Problem solve Get help with specific problems with your technologies, process and projects.

Reduce resistance to creating strong computer passwords

You've heard all about the need for strong passwords, but implementing them is easier said than done. Users often resist using complex passwords or their use results in increased help desk calls. Contributor Serdar Yegulalp provides some practical ways to implement strong passwords that foster cooperation by users.

In the beginning, there was the password and little else. Now, the presence of two-factor authentication, biometrics and other multi-faceted security measures -- often used in conjunction with passwords -- means the days of simple passwords are numbered.

Even if you're using computer passwords in conjunction with other authentication measures, that's all the more reason to make sure the passwords you allow in your organization are strong. To that end, here are some password guidelines derived from experts who set policies like this in their own organizations.

Ground rules put you on the right path

Let's start with a few basic password pointers that cut down on the most obvious password weaknesses:

  1. Never allow users to create a password that is less than eight letters. The longer the password the better, and eight letters are about the limit for what people can remember without having to write things down. For that reason, anything more than eight letters is not recommended.
  2. Never allow passwords that are dictionary words. If you set password rules, try to force the inclusion of at least one number somewhere to deter people from using such words. (There are some ways this rule can be bent, however; see the "Pre-Generated Passwords" section below.)
  3. Rotate passwords regularly whenever possible. Set a time period for passwords to expire, and do not allow a password to be re-used if you can help it. Windows has policy settings that enforce this rule. Use them.
  4. Use a sensible password-lockout policy. If you choose to lock an account after multiple failed logons, set the threshold at a sane level that will not inconvenience users but will still foil scripted break-ins. You can lock out someone for ten minutes after, say, ten failed password attempts (more than enough for even the most butterfingered user) and report any additional login failures beyond that as a way to determine if someone may be trying to systematically hack his way through.

The native Windows password-enforcement system has some limitations in terms of what it can look for, so it never hurts to get additional help if you aren't too confident with the passwords people are choosing. Anixis' Password Policy Enforcer might be able to help with that. It allows the administrator to supply custom feedback for badly chosen passwords and can even screen chosen passwords through a dictionary system to make it less likely that people will choose weak passwords.

Long mnemonics make handy cheat sheets

One of the simplest and most effective tricks I've seen for creating reasonably secure computer passwords is to use a long mnemonic. Here's how this works: Take a line from a favorite song or poem and convert it into a password by using the first letter of each word. "Ticking away the moments that make up the dull day" becomes tatmtmutdd -- maybe not easy to type at first, but relatively easy to remember, and that's what matters. For additional security, try a song lyric that has numbers in it as well -- "Sixteen vestal virgins leaving for the coast" becomes 16vvlftc.

To add even more security to this scheme, use character substitutions -- @ signs for a's, # for d's and so on. This would take tatmtmutdd above and render it as something like t@tmtmut##, a password that would not break easily under a brute-force attack.

Pre-generated passwords

Another way to prevent people from picking weak passwords is to generate passwords for them. Users can put up a lot of resistance to pre-generated passwords simply because they don't want to be assigned one that they may have trouble remembering. You can get around this problem in a couple of ways. One of them is to generate passwords from two or more existing dictionary words, and modify them in such a way that they cannot be easily guessed through a dictionary attack. This is the method adopted by a program called the Random Password Generator, which you can use to easily mass-generate passwords for users.

Another interesting solution I've seen for difficult-to-remember passwords is a system that creates passwords that resemble words in the English language but aren't actually words. They can be pronounced, since they're constructed according to statistical approximations of the way phonemes appear in English, but they don't correspond to any real English words. Tom Van Vleck has created an online Java-based generator for such passwords, and there's a standalone password generator application for both Windows and Macintosh called XYZZY, which uses the same algorithm.

Simplifying browser-based logins

For passwords used in multiple Web-browser-based logins, one powerful and inventive way to handle the problem is a master password bookmarklet -- a piece of JavaScript embedded in a bookmark -- written by Chris Zarate. It uses a one-way MD5 hash algorithm to create a secure, domain-specific password from a master password and a domain name. This way, the user doesn't have to remember multiple passwords for multiple domains, and you can set up the bookmarklet to require the master password each time for additional security. Thus, no data is stored on the user's computer that can be reverse-engineered. I've used this as a way to standardize all of my domain passwords with great success. Note that it works best only if you're dealing with multiple domains or IP addresses; it's not as effective or necessary for an intranet that users access via a single internal domain name.

Serdar Yegulalp has been writing about computers and IT for more than 15 years for a variety of publications, including,, InformationWeek and Windows magazine.

This was last published in November 2008

Dig Deeper on User passwords and network permissions

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.