stolen passwords could be easily looked up via rainbow tables.

So, in the face of not knowing which services do password security correctly, how do you protect yourself?

Size matters

The single most important thing you can do to improve your password’s security is to make it longer.

The longer the better, in fact.

Recall how I said an eight-character password gave us 722 trillion possible combinations? (722,204,136,308,736, to be exact.)

A 12-character password results in 19,408,409,961,765,342,806,016 possible combinations.

There’s no rainbow table big enough for that, and there won’t be for quite some time. Short of storing your password unencrypted (which is a huge security no-no anyway), just about any hash will do, salted or not.

As a bonus, it’s extremely unlikely a dictionary attack will bother with the assorted combinations to eventually get to whatever it is you put in 12 characters.

Length doesn’t imply complexity. There’s a very strong argument that says:

****password****

is, in fact, a significantly more secure password than

7CxX&*Xf

— plus it’s easier to remember. (Although using normal words in this manner still makes me nervous for reasons I can’t quite explain. Smile)

In fact, even longer passphrases — something like:

correct horse battery staple

are perhaps best of all. (With big a hat tip and propeller twirl to that great geeky web comic XKCD.)

The bottom line (this time at the bottom)

So, what should you do?

  • Abandon eight-character passwords. They should no longer be considered secure. Period.
  • Make all passwords 12 characters or longer. (You can make a password longer and more secure by adding repeating characters if you can’t think of anything else.)

That’s the bare minimum. For bonus points:

  • Make your passwords 16 characters or longer. I use 20 characters myself whenever possible.
  • Use a password generator, such as that included with many password vaults, to make it a 16 character or longer random password.
  • Never use the same password in more than one place. If, for some reason, an ID and password gets compromised at service “A”, hackers will then run around to many, many other services and see if they can log in with it. All too frequently, they can.
  • Consider using a password vault like LastPass to remember all your unique passwords for you.

And of course, keep your PC secure. No matter how strong your password, malware such as keyloggers can capture it, and using an open WiFi hotspot without proper security could be the moral equivalent of writing your password on the wall for all to see.

Play

Download (right-click, Save-As) (Duration: 16:40 — 15.3MB)

Subscribe: Apple Podcasts | Android | RSS

Video Narration

This is an update to an article originally posted June 9, 2012

Related Posts

Footnotes & references

1: How many words are there in the English language? – Oxford Dictionaries

2: Cracking time calculations are from Password Haystacks at GRC.com.

3: Technically, this is actually not true: it is possible that two inputs will generate the same hash. However, it is statistically so extremely unlikely that it is simply a non-issue. And as stated in the hashing algorithm requirements, there’s no way to know how to pick an input value that would give you a specific hash value.

4: Trust me, you do not want to dream up your own hash. You really want to leave the math involved to trained professionals. Homebrew hashes are typically cracked within seconds.

References

Password Haystacks – GRC.com has a great look at the password-length issue, including a calculator to play with.

Comments

    • Sites that REQUIRE the use of certain characters like special characters or numbers or upper case reduce security. A given length password that can have any combination of characters on the keyboard will have more possibilities than passwords where the combinations containing no numbers, for instance, are excluded. The more requirements for certain characters the smaller the universe of possible passwords. If the hacker knows these requirements he doesn’t have to test for them.

      Reply

      • As long as those sites don’t have an upper limit on the number of characters, requiring all 4 types of characters doesn’t make it less secure. In fact, they make it more secure as they require a more complex password than many, if not most, would otherwise choose.

        Reply

  2. Great article. I just don’t understand why quite a few sites put certain limits on the password length and complexity. Recently I registered for an Adobe ID, which didn’t even allow passwords longer than 12 characters! I can’t believe they put any limits on it, since you can feed an arbitrary amount of data to the hash functions, and the only practical limit is the size of the post request you’d be sending to the server. Maybe certain characters from specific locales can’t be displayed correctly, but as long as you enter the same password every time, that too should not be an issue, right?

    Reply

  4. I thought I remember reading somewhere that starting one’s password with a space makes it nearly impossible to be stolen. What are your thoughts on this Leo?

    Nothing is impossible (for example a keylogger would still see it). Spaces bother me because many services don’t allow them in passwords and some even silently strip them off.

    Leo
    12-Jun-2012
    Reply

  5. A real eye opener and something to act on. Thanks, but one maybe naive question. When these hackers create the rainbow tables how do they get the hashing algorithm?

    The hashing algorithm’s are standard. For example SHA256 is the same everywhere. That’s why salting is important because it changes the result in a non-standard way that renders the rainbow tables useless.

    Leo
    12-Jun-2012
    Reply

  6. Wow!!!!!! I have been educated. About 8 months ago, I started using a 12-letter/digit/caps-combo password, but unfortunately, it was only AFTER my email account had been compromised.

    Reply

  7. Another good technique for developing the password is taking letters, suitably modified, from a phrase. For example, use the phrase: The quick brown fox jumped over the lazy dogs. Take the first and last letter from each word, use numbers where they look like letters, and add a character or two as well. So the password, based on the above phrase, is: Teqkbnfxjd0rte1yd$#
    If you remember the phrase and the rule, you’ve got it. Much easier than trying to remember Teqkbnfxjd0rte1yd$#

    (Note, don’t use the phrase in the example as too well known)

    Reply

  8. Great article! I’ve been trying to use 19 character passwords, but as Mike pointed out that is not always allowed. I’ve been using RoboForm to generate the passwords and occasionally using GRC’s password generator. I’ve been using 63 character passwords on my WPA2 router and my kids think I am crazy. I could do better, but my router only allows alpha-numeric so I’m limited there.

    Reply

  9. Mike, generally, it means they aren’t encrypting your password at all if they use character limits.

    I’m not so sure on that. It could be, absolutely, but I’ve seen some pretty strange limits for arbitrary reasons. Regardless short password length limits – whatever the reason – are very annoying and hamper security.

    Leo
    12-Jun-2012
    Reply

  10. But my bank only allows 8 characters and only upper and lower case letters and numbers.

    If that’s true, it’s horrible and I’d seriously consider using another bank. Or at least another bank for online transactions and instructing your current bank to DISABLE your online access until they implement a more robust password / security mechanism.

    Leo
    12-Jun-2012
    Reply

  11. Many of my accounts do not allow long passwords and some no special characters. How do we get them “on board”/

    Complain. Or switch services (letting them know why as you leave.)

    Leo
    12-Jun-2012
    Reply

    • It’s my understanding that some sites, financial institutions in my experience, take increased precautions the first time you log in, usually some form of 2 factor authentication. Perhaps forcing you to answer a security question you initially set up or responding to an SMS message to your phone number of record. Once authenticated the site will place an encrypted cookie on your machine with a unique token, essentially a second password. During future log in’s the site obtains your typed in password and uses that to access your cookie to authenticate you. This is why, when you access the site from a new device, you have to go through the initial authentication process again. A hacker trying to log in from a new machine would have to know how to satisfy the authentication requirements which would involve knowing more than just the password.

      Reply

  12. Alarmingly, it’s most often the big financial institutions (you know…where you do your online banking?!?!) that DON’T allow passwords longer than 8 characters…..and DON’T allow “special” characters…..i.e. anything other than lower-case letters and numbers. Pathetic!
    Shame on you CIBC and others!

    Reply

  13. Tony and all: If your bank is only allowing 8 characters, then the best thing to do is make it the strongest 8 you can. My friends and I frequent a free site called passwordmeter.com that will tell you just how strong your password is and how to make it stronger, explaining the portions of it that make it good or bad. It seems spot on with what Leo teaches, but was designed in 8-character days. Good luck.

    Reply

  14. Many sites will not allow p/w’s longer than 8, and worse, they won’t allow symbols.

    That said, if your site does allow more length, and you like your 8 digit p/w, simply repeat it.

    So, ‘mynameis’ becomes
    mynameismynameismynameis

    That’s 24 characters with little effort.

    Reply

  15. Also, if the account contains financial data, change your password every so often.

    If you want to use a virtual keyboard to input your passwords, get a secure one. Look for: clipboard logger protection, screen logger protection, mouse position protection, and password field protection.

    Reply

  16. Thanks Leo – just a quick word of appreciation. I have been using computers since the days of the Sinclair ZX81, and now-a-days use it (NOT the ZX81) intensively for banking, bill paying, etc, etc, etc. I thought my passwords were pretty good, but you have opened up a whole issue for me. As a direct result of your article I am rehashing (no pun intended) my entire password strategy. After almost 30 years hobbying with computers I thought I knew enough to be OK, but you have taught me something in this article I really needed to know. My grateful thanks. Oh, and can I also add that I really appreciate your attitude when dealing with folk who are obviously just beginners with computing. I like how gracious and patient you are with them, and it makes me feel confident to ask whatever I need to ask – assuming I can’t find the answer already in your outstanding web site. Many thanks.

    Reply

    • I also built a ZX-81, complete with a computer tape recorder for storage from Radio Shack. I also added the 16K memory expansion module. Fun stuff.

      Reply

  17. My own passwords are always over 40 places long and I’d use a pass phrase that you can never forget example [ I dont use this one ]
    “I said lookIsaidLoveIsaidDarlIsaidPetIsaidlookSamwiseGangy” A combinathion of my favorite comedy show of old and lord of the rings. I dont care how fast an offline hacking computer is – there is no way in my lifetime you can stummble on something this long – with salted hash yet.

    Reply

  18. I do not keep passwords on the machine; I record them in an XLS file on a 3.5-inch floppy disc; although lately I have also left a copy on a thumb-drive I occasionally use for other purposes (think again, Les!). That way I never type-in a password for the delectation of visiting keyloggers, I use CTRL-C/CTRL-V; and lately I have taken to using a hashed (thank you, Leo!) version of foreign town names and numbers from dates in my life, scattergunned in and stored on three discs and the thumb-drive, which is the master copy and updated about once a month. I have never been hacked. What a splendid service you supply! Cheers, Les from SandGroperLand.

    Reply

  19. For many (10+) years I used one password (not a word) for strictly confidential stuff and one other for everything else. Then, only about a year ago, I started to use KeePass. It’s great: one password to get into KeePass (and local TrueCrypt volumes), and different ones generated by KeePass for everything else.

    KeePass also has the advantage that use can use it to plant username and password into any browser.

    The only downside to KeePass is that it has so many options that it has so many complexities, like customised scripts for specific situations, that it looks more complex to use than it actually is. It’s actually easy to get started – there’s a First Steps Tutorial, for those who, unlike me, have the sense to read it.

    And it’s all free, open source, you name it …

    Reply

  21. @Mary
    Towards the end of the article (the last bullet point) Leo puts in a plug for LastPass and RoboForm.

    Reply

  22. This sounds a bit like having a 24 hour security lock on your front door – ie after you shut it you cannot open it again for at least 24 hours. Very secure, but a little inconvenient.
    It’s relatively easy to have secure passwords when you are sitting at your PC, either by using RoboForm or KeePass etc, or by using your own list or encrypted spreadsheet etc. But if you have 100 different 12 character passwords how do you remember the one you need when you are out at an office or abroad using someone elses PC? Can you keep all your passwords online, so that you can access them from anywhere using just one 12 character password?

    Many of the password safes have applications for your smartphone. I use LastPass which does, and if I ever need a password while I’m out somewhere it’s there in my pocket.

    Leo
    14-Jun-2012
    Reply

  23. good article on hacking passwords, but you never fully explain why we get locked out after 3 wrong tries and a hacker doesn’t

    They do. They work around that by attacking several different accounts at one, slowly, so as not to get locked out. Or they steal the database from the service provider which bypasses that lockout mechanism.

    Leo
    14-Jun-2012
    Reply

  24. Thanks Leo. Your article was very helpful. I will lengthen all my passwords to 12 characters starting today. Also, signed up with LastPass to help manage these new passwords.

    Reply

  26. I agree with almost everything here, except that:

    (1): I suggest a 16, rather than 12, character minimum length for passphrases; and

    (2): I STILL suggest —

    (a) Continuing to respell/obfuscate words wherever possible (hey, why make things any easier on the “crackers” — don’t call them “hackers!” — than they have to be???);

    (b) Adding capitals, numbers, punctuation, and special symbols (such as &, #, @, +, $, etc., which for the most part aren’t ordinary punctuation marks normally used in sentences).

    The basic premise that “the longer the passphrase, the better” is true enough; but it does NOT vitiate the concurrent principle that “complexity increases the security of ANY passphrase.”

    And DO allow me to once again recommend my favorite book on this topic:
    “Perfect Passwords: Selection, Protection, Authentication” by Mark Burnett ($20.09),
    available for sale at Amazon.COM.

    Reply

  27. Good luck trying to use the logical rules of passwords.
    Schwab allows only eight characters and nothing but numbers and letters.
    Fidelity does not allow more than twelve characters and nothing but numbers and letters.
    Vanguard will take almost anything but only uses the first ten characters.
    The three financial services rely upon the three-tries then lock-out feature.
    I can’t afford to change companies but will if any of them improve.
    Schwab really worries me even though they have a “guarantee” of refund if someone hacks the account.

    Reply

    • See my reply to Ed, June 12, 2012.

      There is another “password” associated with your account in a cookie on your machine. Delete all the Schwab cookies and try to log in. You’ll have to re-authenticate yourself with more than your password.

      Reply

  28. At times I just get annoyed at the fact that we are living in a password world. Almost everything is only password protected. But ultimately the fact is passwords (strong or not) do not replace the need for other effective security control. You can opt for a password manager but the only real solution is that these companies need to add additional layers of authentication for access and transaction verification without unreasonable complexity and this will help their customers by implementing some form of 2FA were you can telesign into your account and have the security knowing you are protected if your password were to be stolen. This should be a prerequisite to any system that wants to promote itself as being secure. With this if they were to try to use the “stolen” password and don’t have your phone nor are on the computer, smartphone or tablet you have designated trusted, they would not be able to enter the account.

    Reply

  29. To follow the “different password on each site” rule, but easily remember them all, I simply use [My*Strong*Long*and*Secure*Password] on each one, but prefaced or suffixed (or both) by a word relating to the site: like “citbnk” or “gmal” or similar.

    Reply

    • That’s not a bad idea. Would that be the same as a custom salt?
      I am currently using something like +Phrasepass-)(-212MH97857+
      Where Phrasepass is something like IltsoabBfC = I love the smell of a beautiful Balsam for Christmas
      and 212MH97857 is something like my Grandfather’s phone number when I was a Kid MH = Murray Hill, long defunct and would never appear in any file on my PC or cloud,–my wife of 30 years wouldn’t even be able to guess it though I have told her.
      Next time I overhaul my important passwords I think I’ll make them something like ^Phrasepass=}sitename{=MH59879857^
      I will never forget the phrase and phone but see a potential snag; two years later, Is the site Google or gmail or maps or etc? They all use the same credentials.
      That’s why I still need LastPass. Also, with LastPass, I only have to type it a couple times per week, so the very long length is OK.
      For my low (nothing but email and pass, like magazines) and medium (not financial and minimal other info) risk sites that I often have to type on phone or table; something similar but shorter. LastPass for mobile sucks, but I had tried Dashlane and found it no better.
      i am interested in your thoughts. Thanks.

      Reply

      • One last thing: on someone else’s computer, in incognito mode, search “Phrasepass” to assure it’s not a valid word in any language/dictionary. You may have to turn on all languages in the search engine to do that. My Phrasepass is from an obscure favorite book, and not the first or last line, just something I always found clever or particularly well written, and memorable to me. Do the Asian hackers read Fowles and Grey?

        Reply

  30. You have many articles about creating passwords, so this may be on the wrong one.

    Here is something I copied from a government agency on creating passwords that you can remember.

    PASSWORD TIP
    Here’s one way to create a strong password you’ll remember: Think of a sentence or phrase that’s meaningful to you (i.e., my oldest son Zac will be 15 years old on May 30!). Use the first letter of each word to create a password (i.e., mosZwb15yooM30!). Then change some of the letters to similar special characters (i.e., mo$Zwb15yooM30!). Warning: Do not use this example as your password. Now that it’s been widely published, a hacker is likely to try it.

    Add what Duval said to remember which account is involved.

    Numbers and letters that can easily be confused – I (cap eye), l (small ell) and 1 (one); O (cap oh) and 0 (zero) – use the alternate form, such as i for I, L for l, o for O. This also adds a little extra security to the password.

    Reply

  31. I’m perplexed about Roboform and Lastpass. They say that they save your password and automatically fill in the information when you visit a site. How would this protect me if someone stole my computer? Also, my browser already auto fills my log-in and password if I want it to. How are Roboform and Lastpass different?

    Reply

  35. >In reality, it wouldn’t be anything so simple and it would vary from
    >system to system (and if done really well, from account to account).

    I don’t see how they could use a different salt value for different users without storing the salt value in a way that hackers could see it. For that matter, even with a static salt value, would that not need to be hardwired into the code?

    Reply

    • I don’t know how it’s actually done but one way might be to add a part of the user ID into the hashing algorithm.

      Reply

    • I’ve often wonder this as well. It really depends on the hack, I think. Gaining access to the database contents is one thing. Getting access to the actual code that the site might use in its implementation is a completely different ball of wax. Yes, I would assume that the static value (or algorithm for per-user values) would be visible if the code were exposed. But for most hacks the code is not exposed — only the database.

      Reply

  37. A good solution I read about years ago is to use some sort of a pattern as the base for your password, then just add extra characters to the pattern. That way you don’t need a password vault. You can safely write down either just the extra characters, or just “pattern” followed by your extra characters (e.g. if your pattern is HiHowAreU and the extra characters for one of your passwords are 76Trombones, then you’d just write down either “76Trombones” or “pattern76Trombones”).

    Reply

  38. Very well written article. You have never stopped to amaze me, Leo. Having said that, this brings me to an even more pressing question for which, I never seemed to find a definitive answer to my satisfaction: How do I find out or know that my computer is free of keyloggers?. Would WD or MBAM find them if there are any, or do you have a referenced article on the topic where I can read about it?.

    Understand that this is the biggest security concern I have about my computer nowadays.

    Reply

    • First there’s nothing special about keyloggersthey’re just one form of malware.

      Now, there’s no way to absolutely know or prove that you machine doesn’t have malware. None. You can’t prove a negative.

      Also, there’s no anti-malware tool that is guaranteed to catch every possible malware. None. Period. See I Run Anti-virus Software. Why do I Still Sometimes Get Infected?

      The best thing to do is to do all the things we so routinely admonish people to do to keep your computer safe: run anti-malware tools, security software, keep your system as up to date as possible, backup, practice good behavior and so on. Basically everything outlined in Internet Safety: 7 Steps to Keeping Your Computer Safe on the Internet. Do that reliably and while you should never reduce your vigilance, you can reduce your worry or concern.

      Reply

      • Thanks Leo for taking the time to answer. I follow religiously everything mentioned in your last paragraph.

        Reply

  39. Does it make a difference if we connect words? In other words “correct horse battery staple” becomes “correcthorsebatterystaple”. Or do hacker programs take that into account? What about “CorrectHorseBatteryStaple”?

    Reply

    • That would work but it would be three characters shorter 🙂 . In fact for some strange reason, some services don’t accept spaces in passwords. A safer password might be “C0rr3ctH0rs3BatteryStap13′ with the quotes. PS, don’t use that password now that it’s out on the Web 🙂 . You can use something similar.

      Reply

    • Who knows what “hacker programs” take into account? As Mark points out removing spaces makes it three characters shorter, and length is perhaps the most important characteristic of all. A password this long is, today, quite secure (as long as it’s not this exact password, of course). If you want to make it more secure … add another word. “Correct Horse Battery Staple Warehouse”. 🙂

      Reply

  41. Please I need to create a strong password I know how just need access to field to do this
    Then there is no help for me then?

    Reply

Leave a reply:

Before commenting please:

  • Read the article. Comments indicating you've not read the article will be removed.
  • Comment on the article. New question? Start with search, at the top of the page. Off-topic comments will be removed.
  • No personal information. Email addresses, phone numbers and such will be removed.
  • Add to the discussion. Comments that do not — typically off-topic or content-free comments — will be removed.

All comments containing links will be moderated before publication. Anything that looks the least bit like spam will be removed.

I want comments to be valuable for everyone, including those who come later and take the time to read.

Your email address will not be published. Required fields are marked *