Password best practices (part 1)

Why is this important?

With more and more of our personal information going into the “cloud” and one of the most common crimes being identity theft, account security is of the utmost importance. I’ll cover many different aspects of maintaining a secure presence online, but today am focusing on passwords.

Why is password security hard?

The human brain is not well equipped to handle good password security like it is with physical security. That which makes passwords hard to crack also make them hard to remember. For example, a good password following traditional advice is: TR9rIMwT^JXkns^&$XU&v9!x. Do we really have the capability to remember such a password? This is a problem almost everyone faces when dealing with password security.

What’s the solution?

The solution comes in two parts. This post will cover selecting a secure password that is both hard to crack and easy to remember. It is called “Password Haystacks” and comes courtesy of Steve Gibson of

Lifted from his site:

Which of the following two passwords is stronger, more secure, and more difficult to crack?


You probably know this is a trick question, but the answer is: Despite the fact that the first password is HUGELY easier to use and more memorable, it is also the stronger of the two!

If you want a semi-technical explanation, go to GRC’s Haystacks page. If not, keep reading for my layman’s explanation below.

Steve did some number crunching and realized that when it comes to cracking a password, length almost always trumps complexity. If you have a minimum of complexity (at least one character from the uppercase, lowercase, numbers and symbols groups), then anything you do to make it longer is almost as good as the same length of hard to remember gibberish. Like the password examples above, just one more character in length, even though it looks simple, more than doubles the time needed to crack a password.

Lets give some more examples:


According to GRC’s calculator, it should take “9.38 hundred billion trillion centuries” to crack under the best circumstances. I’m sure you can remember that.


According to GRC’s calculator, it should take “1.12 minutes” to crack. A very bad example.

You can even use something like your name:
76.43 million trillion trillion centuries

Maybe something even simpler:

God I love Hershey bars!
65.10 billion trillion centuries

Or add a number or two:

God I love Hershey bars!56
8.47 thousand trillion trillion centuries

Even better.

If you don’t like sentences, one of the most common password is “monkey”:

1.21 hundred trillion centuries

Or pad the password, as Steve suggests:

19.31 trillion centuries

Or, even this:

91.92 thousand trillion centuries

As you can see, there are many ways to create length without sacrificing rememberability.

To sum up: length, length, length. Having a longer password is drastically better than having a complicated password. Make your password long, easy to remember and type out. It’s one of the easiest ways to protect yourself online.

Do you want to see how your favorite password stacks up? Head over to GRC’s Haystacks page and see how long it takes to crack.

Coming next time

For a part two hint, head over to Lastpass's site. We'll be discovering how easy it is to have different passwords for each site in a secure, easy manner.

10 notes

  1. dmangus posted this