How to create strong, secure passwords that you can easily remember [Tip]

It seems that as access to technology grows on a global scale, so does the number of scam artists, hackers and assorted scumbags trying to make everyone’s digital life a bigger pain than it needs to be. There are many ways to fight back, but most of them are so complex and unrealistic that most of us simply ignore them. So we have written this guide on how to create and use safe, secure passwords that you can actually remember. Following the rules outlined here will not make you hacker-proof, but it greatly reduces the likelihood of your accounts being compromised. Read on to learn more.

BEFORE WE BEGIN

Before we go on, let me point out that this article is broken up into three parts:

  • Part 1 is how to have safe and secure passwords — traditional-type passwords that you have probably used until now, such as cat123, dog456, etc.
  • Part 2 tells you about a different type of password — passphrases — and explains why you should use passphrases instead of regular passwords.
  • Part 3 provides general tips you should follow regardless of whether you employ regular passwords or passphrases.

That said, let’s begin.

PART 1 — HOW TO HAVE SAFE AND SECURE PASSWORDS

Make your passwords long

Remember back in grade school math class when you studied permutations? Remember how adding an extra digit to a number (i.e. going from four digits to five digits) greatly increased the amount of possible permutations of that number? Yeah, well, they didn’t just teach that in school to torture us; permutations have a real-life application.

You see, most websites do not store passwords as-is; they store a one-way hash of each password, so anyone who gets hold of a website’s password database cannot simply read everyone’s passwords. When that happens and the attacker cannot reverse the hashes, they fall back on a brute force attack: systematically trying candidate passwords until one produces the stored hash. (A brute force attack does not require the attacker to have the password database; it can also be run against the login form itself. However, most websites have anti-brute force measures in place that temporarily lock an account after too many failed logins in a short period, so the dangerous case is the offline attack against a stolen database, where nothing limits the guess rate.) There are two defenses that help protect against a brute force attack: password length and password complexity (see the next tip). The longer your password, the harder it is to find by brute force, simply because the attacker has to try a greater number of candidates.

That said, exactly how long should your passwords be? Industry standards at the time of writing say at least eight characters. However, personally, I recommend twelve characters or more. Why? One word: graphics. In a study conducted by Georgia Tech in 2010, when this article was first written, researchers were able to crack eight-character passwords using graphics cards in two hours. Cracking twelve-character passwords, on the other hand, was estimated to take over 17,000 years. Two hours vs. seventeen thousand years, hmmm….

Now, does that mean all hackers will have the capability to crack eight-character passwords in two hours? No. It takes a certain level of sophistication and hardware to do what the Georgia Tech researchers did, and the average wannabe hacker isn’t at that level. However, it shows just how important password length is.

Make your passwords complex

Building on the same idea of making passwords long, passwords should be complex. By “complex” I mean passwords should not be just lowercase letters and numbers. You should incorporate special characters (e.g. !, ?, @, #, $, %, ., *, etc.) and uppercase letters (when supported – not all websites support case-sensitive passwords) in your passwords. Think about it. If you use only lowercase letters and numbers, there are thirty-six possible characters your password can be made up of (assuming you are using the English alphabet). In other words, there are 36^8 = 2,821,109,907,456 possible passwords if your password is eight characters long. Once you mix in uppercase letters, the number jumps to 62^8 = 218,340,105,584,896. The number of possible passwords skyrockets even higher once you add in special characters.

Using special characters and uppercase letters is not as complicated as it sounds. All you need to do is go through your password, replace some letters with similar-looking special characters and make some lowercase letters uppercase. For example, if your password is bullseyeathome you can make it stronger by using bu1L$eye@th*me. Not too hard to remember, is it? One caveat: these “leet” substitutions (1 for l, $ for s, @ for a, 0 or * for o) are so common that password-cracking tools apply them automatically as mangling rules, so a substituted dictionary word is nowhere near as strong as the character-set math above suggests. Treat substitution as a way to satisfy complexity requirements, not as a replacement for length.

Furthermore, complexity is not only about using a mix of lowercase letters, uppercase letters, numbers, and special characters. Complexity also includes avoiding real words and popular phrases. Cracking a password made up of real words or popular phrases is very easy using a dictionary attack. So instead of using real words or popular phrases, make up your own words or phrases. That does not mean your password can contain no real words or popular phrases. Rather, it means your password should not consist entirely of real words or popular phrases – throw in one or two figments of your imagination.
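The substitution trick above, measured the way an attacker sees it. This is an added example, not code from the original article: it uses a constructed substitution table in the style of the “leet” mangling rules that cracking tools apply to wordlists (the table is an illustration, not any tool’s real rule set), counts how many variants those rules generate from the base word bullseyeathome, and checks that bu1L$eye@th*me is one of them. The guess rate is the one hundred trillion per second figure the article uses later.

```python
import math
from itertools import product

# Constructed substitution table in the style of the "leet" mangling rules that
# cracking tools apply to wordlists. It is an illustration, not any tool's rule set.
LEET = {
    "a": "a@4A", "b": "bB8", "e": "e3E", "g": "g9G", "i": "i1!I",
    "l": "l1L|", "o": "o0*O", "s": "s$5S", "t": "t7+T",
}

GUESSES_PER_SECOND = 1e14  # the rate the article uses for its own estimates (assumption)


def candidates(ch):
    """Every form an attacker's rules would try for one base character:
    the character itself, its uppercase form, and its look-alike substitutions."""
    raw = LEET.get(ch.lower(), ch.lower() + ch.upper())
    return "".join(dict.fromkeys(raw))  # de-duplicate, keep order


def variant_count(base):
    """How many distinct strings the substitution rules generate from `base`."""
    count = 1
    for ch in base:
        count *= len(candidates(ch))
    return count


def substitution_bits(base):
    """Entropy (bits) the substitutions add on top of guessing the base word."""
    return math.log2(variant_count(base))


def brute_force_bits(length, alphabet=95):
    """Bits a character-by-character search over printable ASCII would face."""
    return length * math.log2(alphabet)


def is_mangled_form(guess, base):
    """True if `guess` is reachable from `base` by the substitution rules."""
    return len(guess) == len(base) and all(
        g in candidates(b) for g, b in zip(guess, base)
    )


def seconds_to_try_all(base, rate=GUESSES_PER_SECOND):
    """Time to try every substituted variant of one base word."""
    return variant_count(base) / rate


def generate_variants(base):
    """Yield the variants in the order an attacker's nested loop would produce them."""
    for combo in product(*(candidates(ch) for ch in base)):
        yield "".join(combo)


if __name__ == "__main__":
    base, chosen = "bullseyeathome", "bu1L$eye@th*me"
    print(f"{chosen!r} reachable from {base!r}: {is_mangled_form(chosen, base)}")
    print(f"variants the rules generate: {variant_count(base):,} "
          f"(~{substitution_bits(base):.1f} bits)")
    print(f"character-by-character search of {len(base)} printable chars: "
          f"~{brute_force_bits(len(base)):.1f} bits")
    print(f"time to try every variant at {GUESSES_PER_SECOND:.0e}/s: "
          f"{seconds_to_try_all(base):.2e} s")
```

The gap is the point: the rules turn one 14-letter word into a few million variants (about 22 bits of extra work), whereas a genuinely random 14-character string over printable ASCII is about 92 bits. The substitutions only help if the base word itself is not in the attacker’s list.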

PART 2 — PASSPHRASES ARE BETTER THAN TRADITIONAL PASSWORDS

What is a passphrase?

A ‘passphrase’ is a password that uses a combination of words or phrases instead of random letters, numbers, and special characters. For example, ‘dog123zty’ is a traditional password but ‘dogpenchair’ is a passphrase. Passphrases can be as long or as short as you want and can contain any words or phrases that you desire.

Why are passphrases better?

When you need to create a password, you should always consider using a passphrase instead of a traditional password. Why? Two reasons.

Firstly, passphrases are easy to remember. For example, ‘oilplutowhacktoss’ is longer but a lot easier to remember than ‘kplVE7IZ’.

Secondly, passphrases can be more secure than traditional passwords. Thanks to the power of mathematics, length matters more than complexity: adding a character multiplies the number of possible passwords by the size of the character set, whereas adding character classes only enlarges that set. Keeping with the same example, if both have to be found character by character, ‘oilplutowhacktoss’ (26^17, about 1.1 x 10^24 possibilities) is a far more secure password than ‘kplVE7IZ’ (62^8, about 2.2 x 10^14), even though it uses only lowercase letters whereas the second password uses uppercase letters, lowercase letters, and numbers. It is the power of permutations, people. The catch, covered below, is that an attacker who knows you use passphrases will guess words rather than characters, so the words have to be chosen well.

How to come up with passphrases?

When coming up with a passphrase, it is generally recommended to use four words of five letters each so you have a total password length of twenty characters. However, if you are having trouble thinking of four words of five letters each, you can mix and match different length words. For example, you can use one three-letter word, one four-letter word, one five-letter word, and one six-letter word; or three six-letter words; or three five-letter words and one three-letter word; etc. However many words of whatever length you decide to use, make sure your total password length is not lower than sixteen characters. Sixteen characters is the minimum; the more characters you have above sixteen, the better off you are.

Passphrases can contain any words or phrases you want, but the key to passphrases is to select four unrelated words — ideally picked at random from a word list rather than from your own associations, since words that come to mind together are also guessed together.

If you use a passphrase that contains related words, a modified dictionary-based attack (a cracking technique that tries combinations of dictionary words, prioritising words that commonly go together) could potentially crack your password easily. For example ‘dogcatfishturtle’ is easy to remember and is long but is easy to crack because dog, cat, fish, and turtle are related — they are all common house pets. On the other hand, ‘dogwalletdiskairplane’ is a relatively secure password not only because of its length but also because the four words used have no major relationship between them.

Improve security further

While a passphrase in and of itself is one of the better types of passwords, you can have an even more secure passphrase by simply adding in one uppercase letter and one number. It is possible to modify a passphrase to have one uppercase letter and one number without making it difficult to remember, and doing so greatly enlarges the search space a brute force attacker has to cover.

For example, ‘oilplutowhacktoss’ can be turned into ‘oil4plutoWhacktoss’; both are easy to remember but the second is more secure because, for a character-by-character brute force attack, the search space grows from 26^17 (about 1.1 x 10^24) to 62^18 (about 1.8 x 10^32), assuming uppercase letters count as distinct from lowercase (some systems don’t differentiate). In other words, while it would take roughly 360 years to exhaust the search for ‘oilplutowhacktoss’ at one hundred trillion guesses per second (which, by the way, requires a massive amount of computing power and is unlikely to be pointed at the average Joe’s account), exhausting the search for ‘oil4plutoWhacktoss’ at the same rate would take on the order of 6 x 10^10 years. See the difference one uppercase letter and one number make, without making the password much harder to remember? Bear in mind that these are brute-force figures; an attacker who guesses word combinations and tries the obvious tweaks (capitalise one word, insert one digit) faces a far smaller search, which is why the choice of words matters as much as the decorations.
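The arithmetic behind Part 1’s character-set figures and Part 2’s passphrase examples, carried through in one place. This is an added example, not code from the original article. It computes the brute-force search space for a password from the character classes it uses, the alternative search space an attacker faces when guessing word combinations instead (the 37,000-word pocket dictionary size is an assumption, as is the 200x factor for “one capital plus one inserted digit”), converts both to time at the article’s one hundred trillion guesses per second, and generates a random passphrase from a small constructed word list with a CSPRNG, which is the practical way to get “unrelated” words.

```python
import secrets

# Guess rate the article uses for its estimates: one hundred trillion per second.
GUESSES_PER_SECOND = 1e14
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Size of a pocket dictionary, standing in for the attacker's wordlist (assumption).
DICTIONARY_SIZE = 37_000

# Constructed mini word list for the generator below; a real list has thousands
# of entries, which is what DICTIONARY_SIZE assumes.
SAMPLE_WORDS = ["oil", "pluto", "whack", "toss", "dog", "wallet", "disk",
                "airplane", "chair", "pen", "cat", "fish", "turtle"]


def charset_size(password):
    """Size of the smallest union of the usual character classes that covers the
    password: the alphabet a character-by-character brute force has to search."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation
    return size


def brute_force_keyspace(password):
    """Candidates an exhaustive character-by-character search must try."""
    return charset_size(password) ** len(password)


def dictionary_keyspace(word_count, dictionary_size=DICTIONARY_SIZE, mutations=1):
    """Candidates if the attacker guesses word combinations instead of characters.
    `mutations` scales the space for simple decorations (one capital, one digit)."""
    return dictionary_size ** word_count * mutations


def years_to_exhaust(keyspace, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every candidate; on average a hit comes at half this."""
    return keyspace / rate / SECONDS_PER_YEAR


def strength_report(password, word_count=None, mutations=1):
    """Brute-force view of the password, plus the dictionary view when it is
    built from `word_count` dictionary words."""
    bf = brute_force_keyspace(password)
    report = {"password": password, "brute_force_keyspace": bf,
              "brute_force_years": years_to_exhaust(bf)}
    if word_count:
        dk = dictionary_keyspace(word_count, mutations=mutations)
        report.update(dictionary_keyspace=dk, dictionary_years=years_to_exhaust(dk))
    return report


def random_passphrase(words, count, separator=""):
    """Pick words with a CSPRNG so that 'unrelated' does not depend on human whim."""
    return separator.join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    # Plain four-word passphrase: 26^17 by brute force, 37000^4 by dictionary.
    print(strength_report("oilplutowhacktoss", word_count=4))
    # Decorated version: 62^18 by brute force. The dictionary attacker only adds
    # one capitalised word (4 choices) and one digit at one of 5 boundaries
    # (50 choices) on top of the words: an assumed 200x, not 10^8x.
    print(strength_report("oil4plutoWhacktoss", word_count=4, mutations=200))
    print(random_passphrase(SAMPLE_WORDS, 4, "-"))
```

Run it and the two views diverge sharply: ‘oilplutowhacktoss’ is centuries of work character by character but only hours as four dictionary words, and the decorated ‘oil4plutoWhacktoss’ drops from tens of billions of years to weeks under the word-guessing model. Length helps in both models; the word-guessing model is the one that governs a passphrase, so the number of words and the size of the list they come from are what count.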

Aside from enhanced security, getting into the habit of modifying a passphrase to include one number and one uppercase letter is very good practice because many websites require that passwords include a minimum of one number and one uppercase letter.

Improve security even further

Once you have a passphrase with sixteen characters or more that includes one uppercase letter and one number, you have a passphrase that will withstand plain brute-force and dictionary attacks, which make up the bulk of what attackers actually run. However, there are more sophisticated attacks out there that order their guesses by letter patterns in the English language. For example, as dotTechie AFPhy6 points out, in English the letter ‘L’ is more likely than the letter ‘D’ to follow the letter ‘P’ in a word, such as in “pluto”. So a more sophisticated attack would try ‘L’ after ‘P’ before it tries ‘D’, which cuts down the time it takes to crack a password built from English-looking words.

So what to do to counteract this more advanced type of attack? There are two things you can do:

  • Make up words by way of deliberate misspelling and/or bad grammar. Keeping with the same example, instead of ‘oil4plutoWhacktoss’ the passphrase can be ‘yil4plutyWhacktyss’, where I simply replaced every ‘O’ in the passphrase with ‘Y’. ‘yil4plutyWhacktyss’ is, admittedly, harder to remember than ‘oil4plutoWhacktoss’, but it is more secure and still easier to remember than a randomly generated password of similar length. [Thanks dotTechie AFPhy6 for pointing out this tip!]
  • Use non-English words. While most systems won’t let you use non-Latin alphabets, you can use Romanized words from other languages in your password. For example, instead of ‘oil4plutoWhacktoss’ I can make the passphrase ‘oil4plutoWhackpaika’, with ‘toss’ replaced by the Urdu word ‘paika’, which means throw. You can even combine this method with the previous one and use ‘yil4plutyWhackpaika’. [Thanks dotTechie thegreenpixel for pointing out this tip!]

Making up words and/or using non-English words does make a passphrase noticeably more complicated and harder to remember, which works against one of the major purposes of using a passphrase — ease of remembering. However, it also makes passphrases stronger while still being easier to remember than randomly generated passwords of similar length.

I’d recommend utilizing the trick of making up words and/or using non-English words if you feel you need the enhanced security. Truth is most people likely don’t need the enhanced security. Using a passphrase of sixteen characters or more with one uppercase letter and one number is highly secure, and the type of sophisticated attacks that making up words and/or using non-English words counteracts are not as common as you think — the people that have the resources for them typically have agendas that target a specific type of people, not the average Joe. However, if you feel you need it, then do it.

What you don’t want happening is you using a passphrase with sixteen characters or more that has one uppercase letter, has one number, uses fake words, and uses words from another language and you stop remembering it and/or using it because it has become too complicated. Passwords are all about trade-offs and if you feel you can easily remember a passphrase with sixteen characters or more that has one uppercase letter, has one number, uses fake words, and uses words from another language, then use it; if you feel you cannot, then stick to a passphrase with sixteen characters or more that has one uppercase letter and one number — don’t bother with fake words and words from another language.

PART 3 — GOOD ADVICE FOR EVERYONE

Have tiered passwords or passphrases

Experts tell us we should have a different password/passphrase for each and every login, and with a password manager that is entirely doable: the manager generates and remembers a unique password for every site, and you remember only the master passphrase. Without one, though, it is unrealistic; who in their right mind could possibly keep a different password/passphrase in their head for every single login? If you successfully manage different passwords/passphrases for every login you have, kudos to you. For the rest of us, a doable fallback is having tiered passwords/passphrases.

Tiered passwords/passphrases is the simple idea of having a different password/passphrase for each “group” of logins you have. For example, let’s say you have a login for your bank account, your main e-mail, a spam e-mail, and three websites you visit often. Applying the concept of tiered passwords/passphrases, you may use one password/passphrase for the bank account, one for your main e-mail, and one for the spam e-mail and website logins. Of course the split doesn’t have to be exactly that; it is up to you to decide the importance of each login and how you want to categorize it. The overall goal is not to make sure X type of login gets X password/passphrase; rather, the goal is to make sure your high-importance passwords/passphrases stay different from low-importance ones, so if a low-importance password/passphrase ever gets compromised, you don’t have to worry about the high-importance ones.

From a pure security standpoint, having tiered passwords/passphrases is not as secure as having a different password/passphrase for each login. However, it is a doable derivative that serves as a good compromise between the two extremes of using the same password/passphrase for all logins and using a different password/passphrase for every login.

Your username/login name is a security tool too!

When you log in somewhere, are you ever allowed to log in using just your password? Nope – you always need an accompanying username or login name (sometimes it is your e-mail address). So, then, why would you want to share that username/login name with someone else? Sure, a username/login name is not as big a secret as your password/passphrase, but to get into an account both a username/login name and a password are required. Without one, the other is useless.

Think about it this way. Your username is the door-handle lock on your front door while the password is the deadbolt. Anyone trying to get inside your home has to get past both the door-handle lock and the deadbolt; the deadbolt may be the one that is harder to break, but the door-handle lock nonetheless still plays a role in securing your home. So keep your usernames/login names secret!

Of course this isn’t always possible; sometimes your username/login name is publicly displayed… such as on a website forum, and many sites use your e-mail address as the login name, which you give out all the time. Bear in mind, too, that usernames are routinely exposed in breached databases alongside the password hashes. So treat username secrecy as a small extra hurdle, never as a substitute for a strong password/passphrase: when it is possible, be frugal about giving out your username/login name, but never rely on it staying secret.

Avoid similarities between username and password/passphrase

While this may seem like a no-brainer, it is surprising how many people use their username (or a variant of it) as their password/passphrase. You should never, ever use your username (or a variant of your username) as your password/passphrase. Usernames and passwords/passphrases should be kept as different as possible — preferably 100% different. This way, if a hacker finds out your username or your password/passphrase, they can’t use it to help determine the other missing piece.

Conclusion

Life would be grand if we didn’t have punks trying to access our accounts – either for fun or malicious purposes or whatever; but that just isn’t how it is. So, please, do yourself a favor and use strong passwords or passphrases in order to keep your accounts secure.

Have any advice on how to have strong passwords and secure accounts? Share with us in the comments below!

Originally posted December 13, 2010. Updated October 30, 2013.

Comments

76 comments

  1. David

    Thank you for such an insightful article. I learned a lot.

    Although I didn’t have time to read the entire article word for word, I did notice a grammar error in the first paragraph that should be corrected, as seen here: “Living your digital life by the following the following the rules…”

    I hope this helps.

  2. AFPhy6

    [@JonE]
    It is ridiculous how many bank sites limit people to 12-character passwords! I consider that the absolute minimum length, and that for a random ASCII password, not a passphrase created out of simple words. (I evaluate a 12-character passphrase as being about the same complexity as a 10-character random… and that its safety vs. attack is on the order of a week)

  3. AFPhy6

    [@Waldo]

    Excellent article with updated information about crackers’ current state-of-the-art. Thanks for linking it here. It seems that Gibson’s Haystack “Fast Offline Attack Scenario” https://www.grc.com/haystack.htm ought be considered as an “average single-collaborator attack” now. There are several articles linked through it that I am using now to update my knowledge.

  4. JonE

    First: Thank you Ashraf, for taking the time to write and update an article to pass on information we all need to hear (read). I found it interesting and informative.

    And this article, and articles like it, demonstrate and lay bare the diversity of views, ideas, and opinions of authors and readers alike. This is a good thing because you know you’re not reading the same old thing or the party line; one of the things I like best about dotTech. Even if I (you) don’t agree with everything written (said) I’m (you/we are) bound to learn something.

    I use a variety of different methods for passwords, including password managers, and four different password managers, for different things, by four different developers, and yes I have a different password for every single login. I don’t think it matters what system you use as long as it works for you and keeps you secure.

    The one thing that bugs me most about passwords are those sites that require a password to access their site – service then limit you to 8, 10, 12, or 16 characters. For instance my ISP and Bank both limit me to a 12 character password; give me a break – C’Mon Man!

  5. AFPhy6

    [@Ashraf]

    On Mar.18,2013, and thereabouts, we had a great discussion involving several of us and at least a dozen comments on this thread. All of those comments are missing now. Can you please recover those? Alternatively, and preferably, can you recover and repost this article the form it appeared at that time (or simply link a comment below to its URL). There was a lot of enlightening back-and-forth on those days that is sadly now missing from this article.

  6. CJ Cotter

    My passwords include the last names of coworkers that have unusual and uncommon last names that are hard to spell. This includes the name of company owner, who is of Polish heritage, having a last name with 11 letters in it.

  7. Virtualguy

    I don’t want to manage a password manager. I use a simple but effective formula to provide a unique passphrase to each account or website login. I use keystroke patterns, all based on one simple, easy to remember formula. So, all I have to do is look at the domain name and apply my keystroke formula, which begins with a certain character in the domain name. All passphrases are at least 10 characters, alpha-numerical, upper/lowercase, and can include special characters if I choose. I don’t have to use any software to remember my passwords, or even write them down. I’ve been doing this for years, and it works great for me. I wrote about this previously. You can see the posting here:

    http://dottech.org/121257/google-reveals-top-10-most-weak-and-common-passwords/comment-page-1/#comment-1010506

    If you read it, and think about what I’m saying and try it for yourself, you will probably understand what I’m doing. If you figure it out, you won’t need a password manager, ever. You won’t need anything. You just look at the domain name and apply your own formula to every login. Brilliantly simple.

  8. melen001

    [@Bub]

    That is the best way to secure your password… no one can access it, not even you. That’s the ” make it and forget it” technique… many have used it and it “does” work just fine…. ha ha ha…..

  9. AFPhy6

    [@Bruce Fraser]

    I agree, due to the virtually unlimited size of the dictionary.

    Please consider the method I outline in #10 – passphrases composed by short, “strong”, “words” you generate yourself, separated by website-specific characters. If I lose my password keeper (which I did a few months ago on a system reinstall), I still am able to recover with a few tries due to my limited dictionary.

  10. Bruce Fraser

    The premise of this whole article was “easy to remember” passwords. (Look back at the title.) I think this method fails.

    So you use “oil4plutoWhacktoss” for a website. Good luck remembering even that. Now multiply that by however many websites for which you need passwords. I have passwords stored for over a hundred websites. (That doesn’t mean I use them regularly; some I haven’t been back to since my first encounter, but registration was required. Still, I probably use twenty or more regularly.)

    Try to remember all those? Forget it. Since I’m going to use a password utility, then it doesn’t matter whether the characters are words or gibberish; the main thing is to make the passwords plenty long.

  11. AFPhy6

    [@Ashraf]

    Congratulations, Ashraf! A much stronger and better article now! I won’t withdraw my comments, especially my post#10 technique since it results in a password that is essentially breakable only by me, but you’ve really tightened this up. And Gibson would probably really make sure we added padding… lol.

  12. AFPhy6

    [@sl0j0s]

    I had one sentence referring to Gibson’s very good idea of “padding”. I’m agnostic about that.

    [@thegreenwizard]

    Very cute! I like that concept. In addition, if you are allowed to use the extended character set (higher ASCII characters with values greater than 128 with umlauts and other such accent marks) by the password-asking site, you greatly expand the search space, probably to a base in excess of 200, though you still can’t get to the “escape” characters that are smaller than 0x20. … One problem for me: English is my second language (and I have no third)… Math is my first … LOL I would really screw up if I tried other language words!

    [@Ashraf]: I truly respect you, friend. Your article was very good for discussion, and I am excited that you updated it. I absolutely agree with your paragraph in post#20. I guess I am going to have to go pore over the main article again, though!

  13. Ashraf
    Author/Mr. Boss

    [@AFPhy6] When it comes to security, there are two aspects: the technical element and the human element. The biggest problem with passwords is the human element. If a password technique is too complicated, many people won’t use it. You are right, there are hacking techniques out there that help in cracking software and using fake words/bad grammar is a way to counteract those techniques. However, using fake words/bad grammar increases the complexity of a passphrase which will discourage many people from using passphrases, and a passphrase is better than no passphrase.

    However, as I said, you are right. I have updated the post to include the tips you have provided but have included a caution, too.

    Thanks!

    [@thegreenwizard] Thanks! Updated post with your tip, too.

  14. thegreenwizard

    It’s so easy… mix different languages and you put the dictionaries out of business, and for numbers use the Roman numerals, for example for your SSN.

    Salutguapaw1egoestyou?

    French, Spanish, German+1, Swiss-German, English and with the Swiss german, you don’t have dictionary.

    “Hello pretty (1) how are you?”

  15. sl0j0s

    Hello, all.
    Great article, and the comments [AFPhy6, especially] are fantastic, too.
    The only thing; nobody mentioned “padding”, or the addition of punctuation or numbers to a ‘passphrase’, to expand its complexity and length.
    I think I saw at Steve Gibson’s site, which is referenced above by “AFPhy6″, @ #8.

    Have a GREAT day, neighbors!

  16. AFPhy6

    This is a simple cross-link to another post today and many comments I made on it which are pertinent to this whole subject:

    http://dottech.org/100945/windows-review-pwgen/

    [@jayesstee]
    I’m going to also add a MAJOR YES about “being able to easily crack my own passwords”. That is why I devised the system to begin with.

    Ah – I thought I had explained somewhere about Unicode, so while I’m at it I’ll put this all in one place:

    Though they are often considered pretty much only 2-characters linked together, Unicode characters are more than that. Such character sequences (revert to hex for a while) as hex 0x2301 are virtually impossible to use in an ASCII password since 0x01 and many other unprintable characters are “escape” characters with special meanings. However there are many Unicode characters that have form 0x2301, where one or more of the pair are unprintable.

    A properly chosen Unicode character set, where useable, expands the “base” from which the exponent on the password evaluation page linked above from 95 (or 95×95=9,025 if you want to look at a Unicode as a double character), up to at least 63,000 due in large part to the inability to use the full hex space in ASCII.

    Gibson does not (yet) include Unicode possibilities in his evaluation, probably since Unicode support is still spotty, so I have been doing my own calculations using the approximation that one Unicode character has similar complexity to three characters created from the character set of “UPPERCase+Numbers”

    Again, since some people think this is a decent primer: it is easy to think that if someone is using a random attack mode you don’t have to worry about them using a dictionary attack. That is false. What goes on in the real world is that the encoded password files get released, and dozens or thousands of hackers go to work on that file, each using their own strategy. There may be some duplication, but there is a lot of variation in each person’s or teams’ approach, and many of them have setups similar to Redman’s and even more capable.

  17. jayesstee

    [@AFPhy6]
    Oh dear, I have already copied your posts numbered 6, 7, 8, 11 and 12 to a word document.  It is the first ‘in-depth’ treatise on the subject that I could read (and understand) past the first few lines . . . .
    If you would like me to destroy it or you would like a copy please send me a PM.  Otherwise thanks again.

  18. AFPhy6

    [@jayesstee]

    LOL – No, I have not tried to patent it, but I hereby Copyright everything I wrote in all my replies to this article and the other password article now up on DotTech… the concept, and assume that Ashraf will claim rights also! … if only so some fool company like Apple will NOT be able to come by and patent it without running into some real difficulties! …

    Time to save the right page now, just in case some wise guy tries it…

  19. AFPhy6

    I feel like I am beating a dead horse to some extent here, but since it is a subject that I have strongly considered, at length, in detail, and from a position of understanding the basics of the field, I am going to add yet another thing after reading and thinking about your revised article:

    Your “complex” oil4plutoWhacktoss password is much much better than your original example. I’m glad you augmented the article in that way. Note, however, with the calculator I linked above that o!l4plutoWhacktoss would register as 20,000 or so times more difficult in a brute force attack.

    However, that passphrase ought not be considered as 18 separate characters, but as 5 words coming from a rather simple dictionary: the 37,000 words in a simple pocket dictionary, including the single characters. Such dictionary attacks are very common tools used by hackers, probably even more common than brute force random attacks. The passphrase gains by having a higher “base” of 37000 (or so) compared to the complex common ASCII base of 95, but loses out due to the low exponent. So, the 5-word attack must deal with about 7×10^22 variations of that small dictionary, not the 10^32. The dictionary may have to go to “all words capitalized” mode for your specific example, which would make it 32 times longer search … 10^24. That would make it about the same difficulty as a 12-character totally random string, and I consider that sufficient strength now, and for at least 5 years. This is far better than your initial 4-word, lower case example which was equivalent to about 9-10 random ASCII characters, (that comes in at around 2×10^18), but still, it is not even close to 10^32.

    And by the way, the “o!l” instead of “oil” thing I used herein really doesn’t “count” as using the 95-character set of ASCII, but instead as using a slightly “expanded” dictionary of maybe 100,000 words and having “common substitutions” for specific characters … a dictionary containing “words” such as l0ve, and 4eign. Those are so trivial to check that in hackers lists of cracked passwords they don’t even list such things separately but include them as being the same words as “love” and “foreign”. You don’t get the full benefit of the 95-character ASCII set you gain from a totally random password, or the “invented words” that I suggest earlier in this thread.

    Ah… rereading what you wrote yet again and what I did herein, I am going to make yet one more comment right here as a “PS” instead of trying to fit it in the right place above: Your “5 letter word” suggestion runs into the teeth of another simple attack mode, dictionary attack starting with all 1-letter words (26), then all 1&2 letter words (384), then all 1,2&3 letter words (2532), on to 123&4-letters (6515), (26+358+2148+3983+5794), finally 1,2,3,4&5 letter words(12,309). I got those numbers using a wild card search in TheSage dictionary of 210,000 words, and I can tell you that there are quite a few of those that are not in a typical dictionary (zb, kd, “a few”, a-non, a’man, for example) I did not bother to purge the list, but an actual list of dictionary words from a Merriam-Webster would be many fewer than 12,000.

    This means that even including capitalized and “common substitution” words, the dictionary is probably more on the order of my “moderate-sized” figure of 37,000 words, and the 4 and 5 “word” passphrases would be more on the order of 2×10^18 and 7×10^22, corresponding to approximately 9-10 (barely acceptable 9 years) and 11-12 random characters respectively (around 300,000yrs for Redman). Presumably, those would be much easier to remember than such random passwords, at least.

    I still like my method better than passphrases, though.

  20. jayesstee

    [@AFPhy6]
    Thank you. A really valuable ‘primer’.
    I like the fact that you can crack your own password – simply brilliant!
    I have a simpler system, but having read your post(s) I am going to redo all of mine. Hope you haven’t done an ‘Apple’ and patented it!

  21. AFPhy6

    Again, an addendum:

    First, even my short, 3-“word” passwords without the added “spacer” take over ten times longer to crack than the 16 character passphrases. Each of those additional spacers multiplies the time by 95 (due to my using at least one of each class) instead of 26 or 52.

    Second, my “words” may appear difficult to type or recall, but after doing them 10 times or so, they are remarkably fast to type.

    Third, if someone were going to adopt _mostly_ a passphrase such as you suggest above, I strongly recommend that they invent one simple-to-type “word” such as &*78 to add somewhere in every one of their passphrases. That will force the attacker to go to a full 95-character search, and even if the phrase remains 16 characters, it will be over 10,000 times more difficult to discover.

  22. AFPhy6

    [@Ashraf]

    Oh, one more addendum to the problem with passphrases, although, as you point out, the longer, the better…

    One of the attack modes that is NOT mentioned in that security article is that modern cracking techniques for “exhaustive mode” searches are not simply “random”, orderly, exchanges of characters. The crackers use an algorithm that looks at “most common groups” of letters, so, for example, if an analysis of a cracked password dictionary shows that the most common character to follow “t” is “h”, that is the first character checked for in the search, instead of “a” or “1”. That strategy is followed recursively throughout the search space.

    That results in “regular words” like “pluto” in your example being much more easy for the cracker to discover than “pzuto” since “l” is far more likely to follow “p” than is “z”. That strategy seriously reduces the effectiveness of normal word dictionary generated passphrases.

    For this reason, I suggest that if a reader is going to use a “passphrase” strategy, they use a few “words” that they invent, and then shuffle those “words” when they wish to change passwords.

    For example, suppose my dictionary of easy to type and recall “words” (given keyboard layout and my own mind) are “Qaz”, “2389”, “mk.KM”, “*9*”, and “1M!b”. I don’t tell anyone what those are. I DO write them down in a couple places just in case, even in plain sight. Using those 5 “words” of mine, in the manner of “passphrase” philosophy, I can generate many dozens (but not trillions) of passwords like:

    Qaz2389mk.KM = 3 “words”, 12 chars
    mk.KM1M!bQaz = 3 “words”, 12 chars
    1M!bQaz2389mk.KM = 4 “words”, 16 chars
    *9*1M!b2389*9* = 4 “words”, 14 chars

    Even if these were cracked by brute force, it is unlikely my “words” would take up residence in a cracker’s dictionary… they are pretty random looking.

    For a site like DotTech, I will use 3 “words” separated by “D” and “T”, so QazD2389Tmk.KM. But, if your password base is compromised a cracker could say “gee – it is likely that D and T separate ‘words’”. He might add them to his dictionary and make me easier to crack in the future. Instead I may use the keyboard keys following the DT, e.g., FY, as my separators. (I suggest wrapping around “P” to “Q” instead of using “[”, for example, but use your OWN ideas!) This allows me to have simple passwords for ME, different for each web site, and a lot of confidence that even if one of my passwords is obtained the others won’t be.

    When I have forgotten a site’s password, it is simple for ME to bust it since MY dictionary is only a few words, and it is MY pattern! Hackers don’t have it so easy, since they are really in brute force mode.

    I will be using 3-word passwords for sites like DotTech… 4-word passwords for banking and such sites.

    My “words” will be 3-5 characters long. There will be at least two of each in a specific class, so for example, I’ll have three like “MKLM” or “QRFV” or “2389” so I can use my same pattern on those horrible sites that only allow capital letters and numbers. Most of my dozen words will have at least three of the classes: upper-case, lower-case, numbers, specials, non-ASCII unicodes. I will also have one of each that is single-class, like “%$#”.

    By the way, the change I’m making is not going to be that radical. I have been using this for nearly 20 years… I will simply add one letter to each of my “words”, and go from 2 or 3 “words” to 3 or 4 “words”. I believe that I’ll have no need to change my approach 20 years from now unless it is to again add a “word”. In all the articles I’ve studied about this concern, I’ve never seen a better approach to passwords, though Gibson’s “padding” would be a good addition that I will probably not adopt.

    By the way, if you wish, please feel free to use this material and modify it, if you think it useful enough, as an article on the site instead of a mere reply.
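    AFPhy6’s point above, that a modern cracker orders its guesses by which character most often follows the previous one rather than walking the alphabet in order, can be made concrete. The block below is an added example written for this page; it is my own code, not AFPhy6’s method and not any real cracking tool’s implementation. It trains a first-order character Markov model on a small, constructed stand-in for a list of cracked passwords (real lists run to millions of entries) and uses it to decide which character to try next after a given one and to rank candidates, so that “pluto” comes out ahead of “pzuto” exactly as described. The sample corpus and the add-one smoothing are assumptions for illustration.

```python
import math
import string
from collections import Counter, defaultdict

# Symbols a cracker would enumerate in "exhaustive" mode (printable ASCII minus whitespace).
ALPHABET = string.ascii_letters + string.digits + string.punctuation
START = "^"  # sentinel standing for "beginning of the password"

# Constructed stand-in for a list of previously cracked passwords.
# Real lists run to millions of entries; a couple of dozen suffice to show the mechanism.
SAMPLE_CRACKED = [
    "pluto", "plato", "please", "player", "planet", "plum", "princess", "password",
    "whack", "toss", "oil", "love", "lover", "loved", "foreign", "letmein",
    "monkey", "dragon", "baseball", "football", "thunder", "shadow", "master", "qwerty",
]


def build_bigram_model(corpus):
    """Count, for every character (and START), how often each character follows it."""
    model = defaultdict(Counter)
    for password in corpus:
        prev = START
        for ch in password:
            model[prev][ch] += 1
            prev = ch
    return model


def transition_log_prob(model, prev, ch, alpha=1.0):
    """Add-alpha smoothed log P(ch | prev): unseen transitions get a small, non-zero probability."""
    row = model.get(prev, Counter())
    return math.log((row[ch] + alpha) / (sum(row.values()) + alpha * len(ALPHABET)))


def log_likelihood(model, candidate, alpha=1.0):
    """How 'password-like' a candidate looks under the model (higher = tried sooner)."""
    total, prev = 0.0, START
    for ch in candidate:
        total += transition_log_prob(model, prev, ch, alpha)
        prev = ch
    return total


def search_order_after(model, prev, alpha=1.0):
    """Order in which a Markov-guided cracker would try the next character after `prev`."""
    row = model.get(prev, Counter())
    return sorted(ALPHABET, key=lambda c: (-(row[c] + alpha), c))


def rank_candidates(model, candidates, alpha=1.0):
    """Most probable (soonest-cracked) candidates first."""
    return sorted(candidates, key=lambda c: log_likelihood(model, c, alpha), reverse=True)


if __name__ == "__main__":
    m = build_bigram_model(SAMPLE_CRACKED)
    print("after 'p' try:", "".join(search_order_after(m, "p")[:5]))
    for cand in rank_candidates(m, ["pluto", "pzuto", "Qaz2389mk.KM"]):
        print(f"{cand:>14}  log-likelihood {log_likelihood(m, cand):.1f}")
```

    With this corpus the first character tried after “p” is “l”, and an invented “word” like Qaz2389mk.KM scores far below both real words because every one of its transitions is unseen. The ordering only helps a cracker against passwords that share statistics with the training list; that is the whole reason the thread prefers invented “words”.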

  23. Ashraf
    Author/Mr. Boss

    [@AFPhy6] I made a mistake originally recommending a 4-word passphrase of 4 letter words. I should have recommended 5 letter words. I’ve updated the article to reflect this.

    I’ve also updated the article to include enhanced security tips about adding an uppercase letter and number to passphrase, without making the passphrase too hard to remember.

    Thanks for the tips and the website!

  24. AFPhy6

    Finally, here is a password generated easily at Gibson’s site: https://www.grc.com/passwords.htm

    -936>&A&!i9@[T~E%K06Y”gF?~iWji^)PYR4g+6L:q?]sv>]sq-$}4Z06^H>~~u

    It would take that same cracker about 2 thousand million trillion trillion trillion trillion trillion trillion trillion trillion centuries to crack it… but you better not lose your password keeper or you are so out of luck!

  25. AFPhy6

    To expand on what I just wrote:

    A 4-word passphrase would then be approximately similar complexity to a random 8-digit password using upper, lower, numbers and special characters. The cracker described in the article above would have that password cracked in about 12 days.

    Ouch.

  26. AFPhy6

    [@Ashraf]

    From: http://arstechnica.com/security/2012/08/passwords-under-assault/

    “At any given time, Redman is likely to be running thousands of cryptographically hashed passwords through a PC containing four of Nvidia’s GeForce GTX 480 graphics cards. It’s an “older machine,” he conceded, but it still gives him the ability to cycle through as many as 6.2 billion combinations every second. He typically uses a dictionary file containing about 26 million words, combined with programming rules that greatly extend its effectiveness by adding numbers, punctuation, and other characters to each list entry. Depending on the job, he sometimes uses a 60 million-strong word list and something known as “rainbow tables,” which are described later in this article.”

    Check the viability of your password here: https://www.grc.com/haystack.htm

    For a “passphrase” attack, I suggest that each word be considered as coming from a 10,000 word dictionary, so 4 words would be complexity 10^16 in length. Of course, if you put characters or numbers other than lower case in your words, you enlarge the dictionary and complexity, but that is defeating the reason for using a passphrase to begin with.
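    The keyspace arithmetic AFPhy6 uses in this thread (37,000 words to the 4th and 5th power, the ×32 for optional capitals on a 5-word phrase, the comparison with a 12-character random string, the 10,000-word estimate just above, and the “12 days” and “around 300,000 years” figures at Redman’s 6.2 billion guesses per second) can be reproduced with a few lines. This is an added example written for this page, not code from the thread; the guess rate is taken from the Ars Technica quote, and the 95-symbol printable-ASCII alphabet and the 365.25-day year are my assumptions.

```python
import math

# Attacker throughput quoted from the Ars Technica piece in this thread (4x GTX 480, "older machine").
GUESSES_PER_SECOND = 6.2e9
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY   # assumption: Julian year
PRINTABLE_ASCII = 95                          # assumption: the "95-character" set used in the thread


def random_keyspace(charset_size: int, length: int) -> int:
    """Number of passwords of exactly `length` symbols drawn uniformly from `charset_size` symbols."""
    return charset_size ** length


def passphrase_keyspace(dictionary_size: int, words: int, case_variants_per_word: int = 1) -> int:
    """Search space for `words` dictionary words. case_variants_per_word=2 models
    'lowercase or Capitalized' per word, the x32 AFPhy6 applies to a 5-word phrase."""
    return (dictionary_size * case_variants_per_word) ** words


def entropy_bits(keyspace: int) -> float:
    return math.log2(keyspace)


def equivalent_random_length(keyspace: int, charset_size: int = PRINTABLE_ASCII) -> float:
    """Length of a uniformly random password over `charset_size` symbols with the same keyspace."""
    return math.log(keyspace) / math.log(charset_size)


def time_to_exhaust_seconds(keyspace: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst case: every candidate tried once. The average case is half this."""
    return keyspace / rate


def summarize(label: str, keyspace: int) -> dict:
    secs = time_to_exhaust_seconds(keyspace)
    return {
        "label": label,
        "keyspace": keyspace,
        "bits": round(entropy_bits(keyspace), 1),
        "equiv_random_chars": round(equivalent_random_length(keyspace), 1),
        "days": secs / SECONDS_PER_DAY,
        "years": secs / SECONDS_PER_YEAR,
    }


if __name__ == "__main__":
    cases = [
        ("4 words, 10,000-word dictionary", passphrase_keyspace(10_000, 4)),
        ("4 words, 37,000-word dictionary", passphrase_keyspace(37_000, 4)),
        ("5 words, 37,000-word dictionary", passphrase_keyspace(37_000, 5)),
        ("5 words, 37,000-word dict, optional capital", passphrase_keyspace(37_000, 5, 2)),
        ("8 random printable-ASCII chars", random_keyspace(PRINTABLE_ASCII, 8)),
        ("12 random printable-ASCII chars", random_keyspace(PRINTABLE_ASCII, 12)),
        ("16 random printable-ASCII chars", random_keyspace(PRINTABLE_ASCII, 16)),
    ]
    for label, space in cases:
        s = summarize(label, space)
        print(f"{label:<45} {space:.1e}  {s['bits']:5.1f} bits  "
              f"~{s['equiv_random_chars']:4.1f} random chars  {s['years']:.3g} years")
```

    The numbers land where the thread puts them: 37,000^5 is about 6.9×10^22 (roughly 354,000 years at 6.2×10^9 guesses/s), 37,000^4 is about 1.9×10^18 (under 10 years), and 95^8 is exhausted in a little over 12 days. Note that these are exhaustive-search times; a dictionary or Markov-ordered attack finds a phrase built from common words well before the space is exhausted, which is the point AFPhy6 makes elsewhere in this thread.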

  27. Ashraf
    Author/Mr. Boss

    [@r1xtremerider] Yeah, I hate it when that happens. Websites should be encouraging users to use passphrases, not forcing them to use a letter or uppercase letter.

    In such a situation, I recommend thinking of a passphrase then simply adding a letter, uppercase letter, etc. to conform to the requirements of a specific website. For example, a website says you must use one uppercase letter and one number. So instead of ‘oilplutowhacktoss’ use ‘oil51plutowhackToss’ or something to that effect.

  28. r1xtremerider

    There is one problem with using a passphrase as a password. Almost all secure websites REQUIRE the use of a number; letters alone are not enough. What do you do in that situation, which comes up often?

  29. Ashraf
    Author/Mr. Boss

    [@Shawn] ? You lost me. Are you saying using ASCII letters make passwords hard to crack? With the power of GPU acceleration combined with traditional CPU processing, you’d be surprised how quickly passwords can be cracked regardless of what type of characters they use. This is why length > complexity.

  30. Maximus

    1. Portable Extreme Password Generator Pro 1.5 (free program).
    2. Store passwords on word-processor page, > on thumbdrive (+2nd>backup)
    3. Enter passwords by ‘drag and drop’, not keystrokes. (Why? Keyloggers).
    4. Unplug thumbdrive from computer when not using (passwords).
    5. Passwords of 20 characters minimum length. (Longer = better).
    6. Change all passwords every couple months (even WiFi) see #1 above.
    7. ‘Do Not’ open an unknown senders email, no matter what it says or claims.
    8. Store security items and photos on removable disc or thumbdrive(s).
    9. Home WiFi min.: WPA2. ‘All’ public HotSpots are (easy to) “Open to public”.

  31. Bull

    …bullseyeathome…

    What the?! O.O

    Ashraf you total hacker! You hacked and publicly posted my password! >: (

    Naw, just kidding man. : )

    Great article though.

    I use LastPass to generate 25+ passwords for my logins, and my master password is much higher. Yeah, sounds difficult to remember, but it’s something that I will never forget bar having amnesia. Even then I have something physical to point me in the right direction.

  32. LouisMarinier

    As Ashraf pointed out, make your critical passwords, that is, your bank account (this always should be the only time & place you use this specific password) at least 12 characters (actually my studies show 9 characters using a ‘nonexisting-word’ with a mixture of upper & lower & special characters and number to be a solid and brute force unbreakable password). Use KeyWallet (the best & most convenient password manager I’ve tried, amongst all the other popular and also lesser known ones, after more than a decade I still use it) & make that your critical password nr 2 to remember, different from your banking password, which is the one password which should not even be inside your password manager. Inside KeyWallet you can go berserker when setting passwords, for you don’t need to remember any of them — and it allows you to backup your passwords in a KeyWallet backup file (obviously solidly encrypted) which is cleverly exported and imported out of and into KeyWallet, without any other program being able to read the KW backup file.

  33. Thomas

    I think people should use their strengths with passwords, and not ply to the weaknesses of technology, by using more complicated technology. Get a system, and keep to it. For example if you can easily recall movies, use movies:

    eg – gonewiththewind1956
    hint – I dont give a damn

    if you can easily recall sports, use sports

    eg – camesecondin1996superbowl-PittsburghSteelers
    hint – lost the ‘eat my hat’ bet

    if you can easily recall phone numbers, use phone numbers

    eg – terry+44915462251mobile
    hint – he broke my favourite golf club

    if you can easily recall cars, use cars

    eg – chryslerdodge1988rustbucket
    hint – first car

    You remember in human terms what, when combined, is terribly difficult to guess in computer terms.

    Simple is good.

    Ciao.

    T

  34. Darcy

    :) I use Sticky Password for any online logins required but to open my computer or sticky password itself I use a fingerprint scanner. It came built into the computer. There is a master password of course, which I can remember easily but uses some of the tricks mentioned above. Since I never actually enter it though, it’s relatively hard for someone to discover.

    One trick I used with my nephews, when they were grounded from the computer. I took a bonus card out of my wallet and used initials for the store plus the last 8 digits of the card code. Substituting special characters as described above. That way I had a perfectly camouflaged copy of the password in my wallet. Nobody knew that I did it that way let alone which card I used. Their computer accounts have limited privileges anyway and I was only locking them out of it until they were ungrounded.

  35. William R Cosgrove

    Hello,

    Well, I simply want to offer some hints;

    1) Never use just (1) password generator.
    2) Steer away from using online password generators.
    3) Periodically change-up your passwords; you determine the time interval.
    4) Unless absolutely necessary, do not use just letters, numbers, upper/lower casing but symbols of various kinds if you can.
    5) Make passwords lengthy; say between 15/17 to 20/25 characters. I mean not so long that you go ballistic or blind.
    6) Never keep data like passwords stored on your internal hard-drive.
    7) Keep passwords stored on portable devices like a flash drive/thumb drive, CD (RW) or an external hard-drive.
    8) If that is not good enough, I print out hard-copies of my passwords and tuck them away for safe keeping. Sometimes I keep multiple copies. Whenever I make any changes and/or additions, I simply do what I have got to do. Hey, some things take a little work.
    9) Maybe you want to consider keeping passwords stored on your smart phone/cell phone; with encryption of course.
    10) I always keep my many passwords stored away in my wallet.
    11) There are (3) words I want you to remember; “LENGTHY, DIVERSE & ENCRYPTION”!!!
    12) I would suggest you get the best internet security program you can get; hint: I do not, have not, nor will not pay for an “Internet Security Suite” package when I know what I know. Believe me, knowledge is precious and expensive; and wise are the people who possess it. I know where to go to get it. If you are smart, you will not have to pay a dime for this type of software. A little word of advice: “KEEP YOUR EYES OPEN”. There is much treasure found in these (3) little words; “FREEBIES, GIVEAWAYS & PROMOTIONALS”. But, I will not disclose to any of you where I navigate to regarding this matter. That is my secret! But, by now you should have somewhat of an idea of at least (1) site I am acquainted with.
    13) I always make it a habit to store & save (2) things on a CD for archival purposes; “Registration codes/licenses & software installers”. When it comes to security of this type, it can really help somewhere down the road if disaster strikes.
    14) You might want to keep in mind, these (2) names; “STEGANOS SS 12 & STICKY PASSWORD”!!!

    Have a wonderful New Year!!!

  36. Godel

    I disagree with some of what Ashraf has said.

    My advice is to get a password manager and set one kick-ass password to unlock it. This is where you want to go all out on a long, random looking password, or a longer pass phrase. I use the donation-ware Keepass, but there are dozens of free and commercial password managers out there.

    Next, computing platform permitting, get the PasswordMaker add-on to Firefox to manufacture your passwords. There is also a simple Windows stand alone version for the desk top, in case you can’t use Firefox.

    Set PasswordMaker to the Lowercase-Uppercase-Numbers character set and use the same password as for your password manager to keep things simple (optional).

    My reason for not using special characters is that some web sites won’t allow them and banking sites are often the worst. The reduced character set is equivalent to 6 bits per character and adding special characters adds just 0.6 bits more to that, so adding one more character for every 10 in your password is enough to compensate.

    The advantage of PasswordMaker is that it creates random looking passwords via hashing your password with the website address, but you can recreate them at any time if you are away from your password database. This may also be useful if you wish to switch to a different password manager. I don’t believe this is any less safe than using fully randomized password creation, providing your master password is a good one.

    Once you are using a password manager, there is no difficulty in using a different password for every account, the software memorises it for you.

    Lastly backup, backup, backup your database. Store one or more copies off-site at a relative’s place or in the cloud. It doesn’t matter if they fall into “enemy hands” as they are encrypted by your master password. Bruce Schneier recommends writing your master password down just in case. He keeps his in his wallet. You could obfuscate the written version if security worries you.

    Store a copy of the master password with instructions with your will at your lawyer’s office. If you’re hit by a truck, this could make it much easier for your loved ones to clean up your affairs.
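    Godel describes two things worth checking in code: a per-site password manufactured by hashing the master password together with the website address, and the figure that dropping special characters costs about 0.6 bits per character (log2(95) versus log2(62)). The block below is an added illustration written for this page. It is not PasswordMaker’s own algorithm (that project has its own hash and character-set scheme); the choice of PBKDF2-HMAC-SHA256, the 100,000 iteration count, the base-62 digit mapping and the sample master password are my assumptions.

```python
import hashlib
import math
import string

ALNUM = string.ascii_letters + string.digits               # 62 symbols: Godel's reduced set
PRINTABLE = ALNUM + string.punctuation + " "                # 95 printable ASCII symbols


def bits_per_char(alphabet: str) -> float:
    """Entropy contributed by one uniformly chosen symbol from `alphabet`."""
    return math.log2(len(alphabet))


def length_for_equivalent_strength(reference_len: int, reference_alphabet: str, alphabet: str) -> int:
    """Shortest password over `alphabet` at least as strong as `reference_len` symbols of `reference_alphabet`."""
    needed_bits = reference_len * bits_per_char(reference_alphabet)
    return math.ceil(needed_bits / bits_per_char(alphabet))


def derive_site_password(master: str, site: str, length: int = 16,
                         alphabet: str = ALNUM, iterations: int = 100_000) -> str:
    """Hypothetical per-site derivation (not PasswordMaker's own scheme):
    PBKDF2-HMAC-SHA256 keyed by the master password, salted with the site name,
    then the 256-bit result written as base-len(alphabet) digits.
    Same master + same site always gives the same password; changing either changes everything."""
    if not site:
        raise ValueError("site must be non-empty: it is the salt that makes passwords differ per site")
    base = len(alphabet)
    if length * math.log2(base) > 256:
        raise ValueError("requested length exceeds the 256 bits the digest provides")
    digest = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), site.encode("utf-8"),
                                 iterations, dklen=32)
    n = int.from_bytes(digest, "big")
    chars = []
    for _ in range(length):
        n, r = divmod(n, base)        # peel off one base-`base` digit at a time
        chars.append(alphabet[r])
    return "".join(chars)


if __name__ == "__main__":
    master = "correct horse battery staple"   # constructed example master password
    for site in ("example.com", "example.org"):
        print(site, derive_site_password(master, site))
    print(f"bits/char: alnum {bits_per_char(ALNUM):.2f}, printable {bits_per_char(PRINTABLE):.2f}")
    print("alnum chars to match 10 printable chars:",
          length_for_equivalent_strength(10, PRINTABLE, ALNUM))
```

    Ten printable-ASCII characters carry about 65.7 bits; the same strength over 62 symbols needs 11.03 characters, which `math.ceil` rounds up to 12, so Godel’s “one extra character per ten” is the unrounded figure. Two caveats a practitioner should keep in mind with any deterministic scheme of this kind: the site name is public, so the master password is the only secret and must be strong enough to survive an offline attack by anyone who learns one derived password; and a site that forces a password change needs an extra input (a counter or version string folded into the salt), otherwise the derivation can only ever produce the same password.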

  37. vyverjet

    @Frank:
    I can fully understand the travails of typing in a P-W every time! Hey, I am 49 years old and getting on! Many websites (email sites to be specific) allow Cut&Paste, but http://www.zoho.com does not! I consider that strictness on the part of the email site is proof enough of their commitment!! Has anybody come across sites like that?
    Regards,
    vyverjet.

  38. Frank

    Dear AShraf
    thanks for your reply,
    At my age cut and paste is much more effective than retyping three times because of dyslexia, fumble fingers etc. (done here already), AND learning to use new software is also a pain.
    In many years from now you will understand what I mean………. best regards

  39. Clodmore

    Ashraf,

    Thanks for mentioning that RoboForm was up to version 7, as I was stuck on version 6.10. I must have registered RoboForm eons ago (yes, I’m that old!) and received a “life time” update package. I just updated and it was free. I’ve never paid for any RoboForm updates. It makes updating an easy choice.

    Again, thanks.

  40. vyverjet

    Passwords come in three strengths.
    1) Eight scrambled—> 0OO`8V;.
    2)Thirteen scrambled and——–> _$Kk–Xt6~!/”
    3) Twenty one and above (scrambled)——–> Q,>{OOo0Af+D]:3g”“”//1

    Vital points!
    1) Unless you have a good Keyscrambler like Zemana (which you should grab from dottech) OR Keyscrambler Pro, if someone is intent and focused on your keystrokes, the whole effort goes to waste!

    2) Password managers like Roboform and Lastpass serve you very well! The MASTER PASSWORD (sorry for the bold type) should be more than twenty one characters and you have to store it on “hardware” like on paper which should be stored in a place accessible only to you! I store all passwords including the Master in a safety vault and I have “memorized” the master P-W thoroughly!
    I use LastPass.
    3) I have taken a xerox copy of all the passwords (after typing them “back to front”) and kept them in my drawer which is locked!

    4) Never store these on the Lappy or PC (guess it goes without saying).

    5) We are most “VULNERABLE” when we use simple passwords for one or two sites (for example, medscape.com and/or (WESTERN DIGITAL) https://websupport.wdc.com) and that one chink in the armor is sufficient to infiltrate your system! The first site b’cause I am a Doc’ and the second b’cause WD has its own Backup wizard and this lap comes with a WD.

    6) Now coming to usernames, that will become a problem area only IF your password is not strong and stealthy!
    Who wants to remember a username like vyv_er-jet (even I can’t remember it!) or dr.vvz (I can tell you that people are so interested in themselves, except Assange possibly)

    7) I honestly do not know about virtual keyboards, but Kaspersky has one! Zemana can protect against screen captures!

    8) I change the passwords of gmail, hotmail and zohomail once in six months!
    Regards,
    vyverjet.

  41. Ashraf
    Author/Mr. Boss

    @Sparky: Thanks for the tip. Anything special about that particular password generator that others don’t have?

    @Frank: Is it effective? Eh, yeah I guess. Is it cumbersome? Yeah! Dude if you are worried about keyloggers, you can

    1) Use KeyScrambler
    2) Use a password manager like Roboform, LastPass, or KeePass. The password managers paste in passwords for you so keyloggers are useless.

    I am not trying to belittle you or anything; I just don’t see the sense in doing what you do when there are so many useful software out there that can help us beat keyloggers.

    @Locutus: Clever borg, very clever.

    @njwood60: Roboform actually can – you just have to pay extra for mobile integration, haha.

  42. njwood60

    @Ashraf: KeePass may not be as good as roboform but I can use the password file on my phone. If Roboform can’t do that then doesn’t matter how good it is on the PC
    Browser integration is fine, but I do use a Firefox addon: “Hostname in Toolbar”, which fills the URL into the title bar, to help KeePass recognise the page you’re on.

  43. Locutus

    @Ashraf: Yep. I used to use the same password on ~30 sites. Then I smartened up, now the original password is my throwaway password. On the sites that I cared about, I made variations of it.
    Here’s how I made it:
    penGAW:ads3
    pen=first three letters of my username
    GAW=name of site (Gawker)
    :=special character, also used in original throwaway
    ads3=part of the throwaway password.
    (username)(site):(original password). That simple!

  44. Frank

    Good work Ashraf, but all this work is useless if you happen to have a keyboard recorder in a trojan in your computer.

    In order to try and combat this possibility I do the following:

    I have part of my password written in a notepad file that I practically open every time.
    The complete password is made up of the partial password plus one or two characters before and after the partial one.

    When I enter the password in my bank account I type the extra characters – copy and paste the partial password and type the remaining ones.

    I have been doing this regularly without problems BUT I AM NOT SURE IF THIS METHOD IS REALLY EFFECTIVE AGAINST KEYBOARD LOGGER SOFTWARE.

    That is why I am describing this to you asking your opinion; can you tell me if this is a good measure or only in my imagination?

    many thanks and best regards

  45. Ashraf
    Author/Mr. Boss

    @njwood60: Ah KeePass. Back when I was searching for a password manager, I dismissed KeePass because it had poor integration with browsers. However, that was long ago – has it improved? Not saying I will be using KeePass (it is hard to switch password managers once you have started using one) but it would be interesting to write an article on.

    @David Roper: I never tried LastPass (the idea of storing my passwords on the cloud just isn’t a comfortable one) but I did try KeePass. Roboform > KeePass any day in my opinion… or at least that is how it was two years ago; not sure now.

    @redmaledeer: Noooo Jedi mind tricks!

    @Bruce Fraser: This is very true.

    @a simple happy man: =O Too complicated for little ole’ me, haha.

    @prema: I believe they are similar products, yes.

  46. a simple happy man

    Hi Ashraf and all

    Creating strong and long passwords that are easy to remember is quite simple and you can do it without having to write them all down.

    All it takes is a Personally Adjustable Method or a “PAM”.

    In a PAM you choose a set of numbers, a set of characters, a reason or use of the password, a name and/or a place where you are using it and a capital letter or two.

    For example if I take someone’s birth date as 28th December 1957
    (preferably use someone elses and not your own
    even though it is very easy for each of us to remember our own
    or pick some special date for you like 4th July the year your first child was born etc).

    In numbers this is 28121957 which is already an 8 character length password
    and depending on the choice of the person it can be written in different ways
    like 28/12/1957 or 28\1957\12 or 1957\28\12 or 1957/12/28
    and each different way can be remembered by what you are using the password for:

    ie, 28\12\1957 can be for bank accounts
    28\1957\12 for email accounts
    1957\28\12 for online software accounts
    & 1957\12\28 for online shopping accounts.

    The next thing to do is to add in a couple of special characters like # @
    eg, #28\12\1957@ then what type of account it is for
    eg, #28\12\1957@email or #28\12\1957@software followed by another special character+
    and we have #28\12\1957@email+ and #28\12\1957@software+

    and then we add in where we are and the example I’ll give here is dotTech.org
    so then we can have #28\12\1957@website+dotTech.org
    and the next thing is another special character at the end, one that Ashraf likes a a lot
    and we have now #28\12\1957@website+dotTech.org:-)

    and finally we add in the capital letters (or even take some away) so for a password for signing into dotTech we can end up with a PAP (Personally Adjusted Password)
    that is #28\12\1957@WebSite+DotTech.Org:-)

    or with only the end letter of words capitalised it could be
    #28\12\1957@weBsitE+doTtecH.orG:-)

    My whole point is that you are building your own password in blocks of digits/characters/names that have some form of meaning for you and are therefore easy for you to remember, adding in special characters and capitalisation according to simple guidelines/rules that you make up yourself that stay the same, but the password changes and is unique according to where you are using it and what you are using it for.

    But the most important rule is that You tell no-one what your PAM (Personally Adjustable Method)
    is and that way all your PAPs (Personally Adjusted Passwords) will be unique and safe and secure!

    Happy Holidays, stay safe, stay secure

  47. Bruce Fraser

    Ashraf,
    Good information.
    Just one little comment on the last paragraph: “Life would be grand if we didn’t have punks trying to access our accounts.”

    Nowadays, the real trouble is not some punk in Mommie’s basement, but professional programmers working for organized crime. It’s a huge and immensely profitable business.

  48. redmaledeer

    A small but (for me) very useful aid to remembering passwords, is that a phrase can be a mnemonic for remembering a password, and the phrase is easier to remember. For example, “Four Score and Ten Years Ago” yields the password fsatya. This can be improved in ways given above.

    Another gimmick is that rather than remembering a secure and highly scrambled password, I find it easier to remember a simple password plus a simple algorithm for altering it. For example, the highly insecure password “redmaledeer” can become “sggqfrllnoc”. It is left as an exercise for the student to figure out what the algorithm was. It’s actually simple.

  49. David Roper

    Roboform is what I came to use when I finally realized I could not remember all those cute password names.
    I never have regretted it. Tried the freeware ones like Keepass and Lastpass but keeping going back to Roboform.

  50. njwood60

    Thanks for the article Ashraf

    I use KeePass as my password manager (http://keepass.info/)

    It has a generate feature for password and auto-type to fill in the login form on a web page

    It also has an “auto-type window” feature which allows you to specify a browser title (or part of the title) so that keepass can recognise the website you’re on and insert the correct username and password when you hit a hotkey combination

    To solve the problem of not having the passwords when you’re not on your computer, I have KeePassMobile on my phone (http://keepassmobile.com/). It is written in J2ME so runs on most phones that support Java. All I need to do is copy the KeePass file from my PC to the phone to allow me to read my password file on my phone. So just one password to remember for the software.

    And yes I now have a different password for every login

  51. Ashraf
    Author/Mr. Boss

    @Locutus: Did you think of that password yourself? I am impressed =P

    @Greg Bern: RoboForm Pro doesn’t have free updates for life – you need to pay for major upgrades. RoboForm Free does, of course, but that only allows you to store 10 logins and that just isn’t enough for me.

    $29.99 indeed isn’t a lot considering how useful the tool is. However, if upgrading, you can get it for $19.99 so no need for Steve’s coupon. Or, you could use LastPass.

  52. Greg Bern

    @Ashraf:

    I too love rb, free updates for life if paying, so just click on the icon in the taskbar to update free. Free 30 day trial, but after that you have to only use 10, so could use for banking and a few more sites for free. Only 29.99, but has a coupon on the Steve Bass newsletter, 10% off.

  53. Locutus

    Firefox manages passwords just fine for me, thanks.
    Also: here’s a really good example of a secure password.
    penGAW:ads3
    It’s my old Gizmodo/Lifehacker password. (Of course, I have a new one now. :P) Notice how it has a special character, a number, and several capitals.
    Learn from when I used to use the same one password on all accounts people!

  54. Ashraf
    Author/Mr. Boss

    @Jyo: Well I have been meaning to write such as article for a while, but yes the Gawker breach is what has finally forced me to sit down and write this.

    Nothing is hacker proof. As lame as it may it sound, where there is a will there is a way.

  55. Jyo

    I’m guessing this post is a result of the recent Gawker attack? Can’t imagine the mess they’re going through right now. I’m quite surprised that such a large organization would have such a big loophole in their security system (or these hackers really know their stuff). This goes to show how cloud-computing can become disastrous because of the bad guys out there.

  56. Ashraf
    Author/Mr. Boss

    @karen: Roboform Pro FTW! I use it and love it, too. I am actually trying to see if I can get SiberSystems to run a promotion of it on dotTech so everyone can experience Roboform-goodness.

    The only problem with using Roboform (or any password manager) to generate complex passwords and remember them for you is when you don’t have access to the password manager (which is a possibility, regardless of how integrated, connected, and cross-platform the managers may be) you are SOL. Then again, nothing is perfect.

    Karen are you using the new v7? I am debating if I should pay to upgrade to it or not.

  57. karen

    Great advice!!

    I’ve personally given up on trying to remember passwords and usernames. I’ve been using Roboform for a while now and I like it. I have the app installed on my personal laptop, but use the bookmarklet for my browser at work. The bookmarklet is secured by a Roboform online userid/password and I still have to enter my master password to access any logins.

    It works great. And for the installed version at home, even if you go directly to the website and try to just type in the password, it doesn’t work unless you enter the master password.

    And it has a password generator where you set the length, and complexity. So I have lots of 15 character passwords with upper/lower, numbers and special characters and I only have 1 (or 2 if using the bookmarklet) passwords to remember.