Just what is a complex password (and how do I create one)?

In a previous blog, I discussed seven common-sense cyber protections you can do that immediately and inexpensively make you, your business, and your family safer from cyber attack.

So far, I've covered #1 – Keep your software patches up to date and #7 – Do not give your primary user account administrator privileges, and #3 – Back up your computer data regularly.

But the one I get asked about the most is probably: #2 - Make your passwords complex

So, we're told to make our passwords "complex" to be safer online. Why? And How?

Passwords are perhaps the most common form of authentication today and will be for at least a few more years (if not longer). Your password is valuable because it is often the only protection standing between you and a hacker seeking your business or personal information.

How a hacker sees your password

Hackers don't usually make off with a list of unprotected passwords when they break into a computer (unless the passwords were written down in a plain text file by the computer owner). Most often, hackers get hold of what are known as "cryptographic password hashes" or simply "password hashes". They are passwords that have been transformed mathematically into rather long strings of seemingly random characters. This transformation is designed to be "one-way" in that turning a password into a hash is easy – but turning a hash back into a password is impossible (in theory).

For example, one encoding approach converts the password “notAGoodPassword” into the password hash “$1$xyz$Nn9.wB/76BlFx.2QDYD0D/”.

So how does a hacker recover a password from a hash? They take a brute-force approach and guess at the password. They take a guess, run it through the mathematical transformation, and see if the result matches the password hash. If it does, they win. If not, they take another guess.

This brute-force guessing is often referred to as "password cracking" – and while you might think this is a rather inefficient approach, there are a lot of free tools out there that do it incredibly well. To start with, you are probably using a password that is easy to remember. Many people do; so many that there exist huge lists of common passwords that are freely available online. Take a look at this list of 10,000 common passwords. Is your password in there?

So how fast can a password cracking tool run? Although typical tools boast millions of guesses per second, there is at least one out there that can make billions of guesses per second. Then there are statistical analyses that look at how people tend to create passwords. Those studies tell us most passwords begin with a common English word followed by the single numeric digit “1”. Less frequently, people put the special characters and numbers ahead of the word. Just that knowledge alone, along with a list of common words, will allow a hacker to crack most passwords in a few seconds.

If you want to really dig into the details of how predictable people are about choosing passwords, here’s a great article that presents common patterns in 10 million user passwords.

So how can we make passwords difficult to crack?

The official guidance from the U.S. Computer Emergency Readiness Team (US-CERT) says:

  • Use different passwords on different systems and accounts
  • Don't use passwords that are based on personal information that can be easily accessed or guessed
  • Use a combination of capital and lowercase letters, numbers, and special characters
  • Don't use words that can be found in any dictionary of any language
  • Develop mnemonics such as passphrases for remembering complex passwords
  • Consider using a password manager program to keep track of your passwords

The first one is important. Try not to re-use your passwords. That way, if one of your accounts has its password stolen, then hackers can't get into your other accounts easily.

Not surprisingly, you also need to stay away from common words (anything in a dictionary) since hackers have some really big dictionaries to make up guesses from.

The best advice for making a complex password

The most important advice from US-CERT is to use mnemonics. That's where you make up a sentence only you will know and then take the first letter of each word and string them together to your new password.

Good passwords should be 8-16 characters long – preferably more. When you aren't using words from dictionaries, longer passwords take longer to guess.

Here's an example 8-word sentence: "But soft, what light through yon window breaks."

  • Taking the first letter from each word gives the 8-letter password "bswltywb"
  • Want a better password? Add some upper-case characters. Since the password should be memorable to you, and "yon" is a bit of an odd word, then you can capitalize the first word and "yon." That should be easier to remember: "BswltYwb"
  • How about a special character? Since we tend to put them at the start or the end of a password, put them in the middle. Again, since "yon" is an uncommon word, put the special character after it: "BswltY!wb".
  • Oh, and please do not use this example as a password since it’s just been written down for everyone to see; keep your own passwords private…and never share them.

You can even let programs generate your passwords using a free website such as If your company uses an anti-virus software suite, you may finda password generator somewhere in that suite.

But now I have a lot of passwords to remember!

Yes, you do. One for each account you have if you follow the advice of US-CERT. That's why you should now think about using a password manager. Your company may already have one chosen for you. If you don't have one, here is one list of free ones you can check out.

Of course, one obvious solution is to buy a small notebook and WRITE YOUR PASSWORDS DOWN manually. Not very high-tech, but it can be a very effective approach. As long as you keep you book handy (but in a safe place), don't give it to anyone, and don't lose it…then a physical book can be a very safe approach. No hacker who breaks into your computer can steal your physical book of passwords. They can only steal what is stored digitally on your computer.

Still not sure what to do? Amaxra is here to help.

Don’t let weak passwords put your brand and your business at risk. Amaxra can help you implement effective password management solutions and strong passwords that follow US-CERT guidance. Contact to have one of our consultants discuss security options with you.