Creating Good Passwords
Copyright 1999 -- Light Source Software Labs, Inc. -- All Rights Reserved
Author: Kevin W. Wall
The author grants permission to everyone permission to use this document in part or in whole on any web page or other publication so as long as all of the copyright information (above) and this notice is included in its entirety.

General Password Rules

  1. Treat passwords like you would your safe deposit box key. Don't give them to others and don't leave them lying around haphazardly. xxx

  2. Minimum password length: Use at least 8 characters. Anything shorter might easily brute forced.

    (NOTE: On most versions of Microsoft Windows, unless you are certain that the 16-byte "Lan Manager hash" is not being sent as part of an "Windows password challenge / response" exchange when you enter your password, you'd best keep as close to the maximum of 14 characters as you can. For details on how easy it is to crack short passwords in many Windows environments, see the L0pht Heavy Industries site.)

  3. Character set: Don't exclusively use alphanumeric characters. Use at least one alphabetic character, one numeric character, and one non-alphanumeric character. When possible, use control characters or non-ASCII Unicode characters that do not appear in standard dictionaries, including foreign language dictionaries.

  4. Don't ever write your passwords down in an insecure place such as a sticky note on your monitor or under your keyboard. Spend time to learn them. If you must write them down until you learn them, carry your list in a (relatively) safe place, such as in your wallet.

    (NOTE: It's okay to guard your passwords to other systems in an encrypted file. For Windows-based operating systemss, use something like "Password Safe" which is freely available from Counterpane Systems. Of course, make certain that you secure those passwords with a good pass phrase.)

  5. Don't use any of the passwords (either the good or bad examples) presented herein. Some cracker will inevitably add these to a cracker dictionary somewhere just knowing that some of you will fail to heed this advice.

  6. Try to avoid the temptation to reuse your old passwords unless you really don't care about security. For example, if you use a Windows NT password later on an external web site (especially one that does not use form-based authentication over SSL) and then sometime later revert to that old password at your office, you may find that your password is soon compromised. There are many crackers who use network sniffing tools to pick out cleartext passwords. Likewise, avoid the desire to simply vary a previous password by a digit or or single letter.
About Good Passwords
  1. Good passwords are easy to remember.

  2. Good passwords adhere to the "General Password Rules" (above).

  3. Good passwords are not suspectible to dictionary attacks, hybrid dictionary attacks, personalized information attacks. In other words, don't use personal information that others know about you, such as your birthday, your dog's name, your license plate number, your favorite book or hobby and so on. And your using your social security number is an especially bad idea.
Techniques for Choosing Good Passwords
  1. Pick two relatively short unrelated words, an arbitrary non-alphanumeric character, and at least one digit. The two words combined should have at least a total of 7 characters (or 8 characters if you use the letter-to-digit transformation, described below). Take the two words, which we'll refer to as <word1> and <word2>, and join them together usisng a a non-alphanumeric character (for example, a punctuation character, a control or ALT character, and so on) We'll refer to this non-alphanumeric character as <s> (for "special" character). Thus far, we have:

    <word1><s><word2>

    Next take the digits ("#" below) and insert them in an arbitrary position in the password:

    <w#ord1><s><wor#d2>

    (All right, if you must, you can place these random digits at the front and/or back.) Alternately, rather than adding digits, you can map one or more letters to digits. If you do this in the following way, you may find it easier to remember.

    Letter-to-digit Transformation (*)
      (...or "73tt3r-t0-d191t Tr4n5f0rm4t10n")

    These Letters Map to these digits Hints
    ---------------- ---------------------- -----------------------------------------------------------------
    o or O
    i or I
    l
    z or Z
    e or E
    a or A
    s or S
    b
    L
    B
    g or G
    ==> 0
    ==> 1
    ==> 1
    ==> 2
    ==> 3
    ==> 4
    ==> 5
    ==> 6
    ==> 7
    ==> 8
    ==> 9
    Letter o looks like a zero
    Letter i resembles 1
    Letter l also looks like a 1
    Letter z resembles a 2
    Think of a backwards E as a 3
    Letter A resembles skewed 4 (rotated clockwise; left leg severed)
    Letter s looks like a 5
    Letter b resembles a 6
    Think of the letter L viewed upside-down
    Think of B resembling a (poorly drawn) digit 8
    Think of g resembling a 9

    Note that this isn't as good as using arbitrarily-placed random digits because some hybrid dictionary attacks take these into account, but it is much better than only placing a digit or two at the beginning or end.

    In general, the way to remember these transformation is that the letters are supposed to resemble (even if it is in some contorted way) the digits wto which they map. Consider them a memory aid for the password-impaired, a group in which I consider myself a member ;-).

    Finally, change the case (upper-to-lower or lower-to-upper) of at least one of the letters (but NOT the first one!!!) so that all the letters are not the same case.

    Some GOOD Examples (**)

    <word1> <s> <word2> Comment
    ---------- ---- ---------- ------------
    nail # hicup n4ils#h1cUp
    egg > road e99>r0ad 
    walk % gentle w41k%gentle

    Some BAD Examples

    <word1> <s> <word2> Result The Problem
    --------- ---- --------- ------ --------------
    cat - dog cat-dog1
    cat-d0g
    3cat-dog    		 "cat" & "dog" are not unrelated enough.
    soccer & chris s0cc3r&chr15 Although the words "soccer" and "chris" are not related, this violates the rule of not using words that are personal in nature. (Chris is my son's name and he happens to like soccer.)
    green | red gr33n|r3d
    green0|red1    		 The colors "green" and "red" are too closely related. (Not only are they both colors, but they often are associated together; e.g., Christmas colors.)

  2. Pick a phrase and base your password on it.

        Variation 1: Transform a short phrase into pseudo-English (or whatever
       your native tongue happens to be) and translate that into the password.

    Some GOOD Examples

    Password Comment
    ----------- -------------------------
    Wh0RU?!m3 Phrase was "Who are you? Not me". The o has been transformed  to 0, 'are' becomes 'R', 'you' becomes 'U'. We use the standard punctuation mark '?' to end the first part. The '!' is computer  geek jargon for 'not'. Finally, in the 'me' we transformed the letter 'e' to a '3' (according to our standard letter-to-digit transformations).
    w0n6y1!? The original phrase was "one by one". It was then transformed to "won by 1" and the letter-to-digit transformation was then used on the "o" and "b". The last step was to add two punctuation characters. (Two characters were added to make it eight characters long, in order to increase its resistance to brute force attacks.)
    EZas3.14! This phrase is "easy as pi(e)!"
    MK$4family This phrase is "make (MK) money ($) for family".

    Some BAD Examples

    Password Comment
    ----------- ----------------------------------------
    make$$$$ Must be a $ales guy! This password is a little on the weak side.
    hello:-) Seems a little obvious given the popularity of emoticons.
    2B||!2b? Original phrase was "to be or not to be". The '?' was added, but seems suitable (given the rest of the phrase)... plus it adds to the somewhat to security. However, this is listed as a "bad" example rather than a good one because there are just too many geeks out there that think this is just too clever to pass up. (You know who you are!) In the past twenty years, I recall seeing this or some variation thereof at least three separate times.

        Variation 2: (better than Variation 1) - Choose the first character of a short
        sentence, mix in some upper-case and puntuation and transform some letters to digits.

    Some GOOD Examples

    Password Comment
    ----------- -------------------------------
    Tifwyahf. Phrase is "Time is fun when you are having flies." Of course, this would be a poor selection for me, as this is one of my favorite quips, and thus could be considered in the category of personal information.
    B?Wdnnsb! Phrase is "Badges? We don't need no stinking badges!" Safe, unless it's a well-known fact that Treasure of the Sierra Madre was your favorite film, in which case this should be considered personal information, and thus you shouldn't use it.
    Tthc,tws,Tt0mt As long as someone doesn't know you're a fan of Lewis Carroll, this should be fairly secure. BTW, the phrase is "The time has come the walrus said, to talk of many things" (with the 'o' in 'of' transformed to zero just for good measure). [Lewis Carroll, Through the Looking-Glass]
    1tgpRi! The phrase is "I think good passwords are important!". Note besides the standard letter-to-digit transformation of 'I' to '1', this also employs Variation 1 (above) by using an 'R' for 'are' rather the using 'a'.
    Some BAD Examples

    Password Comment
    ----------- ------------------------------
    AFAIK Aside from being too short, "as far as I know" is too often just written as "AFAIK" so it's likely to be in a cracker dictionary somewhere. The same goes for other popular Internet acronyms, such as OTOH, ROFL, BTW, and so on.
    bbroygbvgw The color coding on resistors: black, brown, red, orange, yellow, green, blue, violet, gray, white. The phrase might be considered sexual harassment were I to repeat it. If you really want to know what it stands for, talk to an EE Geek. ;-)
    RoyG.Biv The colors of the spectrum: Red, Orange, Yellow, Green, Blue, Indigo, Violet. Possibly in a cracker dictionary, especially one that targets techno-geeks.
    4s&7ya The phrase "four score and seven years ago"... possibly not as bad as others listed here (except that it is too short), but this phrase is just too common to be really secure. Others to avoid are common ones such as "The quick brown fox jumped over the lazy dogs", "Now is the time for all good men to come to the aid of their party" and other popular well-known quotations. On the other hand, my guess is that for most of you, "nittfagm2c2taotp" ("Now is the time...") is more secure than any password you've used before. However you, probably aren't going to want to type all that, especially when blinded -- remember these characters generally won't echo when using them for a password!

  3. Pick out a uncommon, non-obvious pattern on the keyboard. (Be sure to include some numbers and special characters, not just letters.) Here, you remember the pattern not the actual characters that you type. (Note: If you are not a touch typist, don't try this at home! ;-)

    Some GOOD Examples

    Password Pattern / Comment
    ----------- -----------------------------
    .mu9l,ji Start at '.' and circle clockwise skipping one character until you reach the starting character, and make second clockwise circle starting at the character to the left of the original starting character. Continue until you have eight or more characters.
    zvm/159\ Start on the bottom row, on the left-most side (z). Then skip two characters (that is, type every third character) until you reach the end of the row. Then go to top row, on the left side (1) and skip three characters (that is, type every fourth character) until you reach the end of the top row.
    Some BAD Examples

    Password Comment
    ----------- ----------------------------------------------
    asdfghjk Should be obvious what's wrong here!
    abcdefgh Again, obvious!
    aaaaaaaa Obvious!
    qwerty Obvious!
    aabbccdd Obvious!
    a1b2c3d4 Obvious!
    abcd1234 Obvious!

    Many of these are likely to be in a good cracker dictionary, or be crackable via hybrid dictionary attacks, for example, by repeating certain key patterns.

  4. Spell out a relatively obscure, but non-personal, word with your hands deliberately misplaced off the "home" keys (f & j) on the keyboard. If necessary, transform some of the letters to digits and/or special characters or add them at appropriate places. You will find that this technique takes some getting used to.

    Some GOOD Examples

    Original Word Resulting Password Comment
    ---------------- -------------------- -------------------------
    1Bakery 2Nslru Hands are moved to type the character to the right of each original character.
    whitehouse {snkgdnlxd} Has prepended and appended { and } respectively, but otherwise password is typed with hands moved from the home row to the bottom row.
    Some BAD Examples

    Original Word Resulting Password Comment
    ---------------- -------------------- -------------------------
    wafer! esgrt@ This password is too short. Also, for me, "WAFER" would be considered personal information: it's the name of the product I work on.

  5. Mix two or more of these techniques together. Using one of the first two techniques with one of the last two techniques works particullary well.
* Other transformations are also useful, such as replacing some letter by the Alt- or Ctrl- equivalent of that letter. For example, replace 'a' or 'A' with 'Alt-A' or 'Ctrl-A', etc. Use of this may be limited (especially using the Alt- variation) since many authentication programs only accept passwords that are printable characters. However, if the program that you are using accepts these alternatives, you are encouraged to use them.

** Well, good at compared to the bad ones, and compared to what many of you are probably used to using.