How to choose a strong password

Filed Under: Data loss, Phishing, Privacy, Video

How to choose a strong password
Password security is in the news again, as it is revealed that hackers had managed to break into the accounts of many Twitter users.

Many of the affected Twitter users had previously registered on P2P file-sharing sites - and hackers had been able to enter the sites through a backdoor and grab their account information (including email address and password).

Although a username and password for a torrent-downloading website may not seem very valuable, it does have a significant worth if the same email address and password is being used for a social networking site like Twitter too.

As we've explained before, you should never use the same username and password on multiple websites. It's like having a skeleton key which opens every door - if they grab your password in one place they can try it in many other places.

Also, you should ensure that your password is not a dictionary word, and is suitably complex that it's hard to break with a dictionary attack.

Here's a video which explains how to choose a strong password, which is easy to remember but still hard to crack:

(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)

Don't delay, be sensible and make your passwords more secure today.

* Image source: canonsnapper's Flickr photostream (Creative Commons)

, , , , , ,

You might like

12 Responses to How to choose a strong password

  1. Tim Cooper · 1741 days ago

    I disagree with "Unique passwords are a requirement, not a luxury". This is not practical, hardly anyone follows this advice, and I'd be curious to know whether Chester Wisniewski follows his own advice in this regard (and if so, how many sites is he registered with?)

    My advice is to have 2 low-security passwords: one widely used one for non-sensitive sites and another less often used one for more sensitive sites, PLUS a unique password for each internet banking/paypal type account.

    And of course all web sites should use salted cryptographic hashes, salted with the username plus a secret site-specific salt.

    • Many password Managers have the ability to be installed on mobile devices making it easy for you to add passwords for your home computer, your work intranet/network/computer and of course other things, making your phone's password hard to guess is much more better.

      making it a habit to throw away your old passwords every 6 months will make the crooks think twice about going against you, using 2 factor authentication for sites that offer it will make it almost impossible to break into and use against you.

      Choose a bank that has security in mind,if your credit card has no chip and they don't use SMS verification for when you're on the phone I would make a complaint, then take my business elsewhere, because whether I'm putting in $30 per week or using it to invest the savings of both my corporation and clients accounts... I want to make sure the money will remain there.

  2. Glen Peterson · 1729 days ago

    I'd take the focus of this article a step further and say, "A good password MANAGER is a requirement, not a luxury." I had to watch the entire video to catch the segue from how to create a password you can barely remember or type, to how to leverage that one good password to let you into all your accounts which have even stronger and totally unique passwords - by using a password manager.

    I think people need to know which managers are the most secure and the easiest to use.
    To that end I have just written a Password Manager Feature Manifesto to help compare one password manager against another:

    A good password manager can reduce the average user's password-related hassles while making them orders of magnitude more secure online.

  3. DutchS · 1503 days ago

    The biggest causes of insecure passwords, besides user laziness, are:
    1. Refusal of some sites to allow numerals, special symbols and punctuation.
    2. Refusal of some sites to allow spaces. A short sentence, even if it's only lower case, vastly increases the difficulty of a brute-force attack.
    3. Refusal of some sites to accept passwords without non-literal characters. They apparently rate security solely on the types of characters, not length. So users are forced to use passwords with hard to remember spelling, even if they're savvy enough to use long sentences instead.
    4. Most mind boggling, some sites set ridiculously short length limits for passwords, 10 or 12 characters.

  4. Chris S. · 1472 days ago

    I have 88 passwords stored in KeePass, which is secured by a long password. The passwords include not only websites, but hardware, like my wireless router. All of the passwords are very long unless the website is too stupid to support long passwords (there are at least two I can think of).

    I've found that I have to memorize 5 passwords using KeePass: one for KeePass, one for the PC at home, one for the Debian GNU/Linux root (admin), one for the PC at work, and one for my encrypted flash drive (using TrueCrypt). I suppose I could keep the root password in there, but that just seems lazy, and when I need it I have to enter it often, so KeePass is more annoying than useful.

    I was also successful at getting my wife to store her passwords in the KeePass database and setting her passwords to long, random digits. She even memorized a long random password for her email. So she has to remember one password primarily (email) and occasionally she needs one from the database.

  5. rick · 1214 days ago

    Passphrases. Simple letter substitutions and special characters are easily guessed by smart password crackers. The only thing that protects you is a very long password and only passphrases can be long and easily memorized

  6. Peter Setlak · 976 days ago

    I would say this is a great video to start. At the very least, it gets users thinking about how to create a stronger password than say, Ch@ngeme1!

    As systems get more powerful and cracking tools smarter, longer passwords (or phrases) will be the required minimum but even then, the dictionaries will store entire popular phrases, quotes, verses & lyrics! Your best bet is to create a nonsensical phrase such as, "If all the elephants, monkeys and zebras in the world went on strike tomorrow, would you notice?" Even if you decide to break it down, it would be longer than 15 characters. Also note probabilities - "z" is a unlikely character. For the sake of time, many crackers leave out least-used characters (or at least I have and have been quite successful in my testing). They also tend to know that the phrase will begin with a capital letter and most likely end in a number or punctuation symbol.

    Don't forget, mis-spelling a word can help. If you type the phrase, "I have a pet elephant and the zoo keeper is jealous!" as, "eye(I) h(ave) 1(a) p(pet) 3(elephant) &(and) D(the) z(zoo) k(keeper) iz(is) j(jealous) _(!)," you may add entropy or at least stymy the cracker using traditional substitutions. After all, "the" sounds like "Z" or "D", "before" can be "B4", "baby" sounds like "bay-b", and "pound your fist and make a bang" can be represented as "# yer fist N make a !"

    Perhaps the new rules should simply be, be creative and have fun!

  7. peter · 881 days ago

    I think the base generation of a password is great and the presentation is awesom, I have a password that is different at every site. I create done using the method described, but I have a unique way of identifying the site by 3 letters and those are placed in a specific spot in the base password. So if someone does my password they have to.
    A) work out what the base password is
    B) workout my method of uniquely identifying each site
    C) work out where I use it within the password..

    No password manager for me, just a unique way of remembering it.

  8. John Clear · 813 days ago

    I work in ICT education so have to join a heck of a lot of sites to see what they are offering. As a result I have signed up to hundreds of sites and each one has a 400 unique password, none written down, all based on a key phrase and then a pattern on the keyboard.

    It sounds complicated, but is dead easy...

    say my key phrase is based on an address from my past.

    Assume 5 Beattie St


    B(Capital B for a street name)

    7 (Beattie has 7 letters)

    $ (instead of S)

    Now, the individual websites...

    Take Google

    Look at the keyboard...

    what key is to the left of g? f

    what key is to the left of o? i

    what key is to the left of o? i

    what key is to the left of g? f

    so my google password would be fiif5B7$

    Or to make it even harder, f5iBi7f$

    Apple or other websites that start with a Q or Z... just roll around to the other end of the keyboard... a becomes l, z is m and q is p

    I tell you, it is bloody easy to do for any website after you do it a few times. It becomes automatic.

  9. Micro Tech. · 781 days ago

    I manage a small school network for one of the largest school districts in the U.S. 3 years ago I thought to store all my pass words using cloud technology however, clouds began to be compromised by hackers. I terminated both of my clouds and went back to paper and pencil and a 1952 old Brahman steal safe I found in the basement of my school site. YES I realize it’s a little on the old school side but now a day’s there is not one security program that will not be compromised months later. I have had high school students try to hack into our education storage bank many times. I constantly run a 24-7 security I.P. surveillance just to keep our numerous programs safe. I have to get creative about pass words security lucky for me I know three languages. Thanks for sharing on such an important topic. Best of luck to everyone

    Microcomputer Technologist

  10. Dan · 729 days ago

    If you create a unique password for every single website, but then store them all together in one password keeper/manager application, then if the password for that application is compromised the hacker will still have access to all your accounts.

  11. Jacques · 720 days ago

    I only use Graham's approach suggested here (have been for 15 years) for those passwords that I have to remember (like the desktop logins, or firefox master password). This approach for most passwords is unnecessary. I always use a password generator for web site passwords now. In my case, being an old school unix guy, I use the command line util pwgen aliased to pwgen='/usr/bin/pwgen -y -n 12'. So when I run that I get random passwords to choose from like "eeg2Ooke%u4e mouN7Een@eij Ti0Eikiw-oox esh2aiG7pi|u eiNg0ohx?eix". Piece o piss.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog at, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley