Best practices when creating a password

Recently, I was discussing "best practices" when creating a password, and here are the "qualifications" I could think of:

- easy to remember or generate
- not the same as your other passwords
- not easy for others to guess
- more than 6 characters
- contains at least one of ALL these: uppercase character, lowercase character, number, "allowed" punctuation-mark

Can you think of any other "best practice"?

Thanks in advance!
-- Dave
LVL 18
Dave FordSoftware Developer / Database AdministratorAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

There are 10 good rules in the following article:

Adopt Long Passphrases. ...
Avoid Periodic Changes. ...
Create Password Blacklist. ...
Implement Two-Factor Authentication. ...
Add Advanced Authentication Methods.
Arrange Regular Employee Training

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
David FavorLinux/LXD/WordPress/Hosting SavantCommented:
1) - easy to remember

Nope. If you can remember it, likely it's to simple.

or generate...

Easy. I use this simple little script, called random on all my machines/containers...

sub random {
    $ENV{LC_CTYPE} = "C";
    my $bytes = shift;
    my ($pass) = `tr -dc 'A-Za-z0-9' < /dev/urandom | head -c$bytes`;
    return $pass;

my $bytes = shift(@ARGV) || 16; 

my $pass = random($bytes);

print $pass, "\n";

Open in new window

2) - not the same as your other passwords

Correct. At least for me, I use a unique 16-32 byte password for every account.

3) - not easy for others to guess

If you use 16-32 random characters, guessing is possible... if you have data worth dedicating a farm of super computers to crack.

Otherwise you're good.

4) - more than 6 characters

To short, for me. 16 chars is my minimum.

5) - contains at least one of ALL these: uppercase character, lowercase character, number, "allowed" punctuation-mark

Myth. Actual characters don't matter. Number of characters does matter.

I use alpha numerics, so I can cut + paste passwords easily, without working about special characters requiring me to manually drag over characters.
btanExec ConsultantCommented:
Strong passphrase with sufficient length of 12 alpha numeric and easy to remember so that you will not to default to writing down and pasting in post slips
Not too bad for a passphrase like “bolt vat frisky fob land hazy rigid,” which is entirely possible for most people to memorize. Compare that to “d07;oj7MgLz’%v,” a random password that contains slightly less entropy than the seven-word Diceware passphrase but is significantly more difficult to memorize.
Active Protection takes the fight to cryptojacking

While there were several headline-grabbing ransomware attacks during in 2017, another big threat started appearing at the same time that didn’t get the same coverage – illicit cryptomining.

Lee W, MVPTechnology and Business Process AdvisorCommented:
Did you ever read this?

How about this:

My password policies are MINIMUM 16 characters.  PERIOD.

And I use KeyPass as a password manager with unique passwords for everything.

AND PLEASE, NEVER answer those security questions truthfully!
not the same as your other passwords

Yes, and no. Its a practice no one is really interested in following in the real world. In a utopia, sure. Good idea in principle, not something the masses will follow.

not easy for others to guess

There is no such thing as an easy to guess password. "Password1!" is just as hard to 'guess' as "sdfkjskldjfDS()*&*(F&897dsfsd" when you're talking about a human trying to random guess a password. Passwords are not guessed though, they are brute forced via dictionary attacks or rainbow tables. A person cannot easily guess any password, no matter how simple you think it is other than random pot luck which doesn't really fly in the real world. The whole hollywood thing of sitting there thinking, oh what was their birthday and their daughters name to guess a password is just rubbish.

more than 6 characters

Yes, 6 is quite low though. I don't see why people cannot remember a phrase 16+ characters long. Easy to remember and tough to crack. Combined with 2FA a winning combination.

contains at least one of ALL these: uppercase character, lowercase character, number, "allowed" punctuation-mark
easy to remember or generate

"Password01!" is considered an insecure password, but it meets your complexity requirements while being easy to remember. Complexity does not equal a strong password. Which is a better password to you?

the cow jumped while fixing my engine

Both are easy to remember.
1 meets your complexity requirements but is considered weak.
1 does not meet your complexity requirement but is considered a very strong password.

I'm really tired of alphanumeric password requirements, because they're rubbish and encourage people to pick easy to crack short passwords. Security questions are a rubbish idea, people usually pick stuff they won't remember or is publicly accessible on their social media profile. When it comes to passwords, length is king. Also 2FA, I think 2FA might have been mentioned many times. But just in case, 2FA. 1 more time, 2FA.
Terry WoodsIT GuruCommented:
Other valuable qualities of a password, in my experience helping people manage their login details, are:

* Start every password with a capital letter. If you ever send someone a password in Outlook, sometimes it capitalises the first letter, and it reduces the number of problems you deal with if you just create them all with a capital letter at the start.
* Avoid special characters unless you have to use them, and just use a longer password instead. They often prevent a double-click of the mouse from selecting the password for easy copying and pasting. This is just a convenience thing.
* Use dictionary words that people have heard about, but aren't related to each other. Capitalising the first letter of each one means you don't need to put space characters into the password. A few numbers at the end are fine too eg CorrectHorseBatteryStaple927 The reason for this suggestion is that the password is easier to communicate verbally to others and you only need to read it a small number of times to be able to type it in. A random collection of characters is much slower to manually enter.

I've found the above ideas extremely helpful when helping people manage their login details, but don't apply to every situation... just use them as you need. They don't give maximum security, but in a lot of cases that's not the only concern. I've dealt with numerous frustrated people who have been locked out of their own account because they've been unable to correctly type a difficult-to-read password!

I also recommend signing your email addresses up to the service to get alerted if any of your accounts are known to be hacked.
Dave FordSoftware Developer / Database AdministratorAuthor Commented:
Thanks to all who responded!

n2fc: Thanks! Those are some good suggestions

David Favor: if your password is truly random, how do you remember the one for each site?

btan: thanks for the suggestion to increase the minimum length

Lee W, MVP:  thanks! If you use a different passphase for each site, how do you remember it?

Learnctx: thanks!

Terry Woods: Thanks! How do you remember the passwords for each site?
Lee W, MVPTechnology and Business Process AdvisorCommented:
Web browser password managers and Keypass.
Terry WoodsIT GuruCommented:
I've been using LastPass which is a (free) cloud based password management tool that is installed to each browser you use as a browser extension. It requires an email address and master password to unlock.

Keypass, as I understand it, creates a local database file containing all your secret data; it requires a master password to unlock.
btanExec ConsultantCommented:
KeePass is nice and a free open source password manager too. As mentioned it is local database. Essentially a flat file encrypted and protected using one single master password or select the key file to unlock the database. Also there is notebook and mobile phone version
Lee W, MVPTechnology and Business Process AdvisorCommented:
I put my Keypass database on OneDrive.  It's accessible to me through iOS, Android, Windows, on any device I have.  And even if OneDrive gets hacked, they have to then hack Keepass... so I feel fairly comfortable this way.
Dave FordSoftware Developer / Database AdministratorAuthor Commented:
So, bottom line, none of you have to actually remember any passwords since you store them in some form of an external database. That's cool. Thanks.
Terry WoodsIT GuruCommented:
I make a point of memorising just a few important passwords: my master password for LastPass, my email account passwords for accessing webmail, and my internet banking password.
Dave FordSoftware Developer / Database AdministratorAuthor Commented:
Personally, I use a password "algorithm" to generate a distinct password for every site. There are an infinite number of possible algorithms, but as long as I stick to the pattern, I don't have to remember ANY password. I just need to remember the one algorithm.

For example, here's a sample algorithm:

- use the first word in name of the site and increment each letter by 2 characters
- append the "number of characters in the password plus 5" to the end
- change the third character to a dash ("-")
- lastly, repeat the same list of digits but backwards

With this algorithm, my password for would be: co-bqp1111pqb-oc

The end result is easy to generate, it's difficult for someone else to guess, and it's almost impossible to "reverse engineer" the algorithm if someone were to find out your password.

(Note that this example is not my personal algorithm. It is only an example that I just made up right now.)

Thanks again!
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.