Computer security tips: Creating a strong password

by Fernando Groso

Created on: October 24, 2008

Creating passwords for a fairly large number of accounts and services is normal nowadays, since we need them for nearly all Internet services (e-mail accounts, forums, online games, e-banking) and for some programs running on our own computers (backups, protected documents or spreadsheets, etc.). Passwords protect our sensitive information from being stolen by other people; however, access to your account may still be compromised if the password you chose is not strong enough. Weak passphrases are easily cracked by a brute-force or dictionary attack, in which the attacker tries to guess yours by working through a large list of words one by one until a match is found.

So now you might be wondering: what makes my password secure? Well, it's a combination of different factors. First of all, its randomness is crucial. Something that describes you, such as your name, birthday, or favourite sport or music group, is really useless as a passphrase. A random character sequence is almost invulnerable to dictionary attacks. If you find it hard to remember a random sequence, you can take a sentence you know by heart from one of your favorite books or songs and memorize the first letter of each word.

The length of the passphrase itself is also important. If an attacker tries to guess it by trying a different combination of characters each time, they will have to make up to 128^n guesses, n being your password's length and assuming you can use 128 different characters for it (ASCII; there are exactly 128 because they fit into a byte). So if your passphrase is 10 characters long, an attacker would have to make up to 1180591620717411303424 guesses (the actual number; it's 128^10).

Another important point to take into account is the use of numbers, punctuation marks and capital letters. Strong passwords use and mix all three of them.

Let's see some examples of weak and strong passwords:

Weak: john1, my_password, 123456789, ledzeppelin

Strong: Ap0!mzXc@, Q3QWW.!"#, lm&b9097*

Memorizing a strong passphrase is certainly not an easy task. However, memorizing ten of them is nearly impossible. That's why I use a password manager called KeePass, which is really great. Using a master password you give to it, it generates random and really strong combinations of the length you want, and saves them for you. You can save all your passphrases there, and have them copied to the clipboard with just a double-click. It works like a charm, and it's free. You can download it from here.

These are the basic rules you should follow when creating a new password. Keep in mind that it's highly recommended to use a different passphrase for each service or account, because if you use the same one everywhere and someone takes control of one account, all of them will be compromised.
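The rules above can be checked mechanically. The following Python sketch is an added example, not part of the original article and not KeePass's own algorithm: it sizes the brute-force search space from the printable character classes a password actually uses (at most 94, rather than all 128 ASCII codes), looks for a word-list match, and generates a random password. The word list is constructed for illustration and all function names are hypothetical.

```python
import secrets
import string

# Constructed stand-in for an attacker's word list (assumption, not from the article).
WORDLIST = ["123456789", "password", "john", "ledzeppelin", "qwerty"]

# Printable ASCII classes: 26 + 26 + 10 + 32 = 94 characters in total.
POOLS = [string.ascii_lowercase, string.ascii_uppercase,
         string.digits, string.punctuation]

def pool_size(pw):
    """Characters to try per position, judged from the classes pw uses.
    Characters outside printable ASCII are not counted."""
    return sum(len(p) for p in POOLS if any(c in p for c in pw))

def brute_force_guesses(pw):
    """Worst-case guesses for exhaustive search: pool_size ** length."""
    return pool_size(pw) ** len(pw)

def dictionary_hit(pw):
    """Return the WORDLIST entry found in pw (exact match, or inside pw after
    folding case and dropping digits and symbols), else None."""
    letters = "".join(c for c in pw.lower() if c.isalpha())
    for word in WORDLIST:
        if word == pw or (letters and word in letters):
            return word
    return None

def generate(length=10):
    """Random password drawn uniformly from all 94 characters via the OS CSPRNG."""
    alphabet = "".join(POOLS)
    return "".join(secrets.choice(alphabet) for _ in range(length))

def report(pw):
    """Summarise one password: length, pool, search space, dictionary match."""
    return {"length": len(pw), "pool": pool_size(pw),
            "guesses": brute_force_guesses(pw), "dictionary": dictionary_hit(pw)}

if __name__ == "__main__":
    # The article's weak and strong examples, plus one freshly generated password.
    samples = ["john1", "my_password", "123456789", "ledzeppelin",
               "Ap0!mzXc@", 'Q3QWW.!"#', "lm&b9097*", generate()]
    for pw in samples:
        print(f"{pw!r:16} {report(pw)}")
```

Note that ledzeppelin has a far larger brute-force space than john1, yet both match the word list, so length only helps when the password is not guessable from a list.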
