
The Ultimate Guide for Creating Strong Passwords


“Treat your password like your toothbrush. Don’t let anybody else use it, and get a new one every six months” – Clifford Stoll

 
When you create an account on a website, you may face the “password dilemma” for a second: should you pick a weak password that is easy to remember, or a strong password that is hard to remember? The rules and guidelines below may help you overcome the password dilemma and create strong passwords that are secure. These are the practices I’ve used over the years, based on my own interest in keeping passwords safe and secure.

I. Two essential password rules:

The following two rules are the bare minimum you should follow when creating a password.

Rule 1 – Password Length: Use passwords that are at least 8 characters long. More characters are better, because every character you add multiplies the number of guesses an attacker has to make by the size of the character set, so the time taken to crack the password grows exponentially with its length. 10 characters or longer is better, and 12 or more is a sensible floor for anything that matters.

Rule 2 – Password Complexity: The password should contain at least one character from each of the following four groups:

  1. Lower case letters
  2. Upper case letters
  3. Numbers
  4. Special characters

I call the above two rules combined the “8 4 Rule” (Eight Four Rule):

  • 8 = 8 characters minimum length
  • 4 = at least 1 lower case + 1 upper case + 1 number + 1 special character.

Just following the “8 4 Rule” will be a huge improvement and will instantly make your passwords much stronger for most of you who don’t follow any guidelines or rules when creating passwords. If the passwords for your banking or other financially sensitive websites don’t follow the “8 4 Rule”, I strongly suggest that you stop everything now and change those passwords immediately so that they do. Keep in mind that the rule is a floor, not a guarantee: “Passw0rd!” satisfies it and is still one of the first guesses any cracking tool will try, which is why the guidelines in sections II and III matter as well.
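
As an added illustration of why Rule 1 matters more than any other (this is example code written for this edit, not part of the original post and not code from Password Dragon), the script below computes the search space an attacker must cover for a password of a given length and character mix, and how long exhausting it would take at an assumed rate of 10^10 guesses per second (a GPU rig attacking an unsalted fast hash; the rate is an assumption, not a figure from the article). Run it and you will see that twelve random lowercase letters beat an eight-character “8 4 Rule” password, and that a four-word passphrase drawn from a 7776-word list lands in the same range as the 8 4 minimum.

```python
import math
import string

# Alphabet size contributed by each character class (printable ASCII;
# string.punctuation has 32 characters).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": 32}

# Assumed attacker speed: 1e10 guesses/s, i.e. an offline attack on an
# unsalted fast hash with a GPU rig. This is an assumption for the
# illustration, not a figure from the article.
DEFAULT_RATE = 1e10


def classes_used(password):
    """Which of the four 8 4 Rule classes appear in the password (ASCII only)."""
    used = set()
    for c in password:
        if c in string.ascii_lowercase:
            used.add("lower")
        elif c in string.ascii_uppercase:
            used.add("upper")
        elif c in string.digits:
            used.add("digit")
        elif c in string.punctuation:
            used.add("special")
    return used


def search_space(length, classes):
    """Candidates an attacker must try who knows only the length and the classes used."""
    alphabet = sum(CLASS_SIZES[c] for c in classes)
    return alphabet ** length


def entropy_bits(length, classes):
    """log2 of the search space; each extra bit doubles the attacker's work."""
    return math.log2(search_space(length, classes))


def passphrase_bits(words, dictionary_size):
    """Entropy of a passphrase whose words were picked uniformly at random from a list."""
    return words * math.log2(dictionary_size)


def days_to_exhaust(length, classes, guesses_per_second=DEFAULT_RATE):
    """Worst-case days to try every candidate; on average the attacker needs half."""
    return search_space(length, classes) / guesses_per_second / 86400


def report(passwords, guesses_per_second=DEFAULT_RATE):
    """One row per password: (password, length, classes, bits, days to exhaust)."""
    rows = []
    for pw in passwords:
        cls = classes_used(pw)
        rows.append((pw, len(pw), sorted(cls),
                     round(entropy_bits(len(pw), cls), 1),
                     round(days_to_exhaust(len(pw), cls, guesses_per_second), 1)))
    return rows


if __name__ == "__main__":
    # Constructed sample passwords: an 8 4 Rule minimum, the article's
    # 11-character example, and twelve random-looking lowercase letters.
    for row in report(["Xk4$pq9!", "Prlu,Curs0!", "qzmvkrtwjhbe"]):
        print(row)
    four = {"lower", "upper", "digit", "special"}
    print("8 chars, 4 classes: %.1f bits" % entropy_bits(8, four))
    print("12 lowercase:       %.1f bits" % entropy_bits(12, {"lower"}))
    print("4 words of 7776:    %.1f bits" % passphrase_bits(4, 7776))
```

The bit counts assume every character (or word) was chosen uniformly at random. A password built from a real word, a name or a famous phrase has far less entropy than the table suggests, because the attacker tries those first; that is what section III is about.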

II. Guidelines for creating strong passwords:

  1. Follow the “8 4 Rule”. As mentioned above, this is the foundation of creating a strong password.
  2. Unique Characters. The password should contain at least 5 unique characters. You already have 4 different characters if you’ve followed the “8 4 Rule”.
  3. Use a Password Manager. Strong passwords are hard to remember, so as part of creating a strong password you need a reliable and trustworthy way of remembering it. Using a password management tool to store passwords should really become a habit. Any time you create a password, record it in a password manager, which will encrypt it and store it safely for you. I recommend Password Dragon (shameless plug: I’m the developer of this software), a free, easy and secure password manager that works on Windows, Linux and Mac. It can also be launched from a USB drive. There are lots of free password manager tools available; choose the one that best suits your taste and use it. Whichever you choose, protect it with a master password that is itself long and unique, because it unlocks everything else.
  4. Use a Passphrase. If you don’t want to use a password management tool, use a passphrase to make passwords easy to remember. You can use the initials of a song or a phrase that is very familiar to you, e.g. the phrase “Passwords are like underwear, change yours often!” can be converted to a strong password such as “Prlu,Curs0!”. Choose a phrase that is personal rather than a famous quotation or lyric, because well-known sayings are already in the word lists cracking tools use.

III. Guidelines for avoiding weak passwords.

Avoid the following in your passwords. Not even part of a password should be any of the items below.

  1. The same as the username, or part of the username.
  2. Names of family members, friends or pets.
  3. Personal information about yourself or family members. This includes information that can be obtained about you very easily, such as birth date, phone number, vehicle licence plate number, street name, apartment/house number etc.
  4. Sequences, i.e. consecutive letters, numbers or keys on the keyboard, e.g. abcde, 12345, qwert.
  5. Dictionary words, including dictionary words with a number or character in front or at the back.
  6. Real words from any language.
  7. Words found in a dictionary with a number substituted for a look-alike letter, e.g. replacing the letter O with the number 0, as in passw0rd.
  8. Any of the above in reverse sequence.
  9. Any of the above with a number in front or at the back.
  10. Empty password.
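
The rules in sections I to III can be checked mechanically. The following is an added example (written for this edit, not the article’s own code and not Password Dragon) that implements the “8 4 Rule”, the five-unique-characters guideline and each item of section III as a function returning the list of rules a candidate password breaks. The word list is a tiny constructed stand-in; a real check would load a system dictionary or a breached-password list, and the four-character sequence threshold is my assumption.

```python
import string

# Constructed stand-in for a real word list (assumption: in practice load
# /usr/share/dict/words or a breached-password list instead).
WORDS = {"password", "welcome", "dragon", "letmein", "monkey", "summer"}

ALPHABET = string.ascii_lowercase
DIGITS = string.digits
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
# Look-alike substitutions undone before the dictionary check (III.7).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})
SEQ_LEN = 4  # assumption: four in a row already counts as a sequence

CLASS_TESTS = {
    "lower case": str.islower,
    "upper case": str.isupper,
    "number": str.isdigit,
    "special character": lambda c: c in string.punctuation,
}

EMPTY = "empty password (III.10)"
TOO_SHORT = "shorter than 8 characters (Rule 1)"
FEW_UNIQUE = "fewer than 5 unique characters (II.2)"
USERNAME = "same as, or part of, the username (III.1)"
PERSONAL = "contains personal information (III.2-3)"
SEQUENCE = "contains a sequence such as abcd, 1234 or qwer, forwards or backwards (III.4, III.8)"
DICTIONARY = "built from a dictionary word, including reversed, digit-substituted or padded forms (III.5-9)"


def has_sequence(password, min_len=SEQ_LEN):
    """True if min_len consecutive characters run along the alphabet, the digits or a keyboard row."""
    low = password.lower()
    runs = (ALPHABET, DIGITS) + KEYBOARD_ROWS
    for i in range(len(low) - min_len + 1):
        chunk = low[i:i + min_len]
        if any(chunk in run or chunk in run[::-1] for run in runs):
            return True
    return False


def word_forms(password):
    """Normalised forms of the password that a dictionary attack would also try."""
    base = password.lower()
    forms = {base, base.strip(DIGITS + string.punctuation)}  # III.5, III.9: padding removed
    forms |= {f.translate(LEET) for f in list(forms)}         # III.7: passw0rd -> password
    forms |= {f[::-1] for f in list(forms)}                   # III.8: drowssap -> password
    return forms


def weaknesses(password, username="", personal=()):
    """Return the rules the password breaks; an empty list means it passed every check here."""
    if not password:
        return [EMPTY]
    problems = []
    if len(password) < 8:
        problems.append(TOO_SHORT)
    missing = [name for name, test in CLASS_TESTS.items() if not any(test(c) for c in password)]
    if missing:
        problems.append("missing " + ", ".join(missing) + " (Rule 2)")
    if len(set(password)) < 5:
        problems.append(FEW_UNIQUE)
    low, user = password.lower(), username.lower()
    if user and (user in low or low in user):
        problems.append(USERNAME)
    if any(item and item.lower() in low for item in personal):
        problems.append(PERSONAL)
    if has_sequence(password):
        problems.append(SEQUENCE)
    if word_forms(password) & WORDS:
        problems.append(DICTIONARY)
    return problems


if __name__ == "__main__":
    # Constructed candidates: a leet dictionary word, a sequence, the article's
    # example, and a reversed padded dictionary word.
    for pw in ("Passw0rd!", "abcd1234", "Prlu,Curs0!", "drowssaP9"):
        print(f"{pw!r}: {weaknesses(pw, username='ramesh') or 'OK'}")
```

Passing this check is necessary, not sufficient: the function only knows the six words in its list, so treat it as the shape of a policy checker, and feed it a real dictionary and a list of passwords from known breaches before relying on it.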

IV. Common sense about passwords:

All the following points are nothing new and very much common sense. But most of the time, we tend to ignore them.

  1. Create a unique password every time. When you change the password for an existing account, it should not be the same as the previous password. Also, do not use incremental passwords when changing it, i.e. password1, password2 etc.
  2. Change the passwords for all your accounts once every 6 months. A password is a finite string, so a brute-force attack will eventually succeed if the attacker has enough time and processing power; more importantly, a password can be stolen through a site breach or a keylogger long before you notice anything, and changing it regularly limits how long a stolen password stays useful. Schedule a recurring appointment on your calendar to change your passwords once every 6 months. (Later guidance such as NIST SP 800-63B favours changing a password when there is evidence it has been compromised rather than on a fixed schedule, because forced rotation pushes people towards the incremental passwords warned against in #1; if you do rotate on a schedule, make each new password genuinely different.)
  3. Never write down your passwords. Creating a very strong password and writing it down on a piece of paper next to the computer is as bad as creating an easy-to-remember weak password and not writing it down anywhere. There have been several interesting surveys on this subject, which found that many people write down their password and keep it somewhere next to the computer; some of them think keeping the post-it note under the mouse pad is secure enough. Don’t write passwords down on paper. If you want to carry your passwords with you at all times, use a password manager tool that runs from a USB stick and take that with you.
  4. Don’t share with anyone. Anyone includes your friends and family. You have probably heard the phrase “Passwords are like underwear, don’t share with anybody”. We teach our kids several things in life; teaching them about online safety and not sharing passwords with anybody should be one of them.
  5. Never use the same password for two different sites. It is very tempting to create one password for all your email accounts, another for all the banking sites, another for all the social networking sites etc. Avoid this temptation and keep unique passwords for all your accounts: when one site is breached and its password database leaks, attackers try the same user name and password on every other popular site.
  6. Don’t type your password when someone is looking over your shoulder. This is especially important if you type slowly, search for the letters on the keyboard and type with one finger, as it is very easy for someone looking over your shoulder to figure out the password.
  7. Never send your password to anybody in an email. If you follow #4 above, this should not even be an option. The reason I’m specifically mentioning it is that attackers send emails posing as a support person and ask for your user name and password. A legitimate website or organization will never ask you for your user name and password, either via email or over the telephone.
  8. Change a password immediately when it is compromised. Even if you have the slightest doubt that someone might have stolen your password, change it immediately. Don’t waste even a minute.
  9. Don’t use the browser’s “Remember password” option without setting a Master Password. Don’t use this feature of the browser to store your user names and passwords without enabling the “Master Password” option. If you don’t set a master password in Firefox, anybody who uses your Firefox browser can see all the stored passwords in plain text. Also, be very careful with this option and say “Not Now” in the remember-password pop-up when you are using a system that doesn’t belong to you.
  10. Don’t type your password on a computer that does not belong to you. If possible, don’t use someone else’s computer that you don’t trust to log in to any website, especially very sensitive websites such as banking. It is a very common practice for attackers to install key loggers that record every key stroke on a system, capturing everything you type, including passwords.

Please leave your comments about this post. If you follow different methods or rules for creating strong passwords, please share them with everybody in the comments.
 




  • ajay June 9, 2008, 4:52 am

    this is a real good guide
    you have covered each and every point in a very good manner

  • Shilpan | successsoul.com June 9, 2008, 5:23 pm

    Ramesh,

    Excellent article on password management. The title truly stands for its value. It covers everything related to password management.

    Shilpan

  • Ajay June 9, 2008, 9:46 pm

    thanks ramesh for commenting on my.
    can you please subscribe to my blog RSS. I have already subscribed to your blog RSS to keep in touch with each other

  • A Suresh Kumar June 9, 2008, 11:31 pm

    I really appreciate your good work for providing some valuable tips regarding secure password.

    It’s up to the users to think whether their current password is secure or not. If you think it’s not, please go ahead and make it secure.

    Don’t allow any intruders to access your site/bank accounts.

    I wrote a similar article regarding “how to strength your password”. You can visit here:

    http://suresh-mobileweb.blogspot.com/2008/06/google-warns-against-weak-passwords.html

  • Moritz June 17, 2008, 2:19 am

    Nice but not realistic.
    First: I’m subscribed to at least one hundred websites. I’m sure that concerns everybody. How should I choose a new password each time?
    Second: saving all passwords in a pw manager tool means concentrating the risk on that tool. Who guarantees that the tool cannot be hacked?

    I agree to the rest of the article.

  • Ramesh June 22, 2008, 3:12 pm

    @Ajay,

    Thanks for reading my post. I have subscribed to your blog also.

    @Suresh,

    I read your article on “how to strength your password” and it is very well written.

    @Moritz,

    Thanks for posting your comments. Most password managers use very good encryption algorithms, which makes it very hard for someone to crack. In my Password Dragon, I have used Blowfish encryption.

  • Silki July 7, 2008, 12:16 am

    Ramesh, Nice stuff.
    Definitely adds point or two for me to remember.
    Thanks

  • Emil Beli August 13, 2008, 6:25 am

    Good article.
    However, one can get scared reading part about strong passwords.
    I believe it might be suggested that there are very strong passwords easy to remember.
    Something like:

    7LittLE_Hobbits!
    Thisis1of_GoodPasswords!!
    isMyPet_aCat?

  • mk_michael December 6, 2008, 4:36 pm

    Very helpful how-to. I’ve sent you a ping to that post.

  • Lisa Moshfeghi June 9, 2009, 11:46 pm

    I still think it’s ok to write down a long password on a piece of paper and keep it safe. Good article though.

  • kurinchi blogger June 19, 2009, 10:39 am

    Hi,

    How to write a program that gets executed on Window, Linux, Unix? Is it a .exe file developed using c/c++?

    As you mentioned about Password Dragon, i thought to ask you about it.

    -Kurinchi

  • Flynets June 25, 2009, 6:59 am

    for automatic generation of strong password you can use:
    -pwgen
    -gpw
    -passwdgen

    read the manual for better options…

    bye

  • Ramesh Natarajan June 25, 2009, 9:45 pm

    @Silki,
    Thanks for the comment. I’m glad you found few points in this article helpful.
     

    @Emil,
    Easy to remember strong password is exactly what I’ve mentioned in “4. Use Passphrase” under the section “II. Guidelines for creating strong passwords:” in this article.

     

    @mk_michael,
    Thanks for mentioning this article in your blog and sending the ping back to this post. I really appreciate it.

     

    @Lisa,
    I have to disagree with you. Writing down password on a piece of paper is never a good idea. In my opinion, you should never write down password on a piece of paper.

     

    @Kurinchi,

    I developed password dragon program in Java Swing, which makes it as a multi-platform software that runs on Windows, Linux and Mac.

     

    @Flynets,

    Thanks for referring pwgen, gpw and passwdgen programs. They are definitely great programs to generate random password on Unix environment.

  • Argo July 22, 2009, 6:30 am

    I do not like long passwords. I also use a weak password for multiple games, or temporary sites

  • nathan September 8, 2009, 7:39 am

    awesome

  • Shanay-nay Brown Bon qui-qui September 8, 2009, 12:15 pm

    OMFG thIs is likee soo smart yo! I niguhh boo

  • Srinivas March 24, 2010, 8:59 am

    Hi Ramesh,

    There is a online webtool that checks the strength of the password that incorporates the tips you have suggested: http://www.passwordmeter.com/
    I trust the owner of the site is not logging/eavesdropping the passwords tried on the site.

  • Mailing Fulfilment Services March 17, 2011, 5:21 am

    My rule is 12 character passwords, 6 letters and 6 numbers. I use this policy for each of my passwords.

  • Randy Spydell July 21, 2011, 12:00 pm

    Protecting financial logins?
    What’s your advice on how to effectively put pressure on web sites to improve their back end for strong passwords? I have been singularly ineffective in getting my login credentials to my retirement accounts at two of the country’s largest custodians (Fidelity and Vanguard) to conform to reasonable 21st Century standards. Both these firms map upper and lowercase letters to the same characters for passwords. I had been using them for years before I discovered this, it was so astounding that I couldn’t believe it at first! Vanguard also limits their passwords to 10 characters, Fidelity limits theirs to 12, and they give me blank silence on the telephone when I ask about passphrases and raising the character limit to 30 or 40 characters (or 255). Fidelity does not allow special characters, and Vanguard’s choices have only recently (2010) been implemented and are limited.

  • Frank Lee August 9, 2011, 2:31 pm

    Like Randy I’ve encountered too many sites that don’t allow passwords longer than 8 characters. Verizon actually uses a 4 digit PIN for a lot of stuff.

  • Pete R. October 28, 2011, 4:39 am

    Password strength web comic strip: here

  • Baruch November 24, 2011, 5:53 pm

    Excellent, thorough article. Thanks. However, I’d like to make a few comments…

    1. The better the password, the harder it is to remember. At some point a person is faced with the choice of risking forgetting the password, or writing it down.

    2. I doubt whether many people use a unique password for each site. I use one general, fairly easy one for access to free accounts on Websites. There is no way I’m going to try to remember dozens of passwords. If the password is broken, then the cracker gets access to free accounts, which he could have on his own. For more secure services, I use a harder password. For services involving money, I use unique, difficult passwords if I can. But, my own bank limits passwords to 8 characters, alphanumeric only (!).

    3. Changing every six months is impractical. If you do the math, you would see that you’re suggesting that a person who has, say, 10 accounts (not at all unlikely) would need to have ten unique, difficult passwords that he’d need to change twice a year. Some people have several times this number of accounts. The burden on memory, or likelihood of forgetting a password, becomes unacceptable.

    4. A password manager is great, but if the user forgets the master password, he’s out of luck. Also, it is not impossible for someone to crack the master password, giving him every password.

    I suggest that a person go ahead and write down all his passwords. Instead of sticking this list on his computer, he can put it in his wallet. Maybe he could place a copy in another safe place, in case something happens to his wallet. This way, his passwords would be as safe as his credit cards or his cash. If he is clever he might do a bit of scrambling to make it less obvious that it’s a list of passwords.

  • Smitha GS December 20, 2011, 5:23 am

    All your tips are very useful. For a beginner like me, its a boon from the God Himself 🙂

  • dingo March 7, 2012, 10:26 am

    “Exempli gratia” means “for example”. So this “for e.g.” is like writing “for for example”.

  • Zalmoksis March 27, 2012, 5:59 am

    What is a stronger password?
    *eight random characters like “oDF4#f9s”
    or
    * a sentence like: “Pink unicorn swims in a river of milk.”

  • Randy Spydell March 27, 2012, 1:08 pm

    Baruch, I disagree that better passwords are harder to remember. See Zalmoksis’ comment about Pink unicorns’ swimming habits. And writing them down and storing that written list anywhere but a darn safe place (home safe or bank safety deposit box) is not a good idea.

    I can think of many passphrases that are not that hard to remember and pretty darn hard to crack, e.g.
    1. SummerStarts_Jun21-most0theTIME
    2. It-was_34below=2005Dec08
    3. SendMomACard-everySep25AnnUAlly
    and the hint phrases can be easy to remind and hard to decipher, for the above three:
    1. begin long day season
    2. weather event first month of new job
    3. maternal love duty each year
    Because each hint is something that points me in the right direction, even if I don’t use the passphrase for weeks or months, the hint reminds me of which phrase it is.

    When I gave talks to university parents about encouraging their students to be secure and use long passphrases, I ended the discussion by pointedly addressing the dads in the audience, suggesting they adopt long passphrases for their own accounts. Then I wrote on the board the following, “ImarriedSusan_15-Jun-1984”, and suggested that was a passphrase they’d NEVER forget and that had multiple characters from each of the four character classes. That usually evoked laughter from the dads AND the moms. Point made.

  • Alan June 17, 2012, 7:35 am

    Thanks for the useful advice clearly explained. And thanks for the ingenious Password Dragon; it makes following your recommendations much easier.

  • Saint DanBert June 25, 2012, 11:59 am

    You don’t mention “pronounceable” passwords.

    Studies of how human memory works found that you can more easily remember something that you can pronounce — that is, say out loud. Couple this with the “chunking” found in telephone numbers and similar strings, and we have a plan for making (1) longer passwords, that (2) we can remember.

    1. create several random syllables: foo, bah, dip, doh, ras, tup, …
    2. use syllables in random order until you have some “minimum” length
    bah-tup-ras-pim
    doh-foo-sip-vop
    3. use digits and punctuation instead of the hyphen as syllable separators
    bah7tup*ras#pim
    doh$foo&sip6vop

    Now you remember your “saying” — bah-tup-ras-pim — and how to punctuate it — 7… *… #. Voilà!! A secure password you can remember.

    ~~~ 8d;-Dan

  • Biff Martin August 8, 2012, 3:53 pm

    My favourite way to remember passwords is to write them on the palm of my hand, in permanent ink.

  • Biff Martin August 8, 2012, 5:40 pm

    What’s a passphrase? It could be something like “Your Momma Wears Jack Boots When She Rides her harley”

  • George karpel September 1, 2012, 10:37 am

    Good article … I use a different password / passphrase for each site that I deal with if credit card numbers, or bank accounts are involved. ( If one is compromised, they don’t all get raped ) The biggest problem, as mentioned before, is that some of them restrict passwords to less than 10 letters & numbers (only). My shortest email passwords are 12 characters long & have symbols embedded.
    – Email allows better protection than banks & credit card companies ?
    What’s wrong with that picture ?

  • Ben September 18, 2012, 12:06 pm

    Thank you. This really helped with my homework for school, and it’s all VERY true. I’m 12 and I used to use my password for everything, but then someone got hold of my password and had everything, so I changed it as soon as I got to a computer (laptop).

  • D Johnson October 2, 2012, 7:27 am

    One further idea that gets me ‘strong’ ratings — find a foreign language dictionary and plug in something in a second language.

  • thomas October 6, 2012, 10:37 am

    Actually your 4 rule isn’t necessarily a good way of doing it. See here.

    Passwords should be easy for humans to remember and hard for computers to guess, therefore passphrases are better than passwords.

  • john November 12, 2012, 12:10 am

    I have also read about using patterns to enable a use to create hard to crack, easy to remember passwords. A pattern, for example may be to invert the first two letters of the website, add two numbers and a symbol and then complete the word. For example:

    gmail become

    Mg12&ail

    yahoo becomes

    Ay12&hoo

    Following a pattern makes it easy to remember but every one is unique. Then nothing needs to be written down.

    Thoughts? How hard to crack?

  • dragonmouth December 8, 2012, 7:05 pm

    john,
    Go here and stick your passwords in their checker to see how strong they are. I checked the two passwords you came up with and got scores of 75% and 78%, which means they are strong but could be better.

  • Dan Marinescu January 1, 2013, 10:23 am

    Can special characters be used to construct a password? Is using letters from other alphabets allowed?
    Would combining an Indian or Old Latin character be as easy to break?

  • Bubba January 16, 2013, 1:09 am

    Instead of direct personal information, I might instead use the name of my cousin’s car, the initials of my uncle’s favorite football team, or a band that I DON’T like instead of one that I like.

  • Swapnil Ahire March 13, 2013, 5:33 am

    great,
    I’ll definitely make use of it. 🙂

  • leena kaullysing March 23, 2013, 6:21 am

    Very interesting and helpful…..
    I’ll definitely do it!

  • Gayan August 6, 2013, 10:50 pm

    Great work……

  • James Clarke August 25, 2013, 9:09 pm

    Yes, a good clear message all the way through. I am experienced but noticed the way your information encouraged me, and I wanted to read every word and I did. Thank you and I will use your app.

  • Golden John September 27, 2013, 5:50 am

    I accept everything in this article, but we need to move on to a higher-end cryptology password generator.

    Suppose I give my password as: passw0rd

    P means q (whatever you assign instead of P)
    w means x (whatever you assign instead of W)

    But you have to set the correct password for this. Reminder: one thing, don’t forget the password. This is a high-end cryptology method.

  • Enos November 4, 2013, 12:47 pm

    Best guide I read so far! And I have read lots (and written some).
    Some more tips for remembering passwords:
    1) change passwords separately, not all at once
    2) type passwords manually until you remember them (don’t c&p)
    3) use pleasant sentences or memories linked to the asset protected by the password: they are easier to remember and trigger pleasant feelings when typed 🙂
    4) a 14 character lowercase password is more robust than a 10 character one with mixed case, numbers and digits (24^14 vs 78^10); see also xkcd 936

  • Athu February 17, 2014, 10:33 am

    Another way to remember your PW is to have a Song or a phrase and taking the first or last letter of each word (replacing a with @ or something different) like:

    You to me are everything the sweetest song that I can sing:

    y2m@etsstIcs

  • Pao February 26, 2014, 3:42 am

    This is a really good guide. The password manager I recommend is KeePass; it’s free and open source. Try using it.

  • abhay July 17, 2014, 9:58 pm

    thanks I like it

  • yugendra March 20, 2015, 4:34 am

    Thanks Ramesh, it is very useful information.
    One can use the following simple Linux command to create a complex password:
    < /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c${1:-20};echo;

  • tlhonmey April 9, 2015, 12:19 pm

    Remember though, length trumps character set. Every bit worth of entropy you add doubles the search space. A password of twelve, random lowercase letters is tougher to crack than an 8+4, or even a 10+4. Especially if the latter isn’t completely random.

    If using a pass phrase, remember that languages are based on predictable patterns. In terms of being difficult to crack cryptographically, a word usually provides roughly the same entropy as a randomly-chosen letter. (So you’ll want a minimum of eight words, twelve is better, thirty is best if you can.) The added length does, however, put your password out of reach for any unsophisticated brute-force algorithms that don’t use word dictionaries, so there is still some benefit.

    For unique website passwords, take a hash of the website name (simple character-substitution or reordering hashes are sufficient for this and can be done in your head, on-the-fly) and add an 8-10 character random password. The random password may be reused between sites as the hash will be different, and all total it will be long enough to be difficult to crack if the password database is stolen.

  • Manu January 7, 2016, 7:57 am

    I want one password (uppercase letters ,lowercase letters,numbers and special character) please help me