Most companies and universities have password policies in place that enforce complexity requirements. But do you have a good policy you use for your personal accounts? You should create good, strong passwords for any accounts you access – your email, eBay, online merchants, your personal finance file on your system, etc.
When creating your password, it should:
- Be at least 8 characters long, but be easy to remember (more on this in a second).
- Contain at least one capital letter, a digit, and a special character along with the lower case letters. Some web sites may not allow special characters (shame on them!!), so be creative with more digits (preferably) or capital letters.
- Not be built from a dictionary word or any name – including character substitution!! For example, password is obviously a BAD password, but P@ssw0rd is also a bad password. Hacking utilities would have this figured out in very little time.
- Not contain sequences, patterns, or repeated characters, for example 123, 111, qwerty, etc.
So I mentioned making your password at least 8 characters. I tend to make them exactly 8 characters. Perhaps this is because of my past experience using UNIX systems, where only the first 8 characters were significant (standard UNIX ignored anything after the eighth character), but I also think 8 characters is easier for most people to remember. What you don’t want is to have to write the password down; it should be something you can commit to memory.
So given the rules, how do you actually create a good password? Think of a phrase seven to eight words long, then take the first letter of each word to build your password, mixing in capitals, symbols, and digits. If you use seven words, you can use punctuation as the last character. If you can easily remember a longer phrase and the password you create from it, certainly go for it. Some examples (don’t use these for yourself, though):
Phrase: I found the Science Attic really useful today
Phrase: My dog Fido is the best dog!
Phrase: Firefox is a great internet browser to use
So you get the idea. And you can get really creative with this. 🙂 So have a little fun with it, while keeping your accounts that much more secure.
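As an added example (not code from the original post), here is a small Python checker for the four rules above, plus a helper that pulls the first-letter skeleton out of a phrase the way the post describes; the word list, the substitution table and the candidate passwords are all constructed for the demo.

```python
import re
# Constructed stand-in for the word list a cracking tool would try; a real
# checker would load a full dictionary and name list.
WORDLIST = {"password", "science", "attic", "fido", "firefox", "browser"}
# Common substitutions, undone before the lookup so P@ssw0rd reads as "password".
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s", "7": "t"})
# Sequences and keyboard rows (rule 4), matched as 3-character runs either way.
SEQUENCES = ["0123456789", "abcdefghijklmnopqrstuvwxyz", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

def _trigrams(s):
    return {s[i:i + 3] for i in range(len(s) - 2)}

PATTERN_TRIGRAMS = set()
for _seq in SEQUENCES:
    PATTERN_TRIGRAMS |= _trigrams(_seq) | _trigrams(_seq[::-1])

def check_password(pw):
    """Return the rules from the post that pw violates; [] means it passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    for label, pattern in [("capital letter", r"[A-Z]"), ("lower-case letter", r"[a-z]"),
                           ("digit", r"[0-9]"), ("special character", r"[^A-Za-z0-9]")]:
        if not re.search(pattern, pw):
            problems.append("no " + label)
    # Rule 3: undo substitutions, drop non-letters, then look the word up.
    core = re.sub(r"[^a-z]", "", pw.translate(LEET).lower())
    if core in WORDLIST:
        problems.append("dictionary word or name (after undoing substitutions)")
    # Rule 4: repeated characters, sequences and keyboard patterns.
    low = pw.lower()
    if re.search(r"(.)\1\1", low):
        problems.append("three or more repeated characters")
    hits = sorted(_trigrams(low) & PATTERN_TRIGRAMS)
    if hits:
        problems.append("sequence or keyboard pattern: " + ", ".join(hits))
    return problems

def phrase_skeleton(phrase):
    """First letter of each word (case kept) plus any closing punctuation.
    This is the raw material; digits and symbols are still swapped in by hand."""
    words = phrase.split()
    skeleton = "".join(w[0] for w in words)
    if words and not words[-1][-1].isalnum():
        skeleton += words[-1][-1]
    return skeleton

if __name__ == "__main__":
    for pw in ["P@ssw0rd", "Qwerty123!", phrase_skeleton("My dog Fido is the best dog!"), "MdF1tbd!"]:
        print(pw, "->", check_password(pw) or "OK")
```

Running it shows the skeleton "MdFitbd!" still fails on the digit rule until you swap one in (the constructed "MdF1tbd!" passes), while "P@ssw0rd" is caught as "password" once the substitutions are undone.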
3 replies on “Creating Good Passwords”
Windows stores passwords less than 14 characters long in an easy-to-hack way with things like a USB Switchblade. We force 15-character minimums where I work.
I used to stay between 6 and 8 myself because of old networking things (like DOS and LAN Manager) that choked on anything more than 8. Yes, that was a LONG time ago, but habits die hard.
We use actual phrases for passwords and that makes it kind of cool to remember when your password is something like “Why do I n33d a long password?”
Hi Scott and thanks for stopping by. You raise a good point that tripped something in my brain from a long while back when I used to be more involved in the Windows end of things. I’m not certain of Vista, but if I remember right, Windows NT/2000/XP and Server 2003 would store passwords in both an NT hash and an LM (LAN Manager) hash if the password was under 14 or 15 characters. The LM hash was used for backward compatibility with Windows 95/98 and I think older Mac clients (OS 9 and before??). The LM hash was a weaker hash, but could be disabled through Group Policy or perhaps a registry edit.
As I mentioned though, my info could be a bit dated or inaccurate. Now you’ve got my curiosity going though 🙂 , so when I have a bit of time, I’ll probably research it further.
[…] is originally a post I did back in 2008, which I have edited to tweak some of my original recommendations. This has […]