PSA: How to create a secure password

tlarkin

VIP Member
This is something that most users don't know about and even power users or advanced users or even IT people use ridiculously weak passwords.

A secure password should be at least 8 characters long and include letters, numbers and symbols. Almost all passwords are encrypted while being sent and received to their destination with a few exceptions. I will get into the exceptions later on.

Passwords SHOULD NOT contain any of the following:


  • [*]Real words
    [*]Personal information (DOB, last name, etc)
    [*]Name of pet, friend, wife, husband, etc

Now, let me give you an example. Let's say your password is monday, which is not secure and will easily be hacked by what is called a Dictionary Attack. Now a still non-secure modification of that would be MoNdaY. A slightly more secure (but still not secure) version would be m0nD@y. Dictionary attacks are basically brute force attacks that try to guess your password or passkey. They can come in any language, including the ever so popular l33t language, which is why m0nD@y is not a secure password.

I can tell you right now, anyone who can write simple looping programs can write a dictionary attack; it is not hard to do at all.

So how does one create and use a strong password? There are many different methods you can use. You can use a random number string, plus a word, plus a symbol and then mix it up. However, I like to suggest to people to use a phrase and then condense it to a password. For example, the phrase:

I love to eat pizza, for every meal if possible!

Now you can take that and turn it into a password

il2ep4emip!

Still, not quite secure, so now we can add on to that.

I love to eat pizza, for every meal if possible!

Il23p4eMip!

I used a 3 as an E and tossed in a few capitals in there. Now you can add a symbol or a space.

Il23p 4emip!

Spaces count as characters in passwords. Now just add a symbol at the beginning, like a @ or # or % or whatever and your password is pretty secure. Most bot attacks or hackers using such dictionary attacks will fail to crack your password over and over again, and then quit and move along to a greener pasture. Over to where people use their pet's name as a password and can be more easily exploited.

Do be aware that things like WEP, TKIP encryption, and FTP are security risks. If you must use FTP, use SFTP, since FTP sends passwords in plain text.
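The post's rule set (at least 8 characters, letters plus numbers plus symbols, no real words, no personal information, and no l33t-mangled dictionary words) can be turned into a simple policy check that an administrator could run when a user picks a password. The example below is added here and is not code from the original post; the wordlist and the personal-information tokens are constructed samples standing in for a real cracking wordlist and a user's profile data, and the l33t substitution table is one common set, not an exhaustive one.

```python
import re

# Constructed stand-in for a dictionary-attack wordlist (real lists run to millions of entries
# and come in every language, including German and l33t variants).
WORDLIST = {"monday", "montag", "password", "pizza", "welcome", "dragon", "letmein"}

# Common l33t substitutions, undone so m0nD@y normalizes back to "monday".
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i", "+": "t",
})


def normalize(password):
    """Lowercase, undo l33t substitutions and keep only letters, the way a mangling-rule
    attack would recover the underlying word."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET_MAP))


def dictionary_hits(password, wordlist=WORDLIST, min_len=4):
    """Dictionary words that survive inside the normalized password."""
    base = normalize(password)
    return sorted(w for w in wordlist if len(w) >= min_len and w in base)


def personal_info_hits(password, personal_tokens):
    """Personal-information tokens (pet name, birth year, surname ...) found in the password."""
    low = password.lower()
    return sorted(t.lower() for t in personal_tokens if len(t) >= 3 and t.lower() in low)


def character_classes(password):
    """Count of distinct classes used: lowercase, uppercase, digits, symbols (spaces count)."""
    classes = 0
    for pattern in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"):
        if re.search(pattern, password):
            classes += 1
    return classes


def check_password(password, personal_tokens=()):
    """Return a list of policy problems; an empty list means the password passes."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if character_classes(password) < 3:
        problems.append("needs letters, numbers and symbols")
    hits = dictionary_hits(password)
    if hits:
        problems.append("contains dictionary word(s) after undoing l33t: " + ", ".join(hits))
    personal = personal_info_hits(password, personal_tokens)
    if personal:
        problems.append("contains personal information: " + ", ".join(personal))
    return problems


if __name__ == "__main__":
    # The thread's own examples, plus a constructed pet-name password.
    for candidate in ("monday", "m0nD@y", "il2ep4emip!", "Il23p 4emip!", "Fluffy1985!"):
        result = check_password(candidate, personal_tokens=("Fluffy", "1985"))
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```

The point of `normalize()` is that case changes and character swaps are undone in one pass, so MoNdaY and m0nD@y are both rejected for the same reason monday is, while the phrase-derived Il23p 4emip! passes because there is no underlying word to recover.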
 
so the best password is abbreviated 1337 speek. woot :P

My password is pretty weak but it is in German so a normal english dictionary attack wouldn't work.

I say this should be stickied since it is good information.
 
so the best password is abbreviated 1337 speek. woot :P

My password is pretty weak but it is in German so a normal english dictionary attack wouldn't work.

I say this should be stickied since it is good information.

OK, but I can add a German dictionary to my attacks. Also, l33t speak words are not secure since there are actually, and sadly at the same time, l33t speak dictionaries.

You should have letters, numbers, and symbols. I was just trying to use a phrase as a mnemonic device so you can keep track of your password and keep it secure.
 
Thank you for the excellent post tlarkin. Very good information here.

Well said! :):good:

Edit: For the lazy folks out there - I have used this site many times in the past for certain applications. It also has a good bit of information for those curious about random number generators.
 
You can use RNGs but this is more about helping users create and remember strong passwords. This thread should be sticky I think, so everyone can see it.
 
Yeah, a completely random password is great except when it comes to having to remember and type it in. So it ends up written down somewhere and becomes completely insecure.
 
Yeah, a completely random password is great except when it comes to having to remember and type it in. So it ends up written down somewhere and becomes completely insecure.

RNGs are great when you have it change itself all under the hood. If you have an account that is used for authentication, say over SSH, and want it to perform a task, you can have it randomly change and sync every 30 days, but you would never know the password.
 
I concur with the memorization factor. They are a pain. I have enough trouble with my users writing down even simple passwords and not destroying the note...

I would be glad to remove that post/link if you deem it detracting from the intent of your original point.
 
Great read...The Army has a system and the passwords have to be 15 characters long with 4 symbols, 4 numbers and 2 capital letters. Talk about hard to remember:(
 
Great read...The Army has a system and the passwords have to be 15 characters long with 4 symbols, 4 numbers and 2 capital letters. Talk about hard to remember:(

My systems are similar. Though, using the methods suggested by Tlarkin, the memorization can become easier. I just turn the gobbledygook into a phrase. ;)

Second on the sticky request too, if that is the way to proceed around here.
 
I think the best way to make a secure password is to go into MS Word, close your eyes and type in a bunch of random numbers, letters, and symbols (if allowed) on the keyboard, choosing randomly when to capitalize a letter. Then, just memorize it.
 
I think the best way to make a secure password is to go into MS Word, close your eyes and type in a bunch of random numbers, letters, and symbols (if allowed) on the keyboard, choosing randomly when to capitalize a letter. Then, just memorize it.

Just how random are you though? The human mind naturally (subconsciously especially) gravitates towards patterns. This link I provided earlier is to one of the better random generators out there.
 
Great read...The Army has a system and the passwords have to be 15 characters long with 4 symbols, 4 numbers and 2 capital letters. Talk about hard to remember:(

Yeah the NSA publishes their computer security docs for the world to download. I have read through them. Really 8 characters is enough I would say for a user password. Now like a wireless encryption key, yeah over 15 characters would be ideal.

If you are storing super top secret data you should do so in an encrypted disk image with a very strong password.

However, this thread was intended to create strong end user passwords for user accounts and email addresses.
 
Thanks tlarkin. I've added the thread here. As you may have noticed, we keep all our guides and how to's in the announcements, so, for now, this won't be stickied. If we ever bring back the stickies, this thread will likely be stuck in this section.
 
Thanks tlarkin. I've added the thread here. As you may have noticed, we keep all our guides and how to's in the announcements, so, for now, this won't be stickied. If we ever bring back the stickies, this thread will likely be stuck in this section.

ah gotcha :good:
 
You have just inspired me to change my password :)

One of my main problems is that I use the same password for absolutely everything. So if it gets intercepted then someone can access everything of mine.

Right now my password is 8 characters. Starts with a capital letter and has a number at the end. I don't think it's that bad but I want a new better one. Perhaps with some symbols.

I might even make it website specific. Like have a symbol, the first letter of the website it's used for and whatever else I think up haha. That would be better because then I could have separate passwords for everything but I'd know what each one was.

I'll stop writing whatever comes to mind and go and think of a good password now. Thanks for the information and advice.
 
I just found a good website for testing passwords:

http://www.passwordmeter.com/

It's pretty good but what I don't like is that it takes many points off for repeat characters. For example "a$6j1@7g9K" ranks at 100% as you would imagine for such a complicated password, but you add 6 a's to the end and it ranks as 0% "a$6j1@7g9Kaaaaaa".

So it's not entirely accurate because in reality the latter password would be harder to crack because it's exactly the same except with added characters.

Anyway my old password ranks 48% so I'm going to try and create a good password that ranks at 100%.

The only annoyance is that some websites don't allow certain characters. Like photobucket won't allow symbols so I have to create a separate password for that which is a shame.

Anyway lets hope I can find a good password. :)

*edit* according to that website, when you request to have your password reset on this forum, the password it gives you ranks only 60% haha. But I guess you're supposed to change it straight away anyway.
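The disagreement with the meter above comes down to what is being measured. A strength meter applies heuristics (repeat-character penalties among them), while the cost of an exhaustive guess is set by the size of the character pool raised to the length of the password. The example below is added here and is not code from the original post or from passwordmeter.com; it computes that brute-force search space in bits for the thread's own examples, and the guess rate used for the time estimate is an assumed illustrative figure, not a measurement of any real cracker.

```python
import math


def pool_size(password):
    """Size of the character pool an attacker must search for this password's classes.
    Lowercase 26, uppercase 26, digits 10, and 33 for printable ASCII symbols plus space."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33
    return pool


def brute_force_bits(password):
    """log2 of the exhaustive search space: every position drawn from the full pool.
    This is an upper bound; dictionary and mangling-rule attacks are far cheaper on
    word-based passwords, which is why monday scores higher here than it deserves."""
    if not password:
        return 0.0
    return len(password) * math.log2(pool_size(password))


def appending_never_weakens(shorter, longer):
    """A password that starts with another one costs at least as much to guess exhaustively."""
    return longer.startswith(shorter) and brute_force_bits(longer) >= brute_force_bits(shorter)


def years_to_exhaust(password, guesses_per_second=1e9):
    """Wall-clock years to try the whole space at an ASSUMED guess rate (constructed figure)."""
    guesses = 2 ** brute_force_bits(password)
    return guesses / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # The thread's examples, from the OP's monday through the 100%-rated meter sample.
    for pw in ("monday", "m0nD@y", "Il23p 4emip!", "a$6j1@7g9K", "a$6j1@7g9Kaaaaaa"):
        print(f"{pw!r:20} pool={pool_size(pw):3} bits={brute_force_bits(pw):6.1f} "
              f"years@1e9/s={years_to_exhaust(pw):.3g}")
    print("appending 6 a's weakens it:",
          not appending_never_weakens("a$6j1@7g9K", "a$6j1@7g9Kaaaaaa"))
```

Read the two numbers together: the meter's 0% for the longer string reflects a heuristic penalty, while the search-space bits show the appended characters can only add work for an attacker guessing the whole string. The caveat in the opposite direction is in the `brute_force_bits` docstring: this bound says nothing about dictionary attacks, so monday's 28 bits overstate it badly.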
 
Well I tried that site, my unimportant passwords for forums and such score 48%
and my bank account 28% yet it has numbers and letters, I think I'll change it :)
 
Well I tried that site, my unimportant passwords for forums and such score 48%
and my bank account 28% yet it has numbers and letters, I think I'll change it :)

Does it resemble an actual word? Do not use actual words. Sites like that are nice to test your password strength.
 