How to choose a good password?

Posted by Fred C (W6BSD) on Aug 27 2015

If re like me, you might find it difficult to come up with a new password every time a website or an app asks you to create an account or change your password. In this post, I'll explain what a bad password looks like and how to create a better one. I'll also describe a few tools that will make managing your passwords simpler. First, Let's go over how not to choose a password: just pick one from the following list of the 150 most used passwords. You can be sure that none of these are secure since hackers will try them.

150 most used passwords


What is a bad password?

A bad password is a password composed of a common word or words that can be found in any dictionary of your current language or any foreign language. If you're a fan of sports, "soccer", "Soccer", "soCCer" or "Socc3r", are all equally bad. People close to you can easily guess these passwords, so can people who view your social media posts. A dictionary attack will only take a few seconds to crack a password made up of any of these simple words. During a dictionary attack, a hecker's program automatically tries every word in the dictionary, including common permutations such as using "3" instead of "E" and others you might not even have thought about.

Tip: Never use a word even misspelled.

Also a dictionary attack on these kind of simple words will only take a few seconds to crack it. People writing password crackers know all the permutations (using a "3" instead of an "E" for example) that you might know and even some you never thought about.

Never use a word even misspelled.

What is a good password?

A good password is a sequence of random characters, the longer the better. This sequence should include letters, numbers and "special characters". famx+.quVg for example, is a good password. Ok, not anymore, because it has been published on this blog. 9TRr9fujABKCONEkW3GR6FmIK6zfcjcD1Iei+lLJ is an even better password. The problem with these passwords is that they are impossible to remember. And it's even harder when you have dozens of accounts. Remember that you have to use a different password for each of your accounts. This way, if one account is compromised it won't affect all the other ones.

What to do then?

Password manager

Use a password manager! A password manager will store the passwords for you in a strongly encrypted file. Most of the time the password manager will fill the user name and password fields of a web page for you automatically, preventing key logger spy ware to read the password as you type it.

Here are some of the password managers that I have tried and I like. There is other products offering a different set of features.

Even Apple KeyChain is better than nothing.

One Time Password

A One Time Password or OTP is a password that is valid only one time. The next time you will have to login on that same web site you will have to use a different password.

Many major web sites, such as Google, Dropbox, Twitter or Github, now offer an OTP solution. It is some time clearly advertised sometimes it is hidden. You will have to dig in the settings to find it.

It is usually easy to setup:

  1. Download an app on your phone. For example DUO works great.
  2. Enable the One Time Password option on your favorite web site.
  3. Scan the qrcode displayed on the screen.
  4. Confirm that you are enabling OTP by entering the code given by the DUO app on your phone.

Here is an example of the login sequence on Dropbox.

  1. First screen asks for login and password
  2. Second screen asks for the OTP (given by DUO)


If you like to work from your Terminal, this function will help you generate random passwords. The generated password will automatically by copied into your cut-buffer. You just have click paste where you need the newly generated password.

Copy the following function .bash_profile and you are good to create new secure passwords as needed.

genpass() {
    local pass=""
    local len=${1:-16}
    local chars="A-Za-z0-9?\!@^=+$#"
    if [[ $((len % 4)) == 0 ]]; then
        pass=$(iconv -c /dev/urandom | tr -dc $chars | hexdump -n $len -e '"%.4s-"')
        pass=${pass:0:$((len + (len / 4 - 1)))}
        echo $pass
        [[ $(uname -s) == 'Darwin' ]] && echo -n $pass | pbcopy
        echo "Error: The password length must be a multiple of '4'" 1>&2

 Password      OTP