GeodSoft logo   GeodSoft

Good and Bad Passwords How-To

Creating Uncrackable Passwords
That Do Not Need to be Written Down

Off and on for years I've thought about how to create an uncrackable password. To save you time, before getting to any technical specifics, I believe I can tell you how to do what the page title says, but there is a cost. If you follow my advice, you will be typing 18 to 22 characters everytime you enter a password, and I'm going to advise you not to use any password safe. It is likely 15 to 19 character passwords will do, but I think these are more likely to have a flaw that makes them crackable. The passwords I recommend will not be untypeabe random sequences, but they will contain a minimum of two symbols or punctuation marks, a digit and a mixed case character. This approach does not require the use of a password generator though it may use one. If you are unwilling to type such passwords, there is little point in reading further, unless you think you can find a flaw in my approach. If you do find a flaw, I'd be glad to hear about it, and would be willing to publish your comments (except for the obvious flaw that most users, including those who know better are lazy, and unlikely to go to this effort to protect their accounts.)

Actually creating uncrackable passwords is not difficult. Any password generator, including mine, that will give you a string, 18 characters or longer, made randomly from the full 95 typeable character set, will give you more than you could use. The problem is, can you use even one such password? I would say no. Even if you could somehow remember it, or if you wrote it down, you would need to be a very good typist to be able to type it without a mistake when you cannot see what you have typed. Random character sequences contain none of the character patterns that make it easy to type words and sentences. With such passwords you have to actively think, where on the keyboard each character you want is located. If you have several or many passwords, and who does not today, you must write these random passwords down, or use some form of password safe.

I thought of this method while modifying my generator to create long passwords in ways that I had always avoided in the past. My method is to use a common part, which I call a core password which will be part of most passwords you create for the next two to four or so years. This will be a "conventional" strong password between 10 and 14 characters. It will contain two or three puncutation marks or symbols, at least one digit and at least one letter whose case does not match the other letters. The atypical case letter and digit must not begin or end the core password. The core password may contain one or two words, but neither must be equal to or longer than two thirds of the total length. An 8 character word is OK in a 13 or 14 character password, but not in a 12 character password. Two shorter words may be better.

Some readers are probably muttering, this sounds just like the advice we have been hearing for years about good passwords, and they are all hard to remember. It sounds like that adive for good reason, it is that advice. If you've been paying attention though you know something very important is different. The common advice also says to use a different password on every account. That makes strong passwords hard to remember. I'm saying you are going to use your strong core password on every almost every account you have, from your home PC, to your browser master password, your work passwords, your bank and credit card passwords, and most other passwords that you have.

You may choose to make exceptions which could include any throwawy, or insensitive accounts that you have on the web. A few web sites don't even hash your password. Any web site that can email back your password when you forget it does not hash your passwords and you SHOULD NOT TO USE YOUR CORE PASSWORD on any such site. You also do not want to provide any sensitive information to such sites. If you are a computer or network administrator for work or for a volunteer organiation, and you share one or more admin or root password with others, you should NOT use your core password those accounts.

You should NOT use your core password anywhere where it may be exposed to others without it being cracked by conventional cracking methods. Since your new passwords are supposed to be uncrackable, no one else will ever see them if you only use them where they can only be seen if they are cracked.

Password Safes

On the other hand you want to use it on all your important and sensitive accounts. You want to use it on these for security, and you want to use it frequently so it becomes second nature to include it in a a password and so you will never forget it, especially since you have never written it any where or entered it into any password safe which may be accessed and stollen by crackers.

I know that password safes have become very popular. They are unquestionably very convenient, and today anything that is convenient tends to become popular. NO ONE has yet convinced me they are actually safe. The entire concept of a password safe requires you to put all of you passwords in one place where they may be accessible to a network cracker. Are more homes and businesses broken into physically than networked computers compromised? I have no doubt that over time hundreds of millions of networked computers have been compromised, and that tens of millions are actively compromised right now. Does anyone believe that there are tens of millions of burglers in homes and businesses all around the world at this moment? Once a computer, especially one in a home, is compromised, it is rare that the owner finds the problem. It's normally found when someone else complains to an ISP or the owner about spam, port scans, virus infected emails or other malicious activity coming from that computer. Even most businesses with full time security staff are not aware when they are compromised; most businesses are alerted to a compromise by a third party such as a law enforcement agency or a security auditing team.

Historically application passwords are much weaker than most operating system passwords. Password safes are by definition applications. The may be infrastructure applications but they are still applications. Some may call them utilities; that's a fine distinction. The point is they are normally developed by a small group and often just one developer. Small groups and individuals tend to have blind spots about potential weaknesses in their products. Operating systems are generally developed by larger groups. More people see the code. More people are involved in testing and often start with different assumptions than the software author. More people use operating systems so they quickly get a lot of real world testsing as soon as they are released. Bugs are reported more quickly and widely, and are fixed more quickly (if serious) because they affect more people.

The large majority of password safes are proprietary and this includes freeware safes. Nobody but the author knows how the passwords are hashed. No doubt all password safe authors honestly believe their products are safe. That does not mean they are. When only one or a few people can test a product with knowledge of the source code, no one can be sure it was thoroughly tested. The code for open source products can be read by anyone. One popular open source password safe actively uses this claim in its promotion of its product. Unfortunately, even when such a group claims to use an industry standard hashing method, there is no guarantee that it has been properly implemented. Improper implementations of a sound algorithms are just as likely to cause a security weakness as a flawed algorithm.

Unless the ANYONE reading password safe source code is both a cryptographic expert and an expert in the language that was used to program the password safe, reading the source code is meaningless. Unless you can say that you are a cryptographic expert, and an expert in the language that your password safe is written in, and that you have performed a systematic code audit of the source code for your password safe, YOU DO NO KNOW THAT YOUR PASSWORD SAFE IS SAFE. It's just that simple.

There is only one group that I know of that routinely uses formal code reviews as part of their testing and evaluation process. I would not be surprised if there are tens of thousands of computer software companies that claim to do this world wide. But like all proprietary processes, if you want to know details, what will they tell you?

The group I'm referring to is the OpenBSD project ( This is a group that since its inception has put reliablity and security ahead of usability, features and convenience. OpenBSD is widely regarded as the most secure general purpose operating system and has been for well over a decaded. When they talk about their code reviews, they tell you how many bugs were found that had not been found by other testing and evaluation methods. Not surprisingly it takes some research to make effective use of their products. Despite their unquestioned ability and excellent record, even the OpenBSD group makes some mistakes.

Today the Blowfish algorithm for hashing passwords, developed by the OpenBSD group, is widely regarded as the most secure password hashing method available. But that was not true when it was first released. Despite all their expertise and formal code review, the first Blowfish algorithm was released with a flaw. I don't know how serious it was, but someone outside the group found it, and a new version of Blowfish was released that corrected the flaw. If the very best in the business can make a mistake in their area of expertise, it is NAIVE to believe the claims of the authors of your password safe.

One more point on password safes. Operating system bugs are reported relatively quickly because so many people use them. The same is true of widely used applications like Word and Excel. On the other hand, most password safes, even the most popular, represent comparatively small numbers and there is little reason to think most users will ever notice any flaw which relates to the master password hashing algorithm.

On the other side, cracking groups who are most likely to find such flaws, have every incentive to stay quiet about such flaws when they find them. The longer a cracker knows about a password safe flaw that is not reported, the longer he has easy access to a significant number of passwords. A conventional hacker may tell friends about such a flaw, and over time this will spread. Sooner or later someone in the mainstream security community will hear of it and make it public. If a criminal group finds such a flaw, they will never reveal it to anyone outside their group. This gives the criminals almost complete access to everything valuable and sensitive online belonging to any victim who uses a password safe with a known flaw when the criminals compromise a computer belonging to someone who uses that password safe.

Please remember that security is just as much about ensuring that you have reliable and timely access to your own data as it is about keeping intruders out. A lost password on an important account can be every bit as serious as a system compromise. The people most likely to lose an important password are also those least likely to know how to recover a system with a lost password. Often in discussions of security, no one bothers to mention backups. Any discussion of security that does not start with timely tested backups is meaningless.

Password Reuse

I thought of the idea of core passwords when I was experimenting with the just created option to enter literal strings into a generatated password using the backslash character. A long password does not have to follow most of the advice given for ordinary short passwords, and has room for things that short passwords does not. I was entering "+my1+Whatever" (which is already 13 characters), using the backslash, into the pattern field. I was clearly thinking about using a common string plus random words, character paterns, sequences, repeats, etc. which were also defined, in multiple passwords. As I experimented with this, I realized it was the answer (or at least an answer) to remembering strong passwords without writing them down. Use the same one everywhere or at least very frequently.

There are very good reasons why the standard advice is to not reuse passwords for multiple accounts (or websites or whatever you call the places that require a username and password). But the answer was right in front of me. Combine a widely used, strong core password, with other things, perhaps generated by a password generator. It does not really matter how the rest of the password is created, as long as it has no apparent relationship with the strings used at other sites or on other accounts.

I believe the parts added to the core password should accomplish the following: 1) they should assure that every password used on a different account or at a different location is unique; 2) they should add enough length to insure the entire password is a minimum of 15 characters and preferably 18 characters (additional length in a password never hurts); 3) if the written list of passwords is lost or seen by someone else, it should look like a plausible list of passwords, 4) besides merely adding length, the unique part should add some strength by containing at least two character types and it should not be an entirely trivial single alpha, numeric, or keyboard sequence, especially not one that begins with abc, 123, or qwe, or any single character repeated 4 to 8 times, even at both ends of the core password.

Regarding 3 in the previous paragraph, it's not at all hard to make a list of several characters each look like a full password list. Many, possibly most passwords are as short as the system they are used on will allow. In practice the overwhelming majority of known cracked passwords are between 5 and 8 characters.

Regarding 4 above, I really have no idea what is easy for other people to remember and type, which is part of the the reason I've provided so many options in my password generator. While I'm a firm beliver in strong passwords, there are many ways these can be achieved, and sites should not be blind to the fact that if you make an all lowercase password long enough, an all lower case password can always be stronger than one with all four main character types.

A 12 character lower case password is stronger than an 8 character password with all 4 character types. As length increases the lower case password has to grow faster; keeping a 4 character lead is not nearly good enough. For each extra 4 characters from the full keyboard, the lower case password needs to add about an extra 1.5 characters. So when the full keyboard password reaches 16 characters, the lower case password needs to be 23 characters, rather than only 20, to be stronger.

The Unique Parts, Part 1

What's enough for the unique parts? There is no simple answer. I'm trying to build something that has a huge margin for error, so if my calcualations and understandings are correct, it won't just be good 5 years from now but will be strong for the entire foreseeable future. I'm trying to cover huge miscalculations in cracking times. I'm allowing for the pathetic password storage used by Windows where if you crack a password for any Windows computer, you've cracked that same password for all Windows computers. I'm trying to allow for poor hashing algorithms that have effecient alternernative implementations that may speed cracking up a thousand to a million times. I'm trying to allow for unexpected technological advances in cracking techniques and for a user who thinks he or she has a strong core when it is really pretty obvious and easily guessed.

If you look at my cracking time table, in particular the network section, a strong 12 character password should be safe against a network 10 times as fast as that shown. How do you implement the core password idea in 12 character passwords and come up with strong passwords? I don' think you can. As I said before, maybe 15 but I think this is close. At today's times even a cracking network should take something like 50 trillion millenia to crack a strong 18 character password. Assuming Moore's law holds for another two decades and computer speeds increase by 10,000 times, that same 18 character password should still be good for 5 billion millenia.

The Core Password, Part 1

However you create your core password, you should NEVER use it in this site's password generator or password evaluator. You may get your core password from this generator and test it in the evaluator, or you may get a suggestion for it and test that suggestion, but make changes to it before actually using it. You will never reuse the core on this site, whatever, if any relationship it may have to this site. You should probably use NOT use it on any site except one where you are logging in with that password and the login page is SSL encrypted.

If we assume for the moment my core password is "+my1+Whatever+", I should enter something like "\*\t\o\5\*\P\a\s\s\w\o\r\d\*" (*to*Password*). The two are structurally identical. Both have a password constant symbol in the same 3 locations. Both have a digit in the same place. Both have a capital in the same place. Neither the digit or capital are in the first or last place. Either could begin or end another password and neither the capital or digit would be the first or last character in the resulting password. Both have 2 and 8 character words in the same locations.

The Unique Parts, Part 2

So what do I recomend for the unique parts? Pretty much anything that is in the range of 6 to 8 characters that is not trivial or obvious. I'll start with my old favorite, the State Departments cvc (consonant, vowel, consonant) and add a digit, but I'll use a new option that lets me duplicate this and put the core in the middle. The pattern that does this is
{(cvCd)2(\*\t\o\5\*\P\a\s\s\w\o\r\d\*)1}. I made the second consonant optionally upper case. Remember we're pretending my real core is "+my1+Whatevver+" so a structural equivalent is used but all the details are different. This lets generated passwords be tested in the evaluator, as well as showing us how the the unique pieces relate to the core.

In this example the curly braces (" { } ") are a new option. Among other things they allow the definintion of a repeat pattern within a pattern, which may include another element, which appears once, before, between or after any repetion. Inside the curly braces, a pair of parenthesis define the structure of the repeated pattern. Inside the parenthesis are standard pattern control characters that work just as they would in any pattern if not enclosed by either the curly braces or parenthesis.

The pattern could be as simple as any two lower case letters, "(ll"), or any two possibly mixed or upper case letters, "(LL)". An "(ln)" would be alternating leter and non letter and "(Mt)" would be a possibly upper case alpha numeric character alternating with a puctuation mark or symbol.

Longer patterns can be used in the parenthesis. The digit after the close paren indicates how many times the pattern repeats. This can be from 2 to 9. In this case, unlike most patterns defined outside of curly braces, the actual characters substituted for the control characters are saved and reused.

The optional second set of parenthesis define a second pattern that will be used only once. Here the digit after the close paren indicates which repetion of the first pattern, the second will follow. In this example, there are only two so it can go in the middle (after the first (1)) or at the end (after the second (2)). A 0 will place the second pattern before the first occurance of the first pattern.

A more conventional and secure way to do something similar would be cvCd\*\t\o\5\*\P\a\s\s\w\o\r\d\*cvCd. This is a very conventional variation on the basic State Department pattern cvcddcvc, using the first half twice with an optionaly upper case second consonant.

The difference between this and the previous pattern, is that the two ends are now processed independently, creating nearly 3 million variations instead of less than 55,000. The result gets exactly the same length and strenght rating as the previous pattern. It's the same length and has the same degree of character diversity. Unless the cracker has specific knowlege that a pattern is being repeated at the ends, it's not likely to be cracked any more easily than the more complex one.

On the other hand, there is clearly more complexity and variety in the second pattern. If there is any flaw in the whole, I believe the extra diversity in it, may save the second in a situation where the first may be discoverd.

The Core Password, Part 2

Both my hypothetical core password and its substitute are strong 14 character passwords just by themselves. Some reader is probably getting agitated and thinking, but there is an 8 character dictionary word in each. It does not matter. Even if used as a complete password, the 8 character word is less than two thirds of the total length. I know of no password cracking rule set that can find the 8 character word. Remember (except for old Windows LM hashes) passwords are never broken in pieces. A cracker must have the entire string that matches every single character before starting the computations that create the hash that will be compared to the hash in the password file.

If you adopt this approach, you will have a secret part that is a good password by itself, and that you will use as part of most passwords you create for the next two to four years. You've decided you are going to do passwords properly from now on. You want passwords no one, not even the NSA can crack. You want passwords that the fastest cracking networks yet assembled will take hundreds of thousands of years or much longer to crack. You want to be part of that select few percent who have never seen one of their passwords in any common password list and who have never had an account of theirs cracked.

You start with a core of 10 to 14 characters that is a strong password by itself. It may have two words, three symbols and a digit. It will have at least one capital (or lower case if the others are upper case). Neither the digit or capital should be at either end of the core password. Instead of you favorite separator, you should consider any easy to type symbol, and use it on both ends, so you have two symbols in your password. Maybe you will use your favorite separator to separate the two words, or you might run them together or the digit(s) my separate them.

If you have only one digit in your core password, it will NOT be a "1". The digit 1 accounts for more than 25% of all digits used in the top 10,000 passwords, and it accounts for 90% of the digits used by themselves in passwords. You may want to use a 3, 8, 9, or 0 which combined account for 2% of all single digits. The 5 and 6 each account for 1%, while the 7 accounts for 1.5%, the 4 for just over 2%, and the 2 for 4.5%.

In multi digit passwords 3, 4, 5, and 6 climb substantially because of the heavy use of passwords using numeric sequences starting with 123. 7, 0, 9, and 8 are the digits least frequently used in combination with other digits.

Some words that you should avoid in your core password are "password" which by itself is the top password in a variety of envioronments but primarily the Internet. In business envioronments 14 variations of password take most of the top 25 positions, followed by welcome, summer, 123456, and spring. More generally "qwerty" comes in number 5 with "123456", "12345678", "1234", and "12345" filling in the rest of the top 6, and "dragon", "pussy", "baseball" and "football" fill out the general top 10. Obviously different lists from different sources and times vary a good bit.

There are some other things to think about in our core passwords. If we care enough about passwords to go to the trouble this approch entails, it is very likely we will talk to others about the need for strong passwords. I think that many people who (if there are many people who adopt such a strategy), will feel compelled to talk about this approach to their friends and colleagues. This is NOT a bad idea. The state of passwords in general use is abysmal. People need to understand the dangers and how to make good passwords.

When discussing passwords, you want to avoid any specifics that may reveal your own password content. Keep the discussion of structure as general as you can. If you reveal that you use a core password, you should avoid any core passwords similar to "my secret", "my private", "my personal", "can't get this", "2 good to get", etc. The odds of anyone getting these, with all the surrounding letters are very small.

If you thought of something that actually describes your core password, is clever or boastfull, someone else just might guess it also. Don't take these chances. BOTH OF MY SAMPLE CORE PASSWORDS ARE POOR EXAMPLES OF CORE PASSWORDS. Some better ones might be ;petaL8&Stary;, .sU~0sprawleD., or =faN,7acidifY=, (not including the trailing commas).

While any words in your core password or complete passwords will be combined with multiple other elements, there is no point in using any of the most commonly used words in your passwords. Smart crackers will use many more and longer rule variations with these very common words, and there is no point to risk a freakishly unlikely rule mixing a common word in passwords and several other common elements catching your supposedly uncrackable password. Even with strong character variations there is no reason to abandon common sense in making our strong passwords. We are not trying to dare crackers to try our strong passwords or trying to see how close to bad we can get away with.

We are trying to make passwords that no one but ourselves will ever have a clue as to what they look like. The farther you can get from any of my positive suggestions without doing the dumb things I warn against, the better your password is likely to be. But you never give up character diversity unless you really provide the length to compensate for it.

Maybe you can keep straight passwords that are more than 25 lower case characters only, but I cannot. I need some kind of visual or phonetic clues to separate really long letter sequences. In other places I've suggested running together two short words to get more variety in short (8 - 10) character passwords which were once considered strong. To me there is a huge difference between keeping track of two 2 to 5 character words, and four or more words run together for 25 plus characters.

Writing Down the Unique Parts

Over time you will type this core password hundreds and maybe thousands of times. There is no need to write it down. It will be etched into your memory within a few weeks. You want the core password to work on either end of your passwords because you will be using it on both ends routinely.

If you've been using strong passwords for a long time and have lots of accounts, and you have used different passwords on different accounts, you know the question is not will you write your passwords down, but where can you write them securely? I'll leave you to answer where for yourselves based on your situation. In most workplace environments, I consider the inside of a purse or wallet to be reasonably secure. Few people leave these laying around unattended. You know your situation. Think about it.

Just because it is unsafe to write passwords on a postit on your monitor, or the closest desk drawer, does not mean all places are unsafe. One thing I know about any password only on a piece of paper, no network hacker can possibly access it, which is more than I can say for password safes. Most important, what you will be writing down now will be less than half of what is needed. That is, provided your core password is strong and does not try to say something clever or relate to you in any way someone might guess or figure out.

You won't write your core password down, but you will have to write down the unique parts. To your 10 to 14 character core you will be adding meaningless (in the sense that they have no special meaning or relationship to you) words, character sequences, repeats, and various odds and ends that add at least 4 and hopefully closer to 8 characters to your core password. You need to pick the unique parts on what you find relatively easy to remember and type. While you will be writing down the unique parts, for those passwords that you use daily to several times a week you should be able to remember these without looking them up.

Even though I'm offering many elements that have routinely been described as things to be avoided in a password in passwords, I'm also providing ways of mitigating weaknesses they may posses. By mixing element types, including words which greatly expand the options, using flips, making limited use of character subsets (which significantly alter the relationship of various sequence characters) it becomes very hard for the cracker to find ways to create similar strings that have a yeild worth the effort. Over time as computers get faster, disks grow in size, and cracking techniques evolve, larger portions of passwords made from non random cmponents will be cracked.

Lets look at a few examples. aBaBaB and aBaBaBaB are awful passwords. They may not be as bad as some of the most obvious pure repeats and simplest sequences but it is still very easy to program all corresponding passwords regardless of which to characters are used. There are only about nine thousand two character combinations so all 4, 6, 8, 10 and 12 character similar passwords would only be about 45,000 entries which is a small dictionary.

But what about aBaBa~97j;BaBaBaBaB ? You cannot get the aB's without getting the "~97j;" at the same time. There is a shifted rarely used symbol with a common unshifted punctuation from a different part of the keyboard. Two low frequency digits with no particular relationship and mixed in the non letters is a "j". The lower case "j" runs a close second to the "q" for the least frequently used lower case letter in the English language. How can you get these characters? The answer is you can't. For it's length it is clearly a "low entropy" password.

The only way to get it would be to do all 7.7 billion 5 character combos in all 15 positions of all 9025 character pairs. That's just over a 1000 trillion passwords for a very low yeild, and assumes the cracker somehow knows he's looking for a 19 character password, with 7 alternating characters, plus 5 odd ones mixed in somewhere. It's actually only a little over an hour on a fast network, but who wants to devote the equivalent of 10,000 fast desktops for an hour to get a password or or two, maybe.

When you start mixing in words, and various sequences, and repeats, with flips here and there, the numbers climb quickly. Just to store the 1000 trillion passwords to disk would take 20,000 terabytes, and that's with no indexes or or any database overhead to assist a quick lookup. While you can describe ways to build dictionaries that could generate the outputs which cover the kinds of passwords I've been creating, the yeilds would be abysmally low by most cracking standards, and with dictionaries too large to store to disk, to check for duplicates, there would be certainly be a lot of duplication of effort. Crackers are not likely to persue these avenues for a long time.

When you write down the unique part you will come up with some notation that indicates which end the core part goes on. It should be better than an arrow or other constant indicator that quickly becomes obvious, if anyone else happens to see or obtain your password list. I'd suggest any group of characters that you can easily relate to each other, and which consists of 5 to 10 or so character.

There are many groups to choose from. Some of the less obvious are vowels, upper or lower case or both. The first 6 consonants: b, c ,d, f, g, h. The three contiguous groups of five consonants, 1) j, k, l, m and n, 2) p, q, r, s and t and 3) v, w, x, y and z. Mixed case doubles the numbe for more variety.

Among symbols and puctuation the eight paired symbols seem fairly obvious: (), [], {}, and <>. They could be used to point at either end, but do not need to; this is the only group that has a really clear way to show the secret core embeded in the unique part: 34()5678.

Some puctuation marks have only one part: , . ' - ( ) and possibly ` and ~. Other punctuation marks and symbols have two clearly separate parts, ( ; : " ? ! = ). Some punctuation and symbols float above the baseline, ( ` ~ ^ * - = + ' " ). Some of the most common non punctuation symbols are located along the top of the keyboard: @ # $ % & * _ = +.

Any modest size group of characters, that you can easily relate to each other and remember, will do. Keyboard location can also be useful, ( ; : ' " , < . > / ?), are very close together as are many other combinations of characters.

You should have a consistent method of dealing with what to do when one of your group appears at the start, end, or in the middle of an element that may end, begin, or surround your core password. One of the advantages of haveing a small group is that you might just discard or not use any character group that ends with one of your direction indicators. Alternatively you might repeat the character or just add a different one from the group. It would be somewhat annoying at least, to forget a password you have written down, but can't remember because you cannot figure out where the core belongs relative to what is written.

What about the rest of your password? Is there anything you should or should not do with these. I think your written list should look pretty much like an ordinary list of passwords, with no duplicates, because if your written list has a duplicate it means you are using the same password at two locations.

Two of the most common psswords are 123446 and 12345678. Why would anyone need to write these down? Because they are so simple and meaningless it might be hard to remember what account or site they belong to. If they were written down as 012{}345, 23()4789, or 789ABc], someone who managed to see the list, would likely think he or she uses pretty simple passwords but is trying to make them better. Even with 123456[ few people would ever think that the symbols were indicators where an additional 10 to 14 characters might go.

On your password list you should be looking for passwords that while you may not remember an infrequently used one from week to week, once you've glanced at your list, you can quickly return it to its reasonably secure location. You do not want unique parts that are so difficult that you need to lay your password list in plain sight, in front of you, while you type in a password.

Account Names

Your written password list may contain exact site and full account name (my account names vary almost as much as my passwords and I have to write them down), or just a hint that is enough to tell you where the password is used.

On the subject of account names, I think of account names and passwords as two halves of a hole. Neither one alone has any value; it's only when two that match are used together does anyone get access to anything. Few websites or operating systems tell the user enough to know if they have a valid account name but the password is wrong. For this reason I mix my account names up quite a bit.

The most important differece from a securiy perspective is that account names are always stored in plaintext (at least in my experience) where passwords are normally stored as hashes (with some execeptions noted previously). Thus as soon as anyone has access to the system, all the account names are typically available.

When someone is trying to gain remote acess to a system by guessing accounts and passwords, you don't have to make have to make the first half easy. When you take your names and initials, chopped up various ways, and combine them with numerous ways your birthday and parts of it may be formated, and add your address, with perhaps some other information there are a very large number of account names you can come up with. I think it's been more than a decade since any system told me an account name I was trying to use was already in use.

On many websites and other Internet venues, many people use nicknames or handles that have no relationship to who they are. This is also fine as long as the system allows it. In many businesses, administrators assign the account names and email addresses, and for good reason they normally have a direct relationship to the individual users.

The Unique Parts, Part 3

I'll close with some more example of how you may create your unique parts, continuing to use the admittedly poor core password that's already been used.

<''4-6fm>\*\t\o\5\*\P\a\s\s\w\o\r\d\*d3 This one starts with a 4-6 character ASCII sequence (defined by the angle brackets (" < > ")) with a randomly selected start point (the empty apostrophe pair (" ' ' "). It has a flip denoted by the "f" which means if either or both ends of the sequence contain a letter, there is a 75% chance one end will be case flipped. The "m" denotes the ASCII sequence is limited to alphanumeric charaters. Few people know the ASCII symbol and punctuation sequence order while anyone can look at a keyboard and see the keyboard order for the same characters. The core password is followed by 1 to 3 digits. See the password generator instruction page for detailed instructions on creating control patterns. In this case the Sequences and Repeats section will be of particular interest.

[''3-5f]\*\t\o\5\*\P\a\s\s\w\o\r\d\*Cvc This one starts with a 3-5 character keyboard sequence (defined by the square brackets, (" [ ] ")), again with a randomly selected starting point, (" ' ' "), but because the the whole keyboard is visible, all characters are included. It also has a flip, ("f"). Because this is a keyboard sequence and every key has two characters, flips are not limited to letters. If the sequence begins or ends with letters, they will be flipped, if any character is. When no alpha character begins or ends a keyboard sequence, either end may be flipped to to the other character on the same key that began or ended the sequence. After the core password, this one ends with a consonant, vowel, consonant, and the first consonant may be upper case.

Perhaps the simplest variations on the core password is to use a single word with one additional charcter for more variety at either end.
Wd\*\t\o\5\*\P\a\s\s\w\o\r\d\* At the beginning with a digit
\*\t\o\5\*\P\a\s\s\w\o\r\d\*Wt At the end with a symbol or punctuation mark. In both cases a flip is use by using an upper case W for word 2 to 9 characters in length. A single digit would request a fixed length word and 4-7 a word from 4 to 7 characters in length. A simple "w" or "W" has the advantage of varying your password over a length range of 6 or 7 characters (2 character words are seen only very infrequently) making its total length very hard to guess, but try not to limit yourself to a single approach.

(''3f)\*\t\o\5\*\P\a\s\s\w\o\r\d\*(''3f) This one starts and ends with with a randomly selected 3 character repeat at both ends. Any of the 95 characters may be selected and both include a flip which will apply to letters only.

Please remember that the number of available repeats and sequences between 2 and 9 characters is smaller than any other kind of character group of similiar lengths. These were added because when combined with a few arbitrary characters in long passwords they are relatively safe. As they have been frequently used in common passwords, I assume many people find them easy to remember and or type. Flips help increase the diversity but only to a limited extent.

When using the core password approach you are already keeping most of your password constant. You should mix the use of repeats and sequences with other pattern types such as words, psuedo words, short to moderate length digit sequences, pronouncable bits (cvc), short random letter bits, and occaisional symbols among others. Look at the Pattern Samples page for many other examples which may be extracted from the mostly conventional short passwords shown there.


To try to sum this all up, even though each new password you create will have a common core password, the whole string which makes up the password should be unique. You should have no reason to think any human being, past or present, and definitely including yourself, has ever seen this particular string before.

Since May 25, 2012, when I recalcualted my Password Cracking Timetable I kenw I had to upgrade a number of my passwords. I was in no hurry because I knew even my oldest and weakest passwords are strong by most measurements, and none has ever been in any common password list. I had no idea what my new passwords would look like except they would be longer than I'd ever used before. I thought that as I revised my pages, and upgraded my Password Generator and Password Evaluator I would find some approach to making new longer passwords that I was comfortable with. Now, at the very end of June, with the core password concept, I believe I've found that method.

transparent spacer

Top of Page - Site Map

Copyright © 2000 - 2014 by George Shaffer. This material may be distributed only subject to the terms and conditions set forth in (or These terms are subject to change. Distribution is subject to the current terms, or at the choice of the distributor, those in an earlier, digitally signed electronic copy of (or cgi-bin/ from the time of the distribution. Distribution of substantively modified versions of GeodSoft content is prohibited without the explicit written permission of George Shaffer. Distribution of the work or derivatives of the work, in whole or in part, for commercial purposes is prohibited unless prior written permission is obtained from George Shaffer. Distribution in accordance with these terms, for unrestricted and uncompensated public access, non profit, or internal company use is allowed.

Home >
How-To >
Good Passwords >

What's New
Email address

Copyright © 2000-2014, George Shaffer. Terms and Conditions of Use.