What Makes A Password Good Or Bad?

12 July 2017
 Categories: , Blog


Many websites and network-based services have password requirements that sound like something out of a World War II code book. There are reasons for the complexity in some cases, but since anyone can make up any password requirements they want, there are some silly and excessive requirements out there that do more harm than good. To understand the password requirement conundrum for both your own personal password creation and for writing site policies, here are a few password security details.

How Many Letters? What Special Characters?

Password requirements on many websites have requirements along the lines of minimum 8 characters, with letters, numbers, and special characters. To understand why this is necessary to an extent, you need to know the embarrassing ways that "hackers" in the early 2000's and prior--and unfortunately, a few institutions today--were able to break into computer systems.

One popular form of password breaking or cracking was the dictionary attack. This is an automated set of code called a script that simply tries all words in the dictionary. There are improvement upon the attack, such as trying different capitalization. Many early computer users had too much trust in the system, partially because there was little reason to break into computers and few people who had the means to try.

When financial and government institutions got into the internet, there was obvious incentive to try. Making a password more complex by adding numbers and special characters means that a brute force attack has to try harder--by spending more time--to break in. It increases break-in time to hours, or even years by estimation unless the attacker gets lucky.

Other protections against dictionary attacks are limiting the amount of logins. If you've ever wondered why your account gets locked after a certain amount of tries, it's because the system is designed to slow down automated attacks. You getting the password wrong is an unfortunate consequence that is fixed by memorizing your password properly, but what happens if password requirements are ridiculous?

Bad Password, Good Password, Or Weird Requirements?

A "good" password is a subject under constant debate, but the current middle ground is a mixture of letters, numbers, and special characters while avoiding single dictionary words. This means that instead of using the word "dresser", you're combine "dresser" and "mirror" with a few other requirements. 

Here's an example of how to turn dictionary words into passwords that you can memorize. Dressers, for example, are made of wood usually. Avoid obvious associations, which means don't use oak, pine, or other wood types along with the word dresser. Instead, think of something personal that you associate with the dresser, such as a picture, specific content, or a memory of the dresser.

Good passwords, including upper and lower case letters with special characters, would be:

  • FlashlightDresser2003
  • DresserFromMargaret4000

Or, using the 1337 trend from the 90's internet culture to replace letters with numbers:

  • FL45h19h7Dr3553r2oo3
  • Dr3553rFr0mM4r94r374ooo

Some websites need 10, 15 or more character passwords. This is a notorious part of some government and military systems, and just as notorious is a password sequence used by the lazier users to get around the system:

  • [email protected], from pressing the top letter row with caps off, then on, and then 1 and 2 in the same way. The same thing can be done along any row of keys.

To avoid such common password exploits that can be guessed, secure password managers can create highly-complex passwords that can't easily be guessed. You can use a master password to access the system, so contact a password management professional to get an understanding of the system and other requirements.