Disclaimer: I’m not a security expert. The advice in this post is based on recommendations from security researchers and consultants.
I use two methods for creating passwords:
- Use software to create and store passwords. My favorite is LastPass.
- Use a scheme to create and remember passwords myself (without software). The rest of this article tells how.
Password security factors
In most cases, a password’s length and uniqueness are more important than its entropy (randomness). Why?
- Length matters because, in general, each additional character makes it harder to crack.
- Uniqueness matters because cracking software will try common passwords and passphrases.
- Entropy isn’t as important because the cracking software doesn’t “know” which characters you’ve used, so it needs to try all combinations anyway.
Steve Gibson has an excellent explanation on his Password Haystacks page. He says,
The only thing an attacker can know is whether a password guess was an exact match . . . or not. The attacker doesn’t know how long the password is, nor anything about what it might look like. So after exhausting all of the standard password cracking lists, databases and dictionaries, the attacker has no option other than to either give up and move on to someone else, or start guessing every possible password.
Create memorable passphrases
Most security experts now recommend creating passphrases that are long and unique, yet memorable. How? One popular example is the webcomic xkcd, #936 Password Strength.
The xkcd method is approved by security expert Bruce Schneier in Recent Developments in Password Cracking. It’s fine to use multiple dictionary words as long as they’re “random”, or words that wouldn’t normally be found together. So, you shouldn’t use something like “lion witch wardrobe” because those words are frequently found together. Instead, use something like “lion paper weight rose”.
Many experts will tell you passphrases like the xkcd one are fine, and they may be right; they know the math better than I do. However, I feel more comfortable using passphrases with uppercase, lowercase, numbers, and special characters because the more character types you use, the more permutations the cracking software needs to try. Some experts feel the same; see the Common Questions & Answers on the Password Haystacks page, and Mark Burnett’s Analyzing the XKCD Passphrase Comic. So, you might end up with a passphrase like “lionPaper1weight$Rose”. Secure and memorable!
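As an added worked example (not code from this post, from the Password Haystacks page or from xkcd), the Python below puts numbers on the two arguments made here: the brute-force search space grows with length and with every extra character class, while a passphrase built from a word list the attacker knows is bounded by dictionary_size ** words. The character-class sizes follow the Haystacks convention (26 lowercase, 26 uppercase, 10 digits, 33 symbols including space); the 2048-word dictionary and the 10^12 guesses/second rate are assumptions.

```python
import math
import string

# Alphabet sizes used by the Password Haystacks estimate: 26 lowercase,
# 26 uppercase, 10 digits and 33 symbols (printable punctuation plus space).
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation + " "),
}

def alphabet_size(password: str) -> int:
    """Union of the standard character classes the password actually uses.
    The attacker cannot see this, but must assume at least this alphabet
    to be certain of eventually guessing the password."""
    present = set(password)
    return sum(len(cls) for cls in CLASSES.values() if present & cls)

def brute_force_guesses(password: str) -> int:
    """Guesses to exhaust every string up to the password's length (Haystacks model)."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))

def passphrase_guesses(word_count: int, dictionary_size: int) -> int:
    """Worst case for an attacker who knows the word list and word count (xkcd model).
    The dictionary size is an assumption; 2048 words gives the comic's 44 bits for 4 words."""
    return dictionary_size ** word_count

def bits(guesses: int) -> float:
    """Search space expressed in bits, for easy comparison."""
    return math.log2(guesses)

def years_to_exhaust(guesses: int, guesses_per_second: float = 1e12) -> float:
    """Time to try every guess; the 1e12/s rate is an assumed offline-cracking figure."""
    return guesses / guesses_per_second / (60 * 60 * 24 * 365)

if __name__ == "__main__":
    # The two passphrases from this post: all-lowercase words versus mixed classes.
    for pw in ("lion paper weight rose", "lionPaper1weight$Rose"):
        g = brute_force_guesses(pw)
        print(f"{pw!r}: alphabet {alphabet_size(pw)}, {bits(g):.1f} bits, "
              f"{years_to_exhaust(g):.3g} years at 1e12 guesses/s")
    d = passphrase_guesses(4, 2048)
    print(f"4 words from a known 2048-word list: {bits(d):.1f} bits, "
          f"{years_to_exhaust(d):.3g} years at 1e12 guesses/s")
```

The two models answer different questions: the passphrase figure assumes the attacker already knows the scheme and word list, while the Haystacks figure assumes they have exhausted their lists and fallen back to brute force, which is why the numbers differ so much. The realistic strength of a word-based passphrase lies between them, closer to the dictionary figure for any list an attacker can obtain.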