Because I have always been so fascinated with passwords, I always like to hear different tips people have for creating strong passwords. However, I have to admit that most of the tips I run across are actually kind of lame and really are not very secure. Unfortunately, some of these tips are quite popular and get passed around way too much. In fact, I rarely see any advice besides these I have listed.

Simple Substitution

Tip: Take a word and replace certain letters with numbers or symbols. For example, change apple to @ppl3.

While this tip was once great advice, CPU power has made it mostly irrelevant. You cannot make a poor password stronger by simple substitution. Most password cracking tools will try hundreds of common substitutions for all dictionary words in just a matter of minutes, greatly reducing the effectiveness of this tip. At one time this was a way to turn short passwords into stronger passwords, but nowadays a short password is no longer strong no matter what you do to it.

Better advice: Add a whole word to the end of your password to make it longer.

First Letters from a Phrase

Tip: Take a phrase, poem, or line from a song and use the first letter from each word. Then, add a few punctuation marks, capitals, and numbers to make it stronger. For example, the phrase “To be or not to be” could be turned into the password 2BorN2b!.

This is perhaps the most commonly recommended tip I have ever seen when it comes to creating strong passwords, and it kind of aggravates me that it is spread around so much. Again, this is a tip that worked fine in the past, but it is no longer valid. The problem with this tip is that it tends to create shorter passwords, and short passwords are never stronger than longer passwords.

Historically, passwords on systems were limited to a maximum of eight characters so this was a good way to turn eight characters into something very random. Now, however, most systems do not significantly limit the password length so instead of taking the first letter of each word, why not type in the words themselves?

We normally type in terms of whole words (we don’t think about each letter) so typing in whole words shouldn’t be that big of a deal for us. Stopping to think of each letter certainly wouldn’t be much faster than just typing in a few words.

Better advice: Take 3-4 words from a common phrase, add some punctuation (such as hyphens or pluses between words) and use that as your password.

Random Password Generators

Tip: Use a software program to generate a truly random string of characters.

There is a large group of people who think that a random password is always the strongest password. While this is true when it comes to short passwords, short passwords are no longer strong and with long passwords the randomness isn’t as important.

If someone is trying to crack your password and it doesn’t appear on a wordlist, even after applying common substitution rules, and the hash doesn’t appear in a rainbow table, the only alternative is to perform a brute force attack. With a brute force attack they are going to have to try every single combination of possible characters one at a time until they find the right one.

So consider the following two passwords: ngdh$82K and 3333333333333333333. Which of these two passwords will be cracked last? The answer is the longer one, despite the fact that it has almost no entropy.

See, when it comes to a brute force attack, entropy makes no difference at all, because a brute force attack is a sequential attempt at every possible password, starting with the shortest first. Of course, entropy is not bad and randomness is always a good practice, but it will not slow down a brute force attack.
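As an added illustration of the length-first brute force argument above (example code written for this edit, not from the original post): it counts how many guesses an exhaustive search must make before reaching each of the two passwords, first assuming the full 95-character printable ASCII alphabet, then the attacker's best case where the search is restricted to only the character classes the password actually uses (digits only for the second one), which goes slightly beyond the post's own comparison. The length-first search order and the 95-character alphabet are assumptions of this example.

```python
import string

# Character classes an exhaustive search must include to reach a password.
# Sizes follow the 95 printable ASCII characters (26 + 26 + 10 + 33).
CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation + " "), 33),
)
PRINTABLE_ASCII = 95


def alphabet_size(password: str) -> int:
    """Smallest class-based alphabet containing every character of the password.

    This is the most favourable assumption for the attacker: they somehow know
    which character classes to include and skip the rest.
    """
    return sum(n for chars, n in CLASSES if any(c in chars for c in password))


def guesses_to_reach(password: str, alphabet: int = 0) -> int:
    """Worst-case guess count for a length-first exhaustive search.

    Every string of every shorter length is tried first, then every string of
    the password's own length. alphabet=0 means "infer from the password".
    """
    n = alphabet or alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def cracked_last(a: str, b: str, alphabet: int = 0) -> str:
    """Return whichever of two passwords the exhaustive search reaches last."""
    return a if guesses_to_reach(a, alphabet) > guesses_to_reach(b, alphabet) else b


if __name__ == "__main__":
    short_random, long_plain = "ngdh$82K", "3" * 19  # the two passwords from the post
    for label, pw in (("short random", short_random), ("long repeated", long_plain)):
        full = guesses_to_reach(pw, PRINTABLE_ASCII)
        minimal = guesses_to_reach(pw)
        print(f"{label:14} len={len(pw):2} full 95-char search: {full:.2e}  "
              f"minimal {alphabet_size(pw)}-char search: {minimal:.2e}")
    print("cracked last:", cracked_last(short_random, long_plain))
```

Even when the search is cut down to digits only, the 19-character password still needs more than a hundred times as many guesses as the 8-character random one does against the full alphabet.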

Better advice: Use a long password rather than a random password.

Using Personal Algorithms

Tip: Take the name of the web site you are using, add a prefix that you use on every site and append a few random letters at the end. For example, to set a password at Google, use Th3google-t5; on eBay it would be Th3ebay-8w.

The problem with this tip is that if someone were to discover your algorithm by seeing a few of your passwords they could easily compromise every account you own. If you have trouble memorizing passwords, you should use a password manager such as KeePass or Roboform.

However, personal algorithms generally aren’t all bad. For example, if you just added the same word to all of your passwords, they would be significantly stronger, as long as the first part is also sufficiently strong.

Better advice: If you haven’t already figured out that there is a common theme here, the better advice is to simply make your passwords longer.
