Creating and Using a Strong Password

Here are some guidelines for creating a bulletproof password.

  • Longer is Better – almost all password cracking is done by a group of machines that is simply trying all possible combinations.  A three character password can be cracked in seconds, but a 14 character password takes longer, like 2,000 millennia.
  • No More Words – using words that can be found in the dictionary, or the names of you spouse, kids, street, computer monitor, or whatever just makes the cracking process simpler.  Plus these sorts of passwords can be guessed by reviewing publicly available information about you that is on the web.
  • Use a Passphrase – Graham Cluely from Sophos has a short video that describes this technique.  Take 3 minutes, click the link, and watch how he does it.  By the way, his example is now a BAD PASSWORD because it has been published online, and now will be included in automated password cracking tools.
  • Unique Password for Everything – My earlier blog about how journalist Mat Honan’s online life was destroyed by hackers who figured out one password and used it to access other accounts that shared the same password should be enough to convince anyone of the wisdom here.  The problem is remembering all these passwords.  My technique is to combine a long, 8-10 character base password with a 2-3 character site specific passcode.  This gets you a ten to 13 character password that should be tough to crack, and really hard to reuse on other sites or online accounts.  Another way to accomplish this is to use a software password manager like KeePass.  KeePass has the added benefit of being a free open-source product.


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.