13 Apr, 2015 | Bobby | Internet Security

Important Note: This article is for website and computer passwords. If you’re looking for how to create a wireless password, check out this guide instead.

Want to create passwords like a superhero? I promise, it’s not as hard as your IT guy probably makes it sound.

I don’t like password rules because they’re a pain in the tokus. Instead, I’ve developed a quick trick that I use with my clients that creates easy-to-remember yet strong passwords. I can sum it up in one sentence:

Create a random phrase then add numbers and symbols

Come up with a simple, random phrase that you can remember. It helps if you choose rhyming words or alliteration. The phrase should have no meaning to you. Try not to be predictable. Here are some examples:

Random phrase of 2 or 3 words: StickyStormy
Add numbers and symbols: St1cky*St0rmy

Random phrase: LowLumpyLarry
Numbers and symbols: L0wLumpyL@rry

Or why even use real words? Make some up!

Random made-up words: NukinBloop
Numbers and symbols: Nukin%%Bl00p

Random made-up words: CheezePunkins
Numbers and symbols: 5CheezePunkin$

Random made-up words: LiftieWistt
Numbers and symbols: L1ftie()wistt

Easy to remember, no? The hardest part is remembering where you put the numbers and symbols. That’s why I used common replacements, like “$” for “s”, “1” for “i”, and zero for “o”.

So what makes these passwords strong? If you’re the type who wants to know why this method works, read on for a deeper explanation.

Who Are the Villains?

There are basically two things you need to protect against when creating passwords: people and computers.

People make intuitive, educated guesses based on what they know about you.

Computers, however, lack that finesse and take the brute force approach. They simply chew through a list of every possible combination of characters until they find one that fits.

But they don’t work alone. They’re actually ganging up on you. Bad guys can modify a computer’s brute force cracking process to be more relevant to their target (you) based on what they know about you, thereby greatly reducing the time the computer might take. So how do we fight against this villainous duo?

The Qualities of Good Passwords

Nonsense

This is the people-guessing part.

One of the worst habits we have is giving our passwords some special meaning to us. It’s not clever, it’s predictable. No one should be able to make any educated guesses based on what they can find out about you. Here’s a list of common themes I see among our clients:

  • kids’ names
  • number of kids
  • anything else to do with kids
  • pet’s names
  • spouse’s name
  • business name
  • sports team names
  • something to do with a hobby or interest
  • their company position or department
  • car models
  • religious phrases
  • someone’s birth year
  • phone numbers
  • tons of other commonly known facts

I can almost guarantee there’s something in that list you’re using. Well stop it! It’s strange, but it feels kind of funny to get away from doing this. That’s the tendency I was talking about – the feeling that it has to be relevant to us. Well it doesn’t, and it shouldn’t.

Length and Complexity

This is the computer-guessing part.

The idea here is to create our passwords in such a way that it’s statistically impossible for a computer to find the right one in a reasonable amount of time. We do that with two metrics: length and complexity.

Length. You can see that I made the passwords above at least 12 characters in length. I believe that should be the minimum, based on the math of brute force cracking with automated software. Feel free to make it even longer if you can stand it. Every character you add multiplies the number of possible combinations by the size of the character pool, so the time required to crack grows exponentially with length.

For a great in-depth explanation of how length affects password strength, check out Steve Gibson’s password haystacks page.

Complexity. Once we’ve decided on the length of the password, we can further increase the number of possible passwords by adding to the pool of possible characters. If you’re using just lower case letters and numbers, there are fewer possible passwords than if you add uppercase letters, too. In the examples above you can see that I use all four character types:

  • upper case
  • lower case
  • numbers
  • symbols

This is probably the most annoying part, but it’s necessary. Here’s a chart to help explain. The number of combinations is based on a 12-character password. And the numbers would obviously change for different languages; this is for English specifically.

Character types in pool   # of total characters   # of possible combinations
lowercase                 26                      9,657,700
+ uppercase               52                      206,379,406,870
+ numbers                 62                      2,160,153,123,141
+ symbols                 94                      477,542,747,740,513

That number of possible combinations might seem like overkill. But brute force cracking software can blast through these possibilities by the millions per second or more, depending on the power of the computer. Supercomputers, like those available to government agencies, can do billions per second.

For instance if you used a 12-character password including lowercase + uppercase + numbers (without symbols), a supercomputer (assuming 1 billion guesses per second) could try all possible combinations in 36 minutes. But add symbols to the mix and it jumps to about 5.4 days. That’s still not very long! See why it’s so important to create as many possibilities as you can?

Of course, this is only if someone like a government agency (ahem*NSA*ahem) decided you were worth pursuing for some reason. Most criminals won’t have access to that type of processing power. But still, millions of guesses per second is nothing to sneeze at.

But let’s take it a step further. If you add just two more characters (for 14 total), the above scenario with the supercomputer would go from 5.4 days to 201.7 days. That’s significantly better, especially if you’re in the habit of changing your password every once in a while.

The plot thickens: Just because that’s the amount of time it would take to try every combination doesn’t mean that’s how long it would take to find your password. On average, they would only have to try half the possibilities before they find it. It could be more, but it could be less. Maybe they find it after 987 billion tries. That’s only 16 minutes for a supercomputer (or only 11.4 days at a more reasonable 1 million guesses per second).
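To put numbers on the length-and-complexity argument, here is an added example (my own code, not from the original post) that classifies a password by the four character types, sizes the pool accordingly, counts the brute force search space as pool ** length (each position can hold any pool character, the standard brute force count), and converts that to time at a chosen guess rate, including the half-on-average case. Function names, the 32-symbol set, and the guess rates are my assumptions.

```python
import math
import string

# The four character classes the article says to mix. Pool sizes add up as in
# the article's chart: 26 lowercase + 26 uppercase = 52, + 10 digits = 62,
# + 32 printable ASCII symbols = 94.
CLASSES = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "numbers": string.digits,
    "symbols": string.punctuation,  # 32 symbols
}

def classes_used(password):
    """Which of the four classes actually appear in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}

def pool_size(password):
    """Pool an attacker must search: sum of the classes used.
    Characters outside the four classes (spaces, non-ASCII) are ignored here."""
    return sum(len(CLASSES[name]) for name in classes_used(password))

def keyspace(pool, length):
    """Candidate passwords of exactly this length: pool ** length."""
    return pool ** length

def entropy_bits(password):
    """log2 of the keyspace; 0 for an empty password (no classes used)."""
    pool = pool_size(password)
    return len(password) * math.log2(pool) if pool else 0.0

def seconds_to_exhaust(password, guesses_per_second=1e9):
    """Worst case for the attacker: try every candidate at the given rate.
    The article's point: on average the password turns up after half of them."""
    return keyspace(pool_size(password), len(password)) / guesses_per_second

def human_time(seconds):
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"

def report(password, guesses_per_second=1e9):
    worst = seconds_to_exhaust(password, guesses_per_second)
    return {"length": len(password), "classes": sorted(classes_used(password)),
            "pool": pool_size(password), "bits": round(entropy_bits(password), 1),
            "exhaust": human_time(worst), "average": human_time(worst / 2)}

if __name__ == "__main__":
    # The article's own examples, plus the plain phrase before substitutions.
    for pw in ("StickyStormy", "St1cky*St0rmy", "L0wLumpyL@rry", "5CheezePunkin$"):
        print(pw, report(pw, 1e9))
```

Treat the result as an upper bound: it assumes a pure brute force search, whereas cracking tools attack dictionary words and common substitutions like 1 for i first, which is exactly why the phrase itself has to be nonsense.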

This explanation may sound complicated, so if you feel overwhelmed then just return to the beginning of this article and follow the instructions. If you use this method then you don’t have to worry about the complicated explanation because it just works.

Other Methods

There are, of course, other ways to create good passwords. I’ve just found this one to be the most effective at getting them to stick in memory. Here are some others you might start with. Just don’t forget to mix them up with all four character types when you’re done!

  • Choose an obscure phrase and misspell words intentionally
  • Choose an uncommon song lyric then use the first letter of each word
  • Create a made-up word and type it multiple times, modifying it each time
