C3 has merged with Ingalls Read Press Release >>

What Makes a Good Password?

Steel Root co-founder breaks down the key components of a good password and provides tips on how to create strong passwords and practice good password hygiene.

Ah, the mandatory password change. That once-per-quarter occasion to change your top-secret passphrase from Fluffyc@t10 to Fluffyc@t11.

Supposedly, this helps keep you and your company safe from hackers and intruders. But does it really?

Yes. It does. Changing your passwords frequently is always a good idea—especially in a time when passwords get compromised a billion at a time.

Understanding what makes a password “good” is the first step to using passwords effectively—and staying secure along the way.

So let’s start by asking the question, how can I figure out your password?

1. I could…work really hard to guess it (brute force).

We can measure the security of a password by how much work it takes to break using brute force.

(Warning: before your eyes glaze over, we’re going to use just a little bit of math to understand why longer passwords are much, much better than short ones.)

Take a PIN code. These are typically created by choosing a sequence of 4 digits out of a possible 10 options (0-9). How many possible PIN codes can be made?

The math is actually quite simple. We use the formula for permutations with repeating values, which is expressed as n^r, where n = the number of possible objects (in this case, digits), and r = how many are used at one time.

So in the above example, n = 10 (the numbers 0-9), and r = 4 (how many digits we select for our code). Don’t bother reaching for a calculator, the answer is that there are 10,000 different 4-digit PIN codes you can make out of the numbers 0-9. If I (or a computer) were trying to guess your PIN code, and if I were terribly unlucky, I’d have to guess 10,000 times before getting it right.

But here’s where it gets interesting. Say we chose 5 digits instead of 4. That changes the formula from 10^4 to 10^5. And suddenly, there are 100,000 possible PIN codes. If I choose 8 digits instead of 4, we’re at 100 million possible codes. Getting better, but a still a computer can make billions or trillions of guesses per second…

That’s why we’re often forced to use many different types of characters (lowercase, uppercase, numbers, etc.) when creating passwords.

In the PIN code example, the n value was 10, because we were choosing from 10 different digits. When we expand the value of n to include the alphabet and special characters, suddenly guessing a password becomes much more difficult.

There are 95 printable ASCII characters (stuff like A, a, @, 0, etc.). Let’s say we had to make an 8 character password out of all those possibilities. 95^8 = 6,634,204,312,890,625. But before you start feeling pretty confident about Fluffyc@t11…

2. I could…be smart about guessing it.

The English dictionary has less than 500,000 entries (though rising every year, thanks to the invention of selfies and dabbing). So. rather than straight up brute force for guessing passwords, I can leverage common names and words to drastically reduce the time it takes to guess your password.

Rather than running through all possible options, attackers trying to brute force a password will leverage dictionaries of words and names to shorten guess time.

In a classic study, Frederick Grampp and Robert Morris demonstrated that on a system which required passwords to include one number, guessing the 20 most common female names followed by a single digit was successful for at least one account on most of the tested machines.

The top 5 passwords of 2013?

  1. 123456
  2. password
  3. 12345678
  4. qwerty
  5. abc123

Doesn’t exactly inspire faith in passwords, does it? By using dictionaries and lists of common passwords, an attacker can make short work of guessing most passwords.

So what exactly does make a good password?

I’m glad you asked. A good password…

  1. is long
  2. contains special characters
  3. isn’t a real word or name
  4. is only used in one place (because if you only use one password and it’s compromised… game over for all your other secure accounts)

But as we’ve mentioned before, limitations of the human mind severely limit the effectiveness of a password change. (Which is to say, it doesn’t do you much good if you have to write it down on a sticky note.)

Our minds need some kind of trick or hook for remembering.

So, we submit for your consideration, the Steel Root method of password creation:

First, make up a word or phrase.

Aim for 8 or more characters. Think Dr. Seuss (“sneetches”). And if that’s too hard, take a word or name you like, and change the spelling a bit. You could also take the first letters of a phrase you like (“We are never ever ever getting back together” becomes “Waneegbt”).

Now, give it some variety.

Make sure your word or phrase contains capital and lowercase letters, numbers, and special characters. For example, !Sneetches42*

You now have a password that has satisfied rules 1-3 of our rubric for good passwords (sorry, Fluffy).

But how do you make it unique for every single account or website you use, and still have it be memorable?

One technique is to make each password unique by adding a couple extra characters, depending on the account or website.

For example, add the first two letters of the website’s domain name to your password. So if you’re making a password for ebay.com, your password !Sneetches42* becomes !Sneetches42*EB. And if you’re making a password for gmail.com, your password becomes !Sneetches42*GM.

Get the idea? Now you have something that’s easy to remember AND meets all the criteria for a great password.