Creating “Long and Strong” Passwords

This blog entry is one of a number of blog entries on the IS Security Blog on password security. The entire category can be visited at the URL: If you are just looking for advice on choosing an appropriate password, two possible methods follow immediately; if you are wondering “why?”, then please read on as the explanation is at the end.

Method 1: The Passphrase

  1. Generate a list of 3 or 4 random memorable words: treeiron, tee.
  2. Capitalise one of the letters in each word (it would be sensible to pick the same letter for each word): treEiroNteE
  3. Concatenate the words together using a favour punctuation mark to separate the words: treE&iroN&teE

This could also be called the “xkcd” method after a well-publicised cartoon criticising conventional password generation suggestions.

Method 2: The Song or Poem

  1. Pick a song or poem.
  2. Pick a line from that song/poem: While I nodded, nearly napping, suddenly there came a tapping
  3. Take the initial letter of each word: WInnnstcat
  4. Apply a selection of heuristics to add complexity :-
    1. Change letters into numbers: W1nnnstcat
    2. Change duplicate letters into a count and a letter: W13nstcat
    3. Change certain letters for punctuation: W13ns!c@!

And that is your password! The only danger here is picking a poem or song with really short lines – “sus” (“sifted, unfallen snow”) is not a suitable password!

There is also a video produced by Sophos with an alternative explanation of the same method :-


Passwords are a somewhat unfortunate solution to the problem of ensuring that an individual using an account is the person authorised to use that account, but they are the best solution we have at present.

Most other solutions are either too expensive to implement, or too unreliable. For instance biometric devices don’t always authenticate, and magnetic card reads attached to keyboards are still somewhat expensive.

And we do need to be aware that people are trying to break into accounts on the network for all sorts of nefarious purposes … ranging from using the account to send bulk emails (spam) with, to emptying bank accounts.

We have recently started encouraging people to use “long and strong” passwords for their accounts, but what does this mean? And how can you generate a “long and strong” password ?

The “strong” part of the phrase is a suggestion to avoid using a password that can be easily guessed which sounds like it would be easy to do. But with automated password guessing, it is possible to make enough password guesses to make it much harder to create a “strong” password. Anything based on a single word such as cloud (including c10udclOudcloud7duolc, etc.) is weak – most imaginable transformations of a word can be guessed. And don’t imagine that using words in a language other than English helps! Password cracking word lists contain words in many languages including relatively rare languages such as Welsh and Basque!

The “long” part of the phrase refers to the overall length of a password. If “password hashes” somehow escape, an attacker could use a brute-force password cracker to easily break any password less than 7 characters in length – 6 character passwords took 37m on my own home machine several years ago – and an attacker with access to more computing resources could get passwords up to 9 characters in length relatively easily. And the minimum length for a sensible password keeps going up every year.


This entry was posted in Uncategorised. Bookmark the permalink.