Guessing someone's password is often frighteningly easy. You can make yours harder in a number of ways.

Avoid common passwords

Some systems also prohibit the most frequently used password. If not, those are what a malicious person would try first: 'password', 'secret', 'god', and your username--that's right, some people actually put the same thing in for their username and password. Don't be that person.

If the guesser knows anything about you, they'll go on to trying relatively personal information: your real name and names of your family members (including pets). For topical sites, they maybe try topical terms ('money' for a bank account password). So avoid all those.

Don't assume they'll quit after a dozen guesses

Many websites have taken to adding CAPTCHAs after the first couple incorrect guesses, thus preventing scripted attacks, but others do not. Maybe I can only guess a hundred passwords before I get tired, but it takes a matter of minutes for me to write a program that automatically tries every word in the English language, and once I start it running, I just have to let it go and check back in a few hours. If I'm really into stealing people's accounts, I'll have a dictionary that doesn't just include English words, but also common misspellings, 1337 versions, and perhaps a good number of foreign words.

Note, however, that checking 100 000 words takes a mere 100 000 tries, whereas checking every possible combination of two of those words takes 100 000 * 100 000 = 10 000 000 000 tries. Combinatorics to the rescue! This is why people now recommend a passphrase rather than a password. Limiting yourself to grammatically correct and actually meaningful phrases reduces the keyspace some, but it's a trade-off between easy recall and difficulty of guessing.

Expand your alphabet

This alphabet quite like you normally think of it. It's the collection o symbols used. If you don't mind a long password, your symbols may be words in the English language. You saw how 100 000 * 100 000 is a big number. What if you chose from any of 200 000 words, or 2 000 000 words?

If you don't use words, but merely characters, your password can be relatively short and still really hard to guess. You don't just have the twenty six characters a-z, but also A-Z (passwords are almost always case-sensitive), and why not throw in 0-9, !@#$%*()-_=+/?{}\| and so on? If you can get 64 symbols in your alphabet and you have an eight-character password, that's 64^8 = 281 474 977 000 000 possible combinations. Just make sure you choose a random one, rather than just 'password'.

Don't re-use important passwords

You know how I said some systems have methods to prevent or slow automated attacks? Well, some don't, and if I can guess your password for one system, that will also be my first guess for your accounts on other systems. (Even if your password is practically guessable, I remember once accidentally stumbling across the file where the then-largest Duke Nukem 3D site stored all the passwords for its forums in plaintext. Yeah, that's right: publicly accessible and unencrypted.) Or maybe I'll just make a website that looks legitimate, but is secretly a way for me to acquire your email address and password when you register. If you register with the same password you used on your email account, I've got you.

I forgot my password because I followed your stupid advise. :-(

Yeah, sorry about that. This used to be a huge no-no, but I actually recommend writing down your password. NOT on a sticky note on your computer monitor, but in a secure location. This isn't so you don't have to remember it, but just in case you forget. Maybe somewhere safe at home, maybe in a piece of paper in your pocket* (perhaps not paired up with the text 'This is my password for ____:'. If I steal your piece of paper reading 'aKK#0^V' I won't be able to do much with it without further information. You know what it means; other people don't.)

I like to encrypt my passwords using GPG and just memorise my GPG passphrase. Optimally, I'd have a system that allowed me to easily derive my password based on site name, username, or whatnot. (e.g., the md5('everything2' . my secret universal password). There are programs and websites to do this for you, but what I really want is one I can easily perform in my head. Secure hashes, sadly, tend to be complicated.

I'll leave you with a joke actual quotation from a password guessing FAQ:

What about login password in Windows 95?
Have you tried to press "Cancel"?

* I sure hope your pocket is fairly secure. it probably contains credit cards, cash, and the keys to both your car and the house in which your family sleeps.

Log in or registerto write something here or to contact authors.