Too many sites have byzantine requirements for passwords that don't actually make them much more secure. Some sites require you to change your password regularly, which probably has more drawbacks than benefits. Below, I will give you a couple of ways to generate a good password. However, it turns out that how you manage your passwords is perhaps more important than the choice of the password itself. As long as your password isn't too short (at least 8 letters, and preferably 12 or more) and isn't a dictionary word, a common proper name, or a common pattern like "password123", it is less likely to be guessed than to be lost in some other way.
If a password isn't leaked outright, there are a few general ways it can be guessed: a dictionary attack, using personal information, and brute-force cracking. Dictionary attacks and brute-force cracking usually require offline access to a stolen password database. A well-designed password database doesn't store your password at all, only a salted hash of it computed with a deliberately slow algorithm (bcrypt, scrypt, or Argon2), so attackers can't just read it off if the database leaks. In both of these cases, the attacker then hashes lots of candidate passwords to see whether any of them match the stored hash. These attacks can also be run over the net against the login form, but the large number of attempts needed tends to trip rate limits, account lockouts, and security monitoring.
A dictionary attack is where the attacker tries words from a list against the password. There are far fewer six-to-twelve-letter words than there are combinations of 12 random letters, so if your password is a word in the dictionary, it's easy to guess. Even if you substitute numbers and symbols for some letters, using "p@ssw0rd" instead of "password", that is also easy to guess: password-cracking tools ship with rule sets that try all the common substitutions. A good password should not be a dictionary word, and ideally should be randomly generated.
Attacks that use personal information are more, er, personal. Bad passwords include any word that is connected to you somehow: your birthdate, the names of your kids, the city where you were born, etc. All of these things can be guessed automatically by scraping information about you from the web. If somebody is targeting you personally, they might try other things they know about you: your favorite color, the name of your first pet, etc. Even if you substitute numbers and symbols for letters (so that the name Robert becomes R0ber+), these passwords are not very secure.
A brute-force attack is like a dictionary attack, only here the cracker is not assuming that the password is a word or a name or something intelligible; it could really be a random collection of letters or words. For, say, an eight-letter password, a computer tries every single combination of eight letters to see if it works. That amounts to 26⁸, or about 200 billion, different passwords, even if the password is only lower-case letters. While 200 billion sounds like a lot to you and me, it's not as much to a computer nowadays as you might think. When evaluating the strength of a password against a brute-force attack, people often talk about "bits of entropy": the base-2 logarithm of the number of equally likely passwords. More bits of entropy means more tries, on average, somebody will have to make before stumbling across your password. Eight lowercase letters, assuming they're chosen completely randomly, have about 37.6 bits of entropy (8 × log₂ 26).
How many bits of entropy is enough? More is always better, of course, but passwords become more cumbersome the longer they get. Adding even one bit of entropy approximately doubles the time it takes to crack your password. It makes a big difference whether your password is attacked online, through the login form, or whether the attacker has a copy of the password hash on their own computer. In the former case, 37 bits of entropy is almost certainly sufficient, since the network and any rate limiting cap the attacker at a few guesses per second. In the latter case, it depends a lot on the hash algorithm the site used: with a fast hash such as MD5 or SHA-1, somebody who knew what they were doing with a standard high-end graphics card could exhaust 37 bits in seconds to minutes, whereas a deliberately slow hash such as bcrypt or Argon2 stretches the same search to days or longer. If you want to be secure against people who are really serious about cracking your password, you probably need 100-200 bits of entropy. However, such passwords are impractical (do you want to memorize a random string of 40 or more letters?). Myself, I tend to aim for around 60 bits of entropy in my passwords.
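To make the entropy arithmetic concrete, here is a small calculator I've added for this page (it is not the page's own generator code). It computes the keyspace and entropy for a character- or word-based password and turns that into an expected crack time for a few attack scenarios. The guess rates in GUESS_RATES are my own rough assumptions for illustration, not measurements; real figures vary widely with hardware and hash algorithm.

```python
import math

# Constructed guess rates (guesses per second) for illustration only; these are
# assumptions, and real figures vary widely with hardware and hash algorithm.
GUESS_RATES = {
    "online login form (rate-limited)": 10.0,
    "offline, slow hash (bcrypt/Argon2)": 1e5,
    "offline, fast hash (MD5/SHA-1), one GPU": 1e10,
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of `length` symbols from an alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly and independently.

    Works for characters (alphabet_size = 26 for lowercase letters) and for
    words (alphabet_size = number of words in the list)."""
    return length * math.log2(alphabet_size)


def expected_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to find a uniformly random secret with `bits` of entropy.

    On average the attacker searches half the space before hitting it, so
    each extra bit doubles the expected time."""
    return 2.0 ** bits / 2.0 / guesses_per_second


def human_time(seconds: float) -> str:
    """Render a duration in the largest unit that gives a value >= 1."""
    for name, size in (("years", 365.25 * 86400), ("days", 86400.0),
                       ("hours", 3600.0), ("minutes", 60.0)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"


def crack_time_report(bits: float, rates=GUESS_RATES) -> dict:
    """Expected crack time for each attack scenario, keyed by scenario name."""
    return {name: human_time(expected_seconds(bits, rate))
            for name, rate in rates.items()}


if __name__ == "__main__":
    cases = (("8 random lowercase letters", entropy_bits(26, 8)),
             ("4 words from a 2,048-word list", entropy_bits(2048, 4)),
             ("4 words from a 32,768-word list", entropy_bits(32768, 4)))
    for label, bits in cases:
        print(f"{label}: {bits:.1f} bits")
        for scenario, t in crack_time_report(bits).items():
            print(f"  {scenario:42s} {t}")
```

Running it shows the asymmetry the text describes: the same 37.6-bit password survives centuries against a rate-limited login form but only seconds against a fast offline hash, while 60 bits pushes even the GPU case past a year.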
How you handle your passwords is more important than what the password is. You should do all of the following:
Don't use the same password twice. This is the biggest mistake most people make: they use the same password everywhere. The problem is that there are security breaches all the time. Databases of passwords get leaked. If you've used a password in a leaked database, and it's associated with your email address, then bad actors will try your email address and that password at all other sites (this is called credential stuffing). You can avoid this problem by using different passwords everywhere.
This can get a little overwhelming, especially now that so many websites ask you to register for an account before you can read or post anything. What I do is have one "throwaway" password I use on all sites where it's not that big a deal if all of those accounts are compromised. However, for your bank, for your email, for any login at work, for anything you've paid money for, and for anything that could cause serious embarrassment if your account was hacked (this would include all social media), you should use a different password for every site.
Never send your password through email or text or other open communication. Having your password sit on an email server provides another place where a security breach may release it to the world. If you must email a password, learn how to use cryptography software and send the password encrypted. (Sadly, although good solutions for encrypted email exist, they've never received wide adoption, likely in part because government and law enforcement always push objections and raise fears of terrorists and the like.)
Don't tell other people your password. If the system administrator of your bank (or any other place you have an account) asks for your password, don't give it to them. They don't need it. (If they do, they've designed their system very poorly.) They can do the superuser things they need to do without having to have your password.
Writing your password down might be OK. This depends on the password. Don't leave your work password on a sticky-note on your work computer; then anybody who comes to your desk can log into your account. However, if you keep a notebook at home where you record your logins to various online accounts, this is actually not as big a deal as it might seem. (Just be prepared to change all of them if you lose the notebook or if your house gets robbed.) However, there's a better solution:
Consider using a password safe application. There are applications that store all your passwords encrypted. That way, you only have to remember one password: the one you used to encrypt your list of passwords. These applications generally let you copy and paste the password into your web browser, or wherever you need it. This lets you use a completely different, completely unrememberable password for every account. Store it in your password safe, and, whatever you do, don't forget the password you use to unlock that password safe. You can find lots of password safe applications out there, but one I recommend is the cross-platform open-source KeePass. You can run it on any operating system, and share the password safe file between devices. (Personally, I just use an encrypted text file, but the principle is the same.)
A dictionary attack works because a word chosen at random from a dictionary of around 32,000 words has only about 15 bits of entropy (2¹⁵ is 32,768). However, if you choose four random words from such a list, you're up to 60 bits of entropy. This method of creating passwords was popularized by Randall Munroe in his "correct horse battery staple" XKCD comic. (Note that he lists 44 bits of entropy, whereas I list 60. The difference? He's assuming a list of about 2,000 "common" words, 11 bits per word, which are easier to remember. I'm randomly choosing words between 4 and 8 letters without requiring that they be common.)
Here's the catch: for this password to be good, the words have to be truly random. If you just think up four words yourself, you get many fewer bits of entropy than you would with random words. People tend to think of certain words together, and sophisticated password crackers take advantage of this to reduce the number of word combinations they have to try. How do you generate random words? With a computer, using a cryptographically secure random number generator to pick them from a word list. Click the button below to generate a "four random word" password.
[Four-random-words generator controls: words between (minimum) and (maximum) letters; option to include words that start with a capital letter (proper names, etc.).]
These sorts of passwords are harder to remember than "random words" passwords, but they require less typing. Again, the password is better if the characters are truly random, and letters you think up out of your head won't be.
[Random-characters generator controls: number of random letters; include capital letters?; include numbers?; include random symbols? (Symbols used: !@#$%^&*()_-+=:;,.<>/?~{}[]|)]
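For readers who want the same two generators as a script, here is an added example of my own, not the page's generator code. It implements both the "four random words" and the "random characters" methods, taking its picks from Python's secrets module (the operating system's cryptographically secure generator) rather than random.choice, which is the "truly random" requirement both sections insist on. The SYMBOLS string is the page's own symbol set; SAMPLE_WORDS is a constructed stand-in for a real dictionary file and is far too small for real use, which the entropy figure it prints makes obvious.

```python
import math
import secrets
import string

# Symbol set from the page's random-characters generator (28 characters).
SYMBOLS = "!@#$%^&*()_-+=:;,.<>/?~{}[]|"

# Constructed stand-in for a real word file such as /usr/share/dict/words.
# A real list of ~32,000 words gives about 15 bits per word; this tiny list
# exists only to keep the example self-contained and gives almost no entropy.
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "garden", "tundra", "violin",
    "quartz", "Robert", "paris", "lantern", "midnight", "cobalt", "orbit",
    "fjord", "zephyr", "encyclopedia", "ox",
]


def filter_words(words, min_len=4, max_len=8, allow_capitalized=False):
    """Apply the generator's filters: alphabetic only, length bounds, and by
    default drop words that start with a capital letter (proper names)."""
    kept = set()
    for w in words:
        w = w.strip()
        if not w.isalpha() or not (min_len <= len(w) <= max_len):
            continue
        if not allow_capitalized and w[0].isupper():
            continue
        kept.add(w)
    return sorted(kept)


def entropy_bits(pool_size, count):
    """Entropy of `count` independent uniform picks from a pool of `pool_size`."""
    return count * math.log2(pool_size)


def random_words_password(words, count=4, sep=" "):
    """Four-random-words password. secrets.choice draws from the OS CSPRNG;
    random.choice (Mersenne Twister) is predictable and must not be used."""
    if len(words) < 2:
        raise ValueError("word list too small to draw from")
    return sep.join(secrets.choice(words) for _ in range(count))


def char_alphabet(capitals=True, digits=True, symbols=True):
    """Character pool for the random-characters generator, per its options."""
    alphabet = string.ascii_lowercase
    if capitals:
        alphabet += string.ascii_uppercase
    if digits:
        alphabet += string.digits
    if symbols:
        alphabet += SYMBOLS
    return alphabet


def random_chars_password(length=12, capitals=True, digits=True, symbols=True):
    """Random-characters password drawn uniformly from the selected pool."""
    alphabet = char_alphabet(capitals, digits, symbols)
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    words = filter_words(SAMPLE_WORDS)
    print(random_words_password(words),
          f"({entropy_bits(len(words), 4):.1f} bits from this toy list; "
          f"{entropy_bits(32768, 4):.0f} bits from a 32,768-word list)")
    print(random_chars_password(12),
          f"({entropy_bits(len(char_alphabet()), 12):.1f} bits)")
```

With all options on, the character pool is 90 symbols, so 12 random characters give about 78 bits; lowercase only gives about 56. Swap SAMPLE_WORDS for the contents of a real word file to get the 60-bit figure the text quotes.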