How to Make a Complex Password

During an offline discussion with some of the others on the forum yesterday, one of our number was discussing a hosting issue they were facing. Aside from fixing the problems caused, one suggestion was that all passwords would need an update. Knowing how we enforce ‘complex passwords’ where I work, I posted an adaptation of the way we do it where I am. I am well aware that there are many views on the subject, and that this isn’t necessarily perfect, but it’s better than many of the practices out there, and it puts you streets ahead of those who stick with a default ‘admin | admin’.

## What makes up a complex password?

Ideally, your password should meet the following requirements:

The password must be a minimum of eight characters, consisting of:

  • Minimum of one upper case character
  • Minimum of one number character
  • Minimum of one special character

So a complex password should look something like this:

WTFy2%vf

How are you expecting me to remember this, I hear you ask? Well there is a way and it’s called ‘pass phrases’.

## Pass Phrases

You create a complex password from a passphrase that only you know.

It goes like this:

Think of a sentence that is particular to you, one that uses numbers too.

For example, here is one that means something to me –

I married my wife in Sweden February 2008

I take the first letters from each word, and then I put the numbers at the end, so the sentence; “I married my wife in Sweden February 2008” becomes:

ImmwiSF2008

Then to meet the minimum standard I need to add a special character (!"£$%^&*()_+#~@?><). I will choose to use $.

So my completed complex password is ImmwiSF2008$ and I have met all the requirements for a complex password, and I can remember it.

Remember ‘Pass Phrases’ are easier for you to memorise and mean something to you. Choose special events in your life to make up your ‘Pass Phrase’ and your complex password.


Do you have any preferred techniques or arguments either for or against the above?

PS. The bit about marrying my wife in Sweden in 2008 is not wholly accurate…

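To make the recipe in the post concrete, here is an added Python example (my own illustration, not code from the original post). It checks a password against the four requirements listed above, derives a password from a passphrase exactly as described (first letter of each word, numbers moved to the end, one special character appended), and gives a rough upper bound on brute-force search space so the effect of a site that truncates passwords at a fixed length can be seen. The sample phrase and the set of special characters are the ones from the post; the function names and the truncation parameter are my own.

```python
import math
import string
from typing import List, Optional

# Policy from the post: at least 8 characters, with at least one upper-case
# letter, one digit and one special character.
MIN_LENGTH = 8
# Special characters listed in the post (UK keyboard shift row plus a few extras).
SPECIALS = set('!"£$%^&*()_+#~@?><')


def check_complexity(password: str) -> List[str]:
    """Return the requirements the password fails; an empty list means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        failures.append("no upper-case character")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in SPECIALS for c in password):
        failures.append("no special character")
    return failures


def derive_from_passphrase(phrase: str, special: str = "$") -> str:
    """Apply the post's recipe: first letter of each word, any purely numeric
    words moved to the end in order, then one special character appended."""
    initials = []
    numbers = []
    for word in phrase.split():
        if word.isdigit():
            numbers.append(word)
        else:
            initials.append(word[0])
    return "".join(initials) + "".join(numbers) + special


def search_space_bits(password: str, max_length: Optional[int] = None) -> float:
    """Rough brute-force cost as log2(alphabet ** length), where the alphabet is
    the union of character classes actually present in the password.

    This is an UPPER bound that assumes every character was chosen at random;
    a password built from a memorable sentence has less real entropy than this.
    max_length (my own parameter) models a site that silently truncates the
    password at a fixed length, which shrinks the space an attacker must cover.
    """
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(not c.isalnum() for c in password):
        alphabet += len(string.punctuation) + 1  # printable punctuation plus space
    length = len(password) if max_length is None else min(len(password), max_length)
    return length * math.log2(alphabet)


if __name__ == "__main__":
    phrase = "I married my wife in Sweden February 2008"  # sample phrase from the post
    derived = derive_from_passphrase(phrase)
    print(derived, check_complexity(derived) or "OK")
    for candidate in ("WTFy2%vf", "ImmwiSF2008", "admin"):
        print(candidate, check_complexity(candidate) or "OK")
    print("bits, no limit:", round(search_space_bits(derived), 1))
    print("bits, truncated to 8:", round(search_space_bits(derived, max_length=8), 1))
```

Running it shows `ImmwiSF2008` failing only on the missing special character, `ImmwiSF2008$` passing, and the search-space estimate dropping by a third when the same password is cut at 8 characters.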

Oh dam; I was about to try it on your account!

But an interesting method to remember passwords.

I do follow the minimum requirements - I have to - but I don’t memorise it quite like that :wink:

Why not just use that as the password - a little more typing but way more secure and easier to remember than

and once properly hashed they both take up the same space in the database.

No reason at all that I know of. Perhaps as we work with people who don’t use Latin characters in their first language, someone thought this would be easier.

There was an XKCD comic on this topic a few years back, which is still relevant.

On the flip side, I find it a little silly that many financial institutions enforce a maximum password length. Some actually restrict a password to 8 characters, 12, or even offer a generous 16 characters. In fact, this practice is insecure on two fronts: an attacker knows the maximum limit and doesn’t have to waste CPU cycles going beyond a certain point, and shorter passwords are simply easier to guess.

