Password best practices

  • Use passwords that are not composed of common words or names. Dictionary attacks use dictionaries with millions of words and are very quick.

  • Use long passwords. I tend to use passphrases. I pick a phrase, sentence or rhyme and find some way to use a fair number of non alpha-numeric characters so that my words are not dictionary words.

  • Do not use the same password for multiple login services. Take some time to come up with a formula for picking passphrases. This allows you to use many different passwords that, if forgotten, you may be able to recreate with some trial and error.

  • If you have to, by all means write a good, long, secure password down and hide it somewhere. That at least is better than using a weak password that is easier to remember.

  • If the above suggestions prove unmanageable, use a password manager with a long secure password and then use random character passwords for everything else. Carry the password manager around with you on an encrypted USB flash drive (backed up of course).


I have found several problems with passphrases:

  • Many sites have upper limit to password length - like 20 chars - it's silly, but what can you do.
  • Other sites don't allow spaces in passwords.
  • Typing long texts blindly is error-prone - especially when you're not good touch-typist.
  • Typing 50-char passphrase takes quite a bit longer than good 15-char password.

My solution for this problem has been to use passphrases as a mnemonic to the actual password. For example I could pick a few lines of great poem from William Henry Davies (76 chars):

No time to see, when woods we pass,
Where squirrels hide their nuts in grass.

And I would pick the first letters of each word, creating the following pretty good 16-char password:

Nttswwwp,Wshtnig

Using poetry is especially good, because it's easier to remember and when you are asked to change the password, you can just pick next few lines of a poem.


When dictating a password regime to others, don't only require that they use unique, longer than a threshold, contain mixed case, special characters etc.. but also educate the user about password managers or schemes to construct/remember those passwords... if you don't, the users will write the passwords down or find other, insecure ways to "remember" them.