Effective passwords

Time to read: 10 mins

A strong password is an effective password. But what makes a password strong?

The short answer is a password that is

  • Long
  • Hard to guess
  • Hard to crack
  • Uniquely used

But also

  • Easy to remember
  • Easy to enter correctly

If your password isn’t easy to remember, you will write it down. And even if it isn’t on a Post-It note on the side of your monitor or under your keyboard, in a memo on your smartphone, or on the back page of your moleskin notebook, having your password written down significantly weakens its value.

Most passwords are entered into systems in an obscured form, the major exception being mobile devices that allow you to see the last character entered. Even if a password is easy to remember, if it is made up of unusual key combinations, errors will easily occur. Ensure your password is easy to enter on all devices.

Keeping these two requirements in mind, let’s look at each of these strong password attributes.

Uniquely used

The number one issue with passwords is that you reuse them. The majority of people use the same password on all online sites.

This certainly meets the requirement of ‘easy to remember.’ But it also creates the greatest risk. If a bad guy gets your password from one site, they then try that password on other sites with your username and/or email address. This can be done quickly and automatically with software easily available online.

Of course having a unique password for each site quickly fails the ‘Easy To Remember’ test.

Like it or not, you need multiple passwords, and each of them needs to be strong. There are a small number of good strategies for managing all these passwords, and lots of bad ones. The good ones are:

  • Using a Secure Password Repository
  • Password Tiers
  • Password Sequences

A Secure Password Repository is typically an app that runs on your smartphone (and possibly also on your PC) that stores your password list in a strongly encrypted format. The use of these apps is discussed further below, but it is a good idea to have one.

The idea of Password Tiers is that you have a small number of passwords, selected based on the risk of compromise.

Tier 1: Most Secure. Individual strong passwords for each bank/financial institution site, social media site, and public email account (e.g. Gmail).

Tier 2: Medium Security. One strong password for use with other commonly used, important sites that are not Tier 1.

Tier 3: Normal Security. A common medium/strong password used on all other sites.

Password Sequences are distinct passwords, related by a pattern or sequence. ‘Password01,’ ‘Password02,’ and ‘Password03’ are a simple password sequence. By having a complex password base (as below), with some sequence as suffix or prefix, you can create a set of strong passwords that are still able to be remembered. The caution here is to ensure the sequence is not obvious. If one password is guessed or cracked, the other passwords should not be able to be easily derived.

Combining two or all of these methods, e.g., Password Tiers with a Password Sequence, results in a strong set of passwords, easily remembered and entered, that reduces your exposure from the disclosure of a password.


The next biggest password issue is password length. The average password length today is 8 characters. This is totally inadequate.

A complex password with 12 or more characters is the minimum you should be using online, and even this is considered of medium strength.

You should be using a unique, non-dictionary password of 16 or more characters for your Windows login, social media accounts, and banking/financial sites.


Complex passwords are those that make full use of the character set on a standard keyboard. Characters like {, |, \ and > make passwords harder to guess and (to some extent) crack.

Simple letter substitutions (e.g., @ for A, 1 for i) no longer qualify as complex. These characters can still be used, but not solely as substitutes.

The most underused character in passwords is the SPACE, but not all password systems allow spaces.

In most situations, you can’t guarantee the availability of special characters on all keyboards, so be wary about using them.

A 16+ character non-dictionary password is far superior to a 12 character complex password. An 8-character complex password is pretty much useless.

Hard to crack

Cracking is where the password is determined through repeated attempts. These attempts can be through brute force (trying every combination) or a dictionary. A dictionary is a list of commonly used passwords, words, phrases, and numbers.

The most common cracking situation is where the password file on one of the sites you use is stolen. The bad guy then extracts the passwords from that file. They now have your username and password, which they will try and use to gain access to other sites and systems.

The key to being hard to crack is using a long (16+ character), non-dictionary password.

Hard to guess

Password guessing is not the most significant risk you face online, but it remains a factor about which you need to be vigilant. The reason I continue to advocate for the use of complex passwords is that they make it harder for someone to guess your password even if they have a lot of information about you, and also make it harder for someone to watch you enter your password (‘shoulder surfing’) and remember what you typed.

The ‘Easy To Guess’ passwords are also the first ones used by someone trying to crack your password (see above).

Don’t use:

  • Password, Password, p@ssw0rd, or pretty much any variation based on the word ‘password.’
  • Incorrect, letmein, iloveyou (or variations)
  • Personal information like your name, or names of family members, mother’s maiden name, employer, pets, friends, former lovers, movie stars, famous people, or brands
  • Your street name, suburb, or city, phone number, postal code, credit card PIN, passport number
  • Favourite book, movie, game, or character
  • Favourite holiday destination, sports team, car make and model, the name of your boat, the bourbon you drink, or the school you went to
  • Something related to the site you are creating the password for: domain name, company name, tagline, IP address, area code, or phone number.
  • Repetition, like 1111111, zzzzzzzzz, or zzzzzzzzz1111111
  • Patterns, like 12345, 14789, QWERTY. Capitalising only the first letter of the password is a common pattern, as is ending in a full stop.

Strong password guide

  • 16 or more characters
  • Spaces, if permitted
  • Random Capitalisation, wHIchcANsTillbeMemOrabLE
  • Concatenated, unrelated words, CanSeemRandomTheyDo
  • Concatenated words and numbers, 45QueenStLevel09
  • Non-alphanumeric characters, but not as substitutes. Add them between parts of the password, can#Also!Seem”Random.
  • Uncommon or misspelt words, rambunctiousnesses, accommoddation, stooplesrudeway
  • Non-English languages, kupuwhakatahaTahi, HaoJiuBuJiang
  • Mnemonics of a pass phrase, ‘There is a house in New Orleans they call the Rising Sun’ becomes ‘tiahinotctrs’ or even ‘TiahiNOtctRS’
  • Combinations of the above

These passwords are generally easier to remember than a totally random ‘:h!l3`iv:(_oNqDR’.
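
The ‘Don’t use’ list and the length guidance above can be turned into an automated check. The following is an added example, not code from the original article; the function names, the short word list, and the optional `personal` and `site` term lists are assumptions made for illustration.

```python
import re

# Base words from the article's "Don't use" list (a constructed sample, not a real cracking dictionary).
COMMON_BASES = ("password", "incorrect", "letmein", "iloveyou")
# Simple substitutions the article says no longer count as complexity.
LEET = str.maketrans("@4013$5!", "aaoiessi")
# Number row, keyboard rows and the keypad perimeter (covers 12345, QWERTY, 14789).
KEY_RUNS = ("0123456789", "qwertyuiop", "asdfghjkl", "zxcvbnm", "147896321")


def normalise(pw):
    """Lower-case and undo simple letter substitution (p@ssw0rd -> password)."""
    return pw.lower().translate(LEET)


def has_run(pw, n=5):
    """True if pw contains n consecutive keys from KEY_RUNS, forwards or backwards."""
    low = pw.lower()
    for row in KEY_RUNS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + n] in low for i in range(len(seq) - n + 1)):
                return True
    return False


def audit(pw, personal=(), site=()):
    """Return the article's rules that pw breaks; an empty list means none found."""
    issues = []
    if len(pw) < 12:
        issues.append("under 12 characters")
    elif len(pw) < 16:
        issues.append("under 16 characters")
    if any(base in normalise(pw) for base in COMMON_BASES):
        issues.append("common base word")
    low = pw.lower()
    if any(len(t) >= 3 and t.lower() in low for t in personal):
        issues.append("personal information")
    if any(len(t) >= 3 and t.lower() in low for t in site):
        issues.append("site-related")
    if re.search(r"(.)\1{3,}", pw):
        issues.append("repetition")
    if has_run(pw):
        issues.append("keyboard or number pattern")
    if re.fullmatch(r"[A-Z][^A-Z]*", pw) or pw.endswith("."):
        issues.append("first-letter capital or trailing full stop")
    return issues
```

Substitutions are undone before the word-list comparison, so `audit("p@ssw0rd")` is flagged as a variation of ‘password’, while `audit("45QueenStLevel09")` from the guide above returns an empty list.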

How often should I change my password?

The password fatigue argument…

There is some debate on this. Requiring users to frequently change passwords can drive people from your website, and undermines usability. Frequent password changes apparently give rise to ‘Password Fatigue,’ and as a result people start writing their passwords down, weaken their passwords, or otherwise game the password system. There are some who argue that once you have a strong password, you only need to change it if compromised. Personally I don’t agree. How would you know you’ve been compromised?

If you use weak passwords, changing them will bring minimal benefit as they can be quickly guessed or cracked. This is also the case if you use a simple sequence.

If you use a password common across multiple sites, and you believe any of those sites has been compromised, or that password has been compromised, change it immediately (and yes, update every site that has that password).

For passwords under 16 characters, even if complex, I still recommend changing the password roughly every three months. Set aside some dedicated time to do this; it will be time consuming.

Personally, I change all of my passwords each quarter, except those with strong Two Factor Authentication (another topic for another day).

Should I use a strong password repository app?

In one form or another, yes, a secure password repository is a good idea. It is certainly better than writing passwords down in an unsecured form.

There is a major BUT here. If you are going to entrust your critical passwords to an app, you need to be sure you can trust it. For instance, how are the passwords stored (i.e., basis of encryption), and where? Who can access them?

Downloading a free app isn’t high on my list of smart password management approaches. Having said that, paying for an app is no guarantee of security either. It is almost impossible to ensure the security engineering claims made by software vendors are true. While I believe there are probably some great products out there, I cannot endorse any of them. I have tried a few, and for me, none were as easy to use as my approach.

I use an encrypted Google Doc. The repository doesn’t need to be an app, it just needs to be secure. In my Google Doc, I list all sites I use with a password (which makes the quarterly updating a lot easier). I use a three-tier password model built around three different password sequences. I change the password sequences every two years.

I never access the file from a public or shared device, and flush my temporary files regularly.

Then, when I record the username and password used on a site in this file, I use a personal code. Personal codes mean something to me, but would be hard for someone else to guess. But not impossible.

I use a Google Doc so I can access the file from multiple devices. I have a backup of the Doc file offline, also uniquely encrypted. The file is encrypted with a unique, strong 22-character password. I have to remember that one.

I also use a unique strong password for each Windows system I access, which I change regularly.

Is this overkill? Probably. Do I have password fatigue? No, I keep the greater benefit in mind. Do I feel absolutely safe? Not at all. But I feel safer than most.

And I just changed my 22-character password. And it is no longer 22 characters.

Where is the weakest link?

We are the weakest link. Our ability to be manipulated into clicking on an unsafe link, downloading something we shouldn’t, or going to untrustworthy sites exposes us to a myriad of ways to have our passwords stolen (amongst other security hazards). A site that masquerades as our bank or favourite e-commerce store; the app we downloaded to store our passwords; the spyware hidden in a free game; the dating site that promises to keep our passwords secure when their sole purpose is to mine them.

Other than our own shortcomings, the single biggest weak link in all of this is systems and site administrators: the people running the systems we are accessing. The very people we expect to trust.

System administrators have the access rights to copy the password file. Once this file is copied, they can reverse-engineer the passwords at their leisure. This is a significant risk, and is essentially unavoidable. Outside of highly regulated industries like Banking and Healthcare, there are few effective controls available. Keep in mind that most security controls are managed by those same site and systems administrators.

Of all the modern systems, the most prevalent password exposure is Windows and Active Directory. The Active Directory password file is accessible by any admin-level account, and the passwords are stored with two of the least secure encryption systems. Cracking the Windows password files doesn’t require any specialist security skills; the tools are available online.

DISCLAIMER No liability is assumed by Baker Tilly Staples Rodway for any losses suffered by any person relying directly or indirectly upon any article within this website. It is recommended that you consult your advisor before acting on this information.