An attacker who wants to break into one of your accounts manually might first try likely passwords such as your pet’s name, your anniversary, or other terms that are significant to you. If that doesn’t produce results quickly, a hacker might turn to a program that rapidly tries each of the thousands or even millions of words in a big list—a procedure known as a dictionary attack. Some dictionary attacks are quite clever, checking not only common English terms but also foreign words, common misspellings, words in which letters have been replaced by numbers or symbols (such as @ppl3 for Apple), and easy-to-type sequences of characters, such as poiuytre.
If that doesn’t work, and if someone has the time and motivation, the next step would be a brute-force attack. In this type of attack, a computer program tries every possible combination of characters until the password is found, although current technology puts practical limits on the extent of such attacks.
When you create a new password, the trick is to come up with something that a dictionary attack could never discover, and to make the password long enough and complex enough that even a brute-force attack couldn’t succeed because it would require too much time and processing power. Here’s how:
Make them long
Passwords become exponentially harder to crack with each character you add, so longer passwords are much better than shorter ones. A brute-force attack can easily defeat a password with seven or fewer characters. Your mandatory minimum should be eight characters. Even then, you need to make those eight characters count: a randomly generated eight-character password using letters, numbers, and symbols (for example, h7%R9#jA) is vastly more secure than an ordinary eight-letter word such as licenses. You’ll get the best protection from a random password of at least 11 characters or a non-random password of at least 17 characters (make sure that the password is not discoverable in any dictionary).
Start with a sentence
True mathematical randomness is hard to come by, but for a run-of-the-mill password, what counts is that a computer couldn’t discern obvious or personal patterns in it. One common way to create a random password is to turn a sentence that you can easily remember into a password by using the first letter of each word, perhaps substituting some numbers as appropriate. The string ZTwt12potUS, as it follows no apparent pattern, might be a good choice. But it’s still quite memorable because I derived it from the sentence “Zachary Taylor was the twelfth president of the United States.”
Spell out a sentence
Systems vary as to the maximum password length they permit, but in cases where you have a large maximum, such as 32 or more characters, you can use an entire sentence. Because spaces, apostrophes, and quotation marks sometimes confuse computers when used in passwords, leave out those items—but keep other punctuation (such as a period), and include at least one digit for extra security. For example, Mymotherwas30yearsoldwhenIwasborn. and IwasinNewYorkonDecember31,2000. are splendid passwords.
Mix and match
Even though words, names, and dates someone might associate with you make poor passwords, you can produce much stronger passwords by combining several terms in unexpected ways. For example, if you combined your first pet’s name, the last four digits of your phone number when you were growing up, and your high-school mascot, you might get something like Fluffy3057Bears. Any one of those terms alone might be guessable, but the combination probably won’t be if it’s long enough.
Try a password generator
Password Assistant is an excellent password generator built into OS X. To use it, click on the key icon next to the password field in places such as Keychain Access (/Applications/Utilities), the Accounts pane of System Preferences, or the Set Master Password dialog box in the Security preference pane’s FileVault tab. If you’d rather access Password Assistant like an ordinary program, download Code Poetry’s free Password Assistant utility.
Once you access Password Assistant, you can choose a password type (such as Memorable or Letters & Numbers) from the Type pop-up menu, move the slider to determine how long the password will be, and then choose any of ten suggested passwords from the Suggestion pop-up list.
Agile Web Solutions’ outstanding $40 1Password utility ( ) includes a flexible password generator among its many features. Andrew Hedges’ free Make-A-Pass is a password generator in the form of a Dashboard widget.