How do you create a good password?

Now that we've identified the who and the how, we can start to think about what makes a good password. Clearly the best password is the one that provides the most defence against password attacks. For brute force attacks, the key factor is the size of the key space, that is, the amount of passwords that are possible. The more characters that make up a password, the better, and the more characters that a password can be made up of, the better.

For a dictionary attack, the important thing is that the password is as random as possible, so that it is unlikely to turn up in any generated dictionary of likely passwords -- avoid passwords that contain dictionary words, names, places and even dates. For the last type of attack it's important to make it memorable enough so that you're not tempted to write it down anywhere. This is the big problem with passwords, keeping it memorable enough so that you can keep it in your brain, but complex and random enough to not be easily generated by an attacker.

One popular method is generating an acronym, pick some phrase you'll remember and take the first letter of each word, throw in some punctuation and you've got something that's easy for you to remember, but looks completely random to someone who doesn't know how the password was created. For example, say you're a Bob Dylan fan, you're terrible at remembering passwords, but you know all the words to Highway 61 Revisited -- you take the first letter of each word in the first line ("God said to Abraham: "Kill me a son") add the name of the song and end up with a password that looks like GstAKmash61r.

That's a 12 character password with lower and upper case letters, as well as digits that looks pretty indistinguishable from any other string of characters to anyone who doesn't know where it came from. This makes the method you used your effective password, since it's all you need to regenerate the password. Even if you don't happen to know all the lyrics to your song, you can stick them to your cubicle wall and no one will think anything of it.

Tips:

The Good

• The more possible things your password can be, the harder it is to brute force -- so be creative: use a mix of letters, numbers and punctuation.
• Change your password from time to time. While this doesn't make any single password more secure, it can decrease the damage done should someone get a hold of it and means that old password information gives an attacker nothing.
• Use memory tricks such as acronyms or mnemonics to help you remember a complicated password.
• Use different passwords for different accounts. You wouldn't use your PIN number as your video store password, would you? So avoid having the same password for Web mail and Internet banking.
• Break your password up into sections and have a different rule for each, this will help make a more random looking password.

The Bad

• Don't assume that because you've done nothing to draw the eye of a password cracker you're safe; most password cracking attempts are made by people who neither know or care anything about you.
• Don't use words that exist in any dictionary in any language anywhere in the world.
• Don't use names, even if they're uncommon.
• Common misspellings, or replacing letters with numbers that look similar, eg. 1 for L or 0 for O gives you a negligible increase in password strength.
• Don't leave your password as the default, lists of default passwords for a whole range of systems are commonly available on the Internet.
• Don't use sequences of characters that appear in a run on the keyboard, such as qwerty or asdf.

The Ugly

The top 10 passwords found in a UK study, as published on the blog Modern Life Is Rubbish are as follows. If you see your password here, or something similar, you might want to think about a change:

1. 123
2. password
3. liverpool
4. letmein
5. 123456
6. qwerty
7. charlie
8. monkey
9. arsenal
10. thomas