April 2, 2022 • 1,142 words
Reading time: 5 min
What makes a good password?
- It should be a chain of characters unknown and not readily guessable by other humans, and
- It should have sufficient randomness and length such that it's not one of the trillions of guesses per second modern computers can make, and
- It should be easily memorable, ONLY to you.
It's hard to balance the first two with the third condition.
- No common words or phrases should be used. Nothing publicly related to you should be used.
- In the current year, 2022, to sufficiently counter the maximum guessing potential (brute force capability) of computers given the state of technological development, 14 character passwords should be a minimum. This length should be sufficient for quite a few years to come. Each additional character exponentially increases the number of guesses required (on average) to get the correct password. Adding more length increases randomness more than replacing alphabetic characters with numbers or symbols.*
- A chain of only alphabetic characters or only numbers is easier to remember than a mix of alphabetic characters, numbers, and symbols. There are more alphabetic characters than there are single digit numbers, so we should focus on alphabetic characters (which are likely easier to remember regardless).
*Illustration of implication 2 and 3:
is more random (more difficult to guess by a computer) and easier to remember than this:
Given the above conditions, these are reasonable password solutions:
Option 1: First-letter mnemonic
Come up with a random 14-word (or longer) sentence that makes sense only to you and no one else. Take the first letter of each word and chain them together into a password. The sentence becomes a mnemonic, and the result is a 14-character password. Example:
My heart drops when the wall takes beta blockers; what a good use of time.
The result is:
The longer, the better, as long as you can easily remember it. That sentence makes no sense to anyone, but it's readily memorable to me.
Stick an underscore in the middle as a bonus.
The strength of this is that it's highly memorable and easy to type in. This option is more reasonable than the below alternatives when you don't have a nice keyboard to enter it in, e.g., when you're on a small mobile device. Word-based dictionary attacks by computers should not work on this. 14 characters should be a sufficient length to counter completely random brute force guessing by computers.
The weakness of this is that the first letters of words do not follow a uniform distribution, i.e., we don't start words with each letter equally often. This makes the password easier to guess by a sophisticated algorithm. See letter frequency (Wikipedia). The resulting mnemonic is also not completely random. You can overcome this weakness by making the sentence even longer.
Option 2: Long nonsensical sentence
Just use the sentence you came up with in option 1:
The strength of this is that it's highly memorable and very long. The longer, the better. With a completely random brute force method, it's unlikely this will be guessed any time soon.
The weakness of this is that it's impossible to type in on a mobile device. It's too long to make no mistakes on a tiny keyboard. It's also a sentence with mostly proper grammar; it's possible someone else or a very sophisticated algorithm can come up with a similar sentence. Make it even more random and nonsensical to anyone but yourself to overcome this. Stick symbols in the middle to break up words to throw off dictionary attacks:
Option 3: Diceware words
Use Diceware words. Check this out (resource by Electronic Frontier Foundation) for a guide.
Diceware passwords are passphrases, a chain of words used as a password. The words are uncommon and the phrases random. 6 words are reasonable for most purposes now. 8 words should be reasonable for quite a few years to come. The longer, the better.
This is still reasonably memorable as long as you envision the words in your head.
An example is:
Add dashes in the middle if necessary. Stick an underscore in the middle of a word (without creating more real words) to further throw off computer guesses based on a word list:
This option is more usable when you have a nice keyboard to enter it.
Option 4: Completely random password from a password manager
Use a password manager (consider Bitwarden, it's open source) to generate and securely store for you a password with a mix of alphabetic characters, numbers, and symbols, at a length that most people cannot reasonably memorize or type in:
Copy the password from your password manager whenever you need it.
This is as secure as you can reasonably get with a password.
And then use options 1-3 as your password to the password manager. Use an even longer password/passphrase (16 characters or above, or 8 words or above) for this purpose.
Keep in mind that if the password to your password manager is correctly guessed and can be associated with your other accounts and usernames, your passwords and accounts become compromised.
Option 5: Completely random mnemonic from a password manager
Since we're at password managers, a stronger alternative to option 1 (albeit harder to execute):
Use a password manager to generate a completely random password. Then fit each of its letters, numbers, and symbols into a sentence to form a mnemonic that is easily memorable to you.
Take elephant 4 at west 28 at street Faber 8...
You get the idea. This is completely unmemorable to me; come up with something that is memorable to you.
This can be the password to your password manager. The longer, the better, as long as it's easily memorable to you.
Other good practices:
- (Depending on who you are protecting your stuff against,) remember that you are not defending against one person typing in passwords manually. You are potentially defending against any number of computers anywhere in the world.
- Don't reuse passwords. Use a password manager to help solve the memory problem.
- Use multi-factor authentication, regardless of how strong your password is.
- Multi-factor authentication is not a reason to weaken your password. If your door is locked with both a key and a digital combination lock, you don't leave the key in the door, or leave a hint to the combination right on the door.
- Password strength can be measured as “bits of entropy”, a measure of how much randomness a password has.
- Not sure to what degree quantum computing in the future affects passwords. One source reasons that Diceware passphrases of 15+ words would be secure post-quantum, with certain assumptions. Uncertain how valid those assumptions are in practice.
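To put numbers on the claims above (14 letters as a minimum, one added letter beating a swapped-in symbol, 6 vs. 8 Diceware words, "bits of entropy"), here is an added calculator that is not part of the original post. It assumes uniformly random choices (an upper bound for a first-letter mnemonic), a 7776-entry Diceware list, 43 non-letter characters for substitutions, 95 printable ASCII characters for a manager-generated password, and the post's figure of a trillion guesses per second.

```python
import math

GUESSES_PER_SECOND = 1e12    # "trillions of guesses per second", as the post assumes
LETTERS = 26                 # lowercase alphabet (Option 1 mnemonic, Option 2 letters)
NON_LETTERS = 10 + 33        # digits plus printable ASCII symbols (assumed swap set)
PRINTABLE_ASCII = 95         # set a password manager draws from (Option 4, assumed)
DICEWARE_LIST_SIZE = 7776    # 6^5 entries, the size of EFF's long word list (Option 3)


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy when each of `length` symbols is drawn uniformly and
    independently from `alphabet_size` choices. Upper bound for a mnemonic:
    initial letters of English words are not uniformly distributed."""
    return length * math.log2(alphabet_size)


def symbol_swap_bits(length: int, position_known: bool = True) -> float:
    """Bits for `length` characters where one letter is replaced by a digit or
    symbol. If the attacker knows the position (e.g. "the middle"), only that
    slot widens; otherwise they pay at most log2(length) extra guesses."""
    bits = entropy_bits(LETTERS, length - 1) + math.log2(NON_LETTERS)
    return bits if position_known else bits + math.log2(length)


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Years to try every candidate at `rate` guesses per second; the expected
    time to reach the right one is half of this."""
    return 2.0 ** bits / rate / (365.25 * 24 * 3600)


def compare_options() -> dict:
    """Entropy of the post's options under the uniform-choice assumption."""
    return {
        "14 letters":                     entropy_bits(LETTERS, 14),
        "14 letters, middle one swapped": symbol_swap_bits(14),
        "15 letters":                     entropy_bits(LETTERS, 15),
        "14 printable ASCII (manager)":   entropy_bits(PRINTABLE_ASCII, 14),
        "6 Diceware words":               entropy_bits(DICEWARE_LIST_SIZE, 6),
        "8 Diceware words":               entropy_bits(DICEWARE_LIST_SIZE, 8),
    }


if __name__ == "__main__":
    for name, bits in compare_options().items():
        print(f"{name:32s} {bits:6.1f} bits  ~{years_to_exhaust(bits):.3g} years to exhaust")
```

Swapping the middle letter for a symbol adds under one bit, while a fifteenth letter adds about 4.7 bits, which is the post's point about length versus character substitution.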