Password basics - what makes a good password?
The first thing to understand is what makes a bad password. The worst passwords are: password, 111111, fred, master, boss and whatever is the name of your organization/department/unit. Why are they bad? Because they are obvious, easy to guess and just plain stupid.
So what are the good passwords? Things that are not dictionary words (in any language), do not repeat characters, and are long enough to make them hard to watch being typed or to attack using ‘brute force’ (starting from 0 and working upwards through every possible combination). But saying that doesn’t really help, because it’s too difficult to understand what you should choose. After all, you still have to be able to remember the password.
The trick is to pick the right mixture of things that make it hard for someone else to guess or find by searching. This is where the password system may not help. Ideally it should accept up to 40 characters, and they should be anything that you can find on the keyboard. You may not use all 40, but if you want top quality at least you have the chance. Now you need to pick something you feel comfortable typing that uses at least 8 characters, which may be anything on the keyboard. Well, that’s hard, but you can pick a couple of words you do know, preferably not related to each other, and add a few special characters to them so you don’t find them in a dictionary. For instance, “Table!house*”, “Knight(soil)” or “Dem0n**manager”. Other examples that could work include “1066andallthat”, “Hangthe****donkey” or “Now is the time forall men”. This last one is a quotation, but it’s still hard to guess or attack, especially if you don’t know where the spaces are!
Passwords need to be changed from time to time. Picking a frequency is not easy. On the one hand you need to change it often if it protects something vital. On the other hand you have to be able to remember it. Having a long password that is not obvious generally means you don’t need to change it so often. So if you can cope with the typing, pick a long password and it will last longer.
Unfortunately many systems impose a very short password length. This is regrettable because it makes it much harder for you. A 6-character password of upper-case letters is a few seconds’ work for an attacker. Even with all the characters available it isn’t hours. So take care that the password system you are being asked to use is as much up to the job as you are.
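As an added illustration of two points above (the rules for a good password, and the brute-force arithmetic behind the warning about 6-character passwords), here is a small Python check. It is not code from the original article; the guess rate and the tiny word list are assumptions, stand-ins for a real cracking rate and a real dictionary.

```python
import re
import string

# Constructed stand-in for a password dictionary: just the page's own list of
# bad passwords. A real check would load a full wordlist in several languages.
BAD_WORDS = {"password", "111111", "fred", "master", "boss"}

# Assumed guess rate for the time estimate (an assumption, not a page value):
# one billion guesses per second, in the range of offline cracking of a fast hash.
GUESSES_PER_SECOND = 1_000_000_000
PUNCTUATION = string.punctuation + " "   # "anything on the keyboard"


def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates an exhaustive search must try: alphabet_size ** length."""
    return alphabet_size ** length


def brute_force_seconds(alphabet_size: int, length: int,
                        rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to exhaust the whole keyspace at the given rate."""
    return keyspace(alphabet_size, length) / rate


def alphabet_size_for(password: str) -> int:
    """Size of the smallest keyboard alphabet containing every character used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in PUNCTUATION for c in password):
        size += len(PUNCTUATION)
    return size


def check_password(password: str, organisation: str = "") -> list[str]:
    """Apply the page's rules; returns the objections, empty if it passes."""
    problems = []
    lowered = password.lower()
    if lowered in BAD_WORDS or (organisation and lowered == organisation.lower()):
        problems.append("obvious word")
    if re.search(r"(\w)\1{2,}", password):  # runs like 111111; "****" padding is allowed
        problems.append("repeated characters")
    if not 8 <= len(password) <= 40:
        problems.append("length outside 8..40")
    if password.isalpha():  # a plain word is a dictionary hit waiting to happen
        problems.append("no digits or special characters")
    return problems
```

With these numbers, 26 upper-case letters over 6 positions exhaust in well under a second, and the full 95-character keyboard alphabet over 6 positions in about twelve minutes, which is the page's "isn't hours".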