top of page

Constructing strong passwords

Updated: Sep 6, 2022

Dr Craig Valli and Dr Ian Martinus

Constructing strong passwords is relatively easy to do but something that is generally not explicitly taught or explained, so here goes.

What makes a strong usable password?

  1. Complexity – the more entropy/randomness the better

  2. Length – longer the better

  3. Something that is easy for the owner to remember/recall/retrieve


The concept of complexity is where it gets somewhat silly. Complexity is a weapon against humans ability to remember a sequence characters e.g thisisapassword123 which is 16 characters long can be easily remembered but ihti2ssro3wda1pa is somewhat more difficult to remember, this prevents a common attack called shoulder surfing when someone stands off and reads the password as its entered either on the screen or looking at keystrokes. It is also a weapon against dictionary based attacks where cyber criminals will break passwords by testing the password against dictionary words and known patterns and combinations of same an all too common one found in password audits is password1 or password(insert favourite number) e.g password4 or for the more witty password666. All very bad choices because they lack complexity.

Back to thisisapassword123 it can be improved by some randomness and some special charactersThisiz!Apasswerd123? what has also occurred is a growth in length…good


Password length matters you should always use a password that is as long as possible i.e if it allows for 64 character passwords then use a 64 character password! First word of caution some older system what we call legacy systems use a maximum of 8 characters only…yep they still exist. If you have a system like this then you are strongly advised to replace or upgrade it with a more robust system that has a longer password length. We will cover other countermeasures for these systems that can not be replaced in later guides. So why does length matter…well maths really and we will explain this at simple level if you have

1 character you have just with alpha lower abcde…26 choices or alpha upper ABCDE…26 choices…. 52 choices or a 1 in 52 chance of guessing the correct password if you have 2 characters

2 character you have 1 in 52 and 1 in 52 or 1 ~ 2600 chance

An eight-character password using only lowercase and uppercase characters has around 100 billion possible combinations. Which seems like a lot of combinations and if you were writing them out as a penance it would take a while, but we use computers and a good gaming computer with a high end GPU these days would be capable of cracking passwords at around a 1 billion a second so about 3-5 minutes per password.

If we tweak that to 9 characters and mix it up (complexity) and we use (2 uppercase letters, 3 lowercase letters, 2 numbers, 2 special characters) we get 949 or 572,994,802,228,616,704 combinations or a maximum of 18 years (1 billion keys a second) to completely calculate all the combinations referred to as a keyspace. The reality is that it could terminate before then but you start to see why length is important. It fast becomes what we call infeasible currently to attempt it once the length is 40 plus.

Something that is easy for the owner to remember/recall/retrieve

Some of you could say it is sort of a moot point if you have read the other two sections. But wait! You can create complex passwords through using readily re-callable context based passwords that you construct. For example:

“My name is Craig I am 57 and work at safe n secure cyber”

so you can get “MniCIa5awasnsc” 1st character of each word/number 14 characters long

to get “MynaisCrIam57anwo@sansecy” 2 characters of each word/number plus add a “special” replacing at with @ which is now 27 characters long and complex.

The other way is to have a book, a novel, a bible and use a method to identify by page and paragraph and do the same techniques. Just do not use a highlighter pen on the pages to mark the password string.

The other is retrieve a password we do not recommend you maintain a document or spreadsheet on your PCs hard drive. We recommend you use a password manager we use LastPass. There are now also competent secure password managers in good mainstream browsers e.g Firefox, Chrome. There are some pro and cons with using Password Managers but we believe the pros far outweigh the cons for most users.

Pros Generates good strong passwords

Easy to retrieve

They are typically expert in security of their apps/features

You can back up all your passwords securely

Typically have functions that prevent weak passwords and audits your passwords

The free ones are good enough for most users

Cons You are trusting someone else to secure your password list

Single point of failure (use a bad password and your passwords are all compromised in the one place)

Not all of them have enterprise management functionality

Some do not work seamlessly on all systems

Test your passwords

You should test one of your password proxies….yep do not use your real one, but we do suspect that a lot of you will most probably change your real ones after using this

See if your accounts and password have been exposed in cyber breaches is the website to test at (made in Australia btw). You just put in your known email addresses and hold your breath. If you are “pwned” then you need to change that password on the identified account immediately why because the bad actors already have it people. Likewise if its your “go to” or “smeagol” password then you need to change it on your other accounts and please use a different password for each account.

31 views0 comments


bottom of page