How hard can it be to choose a good password?
(Image from xkcd.com)
It's actually not that hard...
Three or four random words with a numeral or special character inserted between each word make quite a good password (this defeats every lowercase brute-force attack). Even just capitalising the Nth letter of each of your words gives a dramatic improvement in security, so “coRrecthoRsebaTterystAple” for “correct horse battery staple” (the third letter of each word).
Longer is always better, but the following are also good tips:
- Numeral or special character inserted somewhere in the middle of the password. (It's computationally easy to check prepends and postpends, but still difficult to check every possible position.)
- Ditto for capitalisation. The rule sets crackers use mean that "HorseStaple" is really no more secure than "horsestaple" (capitalising the first letter is the most likely thing someone does to a two-word passphrase, so it only doubles the time to check), but “hoRsestAple” adds 5x6+2=33 permutations (if they have a rule that tries a single capitalised character in each word), which isn't great, but is still better than nothing.
- Even better, replace the Nth character of each word with something completely different: “h&rses&aple” / “hQrsesQaple” / “h5rses5aple” ... just be careful not to pick a substitution that turns a word into another word or accidentally emulates leetspeak.§
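The transformations above (capitalise the Nth letter of each word, replace the Nth letter of each word, put a numeral or symbol between words) are easy to get wrong by hand, so here is an added example, written for this page and not part of the original post, that applies them and refuses the two substitutions the post warns against: leetspeak swaps and substitutions that turn a word into another word. The word list, the dictionary of "other words" and the extra leetspeak pairs beyond the footnote's 0/o, !/i and 3/e are constructed assumptions.

```python
"""Passphrase transformations from the post, with the post's two caveats enforced.
Added example; word lists and the leetspeak table are constructed for it."""
import math
import secrets

# Leetspeak swaps that rule-based crackers try routinely. The post's footnote
# lists 0/o, !/i and 3/e; the remaining pairs are an assumption for the example.
LEET = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
        "!": "i", "@": "a", "$": "s"}

SEPARATORS = "0123456789!@#$%&*-_+=?"


def _nth_index(word, n):
    """0-based index of the n-th letter (1-based); a word shorter than n uses its last letter."""
    return min(n, len(word)) - 1


def capitalise_nth(words, n):
    """Capitalise the n-th letter of each word: n=3 turns 'correct' into 'coRrect'."""
    out = []
    for w in words:
        i = _nth_index(w, n)
        out.append(w[:i] + w[i].upper() + w[i + 1:])
    return out


def is_leet_substitution(original_char, replacement):
    """True when swapping original_char for replacement is leetspeak (e.g. 'o' -> '0')."""
    return LEET.get(replacement) == original_char.lower()


def replace_nth(words, n, ch, dictionary=frozenset()):
    """Replace the n-th letter of each word with ch: n=2, '&' turns 'horse' into 'h&rse'.

    Raises ValueError for the substitutions the post says to avoid: a leetspeak
    swap, or a result that is itself a word in `dictionary` (e.g. cat -> cot)."""
    out = []
    for w in words:
        i = _nth_index(w, n)
        if is_leet_substitution(w[i], ch):
            raise ValueError(f"{w!r}: {ch!r} for {w[i]!r} is a leetspeak substitution")
        candidate = w[:i] + ch + w[i + 1:]
        if candidate.lower() in dictionary:
            raise ValueError(f"{w!r} -> {candidate!r} is another dictionary word")
        out.append(candidate)
    return out


def join_with_separators(words, choose=secrets.choice, separators=SEPARATORS):
    """Join words with a random numeral/symbol *between* each pair (never prepended
    or appended, since those positions are cheap for a cracker to check)."""
    parts = [words[0]]
    for w in words[1:]:
        parts.append(choose(separators))
        parts.append(w)
    return "".join(parts)


def single_capital_variants(words):
    """Number of candidates a rule that capitalises exactly one letter in each word
    must try: the product of the word lengths (the 5x6 factor in the post's count)."""
    return math.prod(len(w) for w in words)


def build_passphrase(wordlist, count=4, n=3, choose=secrets.choice):
    """Pick `count` random words, capitalise their n-th letters and separate them.
    `choose` is injectable so the behaviour can be checked deterministically."""
    words = [choose(wordlist) for _ in range(count)]
    return join_with_separators(capitalise_nth(words, n), choose=choose)


if __name__ == "__main__":
    # Constructed word list for the demonstration (use a large list in practice).
    WORDLIST = ["correct", "horse", "battery", "staple", "planet", "violin", "copper"]
    print(build_passphrase(WORDLIST))
    print(single_capital_variants(["horse", "staple"]))  # the 5x6 part of the post's arithmetic
```

`replace_nth` is deliberately strict: a rejected substitution means pick another character, not silently fall back, because the rejected one is exactly what a rule-based cracker already enumerates.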
All that aside, the MOST important thing is, if you reuse passwords, reuse them wisely:
- Use unique passwords, as strong as you can stomach, for every account that involves access to your actual monetary resources (bank, paypal, amazon, etc).
- Ditto for any email account with password reset access to the above. THIS IS IMPORTANT!
- For sites where your online reputation or business would be harmed by a break-in, or where you would be seriously inconvenienced from a loss of access, use a unique password, but you don't need it to be as strong.
- For generic forums and the like... try not to reuse if you can, and try to pick “good” passwords, but if the repercussions are low then it really isn't too important. These definitely lend themselves towards the “ease of use” end of the scale, as there's little for you to lose.
§ Leetspeak is the use of common substitutions of numbers or symbols for letters (see the cartoon above). For example, “0” (zero) for “o” (oh), “!” for “i”, or “3” for “e”. Definitely avoid these, because password cracking programs usually check these permutations.
Copyright 2018 Regents of the University of California. All rights reserved.