I was trying to find a simple, brief guide to picking great passwords, and came up short. Hopefully this simple advice is useful:
- Don’t pick a password; pick a pass phrase.
- Include letters of both cases, numbers, and punctuation characters. For bonus points, use “special” characters like é and î.
- Don’t pick something you’ll have to write down to remember. Never write down a password.
- Try not to use the same password for multiple sites.
Some examples of passwords I might use (you’ll have to think of new ones; each line is a single password):
- “B0w T!es ar€ Coo7.”
- ‘Th3re 4re W0rlds 0ut there where the Sky 1s burn1ng, 4nd th3 S3a’s 4sleep, 4nd th3 R1vers dr3am.’
- “!€xtermin8” “D3le7e!” “Dok-torr”
Letter substitutions like I’ve done above are not secure for single word passwords. Don’t rely on them! And they’re kind of fiddly anyway, so if the punctuation in the phrases above is too much, you could even simplify them:
- “Bow Ties are Cool!!”
- ‘There are worlds out there where the sky is burning, and the sea’s asleep, and the rivers dream.’
- “Exterminate!” ‘Delete!’ “Dok-torr”
And if you really, really must record your passwords somewhere, the only solution I recommend is 1password. But I’d recommend not doing it.
5 responses to “Picking a great password”
How do you manage make multiple passwords w/o having to write them down? With all the site sites that I visit, I need about 200 passwords and my memory is just not that good. So my dilemma is to come up with a system that allows me to use a phrase like you recommend, but make it different for each site, yet not need to write it down…. Any suggestions?
The security author Bruce Schneier actually does recommend writing them down, and keeping them in your wallet: http://www.schneier.com/blog/archives/2005/06/write_down_your.html
Thanks! I read about that method recently, but am a bit nervous to entrust passwords to a piece of paper. I guess I don’t trust that old-fangled technology! J I may have to cave and learn to trust it though.
hey ben thoughts on my comment below?
A couple of comments:
First, if someone wants to record passwords, are you specifically *only* recommending 1password or are you recommending secure password storage tools in general?
Second, I don’t agree with the recommendation against using a password management tool (whether it be 1password or other). The key thing here is people need to improve their security practices, and it’s better to have incremental improvement than none, even if it’s not ideal. It comes down to your statement, “…if you really, really must record your passwords somewhere…” – this is the kind of stuff that makes non-technical users heads explode. We tell them to not use simple passwords, don’t use the same password across sites, don’t write them down, etc. It’s just not practical, reasonable, or possible. Are you recommending that they create long, strong, unique passwords for all their sites and just remember them? By recommending against the password storage tool option we are just forcing the user back to the same unsecure practices we are trying to get them off of. Creating strong unique passwords across sites is a very reasonable thing for most people if they use a tool to back this practice.
Finally, I’m not sure that character substitutions do much to increase the strength of even long passphrases. Each additional character increases the password strength by an order of magnitude and I’d bet that a character substitution has a super-small impact to strength.