If special characters are not allowed in a password, what hints do you have
to make the most secure password?
In this excerpt from
Answercast #34, I look at the most important technique for making a safe
A secure password
That’s actually pretty easy. (It’s also unfortunately, fairly common. I’ve seen a number of sites that restrict your password to only letters and numbers.)
- The answer’s pretty simple: just make your password longer.
Where you might be tempted to enter in only eight characters or perhaps ten, add a couple of more: go for twelve or fourteen or sixteen. It doesn’t have to be even numbers. Go for fifteen if you like.
The important thing here is that:
- Length matters more than other techniques we’ve been introduced to to make sure our passwords are strong.
It’s been theorized that an eight-character password that has completely random characters in it (including special characters) is technically less secure than, say, a ten-character or twelve-character password that has only alphanumerics in it.
So simply make your password longer.
Now, unfortunately, and I’m seeing this from time to time as well:
- Some services don’t allow you to have an arbitrarily long password.
There’s actually no reason for that – no technical reason for that and yet some of systems have that. If you’re limited to an eight-character or ten-character password, then:
Maximize the length of your password to as long as that system will accept, and then
Make sure to use as many different kinds of characters as they do allow.
But, in general, if you can get yourself up to 12 characters, I’m actually OK with you using only alphanumeric characters.
Next from Answercast 34 – My machine crashes randomly and it’s not overheating, what else should I look at?
5 comments on “How do I make a secure password if I can't use special characters?”
You touched on the obvious answer, but didn’t explicitly state it.
USE UPPER CASE.
Many of the recently published hacks point out that most passwords are lowercase. Simply adding a mix of upper case letters to your password significantly reduces the chance of hacks, especially if they are not first or last letters.
As explained on Steve Gibson’s site, https://www.grc.com/haystack.htm, in addition to using at least one capital and one lower case letter, periods, commas and spaces are just as effective at adding length as special characters, and length is the primary protection. 123456 is trivial. 1 2 3 4 5 6 or 22.214.171.124.5.6. are not.
Dear Leo, you that Internet Safety cost U4 2,99 on Kindle, Kindle charge U4 4,99 for the book.
I think that you have covered most of the issues re. passwords (apart from obvious advice such as not posting passwords over the net, not writing them down on “sticky notes” or not giving them to colleagues when you’re going on vacation).
There’s one thing I remember from long long time ago (i.e. the age of the Commodore 64 and the likes): using backspaces in such a way that on screen the characters following those backspaces SEEMED to be overwritten. Wouldn’t that be a good idea to implement on today’s sites or incorparate in enduser programs that use password protection? Perhaps someone might even earn a buck or two for writing the code, or even better: make it available to the general public ;-)
Of course it wouldn’t keep malicious hackers from stealing passwords nor keep users and sysadmins from continuing “bad practice”…
As one of the more paranoid web users out here, I have pretty much stayed away from using my Hotmail account for anything really important because of their insistence on limiting passcodes to 16 characters. (Most of the passcodes for my other email accounts are 30+ characters.) And I’m also wary because of the frequency with which Hotmail accounts are attacked and successfully cracked (or hacked). I often think of my Hotmail account like my grandpappy’s old country house: Doors rarely locked (i.e. poor security) but no articles stolen. IOW, I feel like my Hotmail account isn’t necessarily *safe*; it’s just not (yet) targeted.
But you’re saying that 15-16 characters can actually succeed at being a good, safe, secure passcode these days despite all the brute force capabilities and such that exist ? You’d have no worries at all with a Hotmail account with such a passcode ?