Sunday, February 26, 2012

How to select a good password

"How to choose a good password" is a recurring theme. There is not a single company that hasn't at some point had that kind of question or concern, and most IT/security guys are usually losing their voices trying to spread the good word.

"What is a good password?" is in itself an interesting question. People tend to answer this in terms of length, complexity, entropy, presence in a dictionary or not, and so forth. Let's explain a few terms.

Length

The easiest of all: this is purely the number of characters that make up the password.

Complexity

This relates to the individual "components" of the password. Usually, a distinction is made between four big sets:

  • Lowercase letters: a through z
  • Uppercase letters: A through Z
  • Digits: 0 through 9
  • Special characters or symbols: anything that is neither a letter nor a number

The definition of "letters" is in itself quite fun: English speakers may consider accented characters as special characters, whereas (for example) French speakers may consider them normal letters. In addition, non-Roman alphabets also exist, which further expands the definition of letters.

For the sake of simplicity, let's consider as "letters" the non-accented letters of the Roman alphabet.

Entropy

A fun word, which relates to the distribution of characters in the password. For instance, "aaaa1111::::" would have a low entropy, as there are only three different characters, whereas "abcd:;.,1234" would have a higher entropy.

Presence in a dictionary

Pretty much everybody agrees that using "password" as the password is either lame or something you only see in Hollywood movies. However, according to the analysis of the passwords leaked by LulzSec, "password" is indeed in the top three. But a dictionary is also more than the usual list of words we all know: character sequences are also mapped into lists (123456, abcde, qwerty ...), nicknames and pet names (Sweetycakes, Rufus, Catzie ...), and even phone numbers and car plates may be used.

How to choose it?

OK, now that we have this information, we can start answering. For decades, IT and security people tried to train users to select obscure, hermetic and hard-to-remember passwords, thinking that if someone can't remember it, someone else won't be able to find it.

This approach led to situations where users would request a password change every other week because they had forgotten it, or would write the password down on a sticky note stuck to the monitor (I have seen that one).

Let's find another way.

Things we usually remember are words: table, bed, teddy, dog are four words that you would probably still remember from this text in an hour. So why not combine them?

Is "1Table2Beds,3Teddy&aDog" a good password? You betcha! Can you remember it? It will most likely take a few minutes to learn it, but once done, you will probably not forget it.

Method to create the password:

  • Think of 3 or 4 words, each 3 characters or longer if possible
  • Imagine a fun way of mixing them together, using numbers and punctuation signs
  • Think of it as a melody or as a story

And ... voila! You have a secure password. With 3 words of at least 3 characters, your password is already longer than 8 characters. Add 2 characters in between and a final punctuation sign, and you have 11 characters.
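As an added example (not part of the original post), here is a small Python checker that scores a candidate against the four properties defined above, length, character sets, character-distribution entropy and a dictionary/sequence check, and uses the post's recipe as the bar. The mini word list, the sequence detector and the thresholds are my own assumptions, not something the post prescribes.

```python
import math
import string
from collections import Counter

# Constructed mini-dictionary of the kind the post describes: common passwords,
# keyboard sequences and pet names. A real check would load a large word list.
COMMON = {"password", "123456", "abcde", "qwerty", "letmein", "sweetycakes", "rufus"}

def char_classes(pw: str) -> int:
    """Count how many of the four sets (lower, upper, digit, symbol) the password uses."""
    sets = (string.ascii_lowercase, string.ascii_uppercase, string.digits)
    used = sum(any(c in s for c in pw) for s in sets)
    # Anything that is neither a letter nor a digit counts as a symbol.
    if any(c not in string.ascii_letters + string.digits for c in pw):
        used += 1
    return used

def char_entropy_bits(pw: str) -> float:
    """Shannon entropy of the character distribution, in bits per character.
    This is the post's notion of entropy: repeated characters pull it down."""
    if not pw:
        return 0.0
    n = len(pw)
    return -sum(k / n * math.log2(k / n) for k in Counter(pw).values())

def has_sequence(pw: str, run: int = 4) -> bool:
    """True if `run` adjacent characters step by +1 or -1 in code point (abcd, 4321)."""
    for i in range(len(pw) - run + 1):
        steps = {ord(pw[j + 1]) - ord(pw[j]) for j in range(i, i + run - 1)}
        if steps == {1} or steps == {-1}:
            return True
    return False

def in_dictionary(pw: str) -> bool:
    """True if the password, or its letters alone ('Password1' -> 'password'), is a known weak word."""
    letters = "".join(c for c in pw.lower() if c.isalpha())
    return pw.lower() in COMMON or (letters != "" and letters in COMMON)

def assess(pw: str) -> dict:
    """Apply the post's criteria: 11+ characters from the 3-word recipe, at least
    three character sets, non-repetitive characters, no dictionary hit or sequence."""
    classes, ent = char_classes(pw), char_entropy_bits(pw)
    common, seq = in_dictionary(pw), has_sequence(pw)
    acceptable = len(pw) >= 11 and classes >= 3 and ent >= 3.0 and not common and not seq
    return {"length": len(pw), "classes": classes, "entropy_bits_per_char": round(ent, 2),
            "in_dictionary": common, "has_sequence": seq, "acceptable": acceptable}

if __name__ == "__main__":
    for pw in ("password", "aaaa1111::::", "abcd:;.,1234", "1Table2Beds,3Teddy&aDog"):
        print(f"{pw:25} {assess(pw)}")
```

Running it shows that "abcd:;.,1234" scores well on entropy yet still fails, because its two runs are exactly the kind of sequence a dictionary list covers, while the post's "1Table2Beds,3Teddy&aDog" passes every check.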

Happy Surfing!