October 15, 2011

How to choose passwords

All of us who are heavy users of computers and the internet know that we get drowned in the number of passwords we need and that it is hard to keep track of them.

James Fallows describes what he learned after his wife's Gmail account was hacked and gives a list of suggestions for passwords.

The science, psychology, and sociology of creating strong passwords is a surprisingly well-chronicled and fascinating field. On The Atlantic's Web site, we will describe some of the main strategies and the reasoning behind them. Even security professionals recognize the contradiction: the stronger the password, the less likely you are to remember it. Thus the Post-it notes with passwords, on monitor screens or in desk drawers.

But there is a middle ground, of passwords strong enough to create problems for hackers and still simple enough to be manageable. There are more details on our site, but strategies include:

  • Choose a long, familiar-to-you sequence of ordinary words, with spaces between them as in an ordinary sentence, which more and more sites now allow. "Lake Winnebago is deep and chilly," for instance. Or "my favorite packer is not brett favre." You could remember a phrase like that, but a hacker's computer, which couldn't tell spaces from characters, would see only one forbiddingly long password sequence.
  • Choose a shorter sequence of words that are not "real" English words. I once lived in a Ghanaian village called Assin Fosu. I can remember its name easily, but it would be hard to guess. Even harder if I added numbers or characters.
  • Choose a truly obscure, gibberish password—"V*!amYEg5M5!3R" is one I generated just now with the LastPass system, and you're welcome to it—and then find a way to store it. Having it written down in your wallet is one, though the paper it's on shouldn't say "Passwords" at the top. The approach I prefer, and use for some passwords, is to entrust them to online managers like LastPass or RoboForm. Even if their corporate sites were hacked, that wouldn't reveal all your passwords, since the programs work by storing part of the encoding information in the cloud and part on your own machine.

At a minimum, any step up from "password," "123456," or your own birthday is worthwhile.

Finally, use different passwords. Not hundreds of different ones, for the hundreds of different places that require logins of some kind. The guide should be: any site that matters needs its own password—one you don't currently use for any other site, and that you have never used anywhere else.

"Using an important password anywhere else is just like mailing your house key to anyone who might be making a delivery," Michael Jones of Google said. "If you use your password in two places, it is not a valid password."

I asked my experts how many passwords they personally used. The highest I heard was "about a dozen." The lowest was four, and the norm was five or six. They all stressed that they managed their passwords and sites in different categories. In my own case, there are five sites whose security really matters to me: my main e‑mail account, two credit-card sites, a banking account, and an investment firm. Each has its own, good password, never used anywhere else. Next are the sites I'd just as soon not have compromised: airline-mileage accounts, Amazon and Barnes & Noble, various message boards and memberships. I have two or three semi-strong passwords I use among all of them. If you hacked one of them you might hack the others, but I don't really care. Then there is everything else, the thicket of annoying little logins we all deal with. I have one or two passwords for them too. By making it easy to deal with unimportant accounts, I can concentrate on protecting the ones that matter.

Seems like good advice.


Trackback URL for this entry is:


Clifford Stoll, astronomer and author of "The Cuckoo's Egg" once suggested passwords be made up of short but unconnected words that are easy to remember but hard to predict. For example, "earshoegun" or "foxwet1812" make no sense, but contain only three easily remembered elements.

Another point to understand is that encryption systems do not store the password as you know it. What they store with account names is the unrecognizable encrypted form. When you enter your name and password, your password is encrypted and the two are compared. The encryption software will produce different results for "foxwet1812" and "fox1812wet" - they won't just be dissimilar in characters, the encrypted form will likely be of different lengths.

Encryption programs are one-way, meaning encrypted passwords cannot be decrypted, so possessing the encrypted list will do no good. The only way to hack an encrypted password list is to obtain the encrypting program and test by brute force - a slow succession of testing every possible combination of characters, letters, and numbers.

There's also the issue of password length - the longer it is, the harder it is to break. On top of that, a hacker needs the account name, which many nowadays are more than just the person's name, they often include numbers, nicknames, initials or partial names. And finally, most login systems have a "three strikes" rule - if you can't log in successfully within a few tries, it will assume the account is being hacked and prevent further attempts until humans intervene, both the sysop and user.

Just limiting passwords to eight characters of lowercase letters and numbers allows for 36^8 (2,821,109,907,456) possibilities. At 1000 per second, it would take 89 years to find every possible password. If you open that to extended ASCII characters, it would take more than 80 million years to break all eight character passwords. All that, just to get into one person's email, not the world's banking systems.

The chances of someone cracking a single person's account without having the encryption program are so near zero as not being worth considering. As with any security system, the weakest link is human failures, people using passwords that are easily guessed, passwords involving personal information (e.g. friends' names, birthdates, favorite sports teams or musicians, etc.) or leaving their passwords on paper at their desk or at home. A person with a copy of someone's credit report or job application form has a better chance of hacking passwords than the most advanced hacking system invented.

Ahem. Excuse the length of that.


Posted by P Smith on October 16, 2011 08:31 AM

How to choose a password
I understand that to maintain good password is at least combine consists of 25 letters / characters are different, however we are still encouraged to replace them every month and also have backed up all important data, all of it just to anticipate just because the possibilities of this world would occur. my advice is beware! crime is everywhere beware ...

Posted by avviff21 on October 16, 2011 10:27 AM

And of course, xkcd has a good take on it:

Posted by Matt on October 16, 2011 08:07 PM

Interesting post, Mano.

This idea, I think, is seriously out of line with what is possible:

"The guide should be: any site that matters needs its own password—one you don't currently use for any other site, and that you have never used anywhere else.

"Using an important password anywhere else is just like mailing your house key to anyone who might be making a delivery," Michael Jones of Google said. "If you use your password in two places, it is not a valid password." "

A separate password for every site would be, for me, crazy impossible. I think your words about 4 - 12 passwords seems about right to me.

Recently, I've been thinking more along the lines of "passphrases" rather than "passwords" For passwords that require continual change, such as ones at work, lately I've been using the name of whatever book I'm currently reading ... sometimes with deliberate misspellings of the title (substituting "z" for "s", for example) to make it a bit more secure.

Posted by Tim on October 17, 2011 09:38 AM

Now that we all understand how to create strong passwords can someone please tell me how my brain is supposed to remember them ... without writing them down?

Posted by durham on October 19, 2011 09:45 AM