Hi, I had a question about passwords. If I use a password like 12345 for my sites, does that mean someone could guess it? I'm not sure what a good password would be. Something that people couldn't guess is what I mean.

How about something like 5Tk%geE23*^d

Pretty damn sure no one would guess that. Seriously, use both upper and lower case letters, numbers, and special characters. It makes them really hard to guess. Essentially impossible.

here's a couple simple tips for increasing the strength of passwords:

1. pick a word that's easy to remember, then use numeric substitutions for letters, such as:

A 4
B
C
D
E 3
F
G
H
I 1
J
C
L
M
N
O 0
P
Q
R
S 5
T
U
V
W
X
Y
Z 2


for example:

password -> p455w0rd


2. also add non-alphnumeric chars, for example:


p455w0rd -> p455;w0rd


3. for even better security use both upper and lower case letters:

p455w0rd -> P455;w0rD

Caveat: I'm not a security expert. This is just a bunch of info I've gathered over the years.

People write software for cracking passwords. They do dictionary lookups, number sequences, name mangling, etc. Your 5 digit password would be guessed relatively quickly by a program that goes through all possible numbers. Worse than that, the digits being ordered makes it an obvious thing to try on its own. And if you use it in multiple places, one crack gives access to many things.

Some general advice is to use words words with imbedded capital letters, punctuation and numbers in order to foil dictionary attacks and attacks on obvious combos. The longer the password the better, e.g. longer than 6-8 letters is a start. The other thing is to not use the same password in multiple places. If a particular site has its database hacked and someone has your password he can use it everywhere it's valid. You just have to think about the worst case scenarios.

If you're a Firefox user and you want to try a tool that helps with the issue of not repeating passwords, you can try my Password Hasher. Note that you should still use a strong password for the master key or you haven't gained much security. Try to read the FAQ and other documentation before using.

In general, security's more of a pain than we want it to be. Staying secure requires thought and effort. Wish it weren't so, but it is.

On another password related issue, one thing I think is dumber than hell is when they force you to change your password often. I think it makes people more likely to write their passwords down somewhere handy like a sticky under the keyboard or blotter. Or there's more calls to the admin for password resets.

I think this throws a lot more risk into the mix than if someone has one well-memorized strong password that they use for years.

I could see changing it once a year or so, but not more often than that. I agree with you.

I can't wait for good biometric security, e.g. retina scan or fingerprint, to be pervasive, assuming they can adequately protect privacy.

At a large (3 letter) company I worked for we had to change passwords frequently. Passwords were checked for quality (not easy to remember/guess). And they didn't allow you to make your new ones at all similar to the old. Of course if anybody outside the company had broken in and stolen all our source code it would have set them back 5 years. We didn't have access to actual important stuff, like financials.

For many years I've used this Password Generator. It will generate a random string of numbers and letters, with options to include uppercase, punctuation & other characters, and some other stuff.

For instance, a 64 character password:
!Ecus=Udapra=A$-*ReSp_sPEWEWE?rUpa*adre+ede#tecrewEfr@FrEswupRu=

I can use my built-in pass generator :D

the 64 is the number of characters you want.

EDIT: If you don't want any punctuation characters in the password and only alphanumeric characters use the following instead:

Something I like to do, is thinking of a sentence like: a secure password would be a nice thing to have. Then just take the first (or second, whatever you like) letter of each word, and the password will be: Aspwbantth.
As far as I know this is neither easy to remember nor that easy to forget, as long as you remember your sentence! And if you have a number in it, or make it so that it requires colons and such, it is even more secure.

Check this:
Hellkeepa's Home Page - Ultra-1337 Translator

Cool, thanks for the tips!!!

a simple and dirty way would be to just thke the md5sum of some random, usergenerated file (a text document you made for school).

would be hard to guess, and then add some random special caracter in there, just because

Use sentence in exotic language. For example "watashiwatensaida", it means "I'm so genius" in Japanese. You can remember easily those sentences, but it is hard to memory unless they don't understand what it means.

I have read these recommendations somewhere:

1. At least eight chararters long.
2. Use both upper and lower case letters.
3. Use at least one numeric character.
4. Use at least one special character.

Personally I don't tend to worry about password strength very much - my passwords are strong enough for me to be comfortable with. For most sites (forums etc.) I use one of my 4 usual passwords. I think that if someone got a hold of one and tried to impersonate me or screw with my user account the damage would be easily reparable as forum members and staff would recognize that it isn't really me (based on rhetorical style and such things). Also I could in most cases contact an admin and explain the situation. For sites such at this one where I am new and no one really knows me yet this wouldn't work, but still it wouldn't be a big deal to me as I would simply register another account and use that one from then on. I'd probably also drop a PM to a staff member explaining the situation. In either case any harm done would be superficial.
For sites such as e-mail, banking/financial things, pay services such as my cable TV provider site, I use a unique password that is only for that site. For sites on which I have been granted some special security clearance (such as where I am an admin or something) I also use a unique password and I change it quite frequently as an added measure simply because there are other peoples assets on the line and I would feel horrible if those were compromised due to someone else logging in as me. Also with those sites I might increase the strength of the password beyond the the level I am usually satisfied with.