Good Password Guidelines – How to Make a Strong/Secure Password

It’s common sense for most people on the hacking side of computer security, as we know how easy it is to break a password when it’s only a few characters long or uses a dictionary word (even one postfixed with a couple of digits: a hybrid dictionary attack breaks it pretty fast).

Even more so if you are utilising some decent Rainbow Tables and the RainbowCrack method (time/memory trade-off).

The basics of creating a secure password:

  • Include punctuation marks (,.;), special characters (!#$%^) and numbers.
  • Mix capital (uppercase), lowercase and space characters.
  • Create a unique acronym.
  • Passwords should be at least 8 characters long.

Some potential weaknesses to avoid:

  • Don’t use a password that is listed as an example or public.
  • Don’t use the same password you have been using for years.
  • Don’t use a password someone else has seen you type.
  • Don’t use a password that contains personal information (names, birthdays or dates that are easily related to you).
  • Don’t use words or acronyms that can be found in a dictionary.
  • Don’t use keyboard patterns (qwerty) or sequential numbers (12345).
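
The two lists above translate directly into a policy check. The following is an added example, not code from the original post: a small checker that applies the post’s minimum length and character-class advice and each of the “weaknesses to avoid” to a candidate password, returning the rules it breaks. The dictionary, the published-example list and the personal-information set are tiny constructed stand-ins; a real deployment would load a proper word list and the user’s own details.

```python
"""Added example (not from the original post): apply the post's password
rules to a candidate and report which ones it violates."""
import re
import string

MIN_LENGTH = 8  # the post's stated minimum

# Constructed sample data; a real check would use full lists.
DICTIONARY_WORDS = {"password", "tiger", "monkey", "dragon", "welcome", "summer"}
PUBLIC_EXAMPLES = {"P@ssw0rd", "Mciswp3456", "correcthorsebatterystaple"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
PERSONAL_INFO = {"john", "1985", "0412"}  # names/dates the user supplied


def _has_keyboard_pattern(pw: str, run: int = 4) -> bool:
    """True if any `run` consecutive characters walk along a keyboard row
    in either direction (e.g. 'qwer', 'vcxz')."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            seg = row[i:i + run]
            if seg in low or seg[::-1] in low:
                return True
    return False


def _has_sequential_digits(pw: str, run: int = 4) -> bool:
    """True if `run` digits in a row ascend or descend by one (1234, 9876)."""
    for m in re.finditer(r"\d{%d,}" % run, pw):
        digits = [int(c) for c in m.group()]
        for i in range(len(digits) - run + 1):
            window = digits[i:i + run]
            diffs = {b - a for a, b in zip(window, window[1:])}
            if diffs == {1} or diffs == {-1}:
                return True
    return False


def _contains_dictionary_word(pw: str, min_len: int = 4) -> bool:
    """True if a dictionary word of at least `min_len` letters appears,
    ignoring case and a trailing run of digits (the hybrid-attack case,
    e.g. 'tiger99')."""
    core = re.sub(r"\d+$", "", pw.lower())
    return any(w in core for w in DICTIONARY_WORDS if len(w) >= min_len)


def check_password(pw: str, personal: set = PERSONAL_INFO) -> list:
    """Return the rules the password violates; an empty list means it passed."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation or c == " " for c in pw),
    ]
    if sum(classes) < 3:
        problems.append("uses fewer than three character classes")
    if pw in PUBLIC_EXAMPLES:
        problems.append("is a published example password")
    if _contains_dictionary_word(pw):
        problems.append("contains a dictionary word")
    if _has_keyboard_pattern(pw):
        problems.append("contains a keyboard pattern")
    if _has_sequential_digits(pw):
        problems.append("contains sequential digits")
    if any(p.lower() in pw.lower() for p in personal):
        problems.append("contains personal information")
    return problems


if __name__ == "__main__":
    for candidate in ("qwerty", "Tiger99", "Mciswp3456", "Mc!s rW-p7391"):
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

Note that the dictionary check deliberately strips trailing digits before looking for words, because that is exactly the hybrid attack the introduction describes; a checker that only compares the whole string would wave “tiger99” through.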

Once you have a good password it’s equally important to keep your password secure:

  • Never tell anyone your password or use it where someone can observe it.
  • Never send your password by email or say it where others may hear.
  • Occasionally verify your current password and change it to a new one.
  • Avoid writing your password down. (Keep it with you in a purse or wallet if you have to write down the password until you remember it.)

And never label that scrap of paper in any way: write it on the back of an old business card or something else that doesn’t indicate it’s a password.

Don’t give anyone who finds (or gains access to) your purse/wallet any clue of what the password means or what it is related to.

128 bits of entropy in a password requires a long, randomised passphrase, which wouldn’t be very usable; there has to be a trade-off somewhere between security and usability.
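
The arithmetic behind that trade-off, as an added example (not from the original post): how many uniformly random characters or words are needed to reach a given number of bits, for the 95 printable ASCII characters, lowercase letters only, and a 7776-word Diceware-style list. The alphabet and word-list sizes are standard figures, not something the post specifies; the figures only apply to secrets chosen uniformly at random, not to human-chosen strings of the same length.

```python
"""Added example (not from the original post): entropy of uniformly random
passwords and passphrases, and the length needed to hit a target."""
import math

PRINTABLE_ASCII = 95   # letters, digits, punctuation and space
LOWERCASE = 26
WORDLIST = 7776        # 6^5 words, the size of a Diceware-style list


def bits_per_symbol(alphabet_size: int) -> float:
    """Entropy contributed by one uniformly random symbol from the alphabet."""
    return math.log2(alphabet_size)


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of `length` independent uniform symbols."""
    return length * bits_per_symbol(alphabet_size)


def symbols_needed(target_bits: float, alphabet_size: int) -> int:
    """Smallest number of uniform symbols that reaches `target_bits`."""
    return math.ceil(target_bits / bits_per_symbol(alphabet_size))


def expected_guesses(bits: float) -> float:
    """Average number of guesses to hit a secret of `bits` entropy
    (half the space, since the attacker stops when it succeeds)."""
    return 2 ** (bits - 1)


def tradeoff_table(target_bits: float = 128) -> dict:
    """Length required, per alphabet, for a uniformly random secret to
    reach `target_bits`."""
    return {
        "printable-ascii chars": symbols_needed(target_bits, PRINTABLE_ASCII),
        "lowercase-only chars": symbols_needed(target_bits, LOWERCASE),
        "wordlist words": symbols_needed(target_bits, WORDLIST),
    }


if __name__ == "__main__":
    for label, n in tradeoff_table().items():
        print(f"{n:3d} {label} for 128 bits")
    # An 8-character password from the full printable set is only ~52.6 bits.
    e8 = entropy_bits(8, PRINTABLE_ASCII)
    print(f"8 printable chars: {e8:.1f} bits, ~{expected_guesses(e8):.2e} guesses on average")
```

The table is the post’s point in numbers: 128 bits means twenty truly random printable characters or ten random words, while the 8-character minimum above buys a little over 50 bits even when every character is random, which is why the minimum is a floor rather than a target.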

You can also use online password generators. The problem with these, however, is that while they do create strong passwords, the results aren’t easy to remember, which rather defeats the purpose.

Another thing you can do is use a password safe to keep all the hard-to-remember passwords in one place; the one I would recommend is Bruce Schneier’s, which is actually called “Password Safe”.

Password Safe is an Open Source (free) tool that allows you to have a different password for each of the programs and websites you deal with, without actually having to remember all those usernames and passwords. Password Safe runs on PCs under Windows (95/98/NT/2000/XP).

You can find it here:

Any other inputs?

Posted in: Countermeasures

14 Responses to Good Password Guidelines – How to Make a Strong/Secure Password

  1. Jeroen April 19, 2006 at 6:39 am #

    We (my colleagues and I) use longer sentences which can’t be calculated because they are very long, but still easy to remember.

    Example: The name of my kitten is “Tiger”!

    It has a ! and “” and even lower and uppercase characters.

    Still, your other rules are very important: don’t tell them to anybody and don’t choose too obvious a sentence. Proverbs work great, b.t.w.

  2. Darknet April 19, 2006 at 8:54 am #

    Jeroen: Yah, I agree, quite a lot of people use the passphrase technique as it yields very complex passwords with only a little effort.

    Like your examples you can do:

    “My car is red with plate 3456”

    Which would give you the pass Mciswp3456

    Of course you must use it in combination with the other rules!

  3. Jeroen April 19, 2006 at 8:59 am #

    Yes Indeed!

    Another: replace parts of the sentence with numbers

    Example: This 1 is hard 2 crack!

  4. John Preston April 19, 2006 at 10:53 am #

    Personally, I prefer ‘KeePass’ as my password safe. It uses AES and Twofish, and allows use of a passfile as well as a password. And because it doesn’t hook into the registry and saves the passwords to a database, you can stick it on your USB stick as well!

    KeePass Homepage

  5. Ubourgeek April 19, 2006 at 6:19 pm #

    I use the previously mentioned passphrase technique, hash it using leetspeak (may be lame but it works) ’cause I’m a Geek, then toss a “special” character and an extra number on either end.

    Passphrase: Did you get four hundred thousand computer viruses?

    Number of words in passphrase: 8

    “Special” Character: ?

    Resulting Password: ?dygfh7Cv8 or 8dygfh7Cv?

  6. Darknet April 20, 2006 at 8:05 am #

    John Preston: Thanks for that, Keepass looks pretty neat.

    Ubourgeek: Yah that really does make a strong password, it’s good to combine all of the above techniques..end up with something memorable yet very strong!

  7. Richard Harlos April 25, 2006 at 2:34 pm #

    My preferred method of password generation is to take a sentence or line from a song and then use the first letter of each word in that sentence/line, putting vowels in one case and consonants in another, finally postfixed with numerals that indicate how long that password is including the numerals, e.g., if the line I wish to use is:

    “You and me against the world”

    My password would be “YaMaTW7”

    The longer the line/sentence, the more difficult to brute-force crack it.
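
The acronym scheme in comment 7, written out step by step as an added example (this is not code from the thread). It assumes that ‘y’ counts as a consonant and that punctuation around words is ignored; the comment does not say either.

```python
"""Added example (not from the thread): the first-letter acronym scheme
from comment 7, with vowel/consonant casing and the self-including
length postfix."""
VOWELS = set("aeiou")  # 'y' treated as a consonant (assumption)
PUNCT = "\"'“”‘’.,;:!?()"


def acronym_password(line: str) -> str:
    """Build the password the way comment 7 describes:
    1. take the first character of each word (punctuation stripped),
    2. lowercase the vowels, uppercase everything else,
    3. append the total length, counting the appended digits themselves."""
    initials = [w.strip(PUNCT)[0] for w in line.split() if w.strip(PUNCT)]
    core = "".join(c.lower() if c.lower() in VOWELS else c.upper() for c in initials)
    # The postfix must make total length == len(core) + digits in the postfix,
    # so search upward from the shortest possible total until it is consistent.
    total = len(core) + 1
    while len(core) + len(str(total)) != total:
        total += 1
    return f"{core}{total}"


if __name__ == "__main__":
    print(acronym_password("You and me against the world"))  # YaMaTW7
```

Because the output is a deterministic function of the source line, the scheme is only as strong as the unpredictability of that line: a well-known lyric or proverb offers an attacker far fewer candidates than a 7-character random string would, so the post’s rule against publicly listed examples applies to the source sentence as much as to the finished password.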

  8. Danilo Cicerone April 28, 2006 at 8:29 am #

    Try this password generator too:

    for testing and fun!

  9. Daniel June 4, 2007 at 9:05 am #

    I usually make a simple hash of the site domain and like … my phone number with the shift key.

  10. Tara (PassPack) June 4, 2007 at 11:58 pm #

    A recent password hacking contest showed that “complexity” actually matters less than length. I just posted about it here:

    Choosing Passwords: Long is Strong

    Jeroen has got the right idea – passphrases are the best bet.

    Tara Kelly
    PassPack Founding Partner

  11. Torvaun June 5, 2007 at 7:47 am #

    Being a math geek as well as a computer geek, I tend to use mathematical expressions or constants for passwords. ‘e=2.71828’ ‘answer:42’, that kind of thing. Hard to brute force, easy to remember. And of course, being a security minded geek, neither of those is used for a password for anything Internet accessible.

  12. Tara (PassPack) June 5, 2007 at 2:30 pm #

    That’s actually a good method. Here’s another good one over at Significant Figures that uses molecules:

    But still – how do you remember which formula you used on which site? Why not come up with a great master pass for a password manager, and then forget about all the rest.

    Just an idea ;)

  13. Torvaun June 5, 2007 at 2:59 pm #

    Remembering what I used where is the biggest problem I have with this system, but I’m pretty good at remembering the passwords I use most often. The rest, I just run through all of my passwords until I get the right one.

  14. Tara (PassPack) June 6, 2007 at 9:44 am #

    You’ve got a good memory then – I’d never manage. Just make sure you have a lot of these passwords though. Ideally you should have a different one for every site. But at the very least, make sure that you have unique passwords for each banking and email account.