Philosophical Multicore

Sometimes controversial, sometimes fallacious, sometimes thought-provoking, and always fun.

Password Security

Posted by Michael Dickens on July 3, 2009

How do you know if your password is secure? Here I provide some explanation as well as some tips.


Notice: All password length estimates are for moderate security; for extremely long-term or high security, the password should be half again as long. Longer than that is excessive. It is possible to get away with passwords about half as long (see this for some real-life timing data) but for a good security margin, passwords should be as long as my estimates. Modern encryption algorithms use 128-bit keys, even though according to Moore’s Law those won’t be breakable for another hundred years. Really secure systems use 256-bit keys, which won’t be breakable for another three hundred years if all goes well. So since encryption algorithms are conservative, I will also be conservative, and will assume a 128-bit margin of security. It is possible to get away with less, but a truly secure password should contain 128 bits of information.

In the best-case scenario, your password is a random combination of characters. And I don’t just mean letters: I mean all characters. There are 95 possible characters total (see Wikipedia). For good security, a completely random password should be at least 20 characters long.

But you’re probably like the rest of us, and have difficulty memorizing (not to mention typing) that sort of thing. So let’s restrict passwords to only letters (capital and lowercase) and numbers, allowing for 62 characters. A completely random password of this sort should be 22 characters long. But if it’s not random, you can still get away with the password being close to the same length; as long as it’s fairly unpredictable and relatively immune to a dictionary attack (see below), 25 to 30 characters should suffice.

If only lowercase letters are included, 28 characters are necessary to ensure security. Unless, of course, the password isn’t random. If it’s made up entirely of words, it should be more like 60 characters.

A password made up of numbers only is very impractical, and I don’t recommend it. Firstly, they’re hard to remember. On top of that, you need 40 random numbers to have really good security.


A dictionary attack is a powerful way of determining someone’s password, and you’ll want to be sure you’re protected against it. A dictionary attack is where someone looks through the dictionary and tries every single word to see if it’s your password. There are also variants, where it tries, for instance, every word in the dictionary followed by the number 1, the number 2, etc. There are also more complicated variants that factor in multiple words and combinations of numbers.

It is acceptable if your password contains words, but they should be surrounded in numbers and/or random characters for protection against dictionary attacks. Try using a made-up word that only you know, or a number sequence that has a special meaning to you.

See this site for more information.

Have some method of differentiating passwords based on what the password is for.

One way to generate unique passwords is to choose a base password and then apply a rule that mashes in some form of the service name with it. For example, you may use your base password with the first two consonants and the first two vowels of the service name. Say your base password is “asdf.” (See how easy those keys are to type?). Then your password for Yahoo would be ASDFYHAO, and your password for eBay would be ASDFBYEA.


For most web pages, the password I use is a made-up word that only I know. It also has a special form of capitalization, making it even harder to guess.

For more secure purposes, I use two obscure words intermixed with a seemingly random number sequence that has meaning to me, but is virtually unguessable. I recommend something like that for good security. Additionally, though, I don’t just type the two words. Since I am fluent in multiple keyboard layouts, I can set my computer to use one layout but type in the other layout. The result is a string of apparent gibberish. (If I retype the previous sentence using this method, it comes out as “Fek lkjiof ;j s jfl;dg aw svvslkdf y;cckl;jep”.) It’s not hard to decipher if you know the layouts that I use (especially now that I’ve told you), but it makes the password appear random to someone who doesn’t know what I did. If you can do anything similar to this layout change, you definitely should.

Try having multiple words in your password, each in a different language. This makes dictionary attacks much harder, as two or more languages have to be searched. English has far more words than any other language, so try one obscure English word and one word in some other language. It could be an obscure word in a common language such as Latin, or just some word in an obscure language such as Swahili.

At this site, you can find some more info on password security, as well as a password security meter. Check it out.


One Response to “Password Security”

  1. LRFLEW said

    Say you are using a mac (which I know you have). There is a program called Keychain Access. In there, go to File>New Keychain… . Create a Keychain that has a long, but memorable password. When you need to make a very secure password on the internet, go to File>New Password Item… , and put in the name of the site (or a codename, to be more secure), and use the random code generator in there to make a very long, and powerful password. Do this for all the sites you want. For easy access, go into Keychain Access>Preferences… , and select “Show Status in Menu Bar”. That way you have all your passwords under a simple password, but hackers would need direct access to you computer to use that code, and the passwords they do have access to are extremely hard to crack.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: