
How Long Should a Password Be?

For a long time, the common thinking was that the best, most practical passwords consisted of a random combination of upper and lower-case letters, numbers, and a special character or two. If so composed, password length needed to be only eight characters.

Randomness remains important, but as it turns out, size matters more.

A password today should have a minimum of 12 characters, and ideally, 16 or even more.


Large-scale account hacks

When you hear about large numbers of accounts being stolen by a hack at some service provider, you are naturally concerned that the hacker might now have access to your account names and passwords. If the service was storing your actual passwords, that could indeed be the case. (As I’ve said before, if a service is storing your actual passwords¹, then they simply don’t understand security, or they have made some horrifically bad decisions.)

In fact, most services store an encrypted (technically, a “hashed”) form of your password. For example, if my password were “password” (and that’s a very poor password, of course), then a service might store “5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8”, which is the hash value that corresponds to that password.²

What that means is that hackers do not get a list of user names and passwords. What they get is a list of usernames and password hashes.

And what’s great about hashes is that you can calculate a hash from a password, but you cannot do the reverse – you cannot calculate the password from the hash.

As a result, one would think that by being hashed it’d be pretty unhackable, right?

Sadly, not so much.

Dictionary attacks

The most common type of password attack is simply a high-speed guessing game. This doesn’t work when pounding on an actual log-in page; they’re slow, and will quickly deny further access after too many failures. But this technique works wonderfully if the hacker has the entire database of account and password hashes sitting on his computer.

These attacks involve starting with an exhaustive list of possible words and known common passwords (including names, profanities, acronyms, and more) and perhaps a few rules to try interesting and common ways that people try to obfuscate words. They calculate the hash of each guess, and if it matches what was found in the compromised database of account information that they’re working against, they’ve figured out the password for that account.

As we’ll see in a moment, it’s easy for hackers to make an amazing number of guesses in a short amount of time.

That’s why you’re not using that kind of password, right?

That’s why a password created from a totally random combination of characters is best. It forces hackers to move on to a true brute force attack of every possible combination to gain access.
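To make the hashing and the guessing game above concrete, here is an added example (not code from the article or from Ask Leo!): it reproduces the unsalted SHA-256 value quoted for “password”, shows how a once-computed table of hashes resolves any stolen unsalted hash by simple lookup, and contrasts that with a per-user salted, deliberately slow scheme (PBKDF2-HMAC-SHA256 from the Python standard library, an assumed stand-in for the stronger techniques footnote 2 alludes to). The word list and the iteration count are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed, tiny stand-in for the "exhaustive list of possible words and known
# common passwords" the article describes; a real list has millions of entries.
WORDLIST = ["password", "letmein", "qwerty123", "correct horse battery staple"]

# The unsalted SHA-256 value the article quotes for the password "password".
PAGE_HASH_OF_PASSWORD = "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"


def unsalted_sha256(password: str) -> str:
    """Footnote 2's scheme: the same password always maps to the same stored value."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def precomputed_table(wordlist) -> dict:
    """Hash every guess once. With an unsalted scheme that single table resolves
    every stolen hash by lookup, which is the guessing game described above."""
    return {unsalted_sha256(word): word for word in wordlist}


def resolve(stored: str, table: dict) -> Optional[str]:
    """Return the word whose hash equals `stored`, or None if it is not in the table."""
    return table.get(stored)


# --- the salted, deliberately slow alternative -------------------------------

ITERATIONS = 200_000  # assumed work factor; tune so one verification takes ~100 ms


def salted_hash(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt per user. The salt and the
    cost are stored alongside the derived key so verification can recompute it."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash format")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    table = precomputed_table(WORDLIST)
    stolen_unsalted = unsalted_sha256("password")
    # Unsalted: one lookup recovers the password.
    print("unsalted:", stolen_unsalted, "->", resolve(stolen_unsalted, table))
    # Salted: the same password now yields a value the table has never seen,
    # and every user's hash would have to be attacked separately, slowly.
    stolen_salted = salted_hash("password")
    print("salted:  ", stolen_salted[:60] + "...", "->", resolve(stolen_salted, table))
    print("verify:  ", verify_salted("password", stolen_salted), verify_salted("Password", stolen_salted))
```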

Brute force attacks

Computers are fast. In fact, the computer on your desk is so fast that its ability to do simple operations is measured in terms of billions of operations per second.

Creating a password hash is not a simple operation, on purpose. However, it’s still something that can be done very quickly on most machines today. Spread the work over a number of machines – perhaps a botnet – and the amount of processing power that can be thrown at password cracking is amazing.

The net impact is that it’s now feasible to calculate the encrypted hash values for all possible eight-character passwords comprised of upper and lowercase alphabetic characters and digits.

Sixty-two possible characters (26 lower case, 26 upper case, 10 digits), in each of the eight positions gives us 221,919,451,578,090³, or over 221 trillion, combinations.⁴

[Image: A Good Password (for now)]

This seems like a lot, until you realize that an off-line attack, which is easily performed once you’ve stolen a database of usernames and encrypted passwords, can be completed in a few hours. (This assumes technology that can “guess” something like 10 billion passwords per second – which, for those performing these kinds of attacks, is quite possible.)

It doesn’t matter what your password is; if it’s eight characters and constructed using upper and lower case letters and numbers, the hackers now have it – even if it was hashed by the service they stole it from.

Why 12 is better and 16 better still

As we’ve seen, eight-character passwords give you over 221 trillion combinations, which can be reasonably brute-force guessed offline in hours.

Twelve characters give you over three sextillion (3,279,156,381,453,603,096,810). The offline brute-force guessing time in this case would be measured in centuries.

Sixteen takes the calculation off the chart. Today.

That’s why 16 is better than 12, and both are better than eight.

What about special characters?

I did leave out special characters, it’s true.

Let’s say that the system you’re using allows you to use any of 10 different “special characters” in addition to A-Z, a-z, and 0-9. Now, instead of 62 characters, we have 72 possibilities per position.

That takes us to 700 trillion possibilities.

Compare that to sticking with the original 62 letters and numbers, but adding only a single character to make it a nine-character password.

That takes us to over 13 quadrillion possibilities.

Yes, adding and using special characters makes your password better, but significantly better yet is to simply add one more character.

So add two. Or six. 🙂

Long passwords are good, pass-phrases are better

The difference is really a semantic one, but in general:

  • A password is a random string of characters.
  • A pass-phrase is a longer string of words.

Why a passphrase? Because passphrases are easier to remember, and they’re easier to make long – and as we saw, length is perhaps the single easiest way to increase the security of a password.

“BT6aKgcAN44VK4yw” is a very nice, 16-character long, secure password that’s difficult to remember. In fact, the only way to use this is with a password manager of some sort that remembers it for you.

[Image: A Good, Memorable Pass-phrase]

On the other hand, “Its fleece was white as you know nothing John Snow”, at 50 characters, is wonderfully long, secure, and most of all, memorable. Much like the now canonical example of “Correct Horse Battery Staple”, you might even have a difficult time forgetting it⁵.

The biggest problem with passphrases? Many services that use passwords don’t allow spaces and don’t allow such lengthy passwords.
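The search-space arithmetic from the brute-force and special-character sections, and the passphrase comparison above, as one added example (not code from the article): it computes the number of candidates for any symbol set and length, the time to exhaust them at the article's assumed 10 billion guesses per second, and applies the same function to a word-based passphrase by treating the word list as the "alphabet". Counting every shorter length as well (cumulative) reproduces the article's 221,919,451,578,090 and 3,279,156,381,453,603,096,810 exactly; the guess rate, the 7,776-word list size and the duration rounding are assumptions for the example.

```python
from math import log2

# Guess rate the article assumes for an offline attack (10 billion per second).
GUESSES_PER_SECOND = 10_000_000_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def search_space(symbols: int, length: int, cumulative: bool = True) -> int:
    """Candidates an attacker must try for a password with `symbols` possible
    values per position. cumulative=True counts lengths 1..length (how the
    article's figures are derived); cumulative=False counts only exactly `length`."""
    if symbols < 1 or length < 1:
        raise ValueError("symbols and length must be positive")
    if cumulative:
        return sum(symbols ** n for n in range(1, length + 1))
    return symbols ** length


def entropy_bits(symbols: int, length: int) -> float:
    """Bits of entropy for a uniformly random choice of `length` symbols."""
    return length * log2(symbols)


def seconds_to_exhaust(space: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return space / rate


def human_duration(seconds: float) -> str:
    """Round an exhaustion time into the unit the article speaks in."""
    if seconds < 48 * 3600:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.1f} days"
    years = seconds / SECONDS_PER_YEAR
    if years < 100:
        return f"{years:.1f} years"
    if years < 1_000_000:
        return f"{years / 100:.0f} centuries"
    return f"{years:.3g} years"


def compare(cases):
    """cases: (label, symbols, length, cumulative) -> (label, space, duration)."""
    rows = []
    for label, symbols, length, cumulative in cases:
        space = search_space(symbols, length, cumulative)
        rows.append((label, space, human_duration(seconds_to_exhaust(space))))
    return rows


if __name__ == "__main__":
    cases = [
        ("8 chars, A-Z a-z 0-9", 62, 8, True),
        ("8 chars + 10 specials", 72, 8, True),
        ("9 chars, A-Z a-z 0-9", 62, 9, True),
        ("12 chars, A-Z a-z 0-9", 62, 12, True),
        ("16 chars, A-Z a-z 0-9", 62, 16, True),
        # Passphrase: five words chosen at random from a 7,776-word list
        # (the Diceware list size comment 26 mentions), so 7776 "symbols".
        ("5 random words (7,776-word list)", 7776, 5, False),
    ]
    for label, space, duration in compare(cases):
        print(f"{label:34} {space:>30,}  {duration}")
```

Run as a script it prints one row per case; note that adding a ninth character beats adding ten special characters to an eight-character password, which is the article's point.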

Shouldn’t services fix this and do better?

Absolutely, they should. And many do.

As I’ve stated above, passwords shouldn’t be kept in plain text anywhere by the service at all … yet some do.

There are techniques that make brute-force attacks significantly harder … and yet, many services use techniques that are even easier to attack than the example above.

There are services that do a great job of keeping your information secure. There are also services that don’t. The problem is you really can’t be certain which is which.

To be safe, you have to act like they’re all at risk.

The bottom line

The bottom line for staying safe is simply this:

  • Don’t trust that the service you’re using is handling passwords properly. While many do, it’s become painfully clear that many do not, and you won’t know which kind you’re dealing with until it’s too late.
  • Use longer passwords: 12 characters minimum, 16 if at all possible.
  • Use even longer passphrases where they’re supported, or where information is particularly sensitive. I use one for sensitive TrueCrypt volumes, for example.
  • Use a different password for each different site login you have. That way, a password compromised on one service won’t give hackers access to everything else.

Even the best eight-character passwords should no longer be considered secure. Twelve is “good enough for now”, but you really should consider moving to 16 for the long run.

Footnotes & references

1: If they can respond to an “I forgot my password” request with your actual, current password, then they have stored your password. This is bad. Best practice is to reset it to something new, either via a reset link, or by emailing a new password to you exactly once, after which the service no longer has it.

2: For the technically curious, I’m using an un-salted sha256 as the hashing function here. That’s technically better than the md5 or sha1 that are commonly used.

3: OK, OK. Technically, the number is actually 221,919,451,578,090 + 3,579,345,993,194 + 57,731,386,986 + 931,151,402 + 15,018,570 + 242,234 + 3,844 + 62. Then we also add in the possibilities of seven-character passwords, six, five, four, and so on. I’m not doing the math. It’s around 225 trillion.

4: Many of the numbers and attack estimates here come from or are based on GRC.com’s excellent Password Haystack page. Included there are links to an excellent Security Now! podcast segment discussing password length and how size really does matter.

5: Particularly if you’re a Game of Thrones fan. 🙂 And yes, I know that John Snow is actually Jon Snow. That’s another level of handy, yet easy to remember, obfuscation.

44 comments on “How Long Should a Password Be?”

  1. I don’t mind any recommendations on passwords…what I detest is these sites FORCING you to conform to their password rules…those of us who aren’t overly concerned about getting hacked and have been around awhile often prefer an old password we came up with years ago that may be 4 or 6 characters in length…it’s very aggravating to have sites NOT ALLOW YOU to use it

    They’re covering their behinds. You know that someone less savvy will choose a short password, get hacked, and then blame it on the service. I dislike the special character requirement. I’d rather be allowed to use alphanumeric only (more typeable on mobile devices) but enforce a longer password length, which as we see above would likely be more secure.

    Leo
    14-Jun-2011

  2. Actually, any password less than 14 characters is easily hackable. 14 characters is the old NTLM limit and there are many pre-hashed dictionary files out there. Personally I use 16 characters – at least 2 upper case, at least 2 lower case, at least 2 numbers, at least 2 special characters. A product such as L0phtCrack cannot crack those even when it is the only password in the Windows system and running continuously on a multi-core server!

  3. You wrote:-
    > most services will store an encrypted
    > (technically, a “hashed”) form of your
    > password

    “encrypted” sounds more “technical” than “hashed” to me – but what sort of encryption is it, that turns an 8-character password into a 64-character one ?

    And is it 64 even for a 12-character one ?

    Well, technically, encryption and hashing are two distinct things. Encryption is bi-directional – that which is encrypted can be decrypted. A hash is a mathematical function that generates a unique *fixed length* number from any input.

    Leo
    14-Jun-2011

  4. Wouldn’t just 12 alpha characters all lower or all upper work? Since the person hacking doesn’t know that there aren’t numbers or special characters, the possibility of having them would make them still have to check.

    My thinking as well, but I don’t want to commit to it just yet. Smile

    Leo
    14-Jun-2011

  5. @Robin Clay (and Leo’s response#
    Hackers don’t have to check for all 4 groups of characters #upper, lower, numbers, specials)…if their approach to hacking is to ONLY use lower case letters during their crack attempts, then a password of “123” is far more secure to that particular hack attempt than a password of “lowercasepass”. Hopefully that perspective discourages you from only using one of the four available groups. IMHO.

  6. …in response to my previous post…

    I notice that sometimes during the preview of a post, certain symbols don’t appear correctly, like parentheses and apostrophes. Nevertheless, in the past I’d click the POST button after previewing and they’d post just fine. My last post however still has some “pound” signs instead of “parentheses”….just FLI (for Leo’s information) 😛

  7. Wow. Thanx. I’ve made a couple of wrong assumptions. Now, even before finishing this news letter, I’m going to go and change the password on my Vet Health page. Again, Thanx.

  8. Many websites lock you out after 3 attempts, so how can a brute force attack work under those conditions?

    Most brute force attacks are not against website login pages, but rather are performed offline when a hacker has stolen a list of usernames and encrypted or hashed passwords.

    Leo
    17-Jun-2011

  9. @Dan Klein

    In the article, Leo’s suggesting that many of these types of attacks (if not all) are done “offline”. The hacker gets his hands on the data and then goes to work with it in a private (or controlled) setting.

    That being said, I can assure you that there are ways for hackers to work online too. Before we purchased a robust firewall for our business network, as the IT Manager I witnessed at least one or two attempts per month on our network. In about 2 or 3 minutes time, the hacker was able to produce thousands of attempts at username/password combos. I’m guessing this is less preferred because one thousand attempts a minute is a lot to you and me, but compared to the numbers Leo explains in the article, it would take lifetimes to crack even a moderately secure password. Like you suggest Dan, they should be getting locked out because I do if I fail 5 times. However, on less secure sites (like ours was before a good firewall was implemented) they have methods that allow them to go “underneath” the interface that checks their attempts.

  10. I had a good relatively long (can’t say exactly how long for security reasons) all letter password that I began to feel maybe should be upgraded so I added a friend’s old phone number and some punctuation. Very easy to remember and looooooooonnnnnngggggggg. For the guy who uses the Bible Password. Could be crackable. Add a phone number or something easy to remember.

  11. Isn’t it always the simple things that get overlooked and yet can be the root of so many problems if not properly implemented? Very thought-provoking – yet easy to comprehend article, Leo. Many thanks for these pearls (that are hopefully not before swine and we will all act accordingly). Keep up the good work.. 🙂

  12. Quote: “•Use a different password for each different site login you have. That way a password compromised on one service won’t give hackers access to everything else.”

    I think that is completely unreasonable. A different pw for “every site”? In my case, that’s almost 100 different pw’s. Not very practical

    • @Robertprice
      Pwd for every site is very possible & practical. And simple 🙂 Not just sites even. You can create Unique pass for every account. That’s what I do. and this is how I do it!!
      CREATE YOUR OWN ALGORITHM (consider my algorithm 3 years ago)
      Step (1)
      Take the last 3 characters of the site name in reverse order & Capitalize them. Do not add the extension. By extension I mean something like .gh, .com,.africa, .us, .net, .org, .whatever)
      Something like this:
      The last 3 characters of:
      a) http://www.askleo.com = leo The reverse order is oel. Capitalize to get OEL
      b) http://www.WebExtremist.com = ist The reverse order is tsi. Capitalize to get TSI
      c) http://www.gmail.com = ail The reverse order is lia. Capitalize to get LIA
      d) http://www.hotmail.com = ail The reverse order is lia. Capitalize to get LIA

      Step (2)
      Take the first 3 characters of the site name.
      The first 3 characters of:
      a) http://www.askleo.com = ask
      b) http://www.webextremist.com = web
      c) http://www.gmail.com = gma
      d) http://www.hotmail.com = hot

      Point (3)
      Concatenate Point (1) and Point (2) in the order of numbering.
      Thus,
      a) OEL and ask = OEL&ask
      b) TSI and web = TSI&web
      c) LIA and gma = LIA&gma
      d) LIA and hot = LIA&hot

      Point (4)
      Count the length of the characters in the site name. Prefix the length with the character “@”. And put in braces. Add result to Point (3) above
      Thus,
      a) Length of http://www.askleo.com = 14 Characters. When in bracket (14) When Prefix with @ gives (@14)
      b) Length of http://www.webextremist.com = 20 Characters. When in bracket (20) When Prefix with @ gives (@20)
      c) Length of http://www.gmail.com = 13 Characters. When in Bracket (13) When Prefix with @ gives (@13)
      d) length of http://www.hotmail.com = 15 Characters. When in bracket (15) When Prefix with @ gives (@15)

      Well done! Your final password is therefore
      a) = OEL&ask(@14) (When you want to login to askleo.com)
      b) = TSI&web(@20) (When you want to login to webextremist.com)
      c) = LIA&gma(@13) (When you want to login to gmail.com)
      d) = LIA&hot(@15) (When you want to login to hotmail.com)

      Though not a strong algorithm, this should give you a fair idea. You can generate your own which will guarantee you 500+ unique passwords. The good news here
      is, you don’t have to remember even a single password. You only remember them when you visit the site.
      My current algorithm gives me a 21-character password. Very complex to a computer but simple for the human mind to remember.

      • Felt happy reading your comments regarding the algorithm based password. I totally agree and that’s exactly what I do too : )
        One thing however that I realized is that my passwords used to be to only 8-10 characters. I should now increase the string length to 12 or more characters.
        Cheers!

  13. @robertprice
    That’s where password managers such as LastPass, RoboForm and KeePass come in. You have to remember only one password and the program remembers the rest for you. Warning: keep several backups of your password file.

    I’m not saying it’s necessary to have a different password for every login as that is still a much discussed point, I’m just saying how it can be done. I, for example, have one weak password for forum log-ins where I don’t care if it gets hacked. For important things like my emails and my banks, they all have a similar but unique password, i.e. the same password but with a unique identifier for each account.

  14. For RobertPrice:

    Quote: “‘Use a different password for each different site login you have. That way a password compromised on one service won’t give hackers access to everything else.’

    “I think that is completely unreasonable. A different pw for “every site”? In my case, that’s almost a 100 different pw’s. Not very practical.”

    Dude! That’s what programs like Roboform or (my personal favorite) KeePass Password Safe are for! Sheesh!

    For Leo:

    Twelve is good — but I understand that 16 should be the minimum, due to rainbow tables.

    I’m a little surprised that you didn’t mention rainbow tables in your article.

    Rainbow tables essentially are databases in which hackers have computed all the hashes for brute-force attacks on all passwords up to a given length in advance. They make the breaking of passwords both much easier, and much faster. The book “Perfect Passwords: Selection, Protection, Authentication” by Mark Burnett ($18.96) recommends a 16-character minimum length password for this reason, but then, it was written in 2005 — so I would expect by now that the standard rainbow tables have been rather expanded!!! I would very seriously recommend a twenty-character password by now.

    Really, folks: There is NO such thing as “a password too long” — unless it’s so long that it’s rejected by the system you’re feeding it to.

    Even using a Rainbow table of all possible passwords, once you get beyond 10 or 12 characters the size of the table becomes pretty impractical. A 12 character password would still need a rainbow table of three sextillion entries to be exhaustive. Most rainbow tables must limit focus to (extremely large) numbers of common passwords. But 16 — sure, go for it! As you say, there’s no such thing as a password that’s too long … unless the site you’re using it on places some kind of limit on it.

    Leo
    17-Jun-2011

  15. Good article Leo.
    It is worth noting that, in some unix environments (eg AIX) you can set a long password but the system will only evaluate the first eight characters (the rest are ignored).

    Yeah, every so often I hear of systems like that. Typically they’re based on really old technology where longer passwords were not feasible for various reasons. Today there’s no excuse.

    Leo
    17-Jun-2011

  16. so do password crackers waste their time trying 4 character passwords?…if not, it seems a shorter password may be more secure…it’s all really about what their algorithms do, isn’t it?

  17. Hey Leo, great article!

    I totally agree with two main points that Leo has made:

    1. The password has to be long — the longer, the better. Personally, I use at least a minimum of 16 characters, but in most cases, I use more, even 22 or 24 characters. Every online site is different in what they allow. For example, the last that I knew, Hotmail only allows a 16-character maximum, but other websites allow longer, in which case I will always generate passcodes to the maximal length a website will allow. I suggest contacting the website or reading their help section to find out the maximal passcode length they will allow.

    Also, like Leo suggested, I would make all passcodes a random combination of majuscule and minuscule letters as well as numbers. I admit that I tend to shy away from special characters, as some websites do not seem to understand special characters. There are so many special characters too, even way more than what is on an ordinary qwerty keyboard. And, if we start to discuss non-standard and non-Latin letters, then there are even more. Seemingly, many servers and websites do not understand those characters either.

    For the benefit of persons reading this article, I would like to mention two great passcode generators that I like to use:

    Chaos Generator by SafeSoft:
    http://safechaos.com/cg.htm

    PassGEN by Abhishek:
    http://myfreewares.weebly.com/passgen.html

    Both of these softwares are similar in appearance and how they work. And, they are both easy to use. They can generate passwords of any length and as many at one time as you would like. I normally like to produce a list of over a thousand passcodes at a time, then save them to a notepad and pick out ones that I want to use. Also, I will mention that I use Zone Alarm firewall, and neither of these two softwares have ever suddenly out-of-the-blue “phoned home”, otherwise, ZA would have alerted me.

    I have developed my own manual password management system, as I am not willing to use password managers that are supposedly freeware. I am not willing to wake up one day to find software on my computer that was once freeware to now be a paid version, thereby leaving me locked out of my passcodes. I use a program called Mince, in order to manually archive and save my passcodes onto notepads. It can be found at:

    http://bluefive.pair.com/mince.htm

    I admit that my methods of online security are somewhat intensive and laborious, but me and my computers are worth that effort I put into online security.

    Also, I recommend changing your account passcodes at least monthly or quarterly too. As far as robertprice’s comments about having too many different passcodes as being unreasonable. Perhaps you are on too many websites in the first place. Good online security and living a virtual life are nearly incompatible. And, this brings me to the second point that I agree with Leo on…

    2. Use a different passcode for each online account you have. Why is that? For example, websites such as Plenty of Fish are easily hacked into. Once a hacker is into someone’s account, they can easily find your email address in your account information section. And, if your email passcode is the same as your PoF account passcode, then wal-lah: the hacker also has your email passcode too.

    This is especially problematic nowadays as there is now a great deal of spam and phish being sent out via normal email. Spammers and phishers like to use “established email accounts” nowadays for their well-developed contact list. Unsuspecting victims (the email recipients) imagine that they got an email from someone they know and trust, only to find out cold, hard reality once they mistakenly click a link or open an email attachment imagining that they received the email from someone they trusted.

    If an email account had been legitimate for years but suddenly is hijacked, then those spammers are harder to be detected by ordinary spam filters in the email industry. Email account hijacking nowadays is a dime a dozen. And sadly, many people are too irresponsible to let the people on their contact list to know their account was hijacked in order to ignore any emails from that account.

    So, I totally reaffirm Leo’s idea of keeping different passcodes for different accounts. Even if you have online throwaway accounts, if they are linked in any way to some other account of yours that you value, then that is a potential security breach.

    I personally use Lavabit email accounts, as in the past two years that I have had my email with them, I have never once received a spam or phishing email. Seemingly, they have a bullet-proof email account system. I have not found a better email carrier on the internet yet. However, I still change my passcodes monthly or quarterly, depending on how I use the account.

    Also, I highly suggest keeping a good antivirus, firewall and several anti-spyware engines on your computer too. Getting a trojan or keylogger in your computer can be very devastating to your computer and personal security too. I always say that old-fashioned viruses were only meant to wreck your computer. But nowadays, adware and spyware are meant to wreck your life!

    I feel it is a matter of self-respect and personal responsibility to keep my computers clean and fit for duty. Many people do not, so you cannot rely on your online virtual friends to not infect your computer with theirs. I feel that sharing computers nowadays is like someone who is sharing their toothbrush and underwear with someone else. As far as I am concerned, computers are not toys whatsoever. As Americans, it is our second amendment right and responsibility to protect ourselves. Often times, using my brain and some common sense are my best line of defense, especially in the cyber world!

  18. I see KeePass Password Safe recommended. How can I be sure this is a safe program and not someone who tries to hack all my passwords?

  19. I don’t recall if it was a link to this article or some other place. But that article said that phrases with spaces make cracking even more difficult.

    For example:
    my name is bob

    with spaces, is even harder to crack than inserting symbols between the words. Opinion?

    Agree, if the system you’re using the password for accepts spaces. Many do not. But adding even one character of length is just as good, if not better.

    Leo
    29-Jun-2011

  20. Good advice. My own passwords are over 22 letters long [ calculate that time to crack hee hee ] and I always use the complete phrase of something I NEVER forget. That favorite opening line from your favorite book EG ‘itwasthebestoftimesandtheworstoftimes’
    Just an example. Notice no spaces and no funny characters – not needed because a cracker is using an engine that must go through upper AND lower case as well as numbers 1 to 0 AND funny characters like = or *. The above example is 37 letters long!!! No way, José, is a cracker going to stumble on that password this side of eternity.

  21. Looks as though my obsession with long and crazy passwords has already paid off. My “standard” password is 15 characters long and is a little modified for each site; it contains lower and upper case letters, numbers, and special characters. Also I have that nifty little code generator available for free that works on both eBay and PayPal. How do they go about getting around that step as hackers? But my pride and joy password is 25 characters with 16 special characters. No, wait, for Word documents, I use a 33 character password with 24 special characters. Yes, I am crazy.

  22. Thank you. I thought my 8 letters with numbers was safe – I’ll be changing most of my passwords now.

  23. Always having a complicated password for every different online account is almost impossible. Just in email I have several accounts that I use regularly and then you add in all the other accounts: online-banking, credit cards, social media, etc… and then to have different passwords for all of them is a pain, but necessary. However one of the first things I look for when setting up an account is if they offer 2FA (two-factor authentication) where I can telesign into my account. This gives me the confidence that my account won’t get hacked and my personal information isn’t vulnerable. Personally I think if you are just relying on your passwords (complicated or not) to protect your info you will pay the price sooner or later.

  24. In the above article you have said and I quote “62 possible characters (26 lower case, 26 upper case, 10 digits), in each of the eight positions gives us 221,919,451,578,090, or over 221 trillion, combinations.” Looking at it mathematically, if you have more characters, the resulting number will be still larger and more difficult to hack, or conversely you can get away with a shorter password. Please let me know how through Email I can send my details of the solution for finding out from an expert like you if it is feasible or not.
    Thanks.

  25. That’s Jon Snow, but I’m sure you did that to obfuscate the password even more 🙂
    There is one way to test if the website is handling passwords well. Submit a lost password request. If they send you your password, as Leo mentioned in the first footnote, you know they’re handling it wrong. However, if they send you a password reset link, you still can’t be 100% sure they are doing it right, but at least you can determine the really bad ones.

  26. Some remarks:

    1. Dictionary attacks are the reason why general-purpose hash functions are not very good for hashing passwords. Instead of SHA-256, you might want to use something really slow, like bcrypt.

    2. If a service doesn’t accept spaces, there’s a trivial fix: instead of spaces, use some other characters, like hyphens. This might even be slightly better because the space key has a distinctive sound, so someone listening to you typing your password could, theoretically, take note of that.

    3. I’m surprised you didn’t mention password managers at all. They are pretty much the only way to have a unique password for every website.

    4. An excellent tool for generating secure yet memorable passphrases is Diceware (http://diceware.com). Basically, you have a word list of 7,776 short words, and you pick each word by rolling five dice. This way, your passphrase is truly random, so its strength is easier to determine than if you choose a slightly obfuscated, but still sensible phrase from a book or a movie or whatever.

  27. Great advice as always ……..really appreciated. My latest way of dealing with passwords is – as you suggest – to create a pass-phrase. To further secure this, I have been creating a long phrase but spelling the main words phonetically – my own version so to speak. To finish off I put numerals. As commented, I have hit the problem of being forced not to have spaces and being limited to number of characters but can easily get around this.

  28. There’s another extremely important element to all of this, and that’s your ability to remember the password without writing it down!!

    Too often I hear of people who tell me they have “impressive” 18 character long passwords, then I ask them how they remember them, and they say they don’t, they simply write them down and stick them to the back of their monitors!

    I think that if you need to write down a password then it’s lost most of its benefits. It takes a fraction of a second for someone to come across this piece of paper and take a photo with a smartphone, then months later they could use the passwords and you would have no idea who was doing it.

    For me the above tips are very useful, for most people a password of 10-12 characters long which is a mixture of all possible characters but also very memorable is the best solution. Additionally, as others have said, have a 4 digit part of your password and then for different sites change that.

    E.g.

    jOHn_2001_$AVE – for Apple
    jOHn_4001_$AVE – for Microsoft
    jOHn_7001_$AVE – for Google

  29. I use a 6 digit name, 2 digit number, 3 special characters, a 6 digit name and a 2 digit number for a total of 19. Easy to remember. For other PWs I use the 4 digit of one of my aunt’s address mixed into the PW.

  30. I use the postal addresses of my childhood school friends. So I can, for example, write down “Bradley Hughes” as my aide-memoire – or even have a picture of that individual to help me remember – so the password for something may actually be “16 Acacia Avenue” (including spaces) but I have a thumbnail of Bradley Hughes referenced elsewhere to help me remember.

    Oh – and by the way Bradley Hughes and 16 Acacia Avenue are fictitious – (just in case ‘the feds’ or the dark side are watching)

    p

  31. To really secure their user’s passwords/passphrases, companies should also salt their hashes — that is, they add a bit of random data to the hash. This way, the hash CAN’T match the passphrase, unless the salt is removed first! Unfortunately, not all companies salt their hashes, and you have NO way of knowing which ones do or don’t.

    I also want to reiterate my recommendation for the book “Perfect Passwords,” which I mentioned in an earlier reply. Even though it is over thirteen years old, its author is so knowledgeable, and so forward-thinking, that the book easily remains relevant even to this day!

    The “Perfect Passphrase” is HARD. It has eight (8) parts:

    1. lowercase letters.
    2. UPPERCASE LETTERS.
    3. Numbers (1,2,3, etc).
    4. Punctuation (.,”;:? etc).
    5. Symbols (&%#@$ etc).
    6. Spaces (” “).
    7. Respelling (“reaspehleeng”) — NEVER use a word that can be found in a dictionary!
    8. Length — at LEAST 16 characters long, and the longer, the better.

    Hope this helps! 🙂
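
    To show what salting and a slow hash look like on the server side (the point raised in remark 1 of comment 26 and in the salting paragraph above), here is an added example; it is not code from either commenter or from the article. It uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for bcrypt, and the passwords and the 16-byte salt are constructed.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # deliberately slow: each guess costs the attacker this much work


def unsalted_sha256(password):
    """What the article's example service stores: one fast, fixed hash per password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt$digest (all hex)."""
    if salt is None:
        salt = secrets.token_bytes(16)  # fresh random salt for every user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Two users who happen to choose the same (constructed) password.
    alice = hash_password("correct horse battery staple")
    bob = hash_password("correct horse battery staple")
    # Unsalted: identical hashes, so one precomputed table cracks both at once.
    print(unsalted_sha256("password"))
    # Salted: different records, and each must be attacked separately and slowly.
    print(alice != bob, verify_password("correct horse battery staple", bob))
```

    With unsalted SHA-256 the "password" example hashes to the same 5e8848… value for every user of every service, which is exactly what a precomputed dictionary of hashes exploits; the salted record has to be recomputed per user, at 600,000 iterations per guess.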

  32. Leo, you wrote:

    “If they can respond to an “I forgot my password” request with your actual, current password, then they have stored your password.”

    It has just occurred to me that there is a way, at least, to test this! When you first sign up for a service, DON’T enter your real password (yet). Enter a test passphrase (your chosen passphrase, minus a few characters at the end, will do for this purpose) and then “forget” it — that is, click the “I Forgot My Password!” link, and see what you get back. If you get back “test,” abandon that site immediately, and don’t ever look back!

    On the other hand, if what you get back is, “Click here to enter a new password

  33. Never mind that last reply, I belatedly see that someone else made the same suggestion.

    [ Hey, Leo, how about adding “Edit/Delete Post” links so we can correct our mistakes?! ]

    • I would if I could, but I’m afraid the software that I use doesn’t support it, except for logged in accounts, and even then possibly only for administrators.
