
The Security Tango℠

Passwords

Click here to see the 100,000 most-hacked passwords (be patient...)

A guide to good passwords

There are a few things you need to do to make strong, secure, hard-to-break passwords. Following these steps won't guarantee you can't be hacked, but they go a long way toward protecting you.

Longer Passwords are Better

Passwords should be a minimum of 17 characters (yes, that's 17 characters, but relax! We'll make it easy shortly). The longer, the better. A 7-character password that uses upper and lower case letters, numbers, and punctuation can be cracked in seven tenths of a second. A 17-character password drawn from the same mix can resist cracking for up to 13.44 billion centuries! (Both figures assume an attacker trying every possible combination at the same fixed speed, typically offline against a stolen copy of your password's hash; the real speed depends on how the site stores passwords and on the attacker's hardware, but the gap between the two times is what matters.) Why make it easy for the bad guys?

But length is only the beginning.

Make Your Password Complex

That "13.44 billion centuries" above is only valid if you use a combination of upper case letters, lower case letters, numbers, and punctuation, because then the attacker has to try all 95 printable characters in every position. All of them have to be present. Drop down to lowercase letters only, and a 17-character password can be cracked in a mere 3.75 centuries (well... okay... but why make it easy for them?).

Don't Worry About Changing Your Password Regularly

Told you we'd start making it easy! We used to recommend that you change your password every three months or so. The longer each one is out there, the more time a hacker has to bang away at it and crack it. But if your password is 17 or more characters, you're pretty safe keeping it for a while. (Do change it right away if the site reports a breach or you have any reason to think it leaked.) Safe, that is, as long as you follow the next recommendation:

Passwords Should Be Unique

Don't use the same password in multiple places. If one of them gets cracked (or, more likely, compromised by an insider, malware, or a breach at that site), the resistance of the others goes from "13.44 billion centuries" to "as long as it takes to type it in."

Don't Share Passwords

Sharing passwords is like sharing gum. Not savory. If just one other person knows your password, that password is now out of your control. Of course, since you shared your password, your control wasn't very good to begin with!

How Much Do You Trust This Computer?

Think twice before typing your passwords on someone else's computer, particularly in public places like libraries or cyber cafes. How sure are you that no one put a program on there to record everybody's keystrokes so they can steal your passwords? If you absolutely must type your password on a computer you don't trust, change that password at the first opportunity (on a computer you know is secure!).

And never, ever type your eBay, PayPal or bank passwords on someone else's computer!

Making Good Passwords

Okay, now that we have all these rules, how do we make good passwords?

To start with, don't use any real words or proper names. Especially not the names of your favorite sports figures, cars, pets, nicknames, significant others, insignificant others, etc., in any language. Way too easy for anyone who knows you to guess!

The best passwords are completely random, but, of course, we humans have a tough time memorizing completely random sequences. So here's a pseudo-random alternative:

Take a favorite movie quote, or a phrase from a song or poem that's at least eight words long:

Hey, where do these stairs go? They go up!

Type it in.

And there you have it - a 42-character password that is easy for you to remember (assuming you're a fan of Ghostbusters). Trying every possible 42-character string would take 3.49 billion trillion trillion trillion trillion centuries. That should be enough... with one catch: that figure only holds if the attacker has to brute-force it. Password-cracking tools also try lists of well-known quotes and lyrics, so the less famous the line, the better (more on that below).

Some systems don't accept punctuation, capital letters or spaces; in that case, just leave 'em out. heywheredothesestairsgotheygoup would still take 2.42 hundred million trillion centuries to crack by brute force, because 31 characters of lowercase is still a huge number of combinations.
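To see where numbers like these come from, here is a small calculator, added as an example (it is not code from the Security Tango). It reproduces the arithmetic behind the 7-character, 17-character and quote figures above: the attacker's alphabet is the union of the character classes the password uses (95 printable characters when all four are present), the keyspace is alphabet size to the power of length, and the time is keyspace divided by a guess rate. The guess rate of 10^14 per second is an assumption worked back from the page's own figures, and the phrase list is a constructed stand-in for the quote and lyric dictionaries cracking tools try before brute force.

```python
import string

# Guess rate that the figures on this page work out to: 95^7 candidates in
# about 0.7 s is roughly 1e14 guesses per second. This is an assumption for
# illustration; a real rate depends on the hash algorithm and the hardware.
GUESS_RATE = 1e14
SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600

# The four character classes the page talks about. An exhaustive attacker
# has to cover every class that could be present, so the alphabet is the
# union of the classes the password actually uses (space counts as punctuation).
CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "punct": string.punctuation + " ", # 33
}


def alphabet_size(password):
    """Size of the class-based alphabet an exhaustive attacker must search."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def keyspace(password):
    """Number of candidate strings of this length drawn from that alphabet."""
    return alphabet_size(password) ** len(password)


def crack_seconds(password, rate=GUESS_RATE):
    """Time to try every candidate at the given guess rate."""
    return keyspace(password) / rate


def crack_centuries(password, rate=GUESS_RATE):
    return crack_seconds(password, rate) / SECONDS_PER_CENTURY


def normalize(phrase):
    """What survives when a site rejects spaces, punctuation and capitals."""
    return "".join(c for c in phrase.lower() if c.isalnum())


# Constructed stand-in for the quote and lyric lists cracking tools also try.
# Matching is done on the normalized form, so stripping punctuation and case
# from a famous line does not hide it.
KNOWN_PHRASES = {normalize(p) for p in (
    "Hey, where do these stairs go? They go up!",
    "May the Force be with you.",
    "To be, or not to be, that is the question",
)}


def assess(password, rate=GUESS_RATE):
    """Brute-force estimate plus whether a phrase list would find it first."""
    return {
        "alphabet": alphabet_size(password),
        "brute_force_centuries": crack_centuries(password, rate),
        "on_phrase_list": normalize(password) in KNOWN_PHRASES,
    }


if __name__ == "__main__":
    samples = (
        "Ab1!cDe",                                          # 7 chars, four classes
        "abcdefghijklmnopq",                                # 17 chars, lowercase only
        "Ab1!cDe2fGhI3jK4l",                                # 17 chars, four classes
        "heywheredothesestairsgotheygoup",                  # the quote, stripped down
        "Hey, where do these stairs go? They go up!",       # the quote as typed
        "Hey, where do these stairs go? They go sideways!", # the quote, altered
    )
    for pw in samples:
        r = assess(pw)
        note = "  <- on the phrase list: one dictionary guess" if r["on_phrase_list"] else ""
        print(f"{pw!r:52} alphabet={r['alphabet']:3d} "
              f"brute force={r['brute_force_centuries']:.3g} centuries{note}")
```

Run as a script it prints one line per sample: the 7-character password falls in about 0.7 seconds, the 17 lowercase letters in about 3.6 centuries, the 17 mixed characters in about 13 billion centuries, and the stripped quote in about 2.3 hundred million trillion centuries, matching the page's figures to within rounding of the guess rate. The last three lines also show the catch: the Ghostbusters line, typed as-is or stripped down, matches the phrase list, while the altered version does not, which is why an obscure or modified quote is worth more than its brute-force number suggests.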

Okay, admittedly, this works better if you can somehow associate the phrase with the site. Like, for example, any couplet from a Sylvia Plath poem with your bank. Or any quote from a Saw movie with your brokerage. But you can even keep a list of the sites and the sources of the quotes handy (the sources, not the quotes themselves). For example:

  • eBay - Don't Stop Believin'
  • PayPal - My Favorite Year
  • eTrade - Stopping By Woods On A Snowy Evening
As long as you don't use the most obvious quotes from each of these sources, guessing your passwords will be very, very difficult.

Still, hide the list!

This site © 2004-2024 Nick Francesco