Choosing a Pretty Good Password
Myth: if it is encrypted, it is secure
Truth: if it is not encrypted, it is not secure
A good password is one that's hard to guess, yet easy to remember. So here are the top 10 ways to choose a password, in roughly increasing difficulty. If you don't use any of the first 5, you're well on your way. The stats are very rough estimates (for comparison purposes, an 8-character password is used for most calculations):
1. Default (same as none):
   - Many programs and services assign a default password. Change this to a new password immediately.
   - examples: password, superuser
2. 10 Common passwords:
   - god, love, lust, money, private, qwerty, secret, sex, snoopy, & (surprise!) password
3. Personal info:
   - your name, initials, location (zip code), birthday, pets, license plate
   - family/friends' names (including maiden names), locations, birthdays, pets
   - word/number combinations of any of the above
   - Ego-related; examples: guru, master, wizard
   - Favorites: music (group names, albums), fiction/nonfiction/comic-book characters, movie/TV/cartoon characters & titles
   - Dumb Hollywood movie-people think all passwords are of this variety
4. Categories:
   - Double-words; examples: kittykitty, johnjohn
   - Funny/nonsense/jargon words; examples: wassup, bzzzzz, foobar
   - Insults; examples: biteme, eatdirt
   - Keyboard sequences; examples: asdfg, qweasd, poiqwe
   - Obscene words; examples: (use your imagination)
   - Passwords based on the host name (for people with lots of passwords); for example, if the system is named 'cat', an obvious password is catpass
   - Reversals; examples: terces, wordpass, nhojnhoj
5. Dictionary & foreign-language words:
   - If you can find your word here, it's not a very good password.
   - Common Passwords - Various Languages
   - Dan Klein - browsable and categorized lists of English words
   - DEC Collection - compressed lists of common English words
   - stats: There are 200,000+ words in the English language (most people use around 10,000-40,000). As a guesstimate, there are some 32,000 8-letter words/phrases.
   - For some word lists, see The Electronic Alveary
6. Mixed-case dictionary words (alternating UPPER-lower case letters)
   - examples: paSSworD, PLaceBO
   - stats: If a word has 2 letters, there are 4 (2^2) ways to capitalize it (at, At, aT, AT). If a word has 8 letters, there are 256 (2^8) ways. The same count (2^letters) applies to each word in the dictionary. Guesstimate: there are around 32,000 8-letter words, which gives 8 million (32,000 x 256) mixed-case 8-letter passwords.
7. Mixed-case word with number(s)
   - examples: 9fiNgeRS, loVELy68
   - stats: Tacking a number from 0-9 before or after a word gives 20 more variations of the password. Using 00-99 before or after the word gives 200 variations. Guesstimate: there are some 19,000 6-letter words, and 243 million variations (19,000 x 64 x 200) of 6-letter-word, 2-number passwords.
8. Mixed-case word(s)/letter(s)
   - Combining words and/or extra letters
   - examples: GUessTHis, BiKeFisH
   - stats: We're talking pretty big numbers here. Around 53 trillion (52^8) 8-letter mixed-case passwords (i.e. aaaaaaaa, aaaaaaaA, aaaaaaAa, ..., ZZZZZZZZ)
9. Mixed-case words/numbers/letters
   - examples: No50WaY2, puT863MoX
   - variant: hacker/IRC/license-plate jargon; examples: H4x0rD00dZ, UR2good4Me, FXR1stR8
   - stats: OK, my mind's swimming; there are somewhere around 218 trillion (62^8) 8-letter/number passwords
   - It takes an average of 5 seconds to crack this kind of password on a Windows machine; considerably longer on BSD or Linux.
10. Random characters
   - examples: qs3UIs82, k38#0J$dA
   - note: some programs and services only allow letters and numbers, some include dashes ('-'); the best allow any character
   - stats: Assuming 94 'type-able' characters, there are 6 gazillion (94^8 = 6.1 quadrillion [US]) different 8-character passwords. There aren't as many 7-character passwords, but there are some 9-character ones still available, if you hurry.
- No password is uncrackable.
- The best you can do is make it difficult and non-trivial to determine your password.
- What's the worst password? The one you've forgotten.
- Some stats on how long breaking passwords takes
- Whatever method you choose, it's a good idea to change your password periodically.
- The more important the password, the more often it should be changed.
- Why? If someone currently knows your password, change it and they won't. If someone is attempting a brute-force attack on your password, the hope is that you're changing it to something they've already tried and found to be wrong.
- The longer the password, the harder it is to guess.
- note: many systems limit passwords to 8 characters.
- Some clever people are using social engineering to obtain passwords.
- If somebody calls or emails, requesting your password, it's a dumb idea to give it to them.
- Of course nobody would sticky-note a password to their monitor, or under a keyboard.
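The keyspace figures in items 5-10, and the rating idea behind the page's RateThisPassword form, can be reproduced in a short script. The following is an added example and not the page's own checker: it places a password in the weakest page category it matches and reports the keyspace an attacker would have to search, using a small constructed word list that stands in for the Klein and DEC lists, and the page's own word-count guesstimates (19,000 6-letter and 32,000 8-letter words; other lengths are assumed to use the 8-letter figure). The alphabet-size calculation generalizes the page's 52^8, 62^8 and 94^8 figures by counting which character classes are actually present, and the guess rate passed to `average_crack_seconds` is an assumed parameter, not a measurement.

```python
"""Rate a password against this page's categories and estimate the keyspace a
guessing attack must search.  Added example; not the page's RateThisPassword form."""
import re

# Constructed stand-in for the page's word lists (Klein, DEC).  A real checker
# would load the full dictionaries; these entries are just the page's examples.
COMMON = {"password", "superuser", "god", "love", "lust", "money", "private",
          "qwerty", "secret", "sex", "snoopy"}
DICTIONARY = COMMON | {"kitty", "john", "guess", "this", "bike", "fish",
                       "fingers", "lovely", "placebo", "cat"}

# The page's guesstimates of dictionary words per length (6- and 8-letter).
# Assumption: other lengths fall back to the 8-letter figure.
WORDS_BY_LENGTH = {6: 19_000, 8: 32_000}


def word_count(length):
    return WORDS_BY_LENGTH.get(length, 32_000)


def alphabet_size(pw):
    """Characters an attacker must try per position, from the classes present.
    Generalizes the page's 52 (mixed case), 62 (+digits) and 94 (typeable)."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 32                      # 94 typeable - 62 alphanumerics
    return size


def rate(pw):
    """Return (category 1..10, keyspace): the weakest page category pw falls into."""
    if not pw:
        return 1, 1                     # default / none
    if pw in COMMON:
        return 2, len(COMMON)           # the short list every cracker tries first
    m = re.fullmatch(r"(\d{0,2})([A-Za-z]+)(\d{0,2})", pw)
    if m and not (m.group(1) and m.group(3)):   # digits at one end only
        pre, word, post = m.groups()
        digits = pre or post
        core = word.lower()
        n = len(word)
        mixed = word != core and word != word.upper()
        variants = 2 ** n if mixed else 1       # capitalizations of the word
        if core in DICTIONARY:
            if not digits:
                return (6, word_count(n) * variants) if mixed else (5, word_count(n))
            # cat 7: one digit before or after = 20 variants, two digits = 200.
            # Assumption: a single-case word with digits is rated here without
            # the 2^n case factor.
            return 7, word_count(n) * variants * (20 if len(digits) == 1 else 200)
        half = core[: n // 2]
        if core == half * 2 and half in DICTIONARY:   # double-word (cat 4)
            return 4, word_count(len(half))
        if core[::-1] in DICTIONARY:                  # reversal (cat 4)
            return 4, word_count(n)
    size = alphabet_size(pw)
    if pw.isalpha():
        return 8, size ** len(pw)       # 52^8 in the page's example
    if pw.isalnum():
        return 9, size ** len(pw)       # 62^8
    return 10, size ** len(pw)          # 94^8


def average_crack_seconds(keyspace, guesses_per_second):
    """Expected time: on average half the keyspace is tried before the hit."""
    return keyspace / 2 / guesses_per_second


if __name__ == "__main__":
    RATE = 1e6                          # assumed guesses per second, not measured
    for pw in ["password", "paSSworD", "loVELy68", "kittykitty",
               "GUessTHis", "No50WaY2", "k38#0J$dA"]:
        cat, space = rate(pw)
        print(f"{pw:12} category {cat:2}  keyspace {space:.3g}  "
              f"~{average_crack_seconds(space, RATE):.3g} s at {RATE:.0e} guesses/s")
```

Feeding the page's own examples through `rate` reproduces its figures: paSSworD gives 32,000 x 256, loVELy68 gives 19,000 x 64 x 200, and the three letter/number/symbol examples give 52^9, 62^8 and 94^9 because they are 9, 8 and 9 characters long. The mixed-case check treats a word in all one case as category 5, which is why PASSWORD and password rate the same.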
The original page offered a RateThisPassword form here that scored a password against the above standards, as a rough measure of the difficulty hackers/crackers would have in 'guessing' it.
Related info:
- Encryption, passwords and cryptography:
- MIT's guide to password choosing
- Counterpane
- Diceware passphrase method
- Security & Human Factors
- Visual passwords
- The Hack FAQ: Unix Passwords
- Handbook of Applied Cryptography (PDF format)
- The Redbook
- Web Informant
- Applications (software):
- For the mathematically inclined:
- To brush up on your advanced math skills, see Calculus, Complex Variables, & Differential Equations
- GNU Scientific Library - ANSI C routines for numerical computing
- Other categorizations:
- An interesting study of 1100 Brits revealed the following password choices:
- Family (1/2): family names, nicknames, pets
- Fans (1/3): sports teams, pop stars, cartoons
- Ego (1/9): fawning descriptions of oneself
- Cryptics (1/11): see 6-10 above
- Credits:
- Special thanks to Adrik L. for pointing out a flaw in the password checker.