Reg Exp
Web Design
Notes Client
What Makes A Good Password?
There has been a lot of talk around the office lately about passwords and what's the definition of a "good" password. Obviously, a password that can't be broken is a "good" password. But there's a trade-off between passwords that are easy to remember and passwords that are difficult to break. Let me describe a couple ways to create "good" passwords.

First, let me point out that the passwords that 90% of us use are not good passwords. The name of a pet, your mother's maiden name, or anything that can be found in a dictionary can easily be compromised. And using the "tricks" where the letter 'o' becomes the number '0' (there's more) doesn't help - dictionary attack programs know these tricks. So your passwords have to be something more substantial than that.

I'll give you two techniques here. The first is to take a phrase and manipulate it with words that sound the same but are spelled differently. You want to use a phrase that is obscure so it won't be found in any dictionary. For example, if your parents said something to you when you were a kid and you've never heard it since, that would be a good candidate. Or a product slogan from a product that isn't around any more.

For example, let's take the phrase "dare to be you". We'll now manipulate it to be our password. The word "dare" can be manipulated in a couple of ways. First, the "e" can become a "3" (using one of the "tricks" that everyone knows). And you could also use your own rule that every "a" becomes a capital "Q" or something. Just one simple rule that you always use. So "dare" becomes "dar3" or "dQre" or "dQr3".

The word "to" can be changed to "too" or "two" or even the number "2". And the letter 'o' can be replaced by the number '0' to give us "t0" or "t00" or "tw0". So there's lots of possibilities there.

Next, "be" can be changed to "bee" or "b" or "b3" or "b33" or (with the letter 'b' becoming the number '8') "8e" or "8ee" or "8" or "83" or "833". Again, lots of manipulations possible.

Finally, "you" can become "ewe" or "u" "y0u" or "3w3" or others. Putting these all together you have a pretty secure password because it's not based on something found in a dictionary. And even if someone knew your "catch phrase" (which they shouldn't because the phrase shouldn't be that obvious) then all the different permutations of things makes it difficult to crack.

But an even more secure password comes from writing your own set of rules. Remember when you were a kid and you and your friends had a "secret code" to "encrypt" notes that you passed? This technique follows that same thinking. First, set up your code by defining what each letter maps to. For this example, we'll make it as simple as possible and say that every letter maps to exact opposite in the English language. So 'a' maps to 'z', 'b' to 'y' and so on. Yours should be more complicated than that.

Next, you're going to need to add a couple more simple rules. For example, every 4th letter is capitalized. And right after that capitalized letter is a sequential number starting with 1. Then you take your user name and apply your rules and you end up with your password.

For example, let's say I have a user name of "mattholthe" and apply the rules listed above. The letter 'm' becomes 'n', 'a' becomes 'z', 't' becomes 'g', 'h' becomes 's', 'o' becomes 'l', 'l' becomes 'o', and 'e' becomes 'v'. Every 4th letter is capitalized and is followed by a sequential number starting with 1. So for the user name of "mattholthe" I have a password of "nzgG1sloG2sy". Think anything's going to crack that password?

As long as you can remember your user name, you can figure out your password. And even if you need help remembering your rules, that help can be written down in a way so it's not obvious that it has anything to do with your passwords.