Choosing Good Passwords

We stumbled across the following article recently regarding Choosing Good Passwords, and thought it was definitely worth sharing. It’s from 2009, but all the guidance is still valid today. We strongly recommend you create one or more Password Generator Policies within Passwordstate, which encourage your users to use complex passwords.

Article Source –

How hard is it to choose a good password? Most people believe that choosing a good password is easy. After all, how is somebody going to guess my wife’s maiden name?
In reality, people usually choose poor passwords. In 1990 [Klein 1990] an attempt to crack a large password database revealed over three hundred passwords in the first fifteen minutes! One fifth of all passwords were obtained in the first week and approximately one quarter were cracked by the end of the search. More than half of the cracked passwords were six characters or less and some accounts didn’t even have a password.

An intruder only needs one password!

Choosing a good password is a trade-off between something that is difficult to guess versus something that is easy to remember. While @G7x.m^l is probably a good password, nobody will remember it and it is certain to appear as a sticky note attached to a terminal. Conversely, your first name is very easy to remember, but it is also trivial to guess.

Some simple rules of thumb

Some simple guidelines that will help you choose better passwords are:

  • A password should be a minimum of eight characters long.
  • Try to include some form of punctuation or digit.
  • Use mixed case passwords if possible.
  • Choose a phrase or a combination of words that make the password easier to remember.
  • Do not use a word that can be found in any dictionary (including foreign language dictionaries).
  • Do not use a keyboard pattern such as qwertyui or oeuidhtn (look at a Dvorak keyboard).
  • Do not repeat any character more than once in a row like zzzzzzzz.
  • Do not use all punctuation, all digit or all alphabetic.
  • Do not use things that can be easily determined such as:
      • Phone numbers.
      • Car registration.
      • Friends’ or relatives’ names.
      • Your name or employment details.
      • Any date.
  • Never use your account name as its password.
  • Use different passwords for each machine.
  • Change the password regularly and do not reuse passwords.
  • Do not append or prepend a digit or punctuation mark to a word.
  • Do not reverse words.
  • Do not replace letters with similar looking numbers. For instance, all of the letters i should not be blindly replaced by the digit 1.

    Cracking passwords

    The principle behind password cracking is quite simple: take a large word list, encrypt each word and check if the encrypted string matches the user’s password. Word lists that are used frequently include English and other language dictionaries, common names, pet names, television and movie characters, character patterns on keyboards (for example, qwerty) and jargon or slang terms.

    To allow for the case that the user has not chosen a word in your word list, an intruder can and usually will apply a large number of simple rules to each word in the word list and check if any of these encrypt to the user’s password. Typical rules include appending and prepending digits and other punctuation characters to words, reversing words, capitalising words, converting words to all upper or all lower case, substituting letters or digits for other letters and naturally many combinations of these. Since computers are fast, applying these rules and encrypting the resulting guess doesn’t take much time and a lot of guesses can be made in a very short time.

    In addition, a CD based database is supposed to have been produced that contains every word in a large dictionary plus many rule based permutations of these words encrypted in every possible manner. This reduces password cracking to a simple (and fast) database lookup.
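The rules of thumb above and the mangling rules just described are two sides of the same check: a password is weak if a cracker's rules would reduce it to a word in a list. The following proactive checker is an added example, not code from the original article or from Passwordstate; it applies the article's rules of thumb (length, mixed case, digit or punctuation, repeated characters, single character class, keyboard patterns, account name) and then undoes the common manglings (case, reversal, appended or prepended digit or punctuation, letter-for-digit substitution) before looking the result up. The dictionary, keyboard rows and substitution map are constructed for the demonstration; a real deployment would load the large word lists the article mentions.

```python
"""
Proactive password checker implementing the article's rules of thumb and
undoing the simple mangling rules its "Cracking passwords" section describes.
Added illustration; not the article's or Passwordstate's code.
"""
import re
import string

MIN_LENGTH = 8

# Constructed toy dictionary for the demonstration; a real checker loads large
# word lists (several languages, names, slang) as the article describes.
DICTIONARY = {"password", "welcome", "together", "secret", "dragon", "letmein"}

# Keyboard rows (QWERTY and Dvorak) used to spot patterns such as qwertyui
# or oeuidhtn.
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
                 "pyfgcrl", "aoeuidhtns", "qjkxbmwvz"]

# Common digit/symbol-for-letter substitutions that crackers undo.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})


def _core_word(pw):
    """Strip leading/trailing digits and punctuation (the 'append a digit' rule)."""
    return pw.strip(string.digits + string.punctuation)


def _candidates(pw):
    """Forms a cracker's rules would reduce the password to before a lookup."""
    forms = set()
    for base in (pw, _core_word(pw)):
        low = base.lower()
        deleet = low.translate(LEET)
        forms.update({low, low[::-1], deleet, deleet[::-1]})
    return forms


def _keyboard_pattern(pw, run=4):
    """True if `run` consecutive keys of a keyboard row appear, in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            seq = row[i:i + run]
            if seq in low or seq[::-1] in low:
                return True
    return False


def check_password(pw, account_name="", dictionary=DICTIONARY):
    """Return the list of rules the password breaks; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isdigit() or c in string.punctuation for c in pw):
        problems.append("no digit or punctuation")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("not mixed case")
    if re.search(r"(.)\1\1", pw):   # three or more of the same character in a row
        problems.append("same character repeated in a row")
    if pw.isalpha() or pw.isdigit() or all(c in string.punctuation for c in pw):
        problems.append("only one class of character")
    if _keyboard_pattern(pw):
        problems.append("keyboard pattern")
    if account_name and pw.lower() == account_name.lower():
        problems.append("same as account name")
    if _candidates(pw) & set(dictionary):
        problems.append("dictionary word, possibly mangled")
    return problems


if __name__ == "__main__":
    for sample in ("gOt%L0st!", "T0gether", "Welcome1!", "drowssaP1", "Aaaaaaaa", "qwertyui"):
        print(sample, check_password(sample) or "OK")
```

Run against the article's own samples, gOt%L0st! passes while T0gether is caught because undoing the 0-for-o substitution yields a dictionary word; Welcome1! and drowssaP1 show the appended-digit and reversed-word rules being undone.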

    How long is a good password?

    The simple answer to this is that in general the longer the password the better.

    Assuming that you’re using a reasonable selection of characters for your password, say letters and numbers, then the following table presents the number of passwords possible for the various choices of length. It also includes an estimate of how much time would be required to crack the password using a brute force attack.

    The cracking time field is derived from a report in September 1993 that claimed the record for the speed of cracking passwords. The claim was that 6.4 million passwords per second could be tested. Given that computer speeds are increasing continuously, the following times are almost certainly overestimates of the actual time required.

    Number of passwords for each length

    Length   Number of passwords                   Cracking time
    ------   -----------------------------------   ----------------------------
    1        Not nearly enough                     Try this by hand
    2        Three thousand                        Almost no time
    3        One quarter of a million              Less than one second
    4        Fourteen million                      Two seconds
    5        Almost one billion                    Two and a half minutes
    6        Fifty six billion                     Two and a half hours
    7        Three and a half trillion             One week
    8        Two hundred trillion                  One year
    9        Thirteen quadrillion                  Seventy years
    10       Eight hundred and forty quadrillion   Forty centuries
    11       (not given)                           A quarter of a million years
    12       Even more                             Sixteen million years

    Having said that longer is better, it is important to note that many machines artificially restrict the length of the password usually by silently truncating what you enter to their maximum length. Since this length is often eight characters under Unix, the rest of this article will assume that an eight character password is being used.

    What characters should a good password contain?

    The previous section assumed that passwords consisted of upper and lower case letters and digits. What happens if this character set is increased or decreased? The following table presents some of the options for eight character passwords:

    Number of eight character passwords

    Type of password                          Cracking time
    ---------------------------------------   -----------------------------
    7-bit ASCII                               Three hundred and fifty years
    Printable characters                      Thirty three years
    Letters and numbers                       One year
    Letters only                              Ninety six days
    Lowercase with one uppercase              Three days
    Lowercase only                            Nine hours
    English words: eight letters or longer    Less than one second

    So clearly, the richer the character set being used, the harder it will be to crack passwords. You should attempt to include as a minimum both upper and lower case characters and if possible, you should also include some digits, punctuation symbols and/or control codes in your password.
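Both tables follow from one calculation: the size of the character set raised to the password length, divided by the guessing rate. The example below is added here and is not part of the original article; it recomputes the length table (assuming the 62 symbols of upper and lower case letters plus digits) and the eight-character table, including the password counts the second table leaves unstated, at the article's 6.4 million guesses per second. Times are worst case, the whole keyspace searched; on average an attacker finds the password halfway through. Modelling "lowercase with one uppercase" as 26^n lowercase strings times n positions for the capital is my assumption, not something the article spells out.

```python
"""
Keyspace and worst-case exhaustive-search time for passwords, at the
6.4 million guesses per second quoted in the article.
Added illustration, not part of the original article.
"""

GUESSES_PER_SECOND = 6_400_000          # 1993 record quoted in the article
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Character-set sizes for the categories in the eight-character table
CHARSET_SIZES = {
    "7-bit ASCII": 128,
    "Printable characters": 95,
    "Letters and numbers": 62,
    "Letters only": 52,
    "Lowercase only": 26,
}

UNITS = [("century", "centuries", 100 * SECONDS_PER_YEAR),
         ("year", "years", SECONDS_PER_YEAR),
         ("week", "weeks", 7 * 86400),
         ("day", "days", 86400),
         ("hour", "hours", 3600),
         ("minute", "minutes", 60),
         ("second", "seconds", 1)]


def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly `length` symbols over the alphabet."""
    return alphabet_size ** length


def keyspace_lowercase_one_uppercase(length):
    """Assumption: 26^n lowercase strings times n possible positions for the capital."""
    return length * 26 ** length


def seconds_to_crack(candidates, rate=GUESSES_PER_SECOND):
    """Worst case: every candidate is tried. The average is half of this."""
    return candidates / rate


def humanize(seconds):
    """Express a duration in its largest natural unit, as the article's tables do."""
    for singular, plural, size in UNITS:
        if seconds >= size:
            n = seconds / size
            return "%.1f %s" % (n, singular if round(n, 1) == 1.0 else plural)
    return "less than one second"


def length_table(alphabet_size=62, max_length=12, rate=GUESSES_PER_SECOND):
    """Rows of (length, keyspace, time) reproducing the first table."""
    rows = []
    for n in range(1, max_length + 1):
        size = keyspace(alphabet_size, n)
        rows.append((n, size, humanize(seconds_to_crack(size, rate))))
    return rows


def charset_table(length=8, rate=GUESSES_PER_SECOND):
    """Rows of (type, keyspace, time) reproducing the eight-character table."""
    rows = [(name, keyspace(size, length)) for name, size in CHARSET_SIZES.items()]
    rows.append(("Lowercase with one uppercase", keyspace_lowercase_one_uppercase(length)))
    rows.sort(key=lambda r: -r[1])           # richest character set first
    return [(name, n, humanize(seconds_to_crack(n, rate))) for name, n in rows]


if __name__ == "__main__":
    for row in length_table():
        print("%2d  %-25d %s" % row)
    for row in charset_table():
        print("%-30s %-25d %s" % row)
```

Substitute today's hash rates for GUESSES_PER_SECOND to see how far the 1993 figures have moved; the ordering of the rows, which is the article's real point, does not change.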

    Rarely used passwords and secure storage

    There is one situation where writing down your password is a good idea – protecting something important that doesn’t require credentials very often. For instance, the root password on a server probably doesn’t need to be used every day.

    In a case like this it is a good idea to create a long, very complex password that is hard to remember, write it down and store the password in some kind of secure storage (like a safe). On the rare occasion that the password is needed it can be retrieved from storage and used (and the password then returned to storage). The password should still be changed regularly.

    Balancing Risk

    Of course, situations vary. If you find that you (or your users) have a tendency to forget passwords and start making simpler, less secure passwords it may be better to use a complex password and write it down.

    Just remember that if anyone gets a hold of the written down version they have a free pass into the system. Any written down passwords should not be kept on or near your computer and preferably should not be kept near any information that identifies you. Store it securely – a locked drawer is much better than your wallet.

    Examples of how to construct good passwords

    So now that typical bad passwords have been discussed, how is a good password constructed? Try combining two or more words together or taking the first (or second or last) letter of each word in an easily remembered phrase. Then mangle the result by adding capitals, digits and punctuation characters. As an extra measure, control characters can also be introduced.

    Some examples of using multiple words with punctuation

    Here is a pair of good examples of using multiple words:

  • gOt%L0st! – got lost!
  • heLP4me$ – help for me (money)

    And here is a bad one:

  • T0gether – to get her

    Some examples of using a phrase

    Here are three good examples of using phrases:

  • rsKf0myH – Raindrops keep falling on my head.
  • wru2rxy? – Who are you to ask why.
  • bWiIso3! – Beware the ides of March!

    And here is a bad one:

  • Aaaaaaaa – Always assert an ambiguous axiom and argue aggressively.

    Passwords to never, EVER use

    There is a very handy list of the worst 500 passwords over at What’s My Pass? In addition to that, all the sample passwords listed in this article are now known, and should not be used by anyone.


    References

    [Klein 1990] Klein, D.V.; “Foiling the Cracker”: A Survey of, and Improvements to, Password Security (revised paper with new data). Proceedings of the 14th DoE Computer Security Group, May 1991.

    [What’s My Pass?] The Top 500 Worst Passwords of All Time, November 2008.


Generate Random Passwords

Passwordstate has a quite capable Password Generator, and can be used in a couple of ways – each user can have their own personal Password Generator options, or specific options can be assigned to individual Password Lists. We’ll run through some of the options now:

Alphanumerics & Special Characters
You can specify which letters, numbers and special characters will be used when generating passwords by selecting the appropriate options on the ‘Alphanumerics & Special Characters’ tab. Options are:

  • Include Alphanumerics & Special Characters – if omitted, then only ‘Word Phrases’ will be used to generate the passwords
  • Length – specify the minimum and maximum length of characters/numbers generated
  • Lower-case – choose if you want to include lower-case characters
  • Upper-case – choose if you want to include upper-case characters
  • Numbers – choose if you would like to include numbers
  • Include higher ratio of alphanumerics vs special characters – if you also choose to include special characters, you can have the generator use a higher proportion of alphanumeric characters than special characters
  • Include ambiguous alphanumerics – characters like I, l and 1 may be confusing because it is difficult to read which they are, so you can choose to exclude them
  • Include the following special characters – you can use the predefined ones, or modify them to suit your own requirements
  • Include the following brackets – again, you can choose the predefined brackets, or just specify the ones you want to use
Alphanumeric Password Generator Options


Word Phrases
To make the passwords a little easier to read and remember, you can also choose to insert random words within the password itself. There are 10,000 random words which can be used. Options are:

  • Include Word Phrases – to include them or not
  • Number of Words – how many words you would like inserted in the password
  • Maximum Word Length – specify the maximum length of the word which will be generated
Word Phrase Password Generator Options


Generate Passwords
And now that you have specified all the settings for generating your password(s), on this tab you can specify how many passwords you would like to generate.
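The three tabs together amount to a small set of generator options: a length range, the character classes to draw from, the special characters and brackets to allow, whether to drop look-alike characters, how strongly to favour alphanumerics, and how many words to insert. The following generator is an added example of those options in working code; it is not Passwordstate's implementation, and the option names, the ambiguous-character set and the eight-word list are constructed for this illustration (the product draws from a 10,000-word list). Turning every character class off while keeping word phrases corresponds to omitting the ‘Include Alphanumerics & Special Characters’ option.

```python
"""
Password generator with the same knobs as the Passwordstate tabs described above.
Added illustration only, not the product's code: option names, the ambiguous
set and the word list are constructed for this example.
"""
import secrets
import string
from dataclasses import dataclass

AMBIGUOUS = set("Il1O0|")   # look-alike characters excluded when requested

# Constructed eight-word list standing in for the product's 10,000-word list
WORDS = ["harbour", "violet", "granite", "meadow",
         "copper", "falcon", "summit", "lantern"]


@dataclass
class GeneratorOptions:
    min_length: int = 10            # Length: minimum characters
    max_length: int = 14            # Length: maximum characters
    lower: bool = True              # include lower-case letters
    upper: bool = True              # include upper-case letters
    numbers: bool = True            # include digits
    specials: str = "!@#$%^&*"      # "Include the following special characters"
    brackets: str = "()[]{}"        # "Include the following brackets"
    exclude_ambiguous: bool = True  # drop I, l, 1, O, 0 and |
    favour_alphanumerics: bool = True   # higher ratio of alphanumerics vs specials
    word_count: int = 0             # Word Phrases: number of words to insert
    max_word_length: int = 6        # Word Phrases: maximum word length


def allowed_chars(o):
    """Return (alphanumeric pool, special pool) after applying the options."""
    alnum = ""
    if o.lower:
        alnum += string.ascii_lowercase
    if o.upper:
        alnum += string.ascii_uppercase
    if o.numbers:
        alnum += string.digits
    special = o.specials + o.brackets
    if o.exclude_ambiguous:
        alnum = "".join(c for c in alnum if c not in AMBIGUOUS)
        special = "".join(c for c in special if c not in AMBIGUOUS)
    return alnum, special


def _random_char(alnum, special, favour_alnum):
    """Pick one character; about three alphanumerics per special when favoured."""
    if not special:
        return secrets.choice(alnum)
    if not alnum:
        return secrets.choice(special)
    if favour_alnum:
        return secrets.choice(alnum) if secrets.randbelow(4) else secrets.choice(special)
    return secrets.choice(alnum + special)


def generate_password(o, words=WORDS):
    """Random characters up to a chosen length, with word phrases inserted within."""
    alnum, special = allowed_chars(o)
    if not (alnum or special) and o.word_count == 0:
        raise ValueError("no character classes or word phrases selected")
    if o.max_length < o.min_length:
        raise ValueError("maximum length is below minimum length")
    length = o.min_length + secrets.randbelow(o.max_length - o.min_length + 1)
    eligible = [w for w in words if len(w) <= o.max_word_length]
    chosen = ([secrets.choice(eligible).capitalize() for _ in range(o.word_count)]
              if eligible else [])
    fill = max(0, length - sum(len(w) for w in chosen))   # characters still needed
    pieces = ([_random_char(alnum, special, o.favour_alphanumerics) for _ in range(fill)]
              if (alnum or special) else [])
    for w in chosen:   # insert each word at a random position inside the password
        pieces.insert(secrets.randbelow(len(pieces) + 1), w)
    return "".join(pieces)


def generate_passwords(o, count=5, words=WORDS):
    """The 'Generate Passwords' tab: produce a batch of `count` passwords."""
    return [generate_password(o, words) for _ in range(count)]


if __name__ == "__main__":
    for pw in generate_passwords(GeneratorOptions(word_count=1), 5):
        print(pw)
```

All randomness comes from the `secrets` module rather than `random`, which matters for anything that will become a credential; the per-user versus per-Password-List assignment described above is a matter of which GeneratorOptions instance is handed to the generator.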

Generate Random Passwords


We hope you find this blog post useful, and please let us know if you have any other suggestions for posts you would like to see about our Password Manager software.

Click Studios

Passwordstate 4.5 Released with Password Generator

Hi Everyone,

Passwordstate 4.5 is now available with the following changes:

  • New – Added Random Password Generator allowing bulk creation of passwords (Ref 45.01)
  • New – Added optional feature for automatically generating a random password when creating a new password record (Ref 45.02)
  • Fix – Fixed a bug where IPv6 IP Addresses could not be added to the Audit table (Ref 45.03)
Passwordstate Password Generator


For customers wishing to upgrade, please follow these instructions:
