What makes a Better Password?

Posted By BrokenClaw on September 2, 2008

A strong password, sometimes described as a robust password, should consist of mixed characters, including uppercase, lowercase, punctuation, numbers and symbols. And longer passwords are better than shorter passwords. Here is an example of a really good password:


Obviously, you can’t use a password like that to log into eBay, so let’s back up and see how we get there.

The simplest password in general use today is the 4-digit Personal Identification Number (PIN) you use with your ATM card. With 4 numerals, there are only 10,000 possibilities from 0000 to 9999. However, the PIN is the second level of authentication. The first level is the card itself. And built into the ATM software is a safeguard against someone trying random numbers. If someone steals your card, after a few bad tries at the PIN, the user gets locked out. In that sense, then, it is not necessary to have millions of possible PINs.

On websites where your online nickname is readily posted, your password is your only authentication device. Anyone can see your online name, so the only way to prove it’s you is with your password. Therefore, it is important that your password is not something that is easily guessed. For example, if you have a personal blog, Facebook, or online photo account where you post photos of your dog, Fluffy, you shouldn’t use FLUFFY as your password… there or anywhere on the Web.

In one of the first publicized episodes of computer hacking [The Cuckoo's Egg by Clifford Stoll, 1989], Stoll discovered one of the hacker’s passwords — Benson — and then deduced another password — Hedges.

In fact, real words, whether names or simple words, should never be used as a password. The reason is that they are susceptible to what is called a dictionary attack, a form of brute force attack. Even if the hackers know nothing about you, they can use a computer program which tries every word in a virtual dictionary to find a working password. So what kind of password should you use?

First of all, most websites limit the length of a password, often 8 to 16 characters. They also limit which typed characters you can use, typically just letters and numbers. If they recognize both upper and lower case letters, then there are 62 possible values for each character: 26 (uppercase) + 26 (lowercase) + 10 (numbers). For every increase of one character in length, the number of possibilities increases by a factor of 62. A random 8-character password, then, is one in 218 trillion! Good business websites require that your password contains both letters and numbers. This type of password would look something like this: s8mW45rP.
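The arithmetic above (10,000 possible PINs, a factor of 62 per character, one in 218 trillion for eight random alphanumerics) and the dictionary-word warning can be put into a few lines of code. The following is an added example, not code from the original post: a keyspace calculator, a generator that draws each character from the 62-character alphabet using the operating system's random source, and a simple policy check that rejects dictionary words. The word list is a constructed stand-in; a real check would load a full dictionary.

```python
import secrets
import string

# The article's alphabet: 26 uppercase + 26 lowercase + 10 digits = 62 symbols.
ALNUM = string.ascii_uppercase + string.ascii_lowercase + string.digits

# Constructed, deliberately tiny word list standing in for the "virtual
# dictionary" a dictionary attack would try. A real policy check would load
# a full word list instead.
SAMPLE_DICTIONARY = {"fluffy", "benson", "hedges", "password", "letmein"}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of `length` characters over an alphabet.

    Each extra character multiplies the count by the alphabet size, which is
    the article's "factor of 62" for every added character.
    """
    return alphabet_size ** length


def is_dictionary_word(candidate: str, dictionary=SAMPLE_DICTIONARY) -> bool:
    """True when the candidate is a plain word from the list (case-insensitive)."""
    return candidate.lower() in dictionary


def random_password(length: int = 8, alphabet: str = ALNUM) -> str:
    """Draw each character independently from the alphabet with a CSPRNG.

    `secrets.choice` uses the operating system's random source, so the result
    is random in the cryptographic sense, not merely "mixed-up".
    """
    return "".join(secrets.choice(alphabet) for _ in range(length))


def policy_check(candidate: str, min_length: int = 8) -> list:
    """Return the reasons a candidate is weak; an empty list means it passes."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if is_dictionary_word(candidate):
        problems.append("is a dictionary word")
    has_upper = any(c.isupper() for c in candidate)
    has_lower = any(c.islower() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    if not (has_upper and has_lower and has_digit):
        problems.append("needs uppercase, lowercase and a digit")
    return problems


if __name__ == "__main__":
    print("4-digit PIN keyspace:", keyspace(10, 4))          # 10000
    print("8-char alphanumeric keyspace:", f"{keyspace(62, 8):,}")
    print("random 8-char password:", random_password())
    print("FLUFFY ->", policy_check("FLUFFY"))
    print("s8mW45rP ->", policy_check("s8mW45rP"))            # []
```

Run it as a script to see the keyspace figures and a freshly generated password; `policy_check` is the piece you would wire into a registration form.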

The term random has a mathematical definition, but here we are using it merely to mean a collection of mixed-up letters and numbers.

Obviously there are different levels of password security. Your password to log into your bank or other financial service, including merchant sites that save your payment information, is more important than the password you use to log into a hobby site. In business and industry, the computer system often assigns you a password, to ensure that you don’t use something like FLUFFY.

The long password at the top of this article is usually called a passphrase, because it is longer than a word. Long strings of characters like that are used for encryption, for example, to secure a wireless network.

