Choosing passwords or pass phrases
Password length and choosing a good pass phrase
The ability of hackers to crack or obtain your password changes over time, so note that the following was applicable and current as of February 2021. Passwords and pass phrases will need to become longer and less 'guessable' by human or machine over time.
Let's state, up front, that two-factor authentication (2FA) or multi-factor authentication (MFA) is the best thing that you can do: have a password and another method. That "other method" could be a hardware device (e.g. Yubikey), authenticator application (e.g. Google Authenticator) or something which sends text codes out to your mobile phone.
(OK, SMS text codes to phones have their problems: in a sophisticated attack someone can effectively re-route your phone/SMS messages. But it remains better than only a password.)
NEVER EVER reuse a password for other sites/services, no matter how great the password is
Please use a password manager so all your passwords can look like gLHs7bWp#X1DJ$S^y7Sz and you never need to remember them!
Number one rule
Never re-use passwords! The best quality, secure password will get discovered eventually if you use it in many places. Then you're in big trouble as the bad guys (or the bad guys' scripts) will try that password against thousands of other places until they find a hit.
Just don't re-use passwords
At the time of writing we know:
- We (society, the IT industry) reached a position some time ago where we have passwords that are difficult for humans to remember, but quite easy for computers to guess
- This is obviously the worst of both worlds
- It's only in movies that someone sits and tries to guess a person's password: in real life it is done, thousands of guesses per second, by a machine
- You could argue that a very good password 8-12 characters long is probably just about OK (right now, today)
- But most people aren't great at choosing good short passwords
- If an 8 character password has common runs of characters, recognisable common words etc. that now makes it very weak
- Also, the shorter a password, then the more likely that someone has used it before and it's already in a 'hacker dictionary'
- The cracking routines try lots of dictionary words and combinations of already known passwords in 'hacker dictionaries'
- These dictionaries may include really good, safe-looking passwords that have been 'stolen' from hacked websites in the past
- Also, as a matter of course, they try all of the obvious 'substitutions' and mixed case e.g. Ch1ck3nD00rst0p, Chick3nD00rst0p, ChickenD00rst0p... chickendoorstop.
- Length is hugely important, but it’s no longer quite that simple, e.g.
  - dogcatchickendoorstop would get cracked quicker than dogcatchi_ckendoorstop as the words are very common
  - In the future, dogcatchi_ckendoorstop may be better. But today, it would be extremely unlikely for a cracking routine to crack that
  - donkeymotorcycleobfuscate would be good as it contains one uncommon word (obfuscate), as cracking algorithms and dictionaries tend to prioritise the top few thousand common words
  - Nevertheless, at the time of writing dogcatchickendoorstop would be a very secure password
  - The classic Tr0ub4dor&3 would probably pass any quality checker, but it is terrifically difficult to remember and would probably get cracked quicker than any of the above examples. And therefore is bad in both ways.
  - donkeymetorcycleobfuscate (note deliberate mis-spelling) would be a great passphrase to use (easy to remember, very hard to crack) but would obviously fail quality tests that many sites still insist upon (doesn't contain numbers, special characters, single case)
SO, SIMPLER MESSAGE:
If you can't use 2FA,
- Pick four words that you can type easily
- Make one of the words fairly unusual, or a little-known place, or in a different language
- Don't waste time with substituting o's for 0's etc unless the site quality rules insist that you must
- Optional: Put some special characters in the middle of one of the words
- NEVER EVER reuse a password for other sites/services, no matter how great the password is
- (Please use a password manager so all your passwords can look like gLHs7bWp#X1DJ$S^y7Sz and you never need to remember them!)
That kind of password should see you good for several years, or until they properly invent quantum computing!
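The four-word recipe above, as an added example (not code from the original page) that does the picking with the operating system's cryptographic random source instead of leaving it to a human, and estimates how much guessing an attacker faces even when they know the word lists and the recipe exactly. The two word lists and the special-character set are constructed and deliberately tiny; the 7776- and 2000-entry sizes passed to estimate_bits at the bottom are assumed sizes for a real easy-word list and a real unusual-word list.

```python
import math
import secrets

# Constructed word lists, far too short for real use; a real list has thousands of entries.
EASY_WORDS = ["donkey", "motorcycle", "chicken", "door", "stop", "dog", "cat",
              "river", "candle", "pepper"]
UNUSUAL_WORDS = ["obfuscate", "tessellate", "quokka", "balalaika", "zwischenzug"]
SPECIALS = "#$%&*+-=?@_"

# SystemRandom draws from the OS CSPRNG; the default random module is not suitable here.
RNG = secrets.SystemRandom()


def choose_words(n_words=4):
    """Steps 1-2: n_words - 1 easy words plus one unusual word, in a random order."""
    words = [RNG.choice(EASY_WORDS) for _ in range(n_words - 1)]
    words.append(RNG.choice(UNUSUAL_WORDS))
    RNG.shuffle(words)          # so the unusual word is not always last
    return words


def add_special(words):
    """Step 4 (optional): put one special character in the middle of one word."""
    words = list(words)
    k = RNG.randrange(len(words))
    mid = len(words[k]) // 2
    words[k] = words[k][:mid] + RNG.choice(SPECIALS) + words[k][mid:]
    return words


def make_passphrase(n_words=4, insert_special=False):
    """The full recipe, joined without separators as in the text's examples."""
    words = choose_words(n_words)
    if insert_special:
        words = add_special(words)
    return "".join(words)


def estimate_bits(n_words, easy_size, unusual_size, insert_special=False):
    """Guess-work for an attacker who knows the lists and the recipe exactly.

    Only the random choices count: which easy words (ordered), which unusual
    word, where it sits, and (optionally) which special in which word.
    """
    bits = ((n_words - 1) * math.log2(easy_size)
            + math.log2(unusual_size)
            + math.log2(n_words))
    if insert_special:
        bits += math.log2(len(SPECIALS)) + math.log2(n_words)
    return round(bits, 2)


if __name__ == "__main__":
    print(make_passphrase())
    print(make_passphrase(insert_special=True))
    # Assumed list sizes: a 7776-word easy list and a 2000-word unusual list.
    print(estimate_bits(4, 7776, 2000), "bits;",
          estimate_bits(4, 7776, 2000, True), "bits with a special character")
```

Because the estimate assumes the attacker already has both lists, it is the floor, not the ceiling: with those assumed list sizes four words give roughly 52 bits, and the optional special character adds about five more. The gain from the special character is small next to simply adding a fifth word, which is why the text treats it as optional.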
If the stupid interface only allows you to have a short password
- Consider not using it. Seriously.
- If it's that limited, that site/service's overall security may also be very poor
- If you have to use it...
  - Take the words of a song or poem you know, for example:
    - "Oh say, can you see? By the dawn's early light"
  - Make up a password using the first letters and some substitutions. For example, you may end up with:
    - 0s,cyc?Btd
  - (If it's a very well known song, like this one, it might be best not to take the first line, or the first line of the chorus.)
Here's a graphical (and mathematical) explanation of much of the above
This is from an XKCD comic, back in 2011.