Predictable P@sswords
Common Security Mistakes

I’m sorry to be the bearer of bad news, but passwords like Sk@terboi94 and P@ssw0rd123! just aren’t going to cut it anymore. In fact, the majority of advice on creating secure passwords actually makes us more vulnerable to hackers.
The most popularized advice by far is to strengthen passwords by using irregular capitalization, special characters, and at least one numeral. Most account creation pages even have these standards built into their requirements. But this advice has led the majority of users into easy-to-predict practices. By adding chains of numbers to the end of a password or substituting letters with similar-looking symbols and numbers, users produce passwords that are hard for humans to remember but easy for algorithms to predict. Even Bill Burr, the former National Institute of Standards and Technology manager and the man responsible for popularizing this advice, now advises against these practices and regrets popularizing them.
But Burr’s advice came out in 2003 - centuries ago by computer standards. For the past few years, online security agencies have been advising the use of chains of three unrelated words to create stronger passwords. This practice creates longer passwords, which in theory means more possibilities for a computer to work through. However, even this strategy can produce relatively weak passwords by modern standards.
To see why, let’s look at the math:
- The 2003 Bill Burr advice gives us a character set of a-z (26), A-Z (26), and 0-9 (10), raised to the power of the password length (8): (26+26+10)^8, or 62^8. This works out to 218,340,105,584,896 possible passwords (assuming no optimizations and a trivial brute-force approach).
- For the three-random-words strategy we take the typical English-speaking American’s lexicon (42,000 words) raised to the power of the number of words used (3), which gives us 42,000^3. This works out to 74,088,000,000,000 three-word combinations. There are more characters, but because there are fewer word combinations the strategy is roughly comparable in strength to the original advice. Once substitutions and inflections are accounted for, this approach can actually be worse, since there is much more room for optimizations.
In the end, neither of the most popular password-generating strategies does a great job of producing hard-to-predict passwords.
BitFlip’s Advice
Don’t try to beat a computer’s computational ability with your own limited memory; instead, use a password generator together with a password manager. Look for a random password generator that produces at least 32 random alphanumeric characters. BitFlip’s Managing Director shopped around the market before making his own, called StrongPassword. Best practice is to generate a distinct password for every account and store them in a password manager like 1Password. There are many other good password managers on the market; just don’t use one that stores your information in the cloud. The cloud is just a nice way of saying someone else’s server. And remember: passwords are the keys to your kingdom. If you don’t have strong, distinct, hard-to-predict passwords, you don’t have security.
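To make the arithmetic above and the generator-plus-manager advice concrete, here is an added Python example (written for this page; it is not BitFlip’s StrongPassword and not code from the original post). It computes the search space of the three strategies discussed (8 alphanumeric characters, three words from a 42,000-word lexicon, and 32 generated alphanumeric characters), converts each to bits, and generates a 32-character password with the standard library’s `secrets` module. The 42,000-word lexicon comes from the post; the guess rate of 10^12 guesses per second used for the worst-case timing is a constructed assumption, not a measurement.

```python
import math
import secrets
import string

# 62-symbol alphabet (a-z, A-Z, 0-9) used for both the 8-character and the 32-character cases
ALPHANUMERIC = string.ascii_letters + string.digits

# Lexicon size for the three-random-words strategy, taken from the post. Assumption: every
# word is equally likely and the attacker already holds the same word list.
LEXICON_SIZE = 42_000


def keyspace_characters(alphabet_size: int, length: int) -> int:
    """Distinct passwords of `length` symbols drawn uniformly from `alphabet_size` symbols."""
    return alphabet_size ** length


def keyspace_words(lexicon_size: int, word_count: int) -> int:
    """Distinct passphrases of `word_count` words drawn uniformly from a lexicon."""
    return lexicon_size ** word_count


def entropy_bits(keyspace: int) -> float:
    """Search-space size expressed in bits (log2), the usual yardstick for comparing strategies."""
    return math.log2(keyspace)


def worst_case_years(keyspace: int, guesses_per_second: float) -> float:
    """Years needed to try every candidate at a constant guess rate (rate is a constructed assumption)."""
    seconds_per_year = 365 * 24 * 3600
    return keyspace / guesses_per_second / seconds_per_year


def generate_password(length: int = 32, alphabet: str = ALPHANUMERIC) -> str:
    """Build a password from the CSPRNG behind `secrets`; never use `random`, whose output is predictable."""
    if length < 1:
        raise ValueError("length must be at least 1")
    if len(set(alphabet)) != len(alphabet):
        # A repeated symbol would be drawn more often than the others and skew the distribution.
        raise ValueError("alphabet must not contain duplicate symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare_strategies(guesses_per_second: float = 1e12) -> dict:
    """Keyspace, bits and worst-case search time for the three strategies discussed in the post."""
    strategies = {
        "8 alphanumeric chars (2003 advice)": keyspace_characters(len(ALPHANUMERIC), 8),
        "3 random words (42,000-word lexicon)": keyspace_words(LEXICON_SIZE, 3),
        "32 generated alphanumeric chars": keyspace_characters(len(ALPHANUMERIC), 32),
    }
    return {
        name: {
            "keyspace": space,
            "bits": round(entropy_bits(space), 1),
            "worst_case_years": worst_case_years(space, guesses_per_second),
        }
        for name, space in strategies.items()
    }


if __name__ == "__main__":
    for name, stats in compare_strategies().items():
        print(f"{name}: {stats['keyspace']:,} possibilities, "
              f"{stats['bits']} bits, {stats['worst_case_years']:.3g} years at 1e12 guesses/s")
    print("example generated password:", generate_password())
```

The two figures from the post fall out directly: `keyspace_characters(62, 8)` is 218,340,105,584,896 and `keyspace_words(42000, 3)` is 74,088,000,000,000, i.e. roughly 47.6 and 46.1 bits. A 32-character alphanumeric password from `generate_password()` sits at about 190 bits, which is why memory-free generation plus a manager wins: the comparison is not 8 versus 32 characters but 2^48 versus 2^190 candidates. The generator draws from `secrets` rather than `random` because the latter is seeded predictably and is not suitable for anything security-related.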
