Aim for the best.
The password I recall the most vividly was used to access a status terminal in the computer center at school. I don’t recall the account ID, but after over 40 years I can still remember the password.
iforgot
A very memorable, horrible password.
It was appropriate at the time because it was a public-access terminal — anyone could sign in — and for some reason, a password of some sort was required. They made it simple and even had it posted on the terminal itself.
There was zero security.
You want something better. There are a number of techniques for generating strong passwords. I’ll review some from best to worst.
Become a Patron of Ask Leo! and go ad-free!
Your best approach to passwords
- Long with random characters: SBH2F%b^xDCUQf5frqBR
- A pass phrase: long with multiple random words: drying karen ruth afoot sauce
- Medium-length words with padding: *-*-*breakfast pancakes*-*-*
- Medium-length words with random characters: l)ws7.BOZ1
- Shorter with padding: *4*iforgot*4*
- Shorter with random characters: (8dQ,]a
Regardless, use different passwords on every site and use a password vault to track them all.
My criteria
These are my personal opinions and are based on the last 20 years of helping people with their passwords.
My criteria are simple:
- Passwords must be able to resist automated brute-force “try every password” attacks.
- Passwords must be very unguessable.
- Passwords must be extremely unlikely to have been encountered anywhere else.
In some cases, but not all, it would also be nice if they were easy to memorize.
I’m ruling out some of the more esoteric approaches, even though they might be secure, because it’s important these techniques be practical as well as secure.
My assumptions
I strongly recommend using two-factor authentication, but the ranking below assumes you’re not. While adding two-factor doesn’t change my ranking, in some ways it minimizes the differences in security between approaches.
I assume you’re not going to use the same password on multiple sites, period. That’s one of the most dangerous security practices regardless of the strength of your passwords.
I assume you’re using a password vault of some sort. While being able to remember some passwords might be nice, it’s just not practical when using strong, long, passwords that are different for every account. This is one of the reasons that I and so many others strongly recommend using password vaults: they enable the use of strong passwords on different sites without taxing your memory or your patience.
#1: Long random characters
Password: SBH2F%b^xDCUQf5frqBR
The strongest approach is the one you may be most afraid of: long strings of completely random characters. The example above is a 20-character password generated by a password manager. There are many other tools that generate passwords for you, and many also let you control what kinds of characters are used.
Since not all special characters can be used on all systems, my own default configuration is to use 20-character passwords without special characters. At 20 characters, that’s more than sufficiently strong. If a special character is required by the site, then I’ll add one manually.
Using 20 random-character passwords is considered so strong that the length doesn’t even appear on many “how long would it take to crack” password reports. The last report I looked at topped out at 14 — and that took 968 centuries to crack using a large distributed system (perhaps a very large botnet). My recommendation of 20-character passwords is future-proof, and possible because I use a password vault.
#2: The passphrase: long with multiple random words
Password: drying karen ruth afoot sauce
These are also known as pass phrases.
We all remember “correct horse battery staple” from the XKCD cartoon. That shows you just how memorable words can be. If you can build a picture (as the cartoon describes) of some nonsense scenario involving randomly selected words, all the better to help you recall it without any aid.
Our example — a 29-character password created by five completely random words — is great. A five-random-word password would take a large distributed system of many computers 14 years to crack. That seems plenty secure. (Include spaces if you’re so inclined and the service supports it. If not, running them all together is also a fine approach: “dryingkarenruthafootsauce”, or perhaps capitalize instead: “DryingKarenRuthAfootSauce”.)
This is a good solution for passwords you must remember — perhaps the password to your password vault itself.1
I use a slightly less secure variation described below.
#2a: Long with multi-word mangled phrases
Password: Obi-Wan you’re my only soap
That’s memorable, and at 27 characters, it’s plenty long to defeat brute force attacks. It’s a slight mangling of a phrase that’s well known in pop culture.
What makes it secure against guessing is the mangling: it starts two words into the phrase, drops one word, and includes a word not in the original. If that doesn’t seem mangled enough for you (though I believe it is), you can certainly do more to obfuscate the actual words used while maintaining the memorableness of the phrase. Just remember how you mangle it.
I use this technique for passwords I need to remember. I have a specific phrase and the techniques I used to mangle it memorized.
There are many variations of this technique. For example, using the first letter of each apparently random word to spell out a memorable keyword. Remembering kitten might be the doorway to help you remember your password as “kitten incite Tuesday tornado else nothing”.
#3: Medium-length words with padding
Password: *-*-*breakfast pancakes*-*-*
Length trumps just about everything when creating a password resistant to brute-force cracking. So a combination of random or semi-random words with some standard padding can end up being quite secure.
The example here is a password made up of two common words with padding added before and after. In this case, the padding is a pattern. Adding an easily recalled padding pattern to a password or passphrase is a useful technique.
At 28 characters, this password is not going to be brute-forced, and while “breakfast pancakes” might be a word pattern used in some password guessers, adding a pattern of your own creation thwarts that as well.
#4: Medium-length random characters
Password: l)ws7.BOZ1
This is nothing more than our #1 technique but shorter: 10 characters instead of 20. This technique creates a “good” password that would take nine years to crack using a multi-computer attack. You can, of course, adjust the length as you see fit, but for a truly random selection, I would not go below 10 characters.
As a variation that’s easier to type, a 12-character password using only upper and lower case alphanumeric characters (example: “qqkCapnm5Jx7”) would take 24 years to crack.
This approach is why my current recommendation for basic passwords is 12 random characters or longer, giving you the flexibility to make it easy to type by eliminating special characters if you want.
#5: Shorter with padding
Password: *4*iforgot*4*
I keep coming back to length and padding as great ways to make those old passwords you remember so easily much more secure. In this example, I’ve taken that memorable but horrible password I used 40 years ago and made it significantly more secure by adding a simple pattern of my own creation before and after. It’s now a good, secure, 13-character password.
#6: Shorter random characters
Password: (8dQ,]qa
If you must use a password less than 12 characters in length — as, unbelievably, some older systems still require — then your only secure option is to use passwords of completely random characters, including letters, numbers, upper and lower case, and special characters.
This is your “least bad” option under those constraints.
Do this
I will continue to beat the drum for using a password manager for two very important reasons:
- It makes using the most secure techniques for password generation easy.
- It makes using a different password on every site easy.
Add two-factor authentication for additional security wherever possible, but regardless, use the strongest passwords you possibly can.
Want more help keeping yourself safe and using your technology with less hesitation? Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
Podcast audio
Footnotes & References
1: The UK’s National Cyber Security Centre recently suggested three random words as an approach for memorable passwords.
Unless specified otherwise, our example passwords were generated using passwordcreator.org. That site also includes tables calculating how long it would take to brute-force crack different passwords under different conditions.
You mentioned that you have LastPass generate passwords without special characters but the example you cave SBH2F%b^xDCUQf5frqBR contains the special characters % and ^.
From my experience, I haven’t seen many sites that disallow special characters, if any, and many sites which require at least one special character plus a number and mixed case letters. I know you can just add a special character when required, but it would be easier to remove the special characters in the rare case you encounter a website which disallows them.
I take the opposite approach — alphanumeric only unless special characters are needed. I feel more than comfortable doing so because my passwords are excessively long (20). (Among other reasons, it makes double-click to select the password work, which special characters can sometimes interfere with.)
One bank I use to use, assigned a six character numeric password to log in, but they also required a onetime password from a printed list they sent out by post. At first, you could use any number from the list but as time went on, they began to up their security by giving you a sequence number and you had to give them the corresponding TAN (Transaction Account Number – a one time password). Later, they upgraded to an SMS text TAN, and finally, they switched to an app. I’ll take that second factor over a long strong random password. The strong password my protect against a brute force attack, but there are other ways to capture it like a keylogger or shoulder surfing with a camera or a photographic memory.
Since writing that comment, my bank has upgraded their second factor twice. First, they switched to SMS Text, but I believe EU law banned banks from using SMS. Now they have an app that generates a one-time TAN (Transaction Authentication Number) or you can click on a link in the app to allow the transaction.
In short… come up with a decent password with some padding for use as a master password for your password manager (NOTE: in all likelihood, as long as your master password is not too weak your probably good enough a large portion of the time since it’s not likely a person would have to worry about someone bruteforcing their password managers database file etc) which should not be difficult to remember, and then let the password manager handle all of the passwords for random sites you got.
longer answer/more info…
for those who want to generate guaranteed secure passphrases using dice… “eff dot org/dice” using “EFF’s Long Wordlist” and six words is a recommended minimum. basically with five dice and with each roll of those five dice will give you one word from that text file (a single die will work but it’s going to take much longer (i.e. thirty single dice rolls vs six rolls with five dice at once. I am assuming a six word passphrase here)) reading from left to right (or right to left) as they fall onto the floor/table in front of you. this is guaranteed secure as long as your using actual dice to generate the passwords and not picking what words you personally like.
this is a bit overkill, but is guaranteed secure since it also uses dice… for the more paranoid types that don’t trust the random generation of their password manager, one can use three dice and with each roll of those three dice will give you one character on a keyboard. so to get a 20-character randomly generated password you would have to roll those three dice a minimum of 20 times (I say minimum because it’s possible to get a ‘blank’, so then you got to roll those dice again). to use this method go to… “theworld dot com/~reinhold/dicewarefaq.html” and scroll down to “How do I use dice to create random character strings?”. one last thing… I suggest using at least one lower case letter, one upper case letter, a number, a symbol in the passwords you generate. but in my experience that usually happens if you roll passwords of sufficient length, say 20 characters (or so) or longer. but since it’s random this won’t always be the case. a example 20-character password I generated using actual dice with this method is… ^:!G|e^r>2×3$`-yd9z4
but randomly generated passwords (your Option #1) is not always better than passphrases (your Option #2) provided the passphrase length is sufficient and your selecting truly random words using actual dice to generate those words (i.e. Diceware as mentioned above).
for example… a 20-character password generated using all keys on a standard keyboard (minus ‘spacebar’) is pretty much the same security to a 10-word Diceware passphrase. 129.2 (10-word Diceware passphrase) vs 131.1 (20-character random password) bits of entropy. for measure… a six word Diceware passphrase (which I mentioned above as a recommended minimum length) is 77.5 bits of entropy which is similar to a 12-character randomly generated password (i.e. 78.7bits of entropy).
I would not worry too much on getting a super secure ‘master password’ to ones password manager. I say this because it’s probably not likely someone would ever attempt to brute force that password database file, especially if your not in a situation where physical theft would be a problem, as ones computer is probably more likely to get compromised with malware/keylogger etc and having passwords compromised that way vs someone stealing your password managers database file and trying to brute force it.
plus, even if someone did steal your password managers database file, like say if someone physically stole your laptop for example (or even if someone steals the password database file from your computer), I can’t imagine most of those types would even bother to get into your password managers database file (if they do try, I suspect it won’t be for long) which is why I figure a decent password paired with some padding, so the password length is a bit longer (call it somewhere in the ball park of 30-characters) will almost surely be enough to keep them from getting access to your passwords stored in the password manager even if they did attempt some level of brute force since the common person likely won’t be worth much of their time especially if they can’t crack it in a short period of time.
You say “guaranteed secure” password? Using a finite and published list of dictionary words?
Who is doing the guaranteeing?
If you went to eff.org/dice as he suggested, you’d have seen the following statement. Two to the 77th power is a pretty solid “guarantee.”
“This passphrase is one of 221073919720733357899776 (or about 2⁷⁷) alternatives that could have been chosen by this method. With so many possibilities, this passphrase will be very hard to guess by brute force.”
This is a nice list of methods, but since you recommend using a password manager anyway, doesn’t it negate the need for it ? Apart from the master password for that password manager, of course.
You could as well set your program to generate, and apply, 20-character random passwords, and call it a day. Or 30-character passwords, or more. I have one email account with a 100-character password, and non-Latin characters, just because the service allows it.
Indeed, that’s pretty much what I do. (20 random, let LastPass deal with it).
But not everyone wants the same solution, hence I present a pallete of options.
Does it really take 968 centuries to guess a twenty character password? I believe the proper phrasing would be “up to 968 centuries”. Isn’t it remotely possible that the password could be guessed on the very first try, or equally possible on any of the subsequent tries? 968 centuries assumes that the password is guessed on the absolute last possible arrangement of the characters.
I believe (though have not confirmed) that 968 centuries is the average. So somewhere between instant and 1936 centuries, with what I would assume to be a flat distribution over that time. Anything “soon” is so statistically unlikely that it’s effectively close enough to zero chance.
Agreed. But, it still could happen! That is statistics for you.
My master passphrase for my Lastpass vault is a line, punctuation and all, from an obscure poem my Dad liked and used to recite to us kids. After many repetitions I had it burned into my memory. I did alter a couple words, however, just in case. It’s not like my password vault contains the key to Fort Knox, anyway. A long Lastpass generated password coupled with 2FA where available works for me! Incidentally I use Authy where I can, which is nice because it syncs across multiple devices. I’ve toyed with other password vaults over the years (Roboform, Nordpass and a few others) but keep coming back to Lastpass as suiting my requirements the best.
I use KeePass for my password vault, just to keep track of all my different accounts and passwords. But my technique for picking passwords is a hybrid of passphrases and randomization — using a method that makes it relatively easy for me to remember (in most cases) even without a password manager. Here’s what I do.
I start with a phrase that’s memorable (at least to me). Then I use the first letter of each word (including capitalization), along with whatever numbers are included in full. So, for example, I might select this phrase: “I liked hiking the Green Mountains of Vermont back in 2017.” That results in the password: “IlhtGMoVbi2017”.
That’s a 14-character password with both upper and lower case characters plus numbers, which I can be confident won’t appear in any dictionary. And if I plug that password into the password checker at Security.org, they say it would take about 9 million years to crack it. Yet it’s something that I can remember how to type even without opening up my KeePass database. Combine that with 2-factor authentication, and I don’t think anyone’s going to successfully hack into my accounts.
I like a similar method to the one Tom uses. You can insert a couple of letters from the website so that you have a unique password for each website and you can easily remember them all. So I would change “I liked hiking the Green Mountains of Vermont back in 2017.” to “I hiked the Green Mountains of Vermont in 2017go.” the “go” would be for Google. My password would be “IhtGMoVi2017go.” I changed words in the phrase to keep the password length at 14 characters.
For askleo.com, I would change the “go” to “as” so my new unique pass phrase would be “I hiked the Green Mountains of Vermont in 2017as.” And my new password would be “IhtGMoVi2017go.” I might have another company with the same two letters, but it wouldn’t make much difference if I have two companies with the same password as long as most of them have unique and easily remembered passwords.
But what about passwords you have to type in on a phone keyboard? Special characters key board is 3 keyboards away. I admit that I am not good at typing on a phone. Long passwords take forever to key in and some apps won’t let you see what you are typing.
I use LastPass on my phone and it takes care of everything. My LastPass password doesn’t have any special characters.
I have a very good memory for numbers – I use my last 4 license plate numbers including one from 30 years ago when I lived in another state. I use a mix of upper and lower case letters and connect the plate number with math operators.
I could be mistaken, Leo, but I seem to distinctly recall reading that rainbow tables exist for all possible passwords of 16 or fewer characters, putting the security of passwords 12 characters or fewer in length in serious doubt.
Twenty characters (or more!) is probably best for the time being.
The technique of stringing together a set of random words reminds me of what the (alas! now defunct) CompuServe Information Service did: they required that passwords be two unrelated words, separated by a random special character. In today’s terms, this wouldn’t be especially secure, but it was adequate “back then,” and making up new ones for changing every few months was actually a lot of fun. My favorite CIS password by far was, “Sanhedrin%Forklift” (with “Finial#Aglet” running a very close second).
Try to top THOSE for pairs of unrelated words! :o
Am I wrong in this thinking …
Use the “I forgot my password” link on ALL sites. You need to only remember your email password and maybe a few of your more frequent sites. We do that anyway, right? You’ll never need a password vault or a written list ever again. Obviously, the new password you enter can be as long as they’ll let it. Just roll your hands around on the keyboard until you have 50 characters or more.
Don’t get me wrong, it’s slightly more time consuming but to never have to worry about your vault being hacked seems worth the time to me. I’ve never committed to this because I fear losing my free email account. If I were to commit, I’d go the route of a purchased email server (for support).
You certainly could go that way, but it seems terribly risky. You CAN NOT SIGN IN TO ANY ACCOUNT if you don’t have access to your email, for any reason. Period. Obviously it could be your email being hacked, but it could be any number of other factors from loss to annoyance. Remember also, email is not guaranteed to be instant. You could find yourself waiting minutes, or even HOURS, for that password reset email to arrive.
Set a password. Use a vault. It’s still less risky than any other pragmatic alternative people have proposed.
A password vault is very safe. Buuuut If you’re like me the instructions to using the thing are damn near Greek. No Greek interpreter available in my circle. So I keep going back, I will figure it out a some point, but it is daunting. Your information above will help while I work with the instructions for the vault.
Best password (strongest) is when you type in English (your name for example) while your keyboard language setting is set to another foreign language e.g Urdu. This is true when using a PC keyboard.
The password mania is silly. Most compromised accounts come from hackers getting into business databases that are not sufficiently secured. In one hack they can get thousands of passwords. If you are an ordinary citizen no one is going to spend time trying to crack your password for Facebook.
And yet for some reason I hear about it happening all the time. Good password hygiene remains critical.
It might be true that “no one is going to spend time trying to crack your password for Facebook” but once they have the passwords, they are often sent to botnets, a network of computers infected with malware that scours the web looking to hack accounts. It’s done by automation.
Leo – Speaking of passwords… any comment on “Q-day”? I’m absolutely terrified if that day ever comes, but I’m not going to lose any sleep over it right now.
Like you I’ll worry about it when it’s real.
Q-day is what 2FA is for :)
You could always use the method that Cloudflare uses. A really neat method and great for their publicity: https://www.cloudflare.com/learning/ssl/lava-lamp-encryption/
While that is VERY cool, it actually doesn’t apply to how you and I create and use passwords at all.
Response to Mark Jacobs “…but once they have the passwords”. In that case the complexity, randomness or length of the password is not very important (but I’m not saying to give up on making strong passwords).
And to Wilcox: You don’t need Q-day to hack 2FA. Hackers are very clever. It’s their job.
Finally a personal experience with “passwordless Microsoft”: I had a Microsoft account that I hadn’t logged into for years. So, when I tried to log into it recently it came back and said my account is locked. OK, so I pressed the button for forgot password. It presented a screen for me to enter an email address. I entered an email that I’m 100% sure that Microsoft does not have – at least not associated with this locked account. So, Microsoft sent me a code via that (new) email and I got into my account. Cool.
Are you sure you didn’t associate that account with your MS account? I’m sure you did, because if what you said were true, we’d be getting hundreds of questions daily from people whose MS accounts were hacked.
Oh I’ll worry about it if/when it gets here. A few of my computer trade journals say it will likely be very easy for hackers to raise mayhem with many utilities, communications, energy, transportation… anything that’s connected to the internet and has a password. That is unless something better comes along regarding password authentication.
That’s why 2FA is essential.
I feel that one of the policies you share is too restrictive: the prohibition against using the same password for more than one web site. Although that’s a really important policy for important sites, more trivial sites also need passwords. I am less careful about passwords that I use on entertainment sites that feature gaming, video, or music.
Even sites people consider to be trivial can be compromised, and in doing so, can lead to much larger problems particularly when the password is reused, even with other “unimportant” sites.
As this article points out, with AI, even medium length passwords are not good enough any longer.
https://www.pcworld.com/article/1782671/ai-can-crack-most-passwords-faster-than-you-can-read-this-article.html