How to choose a secure Internet password

I ran across this in my travels and can’t not show it to you. Bruce Schneier, one of our cyber-security gurus, tackles the question of Internet passwords, hacking them, and choosing safe ones.

Password hacking is a science.

Here’s what that looks like:

The best way to explain how to choose a good password is to explain how they’re broken. The general attack model is what’s known as an offline password-guessing attack. In this scenario, the attacker gets a file of encrypted passwords from somewhere people want to authenticate to. His goal is to turn that encrypted file into unencrypted passwords he can use to authenticate himself. He does this by guessing passwords, and then seeing if they’re correct. He can try guesses as fast as his computer will process them — and he can parallelize the attack — and gets immediate confirmation if he guesses correctly. Yes, there are ways to foil this attack, and that’s why we can still have four-digit PINs on ATM cards, but it’s the correct model for breaking passwords.

There are commercial programs that do password cracking, sold primarily to police departments. There are also hacker tools that do the same thing. And they’re really good.

Part of the problem with choosing a password is that most passwords follow predictable patterns, which makes almost all passwords hackable or guessable:

A typical password consists of a root plus an appendage. The root isn’t necessarily a dictionary word, but it’s usually something pronounceable. An appendage is either a suffix (90% of the time) or a prefix (10% of the time). One cracking program I saw started with a dictionary of about 1,000 common passwords, things like “letmein,” “temp,” “123456,” and so on. Then it tested them each with about 100 common suffix appendages: “1,” “4u,” “69,” “abc,” “!,” and so on. It recovered about a quarter of all passwords with just these 100,000 combinations.

He has more to say on just this idea, but pause a moment. Are your passwords a root plus an appendage, either a prefix or suffix? If so, you’ll probably be interested in what he has to say about how that kind of password is hacked.

His best recommendation for a strong password?

Pretty much anything that can be remembered can be cracked.

There’s still one scheme that works. Back in 2008, I described the “Schneier scheme”:

So if you want your password to be hard to guess, you should choose something that this process will miss. My advice is to take a sentence and turn it into a password. Something like “This little piggy went to market” might become “tlpWENT2m”. That nine-character password won’t be in anyone’s dictionary. Of course, don’t use this one, because I’ve written about it. Choose your own sentence — something personal.

Here are some examples:

▪ WIw7,mstmsritt… = When I was seven, my sister threw my stuffed rabbit in the toilet.
▪ Wow…doestcst = Wow, does that couch smell terrible.
[email protected]~faaa! = Long time ago in a galaxy not far away at all.
▪ uTVM,TPw55:utvm,tpwstillsecure = Until this very moment, these passwords were still secure.

And be sure to check the four rules following this sentence: “There’s more to passwords than simply choosing a good one.” Good info to have, right? It will only take a moment to read it though, and I think you’ll be glad you did.


To follow or send links: @Gaius_Publius

(Facebook note: To get the most from a Facebook recommendation, be sure to Share what you also Like. Thanks.)

Gaius Publius is a professional writer living on the West Coast of the United States.

Share This Post

18 Responses to “How to choose a secure Internet password”

  1. waguy says:

    Recent versions of Mac OSX include a nice password generator. In Preferences:Users & Groups, click on Change Password, then click on the little key symbol next to the New Password box (you don’t need to actually change your User password to use the generator.

  2. larry longmore says:

    cracking is a bit more organized than just a bunch of guessing. A good cracker will have a dictionary of millions of words including foreign words and words with ‘leet’ transpositions (using zero instead of o and 1 instead of i) and will try prepending and appending ! @ $ special char like that. They will then encrypt each of those entries with a random key and see if they match the hash they have acquired. They can do millions of these transactions a minute.

  3. Bob Munck says:

    Be careful using that HB2U one; Warner Music might come after you for their $3,000 fee.

  4. Just_AC says:

    Me, I do something easy to remember – Take the first letters of a song and add something to it. For example “Happy Birthday to you, Happy Birthday to You” and “1964 1/2 Mustang” becomes HB2U,HB2U,1964.5M, use the same password for sites you trust, and change it every month.

    And for those sites that demand email and or password, I have something like an email of ihate [email protected] and a password of idontcare

  5. goulo says:

    Hmm? That’s not true based on everything I have read. That would imply that using a password “password” is just as safe as using a password “*SDKF*EEFjksd8wefw90DSFEJF” – surely you don’t really believe that? Of course a longer random password is more secure than a short simple password.

    These days huge numbers of passwords are cracked because of stolen passwords databases with hashes of passwords. Then the thieves bruteforce search, cracking the short easy passwords quickly and never cracking the extremely long random passwords. They’re not looking for the password of a specific person, they’re just looking for lots of passwords, which are then often useful for identity theft.

  6. HeartlandLiberal says:

    Or worse, the institution goes to a central authentication mechanism, and now one password through one central service authenticates you to every shred of data you have access to. The major university I retired from a few years ago now operates like this. They do force very long pass phrases, which is good. But then they force you to change them every couple years now. Or for role accounts, when there is staff turnover. This can be a total nightmare for IT staff, who then have to track down every place they have embedded control accounts on servers, database engines, etc. And of course it is easy to miss one, and systems blow up. Better to have very long nonsensical, hard to crack passwords that do not change unless exposed.

    When they were making the change over a decade ago I reminded them of their advice only ten years earlier, preached with great vehemence, that to be safe, you should have a different password for every system. From their acid response to me
    in public meetings of IT pros, you would have thought I had farted. Even in my sixties, I had just not learned you don’t tell the emperor he has no clothes, or that what he or she is now preaching is a 180 degree contradiction of what was gospel only a few weeks earlier.

    I do not trust online lockers for passwords. I am old school. I have probably nearly a hundred accounts scattered all over the globe. I keep an old fashioned small spiral looseleaf notebook, with one 2 x 5 inch page per account. Each account has a different password. That notebook stays by my primary workstation at home. Old fashioned, but effective, and also not connected to any computer, much less the Internet. I really should at least put them in an electronic format in a USB key, so I can carry them, but normally I memorize the half dozen I expect to ever need when
    traveling away from home.

    Also, many of you readers have wireless or other routers in your homes. This is one of the most vulnerable points on the Internet surface. Google is filled with pages listing every last model of networking router and gear and the default admin name and password for each model. Why? Because people do not change that password! Change it now, make it at least 18 characters of random gibberish, letters, numbers, and some allowable special characters. Do not embed any recognizable words. Mine is 18 characters long, total nonsense, but I made myself memorize it since it is so critical, and I have to use web browser to access the router to manage it on my home network, which is extensive and hosts several public servers accessible through ports opened up on the router in its firewall.

  7. Fireblazes says:

    Most accounts are hacked at the corporate level, so the advice about having ever more complicated passwords is a bunch of bs. Crooks are looking for the big score, you are just a sideshow.

  8. Bob Munck says:

    I store all of my passwords in a small cloud (2GB) that is maintained by using very high-tech encryption and data storage. My desktop, laptop, and phone are the only processors allowed to access it; it appears to them as a small disk. On that disk the passwords are stored as shortcuts that load their value into the clipboard when I double-click on them, so I can then paste it into the password field.

    There’s also a strong password generator program on the cloud that will generate a random string of whatever length and complexity is legal. For example, here’s a 40-character word with punctuation:


    Here’s the minimum it will do, 8 characters all alphanumeric: 8F4SZ86l. I always use the longest form I can.

    I feel pretty safe with all this, and it’s easy and quick to use.

  9. goulo says:

    Far safer are truly random long passwords which are remembered for you in a strongly encrypted file by a password manager program, e.g. KeePass or various others.

  10. John Smith says:

    Auto license plates can provide nice combinations of letters & numbers, just string together as many as you need and add a few caps.

  11. Zorba says:

    Well, I already use a version of Schneier’s recommendation about using a “sentence.” Except, I use a sentence in Greek with English phonetics (sort of “Greeklish”) with appropriate numerals, keyboard symbols, and abbreviations.
    And now I have just told hackers how to hack into my passwords. :-(

  12. SkippyFlipjack says:

    Great minds! :)

  13. BeccaM says:

    As I remarked below, that’s one of the real problems with the responses so many companies have taken in an attempt to ensure security: They make it so that users are MORE likely to compromise it, if only because frequent password changes or arbitrary lockouts encourage people to be as lazy as possible.

    For example: Frequently required password changes? People will cycle between the same ones, and they’ll be simple passwords. Why? Because most folks can remember either one complicated thing or several simple ones. But not several complicated things.

    Response: Okay, don’t let people reuse passwords. Counter-response: Over time, people will make their passwords even simpler and easier to guess.

    Another strategy: Let’s have passwords for everything. Access to the company website. Access to the source control system. Access to the network. Access to the email system. Access to the VPN system. Again, people will (1) try to use the same password for everything and (2) keep that one password as simple as the systems will allow.

    I’ve become a convert to the notion of multi-layered security, including things like the 2-factor authentication codes and services like 1Password and LastPass.

  14. BeccaM says:

    You posted exactly what I was going to go track down again, Skippy. :-)

    That’s right there is the fatal flaw in the Schneier password scheme: His alternatives are ridiculously hard to remember. “Did I use ellipses or commas?” “Where did I replace a vowel with a symbol, and if so, which one?”

    Human memory is, for the vast majority of us, fallible. The longer, more complicated, and less intuitive a password becomes, the more likely a user is to forget it. Or to transpose something. Next thing you know, your IT Support team is fielding calls all day long from people who’ve forgotten or mentally munged their 20-character gibberish password.

    Doubly complicating matters is the fact many sites — especially those associated with big companies — automatically force you to choose a new password every few months. So just when you’ve managed to cram some nonsense combination into your brain, you have to flush it out and replace it with a new one. “Did I use the couch one yet? Or do I have to come up with yet another new one?”

    There are some answers that do work better than trying to make people come up with harder and harder passwords that remain vulnerable to brute-forcing. In other words, don’t make your weak link the humans who use the system, because the more difficult and awkward you make it, the more likely people are to become frustrated — and lazy.

    Some guidelines (from someone, myself, who’s been working with computers and in networking for going on three decades now):

    – IT designers: DO try to use “single password” point of entry authentication. Especially if you’re going to make your users change their passwords every 90 days, at least make them only have to remember one password.
    – Also, consider implementing a 2-factor authentication method. There are dongles that generate a one-time-use code for authenticating logins (used in combination with passwords). And nowadays, there are even more convenient (and secure) apps that have a code sent to someone’s smartphone or networked tablet or other device.

    – Users: Don’t use the same password for every login. As soon as its compromised in one place, it’s compromised everywhere.
    – There are services out there that not only help generate secure, nearly gibberish passwords of almost any length and complexity, but require only one master password. For example, LastPass, 1Password, and KeePass. Just be sure to make that one master password as secure as possible.

  15. SkippyFlipjack says:

    I like this advice, from the linked article: “Don’t bother updating your password regularly. Sites that require 90-day — or whatever — password upgrades do more harm than good. Unless you think your password might be compromised, don’t change it.”

    Apple/iTunes forces you to select a new password after the third bad attempt, then restricts you from using a password you’ve used before. This is a downward spiral — I’m never sure which password I’ve used with them so use up my three attempts trying to guess. At some point this has you back to simple passwords like “monkey04”, compromising security.

  16. GeorgeMokray says:

    Bruce Schneier is an expert on security and a thoughtful guy. His website has a lot of good information:

    Just finished his book on the idea of security in society, Liars and Outliers: Enabling the Trust that Society Needs to Thrive and will share my notes online at

  17. Silver_Witch says:

    excellent article Gaius – thanks for sharing!

  18. SkippyFlipjack says:

    Here’s a bit from XKCD on why the best passwords from a brute-force-hack standpoint are just four common words stuck together. Easy to remember, hard to crack.

© 2021 AMERICAblog Media, LLC. All rights reserved. · Entries RSS