Good Password Guidelines – How to Make a Strong/Secure Password

It’s common sense for most people on the hacking side of computer security, as we know how easy it is to break a password when it’s only a few characters long or uses a dictionary word (even if it is postfixed with a couple of digits; a hybrid dictionary attack breaks that pretty fast).

Even more so if you are utilising some decent Rainbow Tables and the RainbowCrack method (time/memory trade-off).

The basics of creating a secure password:

  • Include punctuation marks (,.;), special characters (!#$%^) and numbers.
  • Mix capital (uppercase), lowercase and space characters.
  • Create a unique acronym.
  • Short passwords should be 8 chars at least.

Some potential weaknesses to avoid:

  • Don’t use a password that is listed as an example or public.
  • Don’t use the same password you have been using for years.
  • Don’t use a password someone else has seen you type.
  • Don’t use a password that contains personal information (names, birthdays or dates that are easily related to you).
  • Don’t use words or acronyms that can be found in a dictionary.
  • Don’t use keyboard patterns (qwerty) or sequential numbers (12345).
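As an added example (not from the original article), here is a small checker that applies the guidelines listed above to a candidate password: minimum length, mixed case, digits, punctuation, a dictionary lookup that first strips the digit/symbol postfix a hybrid dictionary attack would try, a personal-information check, and keyboard-pattern or sequential-run detection. The word list, keyboard rows and sample passwords are constructed for the illustration.

```python
"""Added example (not from the original article): a checker that applies the
guidelines listed above to a candidate password. The word list, keyboard rows
and sample inputs are constructed for this illustration."""
import string

# Constructed stand-in for a real dictionary or leaked-password list.
COMMON_WORDS = {"password", "letmein", "welcome", "monkey", "dragon", "secret"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def has_sequential_run(pw, n=4):
    """True if pw contains n consecutive characters that walk along a keyboard
    row (either direction) or form an ascending/descending run like 'abcd'."""
    s = pw.lower()
    for i in range(len(s) - n + 1):
        chunk = s[i:i + n]
        if any(chunk in row or chunk in row[::-1] for row in KEYBOARD_ROWS):
            return True
        codes = [ord(c) for c in chunk]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if chunk.isalnum() and steps in ({1}, {-1}):
            return True
    return False


def check_password(pw, personal_info=()):
    """Return the list of guideline violations; an empty list means it passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("does not mix upper and lower case")
    if not any(c.isdigit() for c in pw):
        problems.append("no digits")
    if not any(c in string.punctuation or c == " " for c in pw):
        problems.append("no punctuation, special or space characters")
    # A hybrid dictionary attack tries word + short postfix, so strip a trailing
    # digit/symbol postfix before the dictionary lookup.
    core = pw.lower().rstrip(string.digits + string.punctuation)
    if core in COMMON_WORDS:
        problems.append("dictionary word (possibly with a short postfix)")
    for item in personal_info:
        if item and item.lower() in pw.lower():
            problems.append(f"contains personal information: {item}")
    if has_sequential_run(pw):
        problems.append("contains a keyboard pattern or sequential run")
    return problems


if __name__ == "__main__":
    for candidate in ("Tiger", "Password12", "qwerty!A1", "Xy9?wP#k"):
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

A real deployment would swap the six-word `COMMON_WORDS` set for a proper breached-password list; the structure of the checks stays the same.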

Once you have a good password it’s equally important to keep your password secure:

  • Never tell anyone your password or use it where someone can observe it.
  • Never send your password by email or say it where others may hear.
  • Occasionally verify your current password and change it to a new one.
  • Avoid writing your password down. (Keep it with you in a purse or wallet if you have to write down the password until you remember it.)

And never label that scrap of paper in any way; write it on the back of an old business card or something else that doesn’t indicate it’s a password.

Don’t give anyone who finds (or gains access to) your purse/wallet any clue of what the password means or what it is related to.

128 bits of entropy in a password requires a long randomized passphrase, which wouldn’t be very usable; there has to be a trade-off somewhere between security and usability.
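To put numbers on that trade-off, here is an added example (not from the original article) that works the entropy arithmetic: bits = length × log2(pool size) for uniformly random symbols, the length needed to reach 128 bits from several character pools or from a word list, and, for contrast with the hybrid dictionary attack mentioned at the top, the tiny search space of a dictionary word plus a two-digit postfix. The pool sizes are constructed for the illustration; 7776 is the size of a common five-dice word list.

```python
"""Added example (not from the original article): the entropy arithmetic behind
the security/usability trade-off above. It assumes characters (or words) are
chosen uniformly at random; the pool sizes are constructed for the illustration,
with 7776 being the size of a common five-dice word list."""
import math

# Character pools a generator might draw from (constructed sizes).
POOLS = {
    "digits only": 10,
    "lowercase letters": 26,
    "letters and digits": 62,
    "printable ASCII": 95,
}


def entropy_bits(length, pool_size):
    """Entropy of `length` symbols drawn uniformly from a pool of pool_size."""
    return length * math.log2(pool_size)


def length_for_bits(target_bits, pool_size):
    """Smallest number of uniformly random symbols that reaches target_bits."""
    return math.ceil(target_bits / math.log2(pool_size))


def hybrid_space_bits(dictionary_size, postfix_digits):
    """Search space, in bits, of 'dictionary word + N-digit postfix': the kind
    of password a hybrid dictionary attack enumerates quickly."""
    return math.log2(dictionary_size * 10 ** postfix_digits)


if __name__ == "__main__":
    for name, size in POOLS.items():
        print(f"{name:20s}: 8 chars = {entropy_bits(8, size):5.1f} bits, "
              f"128 bits needs {length_for_bits(128, size)} chars")
    print(f"128 bits from a 7776-word list: {length_for_bits(128, 7776)} words")
    print(f"100k-word dictionary + 2 digits: {hybrid_space_bits(100_000, 2):.1f} bits")
```

The figures only hold when every symbol is chosen at random; a human-chosen acronym or sentence has far fewer bits than its length suggests, which is exactly why the guidelines above push for length and unpredictability together.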

You can also use online password generators. The problem with these, however, is that while they do create strong passwords, those passwords aren’t easy to remember, which rather defeats the purpose.

Another thing you can do is use a password safe to keep all the hard-to-remember passwords in one place; the one I would recommend is from Bruce Schneier and is actually called “Password Safe”.

Password Safe is an Open Source (free) tool that lets you use a different password for every program and website you deal with, without having to remember all those usernames and passwords. Password Safe runs on PCs under Windows (95/98/NT/2000/XP).

You can find it here:

Any other inputs?


Posted in: Countermeasures


14 Responses to Good Password Guidelines – How to Make a Strong/Secure Password

  1. Jeroen April 19, 2006 at 6:39 am #

    We (my colleagues and I) use longer sentences which can’t be calculated because they are very long, but still easy to remember.

    Example: The name of my kitten is “Tiger”!

    It has a ! and “” and even lower and uppercase characters.

    Still your other rules are very important, don’t tell them to anybody and don’t choose a too obvious sentence. Proverbs work great b.t.w.

  2. Darknet April 19, 2006 at 8:54 am #

    Jeroen: Yah I agree, quite a lot of people use the passphrase technique as it yields very complex passwords with only a little effort

    Like your examples you can do:

    “My car is red with plate 3456”

    Which would give you the pass Mciswp3456

    Of course must use in combination with the other rules!

  3. Jeroen April 19, 2006 at 8:59 am #

    Yes Indeed!

    Another: replace parts of the sentence with numbers

    Example: This 1 is hard 2 crack!

  4. John Preston April 19, 2006 at 10:53 am #

    Personally, I prefer ‘KeePass’ as my password safe. It uses AES and Twofish, allows use of a passfile as well as a password. And because it doesn’t hook into the registry and saves the passwords to a database, you can stick it on your USB stick as well!

    KeePass Homepage

  5. Ubourgeek April 19, 2006 at 6:19 pm #

    I use the previously mentioned passphrase technique, hash it using leetspeak (may be lame but it works) ’cause I’m a Geek, then toss a “special” character and an extra number on either end.


    Passphrase: Did you get four hundred thousand computer viruses?

    Number of words in passphrase: 8

    “Special” Character: ?

    Resulting Password: ?dygfh7Cv8 or 8dygfh7Cv?



  6. Darknet April 20, 2006 at 8:05 am #

    John Preston: Thanks for that, Keepass looks pretty neat.

    Ubourgeek: Yah that really does make a strong password, it’s good to combine all of the above techniques..end up with something memorable yet very strong!

  7. Richard Harlos April 25, 2006 at 2:34 pm #

    My preferred method of password generation is to take a sentence or line from a song and then use the first letter of each word in that sentence/line, putting vowels in one case and consonants in another, finally postfixed with numerals that indicate how long that password is including the numerals, e.g., if the line I wish to use is:

    “You and me against the world”

    My password would be “YaMaTW7”

    The longer the line/sentence, the more difficult to brute-force crack it.
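The scheme in the comment above, implemented as an added example (not the commenter's own code): take the first letter of each word, put vowels in one case and consonants in the other, then append the total length including the digits of the length itself. The function also handles the case where that number needs two digits, so the appended count stays consistent. Sample sentences are constructed.

```python
"""Added example (not from the original page): the first-letter passphrase
scheme from the comment above. The second sample sentence is constructed."""

VOWELS = set("aeiou")


def acronym_password(sentence, vowels_upper=False):
    """Build 'first letters (vowels one case, consonants the other) + total
    length'. By default consonants are upper case and vowels lower case; pass
    vowels_upper=True to flip the convention."""
    letters = []
    for word in sentence.split():
        # Skip leading quotes or punctuation so "Tiger"! still yields T.
        first = next((c for c in word if c.isalpha()), None)
        if first is None:
            continue
        is_vowel = first.lower() in VOWELS
        letters.append(first.upper() if is_vowel == vowels_upper else first.lower())
    core = "".join(letters)
    # The appended number counts itself, so find the smallest total length
    # whose digit count makes core + digits exactly that long.
    total = len(core) + 1
    while len(str(total)) != total - len(core):
        total += 1
    return core + str(total)


if __name__ == "__main__":
    print(acronym_password("You and me against the world"))   # the comment's example
    print(acronym_password('The name of my kitten is "Tiger"!'))
    print(acronym_password("a b c d e f g h i"))              # count needs two digits
```

The result inherits its strength from the sentence, not from the transformation: anyone who knows the scheme can derive the password from the line, so the sentence itself has to be unpredictable (not a well-known lyric or proverb) and the output still has to be checked against the rest of the guidelines.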

  8. Danilo Cicerone April 28, 2006 at 8:29 am #

    Try this password generator too:

    for testing and fun!

  9. Daniel June 4, 2007 at 9:05 am #

    I usually make a simple hash of the site domain and like … my phone number with the shift key

  10. Tara (PassPack) June 4, 2007 at 11:58 pm #

    A recent password hacking contest showed that “complexity” actually matters less than length. I just posted about it here:

    Choosing Passwords: Long is Strong

    Jeroen has got the right idea – pass phrases are a best bet.

    Tara Kelly
    PassPack Founding Partner

  11. Torvaun June 5, 2007 at 7:47 am #

    Being a math geek as well as a computer geek, I tend to use mathematical expressions or constants for passwords. ‘e=2.71828’ ‘answer:42’, that kind of thing. Hard to brute force, easy to remember. And of course, being a security minded geek, neither of those is used for a password for anything Internet accessible.

  12. Tara (PassPack) June 5, 2007 at 2:30 pm #

    That’s actually a good method. Here’s another good one over at Significant Figures that uses molecules:

    But still – how do you remember which formula you used on which site? Why not come up with a great master pass for a password manager, and then forget about all the rest.

    Just an idea ;)

  13. Torvaun June 5, 2007 at 2:59 pm #

    Remembering what I used where is the biggest problem I have with this system, but I’m pretty good at remembering the passwords I use most often. The rest, I just run through all of my passwords until I get the right one.

  14. Tara (PassPack) June 6, 2007 at 9:44 am #

    You’ve got a good memory then – I’d never manage. Just make sure you have a lot of these passwords though. Ideally you should have a different one for every site. But at the very least, make sure that you have unique passwords for each banking and email account.