Choosing a Good and Strong Password

June 12th, 2011 by Tony de Jesus

Your password is what proves to the system that you are who you say you are. It’s like a key that opens the door to your account, computer, etc. and exposes all your data. You can’t log in to your email, Twitter, Facebook or similar account without your password. Until we can do retina scans like in James Bond movies, passwords are the only choice. Anyone who knows your password can pretend to be you, so we need to be very careful with the passwords we choose. In this post I’ll show you a way to do this.

How NOT to Choose a Password

Here are some of the types of passwords that password crackers will guess quickly:

  • Common words.
  • Words in any dictionary.
  • Your user name.
  • Anyone’s name (remember that crackers don’t need to know that your first teacher’s name is Claire, or that your dog’s name is Bobby; it’s easy enough to get a list of 100,000 names and try each one).
  • Stuff like ‘123456’ or ‘asdf’ or even ‘qwerty’.

How to Choose a Good Password

Choosing a good password is not an easy task. We need a strong password that is really difficult to crack, but we also need to remember it every time we use it. One simple technique to achieve this is to think of a phrase that we won’t forget. For example:

The best football club ever is Barcelona FC

Now, pick the first 2 letters of each word:

Th be fo cl ev is Ba

Here we have a good password, with upper-case and lower-case letters. If we want to complicate it a little more, we can replace some letters with numbers. For example, replacing all A’s with 4’s, E’s with 3’s, I’s with 1’s and O’s with 0’s, we get:

Th b3 f0 c1 3v 1s B4

And here we are: an apparently randomly generated password that was actually generated from an easy-to-remember phrase. I’d really like to know how long it would take a cracker to guess this one. You can complicate it further by replacing the spaces alternately with commas (,) and dots (.), or with other characters that only you know. The point is to remember the phrase and the method (algorithm) used to generate the final password.
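As an added example (not part of the original post), here is the recipe above as code: the first two letters of each word, the letter-to-digit substitutions, the alternating separators, and the "How NOT to" checks from the earlier list run on the result. The word list and user name are constructed sample data; note that the post's own example drops the trailing "FC" and writes "cl" as "c1", which the stated A/E/I/O rule does not produce, so the function below follows the stated rule.

```python
# Added example, not from the original post: the passphrase recipe from the
# section above as code, plus the "How NOT to" checks run on the result.
# The word list and user name are constructed sample data.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0"}   # substitutions from the post
TRIVIAL = {"123456", "asdf", "qwerty"}            # sequences from the post's list
SAMPLE_WORDLIST = {"password", "football", "barcelona", "claire", "bobby"}  # constructed

def derive_password(phrase, leet=True, separators=None):
    """First two letters of every word, optional letter-to-digit substitution,
    and words joined with the given separators used in turn ("," then "."
    for separators=",."); separators=None keeps the spaces as in the post."""
    pieces = [word[:2] for word in phrase.split()]
    if leet:
        pieces = ["".join(LEET.get(c.lower(), c) for c in p) for p in pieces]
    if not separators or len(pieces) < 2:
        return " ".join(pieces)
    out = pieces[0]
    for n, piece in enumerate(pieces[1:]):
        out += separators[n % len(separators)] + piece
    return out

def weak_reasons(password, username, wordlist=SAMPLE_WORDLIST):
    """Reasons a candidate falls into the post's 'How NOT to' list; an empty
    list means none of these cheap checks fired (it does not prove strength)."""
    low = password.lower()
    reasons = []
    if low in wordlist:
        reasons.append("word from a dictionary or name list")
    if low == username.lower():
        reasons.append("same as the user name")
    if low in TRIVIAL:
        reasons.append("trivial keyboard or number sequence")
    if low.isalpha() and password == low:
        reasons.append("lower-case letters only")
    return reasons

if __name__ == "__main__":
    phrase = "The best football club ever is Barcelona"
    for candidate in (derive_password(phrase, leet=False), derive_password(phrase),
                      derive_password(phrase, separators=",."), "football"):
        print(f"{candidate!r:28} weak: {weak_reasons(candidate, 'tony') or 'no'}")
```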

Bonus: PHP function to generate random passwords

I’ve written this small function in PHP to generate random passwords. It takes two arguments: the length and the strength of the password.

Attention: this function was not written to generate easy-to-remember passwords. The result is totally random, and it is up to you to find a way to remember the generated password.

<?php
/**
 * Function to generate a random password
 * @param int $length the length of the password
 * @param int $strength the strength of the password (how difficult it will be). Min=0, Max=3
 * @return string the generated password
 */
function generatePassword($length=6, $strength=0){
     // The set of characters that will be included in our password
     // By default, only lower-case letters.
     $characterSet = 'abcdefghijklmnopqrstuvwxyz';

     // Test the value of the strength argument. The cases deliberately fall
     // through (no break), so each level adds the sets of the levels below it.
     switch($strength){
          case 3:
               $characterSet .= ',.;[]{}_';
          case 2:
               $characterSet .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
          case 1:
               $characterSet .= '1234567890';
     }

     $maxIndex = strlen($characterSet) - 1;
     $password = '';
     // Get random characters from the $characterSet.
     // Note: rand() is not a cryptographically secure generator; on PHP 7
     // and later, random_int(0, $maxIndex) is the safer choice here.
     for($i = 1; $i <= $length; $i++){
          $randomIndex = rand(0, $maxIndex);
          $password .= substr($characterSet, $randomIndex, 1);
     }

     return $password;
}

// This will generate a weak random password with 6 characters
echo generatePassword(6);
// examples of generated passwords:
// ofqkyu
// wvgosw
// eqfxlx

// This will generate a strong random password with 8 characters
echo generatePassword(8, 3);
// examples of generated passwords:
// [AWy7GL{
// 8NOFfe_s
// QifMRu3g

So, what do you think? Is this method of generating passwords good enough, or do you know a better one? What about the function? Share your thoughts in the comments section.
