So here goes!
First order of business: Forget about the password, start thinking of the pass phrase. Like it or not, a short sentence can easily be more secure than a complex password. Example 1: Randomly generated password: “Tda,%Bn&x+in”. This has an entropy of 12 upper/lower-case characters, numbers and special signs. It’s also pretty much impossible to remember.
Example 2: “I huggled an owl while sitting in a tree!” has an entropy of 41 lower/upper-case characters and special signs.
How hard are either of these to guess? Lower case characters add 26 variations. Uppercase adds another 26. Numbers add 10 (0-9), and special signs add… let’s say 32. There’s more, but that’s how many I found easily accessible on my keyboard.
Example 1: (26+26+10+32)^12 ~= 4,75 * 10^21 combinations.
Example 2: (26+26+32)^41 ~= 7,86*10^78 combinations.
Clearly, example 2 is much harder to guess at random. Which one is easier to remember? I’d certainly have to write down the password in Example 1, there’s no way to remember that! Example 2? Very easy to remember. Can easily add in more entropy by replacing “an” with “1” (as in ‘ 1 owl’), and get an entropy of 7,91 * 10^80.
All the tech-babble aside, here’s a few tips for making a pass phrase:
- A sentence which makes sense to you. Doesn’t have to make sense to anyone else.
- Spelling mistakes are great, as long as you know you’ll manage to remember them.
- Might be useful to use a sentence which you associate with the service you’re logging in to; Such as “2day’s a great day to blog!”
- Don’t ever use examples you’ve encountered on the web
- Don’t let any third party know of your passphrases.
- Don’t ever use online password-generating services. The connection may be encrypted(https), but that’s no guarantee they’re not compromised or logging the generated passwords in combination with your IP.
- Don’t ever use common phrases, such as a literal song text. If you do, make sure to add a personal twist to it so that a smart dictionary attack can’t guess it.