How to Create a Strong Password

Through 20 years of effort we've successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.


Looking at the history of passwords and password management I did not know that the seeming obsession with passwords featuring a strange mixing of capital letters, numbers and !@#$%^&*()+ derives from a 2003 National Institute of Standards and Technology report, “NIST Special Publication 800-63. Appendix A.”

This report advised computer users to protect their accounts by using the now familiar mélange of characters, capital letters and numbers - and to change those passwords regularly. Of course, that resulted in people using just a few passwords and writing them down because they were difficult to remember. In the end, the guidance made systems less safe.

The Man Who Wrote Those Password Rules Has a New Tip: N3v$r M1^d!

Abandoning its endorsement of picking a favourite phrase and replacing a couple characters with symbols, like c4tlo^eR. These short, hard-to-read passwords look complicated to humans but very very simple to computers so the 2003 NIST guidance has now been replaced by a new version of NIST Special Publication 800-63A, “Digital Identity Guidelines: Enrollment and Identity Proofing Requirements.”

The current advice from NIST is a nearly 180 turn from the original - no longer are regular password changes called for, and gone is the recommendation to use those special characters. The new report isn’t all that fun to read (save it for a rainy day) but suggests moving from passwords to passphrases, and use of dual factor authentication. So rip up those Post-It notes with your passwords and start fresh!

Instead, you want long, weird strings that neither computers nor people can guess. Humans are bad at coming up with these - we all pick the same “random” words, and we’re bad at remembering actually random strings. Follow this guide to make good passwords, or better yet, let an app make and remember them for you.

Make your passwords very long.

hackerpicYour enemy isn’t some guy in a ski mask trying to guess your password one try at a time. It’s a program that automatically runs through massive databases of common passwords or random combinations of characters.

The best answer to that is a very long string of words. As the webcomic xkcd famously pointed out, a bunch of plain words is pretty good. But as many hackers use “dictionary attacks” to guess regular words, it’s best to add some capital letters, special characters, or numbers. (examples: My best friend is Sheila Brown who lives at #6 or Micro$oft-is-on-the-Rocks) From earlier versions of Windows -> "Although most users do not realise it, both Windows 2000 and Windows XP allow spaces in passwords. In fact, if you can view a character in Windows, you can use that character in a password. Therefore, spaces are perfectly valid password characters"

[Ed.] Be aware however that some sites may not allow spaces in passwords...

Don’t use a common phrase.

But don’t use the same bunch of plain words as everyone else. If your password consisted of the entire script of Hamlet, it would still be unsafe if everyone else had the same password. “When in the course of human events” is a poor password. So is a famous movie line, or a Bible verse, or even an acronym of a Bible verse.

And don’t get clever with thematic or personally meaningful passwords. Sometimes humans do try to crack passwords, so don’t help them out by using your son’s birthday or the phrase printed on your favourite coffee mug.

Test your password.

If you use a password manager, it’ll test your password in real time, on the safety of your computer. The sites How Secure Is My Password?, How Big Is Your Password?, and How Strong Is Your Password? test if your password is long enough. But they won’t warn you about common guessable phrases, like those Bible verses.

Of course, typing your passwords into unfamiliar sites is a bad habit. These sites are safe, as they’re all publicly run by trusted developers who promise that your entered text never leaves your computer. Still, to be safe, just use these sites to get the gist before you make your real password.

Don’t reuse your password.

When your password on some web service gets hacked (and it will), you’d better hope you didn’t use the same password on three other services. Don’t use a weak password for services that “don’t matter,” because some day you might give one of those services your credit card info, or use it to authorise more important services, and you won’t think to beef up your password.

Use a password manager.

Until you do this, no matter how hard you try all the rules above, you will keep picking bad passwords. Here’s how:

  • Your “random” string of words will be something like “monkey dragon baseball princess,” four extremely common password words, and a computer will guess it.
  • You’ll pick something memorable, which will limit your options, and a computer will guess it.
  • You’ll manage to make a password a computer can’t guess, and you’ll forget it, and you’ll have to replace it with a weaker password, and a computer will guess it.
  • You’ll pick something identifiable to anyone who follows you on Twitter or Facebook - like your dog’s name - and a human will guess it.

Instead, get your computer to make and remember your passwords for you. This is the only reliable but convenient way to manage the vast quantity of passwords that modern life requires.

The current most distinctive FREE one is KeePass Password Safe.  It focuses on local storage rather than cloud solutions, and it even lets you use a file to unlock it, so you could turn a physical thumb drive into your “password.”

Cloud-based services like 1Password and LastPass are more vulnerable to remote attacks. But because they heavily encrypt your data and don’t store your master password, you’re still safe even if those services are hacked - as long as your master password is too hard to crack.

Therefore, you just need to remember one password: The one that locks your password manager. Follow all the rules above to create a strong master password, especially if you sync your data. Otherwise, if your password service ever gets hacked, the hackers will also guess your weak master password, and they will swim around in all your accounts like grandkids in your swimming pool at holiday time.

Now if you just have to write that master password down, do it on paper, and keep it somewhere safe like your wallet. Don’t write “MASTER PASSWORD” on it. Rip it up as soon as you’ve memorised it (which will take just a day or two, thanks to the muscle memory of typing it in every time you log into anything).

Don’t forget your master password, or you could be completely and utterly screwed.

Don’t store passwords in your browser.

Those can get hacked, too. Some of Opera’s saved passwords were partially hacked last year. Even Google accounts are vulnerable. A hacker doesn’t have to defeat Google’s security—they just have to trick you, and it’s a lot easier for hackers to pose as Google and request your login than it is for them to pretend to be your chosen password management app. If your Google account gets hacked, you’ll be in enough trouble without also worrying about all your saved passwords. 

Don’t ruin all this by using security questions.

questionsSecurity questions? More like insecurity questions! I’m fun at parties. Point is, the concept of security questions made some sense when they were used in 1906 and answered face-to-face, but they’re ludicrous now that anyone can Google up your mother’s maiden name, where you went to high school, or your favourite ice cream flavour, then call Amazon tech support and pose as you.


Treat security questions basically the same way you treat your passwords: Make up fake answers, and save them in your password manager. Security questions are for talking to humans, not computers, so you don’t have to add weird characters to your answers. Instead, you want to pick wrong and uncommon answers. What high school did you go to? Scoobert Doobert High. What’s your mother’s maiden name? Blempgorf. This is where you can put all that clever energy that you’re not allowed to put into your passwords. (It’s also a decent strategy for picking that one master password that you have to memorise.)

Remember, everything is broken.

Passwords are bad and dumb. But so is everything else. Fingerprints can be stolen, two-factor texts can be rerouted, keys can be copied. As tech reporter Quinn Norton put it, everything is broken, and as writer/programmer Dan Nguyen put it, everything is (even more) broken. Security technology is a race between the good guys and the bad guys, and it’s just impossible to have perfectly secure technology without sacrificing many of that technology’s benefits.

So once you’ve set up your password manager, replaced all your passwords, and enabled two-factor authentication, don’t think your work is done. Some day everything will move onto a new security system, and you’ll have to adapt. That’s the price we pay for putting our lives online.

Netwise 04.05.18