How to create a good password

Every person reading this needs to know a password or two. Probably a lot more than two. So much of what we do every day is done online where being able to safely and securely identify ourselves is uber-important, and companies offering services are obligated to give you what's needed to make that happen. That means a username and a password.

It also means that your password simply has to be good. In this case, "good" means complex enough that it's not easy to guess and difficult to brute-force, with an easy way to manage them all because you never use the same password twice. It's complicated and a part of everyday life.

Making good passwords and keeping track of them all can suck. Here's a fun little test: open 10 instances of a blank page in any note-taking app or program. In each, type out a random string of characters. Now go back and look at them all and see if you can find the places where your typing is anything but random. That happens because of ergonomics, and because whatever keyboard we use (physical or virtual) has the same characters in the same place. If furiously banging (or tapping) on keys can't create a random password, what can we do?

A good password

Typically, a good password is eight unique and randomly ordered characters, written in the form of a single word. That doesn't mean a passphrase that's eight characters long, but that there are eight characters — including numbers, symbols, and punctuation — in the passphrase that are not repeated. Why eight? Because that's what researchers have determined: eight characters bring the minimum amount of information entropy needed to be secure. I'm a bit of a math nerd and in case you are too, the formula used to calculate how much entropy a password has is:

$$H = \log_2 N^L = L \log_2 N = L \, \frac{\log N}{\log 2}$$

Where N = number of possible characters, L = number of total characters in the passphrase. H = entropy in bits (log is any base).

That's not very useful to anyone who isn't an information security analyst who specializes in cryptology, math nerd or not. It's just here to show that there are people who have figured things out and recommended to Google that it require an eight-digit password. For our purposes, a good password is one that is complex enough to meet the criteria without making our head spin around in circles. According to those folks mentioned above, a good human-generated password should:

  • Use a minimum length of 8 unique characters, and up to 15 if permitted.
  • Include lowercase and uppercase alphabetic characters, numbers and symbols if permitted.
  • Be unique.
  • Include no words found in any dictionary of any language.
  • Include no proper names.
  • Include no numerical information about yourself (no birthdays, anniversary dates, etc.).
  • Contain no numeric sequences based on well-known numbers (911, pi, 999, etc.).
  • Be accompanied by easy to guess password restore security questions.

OK, so this means we're probably not going to want to use something like ABC123 or OICU812. There's a reason for this, and it's one we can all understand — computers have become incredibly powerful in a very short time and cracking passwords using brute-force attacks can be automated on rented equipment.

You can even try to crack passwords using a phone instead of a supercomputer. Technology has come a long way in the last 10 years.

An attacker can rent an unlimited amount of GPU cores from Amazon for as little as $3 each and use them to run dictionary-based attacks against lists of known accounts until Amazon catches on and shuts them down. The people who do this aren't looking for you or me (unless we're like rich and famous) and are instead just trying to breach as many accounts as possible. It really sucks when one of those accounts is yours.

Making a good password

Now that we can appreciate how difficult a task researchers and cryptologists face when they decide what constitutes a good password, let's talk about how to make one.

There won't be any math here because the answer is simple — use the password generator tool that a good password manager has. There's no reason not to do it — you'll need some sort of password management system that you can keep with you and there are plenty of good password manager apps available for free in Google Play. If you insist on generating your own password by hand, remember the basic guidelines above and don't keep a list of your passwords on your phone. It can be done, even though it's a lot more work.

If you decide to let the pseudo-random wizard inside a password manager app build passwords for you, here are a few tips:

  • Make a strong master password and change it every six months.
  • Don't keep a copy of the master password on your phone but do keep a copy somewhere safe.
  • Make every password a minimum of 8 characters.
  • Blacklist characters that are hard for a human to read (the numbers zero and one, the lower case letter L, the upper and lower case letter O, and the piping symbol | are examples). You might need to enter the password by hand from time to time!
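What a generator following these tips does, together with the entropy formula H = L log2 N from earlier, as an added example that is not part of the original article or any particular password manager's code. The names AMBIGUOUS, build_classes, entropy_bits and generate are hypothetical, and the alphabet is assumed to be printable ASCII.

```python
import math
import secrets
import string

# Characters the tip above suggests excluding because they are easy to misread.
AMBIGUOUS = set("01lOo|")

def build_classes(exclude=AMBIGUOUS):
    """Lowercase, uppercase, digit and symbol classes minus excluded characters."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return ["".join(ch for ch in cls if ch not in exclude) for cls in classes]

def entropy_bits(alphabet_size, length):
    """H = L * log2(N) for L characters drawn uniformly from N possibilities."""
    return length * math.log2(alphabet_size)

def generate(length=15, exclude=AMBIGUOUS):
    """Build a password from the OS CSPRNG with every character class present."""
    if length < 8:
        raise ValueError("the guidelines above call for at least 8 characters")
    classes = build_classes(exclude)
    alphabet = "".join(classes)
    while True:
        # Draw every position uniformly, then retry if a class is missing.
        # Rejecting candidates trims the search space a little, so the value
        # from entropy_bits() is an upper bound for these passwords.
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in classes):
            return candidate

if __name__ == "__main__":
    n = len("".join(build_classes()))
    for length in (8, 15):
        bits = entropy_bits(n, length)
        print(f"{generate(length)}  N={n}  L={length}  H<={bits:.1f} bits")
```

Dropping the six hard-to-read characters shrinks N from 94 to 88, which costs less than one bit of entropy on an 8-character password.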

Also, make sure to keep your password manager app up to date and only use one from a company you trust. And don't forget to use two-factor authentication for every account that offers it.

Jerry Hildenbrand
Senior Editor — Google Ecosystem
