Aim for the best.
My most memorable password accessed a status terminal in the computer center at school. I don’t recall the account ID, but after 40+ years I can still remember that the password was iforgot.
A very memorable and horrible password.
It was appropriate at the time because it was a public-access terminal — anyone could sign in — and for some reason, a password of some sort was required. They made it simple and even had it posted on the terminal itself.
There was zero security.
You want something better. There are a number of techniques for generating strong passwords. I’ll review some, from best to worst.
Password approaches, from best to worst, with examples:
- Long with random characters: SBH2F%b^xDCUQf5frqBR
- Long with multiple random words: drying karen ruth afoot sauce
- Medium-length words with padding: *-*-*breakfast pancakes*-*-*
- Medium-length words with random characters: l)ws7.BOZ1
- Shorter with padding: *4*iforgot*4*
- Shorter with random characters: (8dQ,]a
Regardless, use different passwords on every site and use a password vault to track them all.
These are my personal opinions and are based on the last 18+ years of helping people with their passwords.
My criteria are simple:
- Passwords must be able to resist automated brute-force “try every password” attacks.
- Passwords must be very unguessable.
- Passwords must be extremely unlikely to have been encountered anywhere else.
In some cases, it would also be nice if they were easy to memorize.
I’m ruling out some of the more esoteric approaches, even though they might be secure, because it’s important these techniques be practical as well as secure.
I strongly recommend using two-factor authentication, but the ranking below assumes you’re not. While adding two-factor doesn’t change my ranking, in some ways it minimizes the differences in security between approaches.
I assume you’re not going to use the same password on multiple sites, period. That’s one of the most dangerous security practices, regardless of the strength of your passwords.
I assume you’re using a password vault of some sort. While being able to remember some passwords might be nice, it’s just not practical when using strong, long passwords that are different for every account. This is one of the reasons that I and so many others strongly recommend using password vaults: they enable the use of strong passwords on different sites without taxing your memory or your patience.
#1: Long random characters
The strongest approach is the one you may be most afraid of: long strings of completely random characters. The example above is a 20-character password generated by LastPass. There are many other tools that generate passwords for you, and many also let you control what kinds of characters are used.
Since not all special characters can be used on all systems, my own default configuration is to use 20-character passwords without special characters. At 20 characters, that’s more than sufficiently strong.
Using 20 random-character passwords is considered so strong that the length doesn’t even appear on many “how long would it take to crack” password reports. The last report I looked at topped out at 14 — and that took 968 centuries to crack using a large distributed system (perhaps a very large botnet). My recommendation of 20-character passwords is future-proof, and possible because I use a password vault.
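The random-character approach is easy to reproduce yourself. The following is an added example, not code from the article or from any password tool it mentions: it draws each character from a cryptographically secure source (`secrets`), lets you drop special characters the way the article’s own default does, and reports the resulting entropy in bits. The same function covers the shorter variants (#4 and #6) by changing `length`. The character classes, the guess rate used in the demo, and the function names are all assumptions of this example.

```python
import math
import secrets
import string

# Character classes to draw from. SPECIALS is a constructed set for this
# example; a real generator lets you pick which symbols a site accepts.
LETTERS_DIGITS = string.ascii_letters + string.digits   # 62 characters
SPECIALS = "!@#$%^&*()-_=+[]{};:,.<>?/"                 # 26 characters


def random_password(length: int = 20, allow_special: bool = True) -> str:
    """Return `length` characters chosen uniformly at random (CSPRNG) from
    the selected alphabet. Each position is independent, so strength in
    bits grows linearly with length."""
    if length < 1:
        raise ValueError("length must be positive")
    alphabet = LETTERS_DIGITS + (SPECIALS if allow_special else "")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for `length` independent uniform picks from an
    alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def expected_years_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected time for an attacker to find the password by brute force,
    i.e. after trying half the keyspace at the given guess rate. The rate
    is an assumption supplied by the caller."""
    guesses = 2 ** (bits - 1)
    return guesses / guesses_per_second / (365.25 * 24 * 3600)


def uses_only(password: str, alphabet: str) -> bool:
    """True if every character of `password` is in `alphabet` (useful for
    checking a site's character restrictions before saving)."""
    return all(ch in alphabet for ch in password)


if __name__ == "__main__":
    pw = random_password(20, allow_special=False)
    bits = entropy_bits(20, len(LETTERS_DIGITS))
    # Assumed attacker rate of one trillion guesses per second (constructed figure).
    years = expected_years_to_crack(bits, 1e12)
    print(pw, f"{bits:.1f} bits", f"about {years:.2e} years")
```

Twenty characters from the 62-character alphanumeric alphabet give roughly 119 bits, which is why the article’s no-specials default loses nothing meaningful: dropping 26 symbols costs under 5 bits at this length, far less than shortening the password would.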
#2: Long with multiple random words
Password: drying karen ruth afoot sauce
We all remember “correct horse battery staple” from the XKCD cartoon. That shows you just how memorable words can be. If you can build a picture (as the cartoon describes) of some nonsense scenario involving randomly selected words, all the better to help you recall it without any aid.
Our example — a 29-character password created by five completely random words — is great. A five-random-word password would take a large distributed system of many computers 14 years to crack. That seems plenty secure. (Include spaces if you’re so inclined and the service supports it. If not, running them all together is also a fine approach: “dryingkarenruthafootsauce”, or perhaps capitalize instead: “DryingKarenRuthAfootSauce”.)
This is a good solution for passwords you must remember — perhaps the password to your password vault itself.
I use a slightly less secure variation described below.
#2a: Long with multi-word mangled phrases
Password: Obi-Wan you’re my only soap
What makes it secure against guessing is the mangling: it starts two words into the phrase, drops one word, and includes a word not in the original. If that doesn’t seem mangled enough for you (though I believe it is), you can certainly do more to obfuscate the actual words used while maintaining the memorableness of the phrase. Just remember how you mangle it.
I use this technique for passwords I need to remember. I have a specific phrase and the techniques I used to mangle it memorized.
There are many variations of this technique. For example, use the first letter of each apparently random word to spell out a memorable keyword: remembering kitten might be the doorway to recalling your password as “kitten incite Tuesday tornado else nothing”.
#3: Medium-length words with padding
Password: *-*-*breakfast pancakes*-*-*
Length trumps just about everything when creating a password resistant to brute-force cracking. So a combination of random or semi-random words with some standard padding can end up being quite secure.
The example here is a password made up of two common words with padding added before and after. In this case, the padding is a pattern. Adding an easily recalled padding pattern to a password or passphrase is a useful technique.
At 28 characters, this password is not going to be brute-forced, and while “breakfast pancakes” might be a word pattern used in some password guessers, adding a pattern of your own creation thwarts that as well.
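The word-based approaches (#2, random words, and #3, words with padding) can be generated the same way. This is an added example, not code from the article or from passwordcreator.org: it picks words with `secrets`, joins them in the three styles the article mentions (spaces, run together, capitalized), wraps the result in a padding pattern, and reports entropy. The word list is a small constructed one so the block runs offline; the entropy function takes the real list size as a parameter (the common Diceware list has 7,776 words). Note that the entropy figure counts only the randomly chosen words: the padding adds length and defeats a plain dictionary guess, but it only adds unpredictability if the pattern itself is not known to the attacker, so treat the words-only number as the conservative one.

```python
import math
import secrets

# Constructed word list for the example. A real generator would use a large
# published list; entropy depends on the list size, not on these words.
WORDS = [
    "afoot", "anchor", "breakfast", "cactus", "drying", "ember", "falcon",
    "garden", "harbor", "island", "karen", "lantern", "meadow", "nutmeg",
    "orbit", "pancakes", "quartz", "ruth", "sauce", "tundra", "velvet",
    "walnut", "yonder", "zephyr",
]


def random_words(count, words=WORDS):
    """Pick `count` words uniformly at random, with replacement, using a
    cryptographically secure source."""
    if count < 1:
        raise ValueError("count must be positive")
    return [secrets.choice(words) for _ in range(count)]


def join_words(words, style="spaces"):
    """Combine the words the way the article describes: separated by
    spaces, run together, or run together with each word capitalized."""
    if style == "spaces":
        return " ".join(words)
    if style == "joined":
        return "".join(words)
    if style == "capitalized":
        return "".join(w.capitalize() for w in words)
    raise ValueError(f"unknown style: {style}")


def pad(core, pattern="*-*-*"):
    """Add a fixed padding pattern before and after the core phrase."""
    return f"{pattern}{core}{pattern}"


def passphrase_entropy_bits(count, list_size):
    """Entropy contributed by `count` random picks from a list of
    `list_size` words; separators and padding are not counted."""
    return count * math.log2(list_size)


if __name__ == "__main__":
    picked = random_words(5)
    print(join_words(picked))
    print(join_words(picked, "capitalized"))
    print(pad(join_words(random_words(2))))
    # With this toy list each word is worth log2(24) bits; with a 7,776-word
    # list, five words give about 64.6 bits.
    print(f"{passphrase_entropy_bits(5, len(WORDS)):.1f} bits (toy list)")
    print(f"{passphrase_entropy_bits(5, 7776):.1f} bits (7,776-word list)")
```

The padded two-word example reproduces the article’s 28-character `*-*-*breakfast pancakes*-*-*` when those two words are the picks, and `join_words(..., "capitalized")` gives the `DryingKarenRuthAfootSauce` form for sites that reject spaces.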
#4: Medium-length random characters
This is nothing more than our #1 technique, but shorter: 10 characters instead of 20. This technique creates a “good” password that would take nine years to crack using a multi-computer attack. You can, of course, adjust the length as you see fit, but for a truly random selection, I would not go below 10 characters.
As a variation that’s easier to type, a 12-character password using only upper and lower case alphanumeric characters (example: “qqkCapnm5Jx7”) would take 24 years to crack.
This approach is why my current recommendation for basic passwords is 12 random characters or longer, giving you the flexibility to make it easy to type by eliminating special characters if you want.
#5: Shorter with padding
I keep coming back to length and padding as great ways to make those old passwords you remember so easily much more secure. In this example, I’ve taken that memorable but horrible password I used 40 years ago and made it significantly more secure by adding a simple pattern of my own creation before and after. It’s now a good, secure, 13-character password.
#6: Shorter random characters
If you must use a password less than 12 characters in length — as, unbelievably, some older systems still require — then your only secure option is to use passwords of completely random characters, including letters, numbers, upper and lower case, and special characters.
This is your “least bad” option under those constraints.
Making it easier
I will continue to beat the drum for using a password manager for two very important reasons:
- It makes using the most secure techniques for password generation easy.
- It makes using a different password on every site easy.
Add two-factor authentication for additional security wherever possible, but regardless, use the strongest passwords you possibly can.
Footnotes & References
Unless specified otherwise, our example passwords were generated using passwordcreator.org. That site also includes tables calculating how long it would take to brute-force crack different passwords under different conditions.