Best Password Tip Ever

There is no end to the number of good (and sometimes even free) software tools users can employ to generate strong passwords for their various accounts and logins. Randomly generated passwords, however, are often devilishly hard to remember, probably because they're built to resist dictionary and other brute-force cracking attacks. But there is a simple trick that resists cracking and still aids recall!

I got this notion from a recent networking blog by long-time network wiz Steven J. Vaughan-Nichols entitled "Cartoon makes better password point than many security experts." If you take a look at the cartoon, an instance of Randall Munroe's terrific xkcd webcomic, you'll immediately get the point he's trying to make.

Here is the point in its simplest terms: string a bunch of random words together to create a long string that you can remember but that will be expensive to crack by brute force. The cartoon compares an auto-generated 11-character string (Tr0ub4dor&3) with four random words, correct horse battery staple (44 characters), and estimates the brute-force cracking time for each. It takes an average of 3 days for a computer that makes 1,000 guesses per second to crack the tough 11-character string (which meets or beats most password strength calculators I submit it to). How long does it take to crack the four-word concatenation at the same rate? 550 years. Need I say more?
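To make the cartoon's arithmetic concrete, here is an added example (not code from the original post or from xkcd): it draws words with the operating system's CSPRNG, computes the entropy of a passphrase from the word-list size, and turns an entropy estimate into brute-force time at the cartoon's 1,000 guesses per second. The 28-bit and 44-bit figures are the cartoon's own entropy estimates for Tr0ub4dor&3 and for four words from a 2048-word list; the eight-word list is constructed for the demo only.

```python
import math
import secrets

# Constructed demo word list (the cartoon's four words plus filler).
# A real generator draws from a published list of a few thousand words so
# that each word contributes log2(list size) bits; the user must not pick
# the words by hand, or the entropy estimate below no longer holds.
DEMO_WORDS = ["correct", "horse", "battery", "staple",
              "apple", "river", "candle", "pencil"]

def passphrase(word_list, n_words=4, sep=" "):
    """Join n_words drawn uniformly with the OS CSPRNG (secrets, not random)."""
    return sep.join(secrets.choice(word_list) for _ in range(n_words))

def passphrase_bits(list_size, n_words):
    """Entropy of n_words independent uniform draws from list_size words."""
    return n_words * math.log2(list_size)

def crack_time_seconds(bits, guesses_per_second):
    """Time to exhaust a search space of 2**bits guesses at the given rate."""
    return 2 ** bits / guesses_per_second

def words_needed(target_bits, list_size):
    """Smallest number of words giving at least target_bits of entropy."""
    return math.ceil(target_bits / math.log2(list_size))

def describe(label, bits, rate=1000):
    """One-line summary of how long a full search takes at `rate` guesses/s."""
    seconds = crack_time_seconds(bits, rate)
    days = seconds / 86400
    years = days / 365.25
    span = f"{years:,.0f} years" if years >= 1 else f"{days:.1f} days"
    return f"{label}: {bits:.0f} bits -> {span} at {rate:,} guesses/s"

if __name__ == "__main__":
    # Entropy estimates taken from the cartoon: ~28 bits for the Tr0ub4dor&3
    # pattern (common word + capitalisation + substitutions + digit + symbol),
    # and four words from a 2048-word list = 4 * 11 = 44 bits.
    print(describe("Tr0ub4dor&3 pattern", 28))
    print(describe("four words, 2048-word list", passphrase_bits(2048, 4)))
    # Hypothetical 7776-word (diceware-sized) list, aiming for 80 bits.
    print("words for 80 bits from a 7776-word list:", words_needed(80, 7776))
    print("sample passphrase:", passphrase(DEMO_WORDS))
```

Run as a script, it reports roughly 3 days for the 28-bit pattern and roughly 557 years for the 44-bit passphrase, matching the cartoon's 3 days and 550 years.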

I've taught lots of security courses where I've encouraged people to use a passphrase model to build strong passwords, but I never really thought the process through enough to have the Homer Simpson moment ("D'oh!") that Munroe's cartoon engendered in me. Yes, it's easier to grab four words from a dictionary and shoot for 40 characters or more to create a strong password than to rigorously construct a hard-to-remember string of 8 to 16 characters that includes "a mix of upper and lower case alphabetic characters, numerals, and punctuation," as the conventional wisdom on password construction so often goes.

Sometimes the best things in life are not only free, but delightfully simple and easy to use. This is one of them. Use it! And if you are inclined to ignore this beautiful and brilliant piece of advice, consider carefully the caption to Munroe's cartoon: "Through 20 years of effort, we've successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess." Ouch!