Toward a More Secure Password

If you regard a password as a help to security rather than as a hindrance to your work, here are a few tips:

Set passwords even where they are not required. The only exception is unreliable or low-quality software that might fail and lock you out with no way back in.

Longer is usually better. A length of about 15 to 20 characters is a good objective; use at least 10. (A few places force you to use shorter ones, but that is not a good model for elsewhere.) If the maximum is long enough, use as much of it as you can: every extra character multiplies the number of possibilities, and an exhaustive search that tries short passwords before long ones reaches a shorter password sooner. Stopping a little short of the maximum hides nothing from an attacker, who has to try every length anyway.

Upper and lower case letters and numbers should all be present. Some systems encourage symbols (special characters) as well; I'm dubious, because you might one day have to type the password from a device or keyboard layout (for instance through remote access) that lacks the symbol you need. If you do use symbols, choose ones that appear on every keyboard layout you are likely to meet.

But the upper and lower case letters should be mixed up, to protect you against shoulder surfers, people who watch your hands while you type. Some shoulder surfers are very skilled, and if the only thing they are unsure of is a single choice between two states, they need only try two passwords and one will work. So make their lives harder. Consider these three possible passwords, in increasing order of difficulty for someone peeking at your fingers, especially on the shift key or caps lock key:






The first one is easiest to reconstruct because your use or nonuse of the shift key is steady and easy for a spy to remember. The second alternates, which is better, but it is regular enough that an observer can guess it. The third is a random arrangement; I made this one by tossing a coin for each letter. For 10 letters in a password, a random choice between capital and lower case for each letter gives 2^10 = 1,024 possible arrangements, which should frustrate most over-the-shoulder spies. If that is too few for your needs, 20 letters (not counting the numbers in your password) give 2^20 = 1,048,576. If you know a spy who can cope with that by watching you type, practice typing faster, and keep one finger resting just over the shift key so that pressing it is hardly noticeable. None of this helps against a video recording played back slowly, or against keylogging software sneaked onto your computer, but it is a start.

Randomness: choose every character so that it has no relationship to any other, so that a missing character cannot be guessed. For example, you can probably guess what is missing from "b_cycle". The difficulty with randomness is that your brain imposes order, so it is lousy at picking characters randomly. A spreadsheet program likely has a random-number function (probably called RAND) that you can use to produce values from 1 to 62, just enough to index the capital letters, lower-case letters and ten numerals. Two cautions: spreadsheet random functions are built for simulations, not for keeping secrets, so prefer a generator intended for cryptographic use if you have one (most operating systems and programming languages provide one); and if you keep the spreadsheet permanently, put the formula into at least a thousand cells, so that no one looking at it can tell which values became your password or will become the next one.

On the other hand, randomness does not forbid memorability. You just add the memorability after you have picked your random sequence of characters, not before. Once you have a password that could be patented as gibberish, look for patterns in it. I have seen a President's initials, an abbreviation for a natural feature of Earth, a number that could be a money amount, a very short common English word, a symbol for a financial expression, and a host of other patterns. They don't make much sense except that they help me remember a password. These are mnemonics.

I'm not a fan of websites creating passwords for me, because I don't know whether they really use good methods or only say they do, and whether they store data about users' password choices (don't rely on privacy policies for your protection, especially against network snooping). If that doesn't concern you, say because you are only looking for ideas, then take a look at (no hyphen).

If you cannot pick characters randomly, a less good alternative is to memorize a line of poetry, a song lyric, a sentence, or some other text you will always remember exactly the same way and that other people will not associate with you or hear you say, then use the first letter of every word to make a brand-new word. Prefer an obscure source over a famous one: the famous lines are exactly the ones a cracker would try first. Don't use the resulting word if it might be in a dictionary in any language, because password crackers use dictionary attacks. If the word passes that test, mix up which letters are capitals and which are lower case and insert a number.
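The two construction methods described above, random characters drawn from the 62-symbol alphabet with coin-toss capitalization and the first-letter-of-each-word method with mixed case and an inserted digit, as an added Python example that is not code from the original page. It assumes Python's secrets module (the operating system's cryptographic random source) in place of a spreadsheet RAND function; the function names, the sample phrase and the tiny dictionary are constructed for illustration.

```python
"""Added example: password construction with a cryptographic random source.

Assumptions (not from the original page): Python's secrets module stands in
for the spreadsheet RAND function; the phrase and dictionary are made up.
"""
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # 26 + 26 + 10 = 62 symbols
MIN_LENGTH = 10


def has_all_classes(password: str) -> bool:
    """The page's rule: upper case, lower case and digits must all be present."""
    return (any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password))


def random_password(length: int = 16) -> str:
    """Pick every character independently from the 62-symbol alphabet.

    A draw that happens to lack a class is discarded and redrawn; rejection
    sampling keeps the result uniform over the acceptable passwords.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"use at least {MIN_LENGTH} characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy of `length` independent draws from the alphabet."""
    return length * math.log2(alphabet_size)


def coin_toss_case(letters: str) -> str:
    """The coin toss from the text: each letter's case chosen independently."""
    return "".join(c.upper() if secrets.randbits(1) else c.lower() for c in letters)


def case_arrangements(text: str) -> int:
    """How many upper/lower arrangements the letters in `text` allow: 2**letters."""
    return 2 ** sum(1 for c in text if c.isalpha())


def acronym_password(phrase: str, dictionary: set) -> str:
    """First letter of every word, random case, one random digit inserted.

    Refuses an acronym that is itself a word in `dictionary`, since crackers
    run dictionary attacks.
    """
    initials = "".join(w[0] for w in phrase.split() if w[0].isalpha())
    if initials.lower() in dictionary:
        raise ValueError(f"{initials!r} is a dictionary word; choose another phrase")
    mixed = coin_toss_case(initials)
    position = secrets.randbelow(len(mixed) + 1)  # anywhere, including the ends
    return mixed[:position] + str(secrets.randbelow(10)) + mixed[position:]


if __name__ == "__main__":
    generated = random_password(16)
    print(generated, f"({entropy_bits(16):.1f} bits)")
    # Constructed sample phrase; a real one should be obscure and private.
    print(acronym_password("the quick brown fox jumps over a lazy dog", {"bat", "cat"}))
```

The acronym method yields far less entropy than the random method: nine initials from a sentence carry only the 2^9 case arrangements plus the digit's ten values and positions, which is why the text calls it the less good alternative.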

Double one character, consecutively. This discourages shoulder surfing: someone watching what you type may not notice that you quickly tapped the same key twice. An alternative is to slide a finger over a key as if it were a password character without actually pressing it, or to do that several times within one password. That should confuse most shoulder surfers. Let them complain; they will reveal themselves.

If you write your passwords down, which is reasonable since we may have many passwords that we rarely use, encrypt what you write. Someone might find it. Use an encryption system you can reliably remember over a long time, because if you forget it you will be locked out. The one case that requires storing a password literally, unencrypted, is a password that someone else shares with you: that person already knows the plaintext, so if they saw your encrypted copy they could reverse-engineer (figure out) your encryption system and use it to decrypt your other passwords.

Software that stores passwords is susceptible to attack, so I don't use that method. Its strength, perhaps, is that a single master password is easier to memorize when you use it all the time, but if anyone figures out that one password they will have all of your passwords. And how good are you at withstanding a sledgehammer across your kneecap?

No system can be perfect, but more steps toward security are usually better than fewer.