The key to strong passwords

What is the best password? It’s obviously one that keeps your login secure and is not going to be cracked.

There are several schools of thought regarding what constitutes a good, strong password. Sites that test the strength of your password will opt for one or the other and so may give you a false sense of (in)security depending.

The first approach is to create a long “random” string of letters (upper and lower case), numbers and characters. LastPass, KeePass and other password storage systems generate such strings with given parameters. Here’s one KeePass created for me just now – Jc\z’ofg5^fhr95lx.`eUTHDaO (Obviously, I’m not using that password for any logins). Such sites are a pain in the *ss. Password Meter tells me that this password is “100% Very Strong” based on the mix of characters.

Microsoft’s password tester also says this password is “Best”. How Secure Is My Password? says it would take a desktop PC about 438 decillion years to hack this password, and so it should be “pretty safe”.

But, that long string of seemingly random characters is going to be very hard to remember, and you don’t want to write it down anywhere in case the password gets stolen. You need to use a strong password for any password safe program, such as LastPass, that you might be using, but you still cannot write it down…it’s a conundrum.

Not all sites allow passwords like this. They often exclude numbers or special characters, and some even restrict you to 8 or fewer characters.

There is a second approach that is gaining credence among security experts: create a password simply from four random words that you can learn easily. For example, you might pick sliver, finger, purple and breakfast. Your password would then be sliverfingerpurplebreakfast. This password doesn’t meet most of the criteria of standard password tests. How Secure Is My Password warns me that the password looks like a word or a name (obviously it’s not) and that it contains no special characters or numbers, but still claims that it would take a desktop PC about 20 sextillion years to hack it. Not quite as long as the random string, but still a pretty long time. The time to crack can be extended substantially by adding an upper case letter or two. Say, make the first and last letters upper case: 2 nonillion years!

Microsoft reckons SliverfingerpurplebreakfasT is still “best”, although sliverfingerpurplebreakfast is only “strong”. Likewise PasswordMeter baulks at some aspects but tells me that both passwords are 100% Very Strong.

So, my advice? Create a string of four random words, pick a couple of letters to capitalize in the string and learn it so that you will never forget it. Now, use that string as the login for your password safe and use its random string generator to create passwords for all your logins akin to Jc\z’ofg5^fhr95lx.`eUTHDaO. Several of those offline (and even online) password stores insist that you create a passphrase rather than a password. That’s fine, but if you pick a phrase like “Build me a willow cabin at thine gate” or “Green grow the rushes”, then that might be open to a dictionary attack built from well-known quotations. I think a phrase comprising several words picked at random would be stronger.
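As an added illustration (not code from the post), this Python compares the entropy of the two approaches described above, the 26-character generated string and four words drawn at random from a wordlist, and shows how to pick the words with a cryptographic random source rather than by hand. The 94-character alphabet, the 7,776-word list size, the guess rate and the small sample wordlist are assumptions made for the calculation, not figures from the post.

```python
import math
import secrets

# Constructed sample wordlist for this demo only. A real passphrase generator
# should draw from a large list such as the 7,776-word EFF list; only the
# list's size and the randomness of the pick affect strength, not the words.
SAMPLE_WORDS = ["sliver", "finger", "purple", "breakfast",
                "willow", "cabin", "rushes", "green"]

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(choices: int, length: int) -> float:
    """Entropy of `length` independent uniform picks from `choices` options."""
    return length * math.log2(choices)


def years_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected years to find the password at a given guess rate.

    On average the attacker succeeds after searching half the space, so this
    is 2**bits / 2 guesses divided by the rate. The rate is an assumption the
    caller supplies; it is not a fact about any particular hardware.
    """
    return (2 ** bits) / 2 / guesses_per_second / SECONDS_PER_YEAR


def pick_words(wordlist, n_words: int = 4) -> list:
    """Choose n_words uniformly with the `secrets` CSPRNG (not random.choice)."""
    return [secrets.choice(wordlist) for _ in range(n_words)]


def make_passphrase(words, capitalize_ends: bool = False) -> str:
    """Join the words as the post does; optionally capitalise first and last letter.

    A fixed capitalisation rule like this adds no entropy against someone who
    knows the rule; the strength comes from the wordlist size and word count.
    """
    phrase = "".join(words)
    if capitalize_ends and len(phrase) >= 2:
        phrase = phrase[0].upper() + phrase[1:-1] + phrase[-1].upper()
    return phrase


if __name__ == "__main__":
    rate = 1e10  # assumed guesses/s for a fast offline attack on a weak hash
    random_string = entropy_bits(94, 26)  # 26 printable ASCII chars (assumed alphabet)
    four_words = entropy_bits(7776, 4)    # four words from a 7,776-word list
    print(f"26-char random string: {random_string:.1f} bits, "
          f"{years_to_crack(random_string, rate):.3g} years")
    print(f"four random words:     {four_words:.1f} bits, "
          f"{years_to_crack(four_words, rate):.3g} years")
    print("sample passphrase:", make_passphrase(pick_words(SAMPLE_WORDS), True))
```

The gap between the online testers' "desktop PC" estimates and the offline figure this prints is the point: the same passphrase is far weaker against a fast attack on a leaked, weakly hashed database, which is why the post's advice to use it only as the master key of a password safe matters.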

Then, of course, there are biometrics, which are discussed at length by B.L. Tait and S.H. Von Solms of the University of Johannesburg, South Africa, who have devised a BioVault approach to security, and by Roman Yampolskiy of the University of Louisville, Kentucky, USA, who has developed action-based user authentication.

Tait, B., & Solms, S. (2009). BioVault: biometrically based encryption. International Journal of Electronic Security and Digital Forensics, 2(3). DOI: 10.1504/IJESDF.2009.027522