Best practices for creating and managing passwords, supplementing the article at:

• Website security: what to do after your site is hacked, and how to prevent it from happening again

Best practices for website passwords (and all passwords)

Published reports, and my own experience, are the same: Most people use terrible passwords, even if they think they use good ones. Three reasons people use terrible passwords:

1. They fail to recognize the high value of the data that their passwords are protecting. 
2. They are not aware how many other people want that data, and how determined they are to get it. 
3. They underestimate the sophistication of password hackers and how fast their methods are.

Therefore, to most people, passwords are a nuisance, something that gets in the way of easily reaching desired destinations and doing desired activities. But your passwords are the only things preventing other people from going to those same destinations and doing those same activities AS YOU! 

1. Your website, no matter how small it is, is a valuable resource for anybody who can crack their way into it. Your passwords are the only thing protecting it from complete destruction. If someone succeeds at logging in as you, they will do anything they want to your site, and they are not going to be polite about it. 
    
2. If you have a PayPal or other online banking account, your password is the only thing preventing someone else from logging in as you and stealing all your money. 
    
3. If you use an online email service like Yahoo, Gmail, or Hotmail, your password is the only thing blocking someone else from reading all your mail, sending mail as you to people you know (or not), registering memberships in your name at places you'd never want to be associated with, or going to websites where you are a member, pretending that you "forgot your password", and having the password emailed to you -- except that because they can read your mail, it's being emailed to them.  

To a website or other online service, "you" are not a person, but a data connection, a source from which it receives commands and whatever else you type. A hacker is also a data connection, just like you. The ONLY difference between you and the hacker is that you know your password and the hacker doesn't. To the remote computer, a hacker who does know your password is you. They can do anything, absolutely anything, that you can do with your account.

Considering the personal disasters that can result from a cracked password, shouldn't you want to know the best way to create and manage your passwords to prevent those things from happening to you? 

What follows is a list of password rules and explanations for them, to help you create unbreakable passwords and manage them safely. Although some of the comments are directed at webmasters managing website passwords, the same principles apply to everyone whose logins need serious protection, which is everyone.

1) Always use strong (long, random) passwords

A strong password has at least 8 characters for unimportant purposes and at least 12 for any important purpose, and it looks like these:

Any password that does not fit the above description is no good. It does not adequately protect the information it is supposed to protect.

What makes the above password examples good? 

1. Even if a hacker knows absolutely everything there is to know about you, it will not do them one bit of good. These passwords are not based on anything that anybody could ever discover about you. They are meaningless random strings of characters. 
    
2. They are long enough that it would take a fast computer many years to crack them, and no shortcuts will work. The only possible method is by "brute force", trying billions of passwords in the hope of finding the correct one before the hacker dies of old age or the sun goes supernova or the universe collapses into the next Big Crunch. Well, OK, I've already mentioned that 8-character passwords are marginal, and the rest of them are not quite that strong, but you don't have to limit yourself to 12 characters. It is possible to make your passwords that strong, and what could be nicer than a password that you don't have to change for a billion years? You might even be able to memorize it!  

What makes other types of passwords bad? 

The biggest mistake most people make is to use "dictionary words" (real words that are in dictionaries) in their passwords. The problem is that it only takes a hacker about 250,000 tries to run through every word in the English language, and doing that is usually one of the first steps in a password cracking attack. Trying to choose an "obscure" word is pointless. They'll try them all, anyway. And adding one or a few digits to make it "stronger" doesn't help much. The hackers know that trick, and it doesn't take a lot of extra effort to try all those possibilities. Then they go for popular combinations of words, and more. They don't type these passwords themselves. They program computers to do the attack.  

If your password is a strong (long, random) one, it will survive all these attacks. At that point, there is a very good chance that the hacker will give up and move on to an easier target because the next step is a brute force attack, trying all the remaining character sequences, the random ones, which is a poor use of their time because there are lots of easier targets.

The main point is that you can use the available ASCII characters to build billions of times more non-words (random strings) than the tiny percentage of strings that are real words or combinations of them, and your password needs to be outside that tiny percentage, as one of the other billions possible. 

Simulating a dictionary attack: How fast can a computer do something 250,000 times? Click Start to find out: 

Let's give it a more challenging task, updating the value displayed in a text box. Because this does take longer, we'll limit the count to 1,000. [Note: This test runs too fast in Internet Explorer because it doesn't continuously update the value. Firefox does. Haven't tested other browsers.]

 

Another common mistake that people make is to build a password from information that other people might know or be able to find out about them. This is mostly only a problem in the less common situation where a hacker chooses you to be the target of their attack because of who you are, such as if you are a celebrity, or have a lot of money, or are an employee at a company (or government) where they think espionage will pay off for them if they can get into your account. In this case, they'll program their computers to build prospective passwords from any bits of information they can find out about you. 

Even in the more common random attacks, personal information can make your password weaker just because it usually consists of dictionary words rather than random character sequences.

Password strength is top priority because the #1 threat to your website is internet attackers

There are thousands of them, and they will damage your website if they get in. That is why you must use strong uncrackable passwords. You must keep them out. The strength of a password must be the first consideration, the top priority. Whatever other issues or inconveniences result from your having to use a strong password can then be dealt with -- somehow -- but not by compromising the password strength!  

Remembering a strong password is difficult at first. Write it down so you don't forget it.

Many people have heard that passwords should never be written down, but that rule was for U.S. government employees who had to protect secret information from spies rummaging through their desks. You don't have to be concerned about that (I hope). 

• It is a huge security risk, with a high probability that somebody will exploit it, to use a weak password because you're afraid of writing it down and a weak password is the only kind you can memorize.
   
• It is a trivial security risk to write down your strong password. Yes, it's possible someone else might see it, but, seriously, how many of the people around you would actually use it maliciously? How many would even know what it is? Protect the piece of paper with whatever precautions are reasonable for your situation. If really necessary, you can write passwords in such a way that no one will know what they are: make them the first letters of a grocery list, or a personal letter or memo. If you have a password that you must carry into insecure environments, you probably don't need to remind yourself which account or website it's for, so don't write that part down. 

Try to keep your UserNames/UserIDs secret, too

Your UserName or UserID is the other piece of information someone needs to log in as you. Even though it is rarely as cryptic as a password (although for extra security, you could make it so), keep it as secret as possible. If you are a webmaster, don't post your cPanel UserID in forum messages, as some people do.

2) Use a different password for every purpose

Although this section speaks to webmasters, the same principle applies to everybody: Never use the same password in more than one place. If someone manages to crack your Facebook password, you don't want them running over to your banking website and discovering that it works there, too! 

The passwords you use for cPanel/FTP, password protection of folders, database connections, each of your email accounts, and your helpdesk login at your webhost should all be different. Never use a password in more than one login location.

If hackers can get a password from one location (such as an email account), they will test it to see if it will also work somewhere else (such as cPanel, FTP, and even your bank's website, if they know it). This is because so many people use a single password in more than one place. If you use different ones, someone who obtains one of your passwords will only get into one place and will still be locked out of all the others.

Not all your passwords are stored in equally secure locations and formats. Some of them are easier to get than others. Your cPanel password, for example, is normally extremely secure. It is not even stored anywhere in your website files. But if you use the same password for your database connections, it's exposed in plain text in your PHP scripts. If a glitch or misconfiguration on your server causes PHP to stop working, your site could start writing your cPanel password on the pages it sends out. Email account passwords are stored in website files, too. They are encrypted, but someone who gets the files can easily decrypt them offline where it goes much faster. If you use the same password everywhere, it's only as secure as the least secure place where it's stored. 

3) When given a default password, always change it

Anytime you install software that comes with a pre-assigned default password for admin login or for database access (or anything else), the first thing you should do is figure out how to change the passwords, and do it.

4) Only give your password to people who absolutely must have it

If you give someone temporary password access, change the password as soon as their work is finished, no matter how much you trust them. Even if they are completely trustworthy, their PC could get a virus sometime later, and it could steal your password from where it is stored on their PC. You are safer if that password will no longer work.

Summary

1. Use strong (long, random) passwords.
2. Use a different password for every purpose.
3. When you are given an easy, "default", password for something, change it.
4. Only give your password to people who must have it. Change it when their work is done.
5. If your current passwords are weak, go change them now.
6. If you need practice with strong passwords, see below.

Other resources

• There is more about password security and how to create strong ones at Microsoft.
• There is more information about strong passwords at Wikipedia.
• A Wired article, Secure Passwords Keep You Safer, describes how a dictionary attack works.
• Questions, comments, and suggestions are welcome in the discussion forum. 

Strong Password Typing Practice

When you first start using strong passwords, they look strange and unfamiliar. That doesn't only make them difficult to remember. Most people even have trouble typing them accurately. The good news is that the more you work with them, the easier it gets to type them correctly and even to memorize them. That's not only true for a single password, which you will of course memorize eventually from using it many times, but for strong passwords in general. After they stop looking so strange and unnatural, the mental block that most people have against them disappears. Long random passwords become something that you simply know how to work with comfortably.

This online calculator is for password practice in an atmosphere where it doesn't matter whether you get it right or not, or how many tries it takes.

1. Generate a random password.
2. Type the password into one of the two input boxes and click Submit.
3. The Result boxes show whether you typed it correctly.
4. Repeat to prove to yourself that it gets easier with practice.

Where to generate strong passwords

Although the above password generator can be used to generate passwords for actual use, its generation method is not particularly good, and the method is revealed in the source code of this webpage, which could make its character sequence predictable.

Another flaw is that although it does correctly enforce a "password policy" that the generated password must contain at least 1 of each character type (upper case letter, lower case letter, digit, and punctuation if that option was requested), it can still generate dictionary words (or other too-easy sequences) by accident, and it doesn't know how to filter those out. If the password contains a dictionary word, don't use it.

The two best places that I know and trust for generating strong passwords are:

1) Gibson Research Corporation GRC High Security Password Generator

The GRC Ultra High Security Password Generator is excellent, the best, for generating strong passwords for any purpose.

With each page refresh, the site generates 3 strings of random passwords.

• Row 1 (the top row) is only for a special purpose and should NOT be used for general password creation. These passwords are very weak.
• Row 2 is the strongest and best, but not all places that require a password accept punctuation.
• Row 3 without punctuation is strong and acceptable everywhere, and is therefore the most usable.

2) cPanel Password Generator

cPanel now includes a good password generator for changing your website password. It can be used, although it's inconvenient, for generating passwords for other purposes.

1. In your cPanel, click the Change Password icon.
2. Click Password Generator. In recent versions of cPanel, there will be a popup box with a password in it. Click Advanced Options to see more generation options. If you're creating the password for something other than changing your cPanel password, copy the password and click Cancel. Your cPanel password doesn't get changed unless you click the "Change Password" button, after filling in all the other boxes, too.
3. If you're registering at a forum somewhere, and have nothing important stored there except maybe your email address, you can use 8 characters, but for any important purpose, and especially your website admins, 8 is not enough.

Other notes

• A 12-character password with upper/lower/digit/puncutation is approximately equivalent in strength to a 14-character password with only upper/lower/digit, so if you omit the punctuation characters, add the extra length to compensate.