Whiteboard Wednesday

How To Pick a Good Password

August 16, 2017

In this week's Whiteboard Wednesday, Jay Radcliffe, senior security consultant at Rapid7, offers some tips and tricks for creating a strong password in today’s security landscape (hint: it involves more than swapping an "i" for an exclamation mark). Watch to learn more.

Video Transcript

Hi, welcome to Whiteboard Wednesday. I'm Jay Radcliffe, senior security consultant for Rapid7. Today we're going to be talking about how to pick a good password.


Passwords are one of those things that all of us have to have. It's not necessarily the greatest security in the world, but it's certainly something that all of us use to secure our bank accounts, our utility bills, and our Amazon account from things that we're going to buy.

But first, let's talk about what makes a bad password. The first thing you need to know about bad passwords is they're usually based on a single word. And this kind of goes against what the common knowledge about passwords is, which is pick something that you can remember. But you have to remember that our technology has grown quite a bit recently, and a single word-based password is something that's very easily cracked by attackers and different adversaries that we have.

So you can see a password like butterfly, even if you substitute a 3 for an E and an exclamation point for the L, is still a very weak password. These very basic permutations on a single word are no longer adequate for a good password.

The second thing that makes a bad password is its length. If it's really short, like the single word banana, which is only seven characters, that's going to be very easily cracked by bad guys. Bad guys have the ability to crack passwords at billions of passwords a second. So short passwords are easily cracked by these types of attacks.

So, I know you're thinking, "Well, what makes a good password?" A good password will always have multiple words in it, hopefully more than three. It's also going to be very long. Standard best practice now says that passwords should be longer than 15 characters in length. And third, a password should be easy to remember. You shouldn't have to struggle to remember it every time you need to use it, or write it down on a Post-it note so you can post it on your monitor or keyboard.

A good example of a password that's secure is "9HappyMooseDancing?" with a question mark. We have a long password, much longer than 15 characters, it uses upper case, lower case, a special character, and a number, and it's also comprised of multiple words.

But more importantly, it's going to be easy to remember. Every time you go to use this password, you're going to see 9HappyMooseDancing in your head, and that's going to be a very easy reminder of exactly what that password is going to be. So, please try and use these strategies for picking your next password.

That's it for this week's Whiteboard Wednesday. We'll talk to you next week. 
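The following checker is an added illustration of the three rules in the talk; it is not Rapid7's or Jay Radcliffe's code. It undoes the character substitutions a cracker's mangling rules try (so "butt3rf!y" is recognised as the single word "butterfly"), counts the words in a passphrase, applies the 15-character and multi-word rules (at least three words, matching the example on the page), and gives a rough cracking-time estimate. The ten-word wordlist, the substitution table, the 10^10 guesses-per-second rate, and the 10^7-word by 10^4-rule attacker dictionary are all constructed assumptions, not measured figures.

```python
import itertools
import re

# Constructed toy wordlist; a real attacker's list holds millions of entries (assumption).
WORDLIST = {"butterfly", "banana", "password", "happy", "moose", "dancing",
            "sunshine", "dragon", "welcome", "monkey"}

# Substitutions that cracking rules undo. Ambiguous ones map to several letters.
LEET = {"3": "e", "!": "il", "1": "il", "|": "il", "0": "o", "@": "a",
        "$": "s", "4": "a", "5": "s", "7": "t"}

# "Billions of guesses a second": assumed rate for a fast, unsalted hash on a GPU rig.
GUESSES_PER_SECOND = 10**10
# Assumed size of an attacker's wordlist and of the mangling-rule set applied to each word.
ATTACKER_WORDLIST = 10**7
MANGLING_RULES = 10**4
MIN_LENGTH = 15   # from the talk: longer than 15 characters
MIN_WORDS = 3     # the page's example has three words; treat fewer as weak (assumption)


def unleet_variants(pw, limit=256):
    """Yield the plain spellings a cracker's rules would try for pw (bounded)."""
    choices = [LEET.get(c, c) for c in pw.lower()]
    for n, combo in enumerate(itertools.product(*choices)):
        if n >= limit:
            break
        yield "".join(combo)


def single_word_base(pw):
    """Return the dictionary word pw is a mangled form of, or None."""
    for variant in unleet_variants(pw):
        letters = re.sub(r"[^a-z]", "", variant)
        if letters in WORDLIST:
            return letters
    return None


def count_words(pw):
    """Count words by splitting on case changes and non-letter boundaries."""
    parts = re.findall(r"[A-Z]?[a-z]+|[A-Z]+(?![a-z])", pw)
    return sum(1 for p in parts if len(p) >= 3)


def charset_size(pw):
    """Size of the alphabet a brute-force search would have to cover."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33  # printable ASCII punctuation
    return size


def crack_seconds(pw):
    """Rough offline-cracking estimate in seconds.

    A password built on one dictionary word costs the attacker at most a
    wordlist pass times the rule set; otherwise the estimate is a full
    brute-force search. The smaller of the two is what an attacker would do.
    """
    brute = charset_size(pw) ** len(pw) / GUESSES_PER_SECOND
    if single_word_base(pw):
        dictionary = ATTACKER_WORDLIST * MANGLING_RULES / GUESSES_PER_SECOND
        return min(dictionary, brute)
    return brute


def evaluate(pw):
    """Apply the talk's rules and return (ok, list_of_problems)."""
    problems = []
    base = single_word_base(pw)
    if base:
        problems.append(f"built on the single word '{base}'; substitutions do not help")
    if len(pw) < MIN_LENGTH:
        problems.append(f"only {len(pw)} characters, shorter than {MIN_LENGTH}")
    if count_words(pw) < MIN_WORDS:
        problems.append(f"fewer than {MIN_WORDS} words")
    return (not problems, problems)


if __name__ == "__main__":
    for candidate in ("butterfly", "butt3rf!y", "banana", "9HappyMooseDancing?"):
        ok, problems = evaluate(candidate)
        print(f"{candidate!r}: {'OK' if ok else 'weak'}, "
              f"~{crack_seconds(candidate):.3g} s to crack", problems)
```

The point the estimate makes is that "butt3rf!y" looks like a multi-day brute-force job on character classes alone, but a rule-based dictionary attack reaches it in seconds, which is why the substitutions buy nothing. The brute-force figure for the passphrase is an upper bound: crackers also run combinator attacks that join dictionary words, so words drawn from a short list are worth less than their character count suggests, and a password manager generating random passphrases sidesteps the question entirely.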
