How to pick a good password

Decades ago, spies and systems administrators were the only ones who really had to worry about passwords. But today you have to enter a password to do the most basic things, like turning on your computer or smartphone, downloading a song or buying a book online.

It’s no wonder many people use a single, simple password for everything. But that can be a catastrophic mistake.

You need a good password – one that no one can easily guess.

Analysis of password databases, often stolen from websites (something that happens with disturbing and increasing frequency), shows that the most common choices include “password”, “123456” and “abc123”.

But using these, or any word that appears in a dictionary, is insecure. Even changing some letters to numbers (“e” to “3”, “i” to “1” and so forth) does little to reduce the vulnerability of such passwords to an automated “dictionary attack”, because these substitutions are so common. The fundamental problem is that secure passwords tend to be hard to remember and memorable passwords tend to be insecure.

Weak passwords open the door to fraud, identity theft and breaches of privacy. An analysis by Verizon, an American telecoms firm, found that the biggest reason for successful security breaches was easily guessable passwords. Some viruses spread by trying common passwords. Attacks need only work enough of the time—say, in 1% of cases—to be worthwhile. And it turns out that a relatively short list of passwords provides access to 1% of accounts on many sites and systems.

Fingerprint scanners and devices that generate time-specific codes offer greater security, but they require expensive hardware.

Passwords, which need only software, are cheaper. In terms of security delivered per dollar spent, they are hard to beat, so they are not going away. But they need to be made more secure.

The solution, say security specialists, is to upgrade the software in people’s heads, by teaching them to choose more secure passwords.

One approach is to use passphrases containing unrelated words, such as “horse carrot paddock rolling hill” or “beach chair umbrella shade sand”, linked by a memorable mental image. If you are multilingual, you can mix and match your words: “horse carrotte paddock montagne”…

Passphrases are, on average, several orders of magnitude harder to crack than passwords. But a new study by researchers at the University of Cambridge finds that people tend to choose phrases made up not of unrelated words but of words that already occur together, such as “dead poets society”. Such phrases are vulnerable to a dictionary attack based on common phrases taken from the internet. And many systems limit the length of passwords, making a long phrase impractical.
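The two weaknesses described above, a dictionary word dressed up with letter-to-number substitutions and a passphrase built from words that already occur together, are exactly what a password checker should catch. The following Python checker is an added example written for this page, not code from the article. Its word list, phrase list and substitution table are small constructed stand-ins for the large cracking dictionaries and rule sets real tools use; the point is that the normalisation step undoes the substitutions before looking the word up, which is why they buy so little.

```python
import re

# Constructed stand-in for a cracking dictionary (real tools use millions of leaked passwords).
COMMON_WORDS = {"password", "123456", "abc123", "letmein", "sunshine", "welcome", "qwerty"}

# Constructed stand-in for a list of phrases scraped from the web, the kind of list
# the Cambridge study says passphrase crackers draw on.
COMMON_PHRASES = {"dead poets society", "to be or not to be", "may the force be with you"}

# Substitutions that cracking rule sets undo automatically, so they add almost nothing.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(candidate: str) -> str:
    """Reduce a candidate to the dictionary word it was derived from:
    lower-case it, drop a trailing run of digits/punctuation ("2012!"),
    then undo leet substitutions ("p@ssw0rd" -> "password")."""
    lowered = candidate.lower()
    stripped = re.sub(r"[\d\W_]+$", "", lowered)
    return stripped.translate(LEET_MAP)


def classify(candidate: str) -> tuple:
    """Return (verdict, reason) for a proposed password or passphrase."""
    lowered = candidate.lower()
    if lowered in COMMON_WORDS:
        return ("weak", "common password")
    if normalize(candidate) in COMMON_WORDS:
        return ("weak", "dictionary word with leet substitutions or trailing digits")
    words = lowered.split()
    if len(words) >= 3:
        # A multi-word passphrase is only as good as the phrase's obscurity.
        if " ".join(words) in COMMON_PHRASES:
            return ("weak", "phrase that already occurs together online")
        return ("strong", f"passphrase of {len(words)} words not in the phrase list")
    if len(candidate) < 8:
        return ("weak", "shorter than 8 characters")
    return ("ok", "no dictionary match; length and mixing still matter")


if __name__ == "__main__":
    for sample in ["123456", "P@ssw0rd2012!", "dead poets society",
                   "horse carrot paddock rolling hill", "2mf&wwmUs"]:
        print(f"{sample!r:40} -> {classify(sample)}")
```

Run it and “P@ssw0rd2012!” is rejected for the same reason “password” is: after stripping the trailing digits and reversing the substitutions it is the same word. The article's own mnemonic, “2mf&wwmUs”, passes because nothing in it normalises to a dictionary entry.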

An alternative approach, championed by Bruce Schneier, a security guru, is to turn a sentence into a password, taking the first letter of each word and substituting numbers and punctuation marks where possible. “Too much food and wine will make you sick” thus becomes “2mf&wwmUs”. This is no panacea: the danger with this “mnemonic password” approach is that people will use a proverb, or a line from a film or a song, as the starting point, which makes it vulnerable to attack. The ideal sentence is one like Mr Schneier’s that (until the publication of this article, at least) has no matches in Google.

Some websites make an effort to enhance security by indicating how easily guessed a password is likely to be, rejecting weak passwords, ensuring that password databases are kept properly encrypted and limiting the rate at which login attempts can be made. More should do so. But don’t rely on it happening. Instead, beef up your own security by upgrading your brain to use mnemonic passwords.
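Two of the site-side measures just listed, keeping the password database properly protected and limiting the rate of login attempts, are shown in the added Python example below. It is not code from the article: it uses only the standard library, and the user record, clock and lockout thresholds are constructed for illustration. “Properly encrypted” in practice means a salted, deliberately slow one-way hash (PBKDF2-HMAC-SHA256 here), so that a stolen database cannot simply be reversed and every guess costs the cracker real work; the login guard counts recent failures per account and refuses further attempts, even correct ones, during the lockout window.

```python
from __future__ import annotations
import hashlib
import hmac
import os
import time

# Iteration count for PBKDF2-HMAC-SHA256 (600,000 is the figure OWASP currently
# recommends). Tune so one hash takes roughly a tenth of a second on the login server.
PBKDF2_ROUNDS = 600_000
MAX_FAILURES = 5          # failed logins tolerated per account ...
LOCKOUT_SECONDS = 300     # ... within this window before the account is locked


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return "salt$digest". A random per-user salt defeats precomputed tables,
    and the iteration count makes each guess expensive for a cracker."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


# Checked for unknown usernames so a wrong name costs the same time as a wrong password
# (constructed placeholder, never a real credential).
DUMMY_HASH = hash_password("placeholder-not-a-real-credential")


class LoginGuard:
    """Verifies logins and locks an account after MAX_FAILURES recent failures."""

    def __init__(self, users: dict, clock=time.monotonic):
        self.users = users            # username -> "salt$digest" (constructed sample data)
        self.clock = clock            # injectable so the lockout can be tested without sleeping
        self.failures: dict = {}      # username -> timestamps of recent failed attempts

    def attempt(self, username: str, password: str) -> str:
        now = self.clock()
        recent = [t for t in self.failures.get(username, []) if now - t < LOCKOUT_SECONDS]
        self.failures[username] = recent
        if len(recent) >= MAX_FAILURES:
            return "locked"           # refuse before doing any work, even if the password is right
        stored = self.users.get(username, DUMMY_HASH)
        if verify_password(password, stored) and username in self.users:
            self.failures[username] = []
            return "ok"
        recent.append(now)
        return "denied"


if __name__ == "__main__":
    users = {"alice": hash_password("horse carrot paddock rolling hill")}
    guard = LoginGuard(users)
    print(guard.attempt("alice", "password"))                            # denied
    print(guard.attempt("alice", "horse carrot paddock rolling hill"))   # ok
```

Hashing the same password twice yields two different records because the salt is fresh each time, yet both verify; the guard's clock is injected so the lockout can be exercised without waiting five minutes.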

Psst! Also avoid popular texting acronyms like OMG and ROTFL…

3 Responses to “How to pick a good password”

  • This is becoming an increasingly important issue. This week was another high profile case of an account being hacked leading to all online data being deleted for that person.

    It also raises the issue of backup storage and knowing your online data is secure. With Electronics Design and Embedded Software Development the primary information created for the PCBs and the embedded software running on them is electronic and is the documentation that goes with it. I want to know that our backups are secure.

    Ray Keefe
    Successful Endeavours Pty Ltd
    Casey Business of the Year 2010
    Industrial Electronics Future Award Winner 2011
    Casey Manufacturer of the Year Finalist 2012
    Award Winning Electronics Design and Embedded Software Development

  • As an experienced system administrator, I agree that the use of strong passwords is vital for cyber security… But teaching users how to select strong passwords is just one part of the overall equation. For some time, password configuration options have been available to system administrators to enforce strong passwords. These options include password length, age, history and encryption strength. A user's password will not be accepted if the security policy options are not met.

    However, they are not foolproof. Another important cyber security tip, which is often overlooked, is how secure the databases are where users' passwords and other sensitive information are stored.

    LinkedIn is a data collection and storage company and should have protected its members’ sensitive data… But it didn’t! Early in June 2012, hackers breached its website and stole more than six million of its members’ passwords. The passwords, which had only been lightly encrypted, were posted on a Russian hacker forum for all to see.

    This is a very good example of why not to store everything in the cloud and why database security is just as important as having strong passwords.

  • This exact issue occurred with our Maxpak website. Part of it was designed to sell dog waste bags to the public. But this got hacked, and was very disruptive to our business. We were offline for a while, but quickly rebuilt the site to be better than ever. How did we get hacked? I’m not sure, but I strongly suspect some lax password protection.
