All You Need to Know About Passwords: Longer is Stronger

Because I work in information security, I deal with passwords a lot. There is a really simple guide to making good passwords: longer is stronger. If you remember nothing else, simply remember longer is stronger. Want a quick way to figure out if your password is any good? The best password strength meter I know is zxcvbn from Dropbox.

Unrememberable Crap Works Against You

Lots of web sites make you put digits or symbols or whatever into your password on the assumption that you’ll pick a short password, so they try to make that short password as strong as possible. You need lots of passwords, though: for your WiFi network, for your laptop, for your work, etc. As long as you end up with a long password you can type some pretty reasonable things, including dictionary words. Consider the following passwords:

  • 14December2016
  • BeverleyHills90210
  • ArizonaState2010
  • AnotherWTF?

These are really simple words, fairly easy to type, but they’re really long. You don’t need to do stupid substitutions like numbers for letters. You don’t need to do unnecessary capitalisation.

Two Really Important Points

  1. Make them as long as is practicable. It doesn’t matter that it’s all lower-case if it’s 17 characters long. “i saw star wars in 1977” is a fabulous password—especially including the spaces.
  2. Consider the kinds of devices you need to type on. TVs, game consoles, phones, printers, and Kindles all have terrible interfaces for typing a password. If your password has a # character in it, that might make it a bit stronger. But it probably takes you 4 or 5 button presses to get there. If those same 4 or 5 button presses put the string “abc” into your password, instead of a single #, you have made a stronger password. For example “PeytonManning#18” is actually a weaker password than “PeytonManning18abc” because 2 extra letters, even though they are lower-case, add more strength than one symbol.

Most reasonable web sites and computer software allow long passwords. If you can find a phrase or two that produce long passwords, it’s much easier to just type real words without gimmicks or tricks. Got a 3-year-old son who loves Spiderman? “spiderman costume” is a password that simply isn’t going to be cracked. It’s all lower-case letters, no funny spellings, but it is 17 characters. Nobody, but nobody, is brute-forcing 17-character passwords.
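To make the “two letters beat one symbol” arithmetic concrete, here is an added Python example (not part of the original post) that scores the post’s own passwords under a plain brute-force model: the attacker’s alphabet is the union of the character classes present, and strength is length times log2 of that alphabet. The guess rate is an assumed figure, and this is a search-space model, not zxcvbn’s pattern-matching estimate.

```python
import math
import string

# Each character class and the pool it adds to a brute-force attacker's
# alphabet. All four together are the 95 printable ASCII characters.
CLASSES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation + " "), 33),  # space counts as a symbol
}


def alphabet_size(password: str) -> int:
    """Size of the smallest class-based alphabet that covers the password."""
    return sum(pool for chars, pool in CLASSES.values()
               if any(c in chars for c in password))


def search_space_bits(password: str) -> float:
    """log2 of the brute-force search space: length * log2(alphabet size)."""
    if not password:
        return 0.0
    return len(password) * math.log2(alphabet_size(password))


def crack_years(password: str, guesses_per_second: float = 1e11) -> float:
    """Expected years to search half the space at an assumed guess rate.

    1e11 guesses/s is an assumed figure for a fast offline attack on an
    unsalted fast hash, not a measurement."""
    expected_guesses = 2 ** (search_space_bits(password) - 1)
    return expected_guesses / guesses_per_second / (365.25 * 24 * 3600)


def stronger(a: str, b: str) -> str:
    """Return whichever of two passwords has the larger brute-force space."""
    return a if search_space_bits(a) >= search_space_bits(b) else b


if __name__ == "__main__":
    # Passwords quoted in the post above.
    for pw in ["PeytonManning#18", "PeytonManning18abc", "spiderman costume", "AnotherWTF?"]:
        print(f"{pw!r:22} {len(pw):2d} chars  alphabet {alphabet_size(pw):2d}  "
              f"{search_space_bits(pw):6.1f} bits  ~{crack_years(pw):.2g} years")
    print("stronger:", stronger("PeytonManning#18", "PeytonManning18abc"))
```

Under this model the 16-character password with a # has about 105 bits of search space, while the 18-character one without it has about 107, which is the post’s point.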

Use a Password Manager

There are many good ones. Most will auto-type your password for you. It makes it a lot easier to have gigantic passwords and unique passwords.

It’s Really As Easy As That

That’s it. Longer is Stronger.