Password Generation Principles

December 1, 2016 | Views: 4854

Begin Learning Cyber Security for FREE Now!

FREE REGISTRATIONAlready a Member Login Here

Hello, fellow Cybrarians!

Today I would like to introduce you to the fine art of password creation. In the first part of this article, we will discuss the anatomy of a password, and the definition of entropy. In the second part, we will look at some real life examples of easy to generate but hard to guess passwords. So without further ado, let’s begin!

Part I

According to the definition, a password is a string of characters or words which are used as an authentication tool for users to provide identity.
Some of the key attributes of a password are:

  • It must fit into the CIA (Confidentiality, Integrity, Availability/Accessibility) triad.
  • It has to be easy to remember for the user for everyday use.
  • Not easy to guess or brute-force.
  • Can be entered in less than ten seconds to avoid frustration and mistyping.
  • Contains upper and lowercase characters, as well as numbers and non-alphanumeric symbols, like; #&!%() etc.

A really simplified explanation of entropy: Entropy (more specifically, Shannon entropy) is the expected value (average) of the information contained in each message. (Wikipedia)
The Shannon entropy is usually used for calculating password strength. In a nutshell, the higher the value of the Shannon entropy, the bigger information chunks we have to deal with, which increases the possible end results. This makes the adversary’s work harder and harder. Of course, this is a really dumbed down explanation. Further information can be acquired from the provided links, at the end of this article.
Some common entropy values are:

  • Less than 28 bits: Very Weak
  • 28-35 bits: Weak
  • 36-59 bits: Reasonable
  • 60-127 bits: Strong
  • 128+ bits: Very Strong

Part II

As the human mind have the tendency to remember things we do often (habits), we own (items), we are (attributes, characteristics) or are trained to remember (encyclopedic memory) we can utilize these feats.
For example, you can remember what you did  in the morning, what you ate during your last meal, what items are in your immediate proximity.
Let’s say, you have a big monitor in front of you, three pens nearby and ate boiled eggs for breakfast.

Using the principles above, we can generate 3 passwords:

  • Ihave1BigMonitorinfrontofme   Entropy level: 128.7 bits, password length: 27
  • Thereare3PensonmyDesk   Entropy level: 97.1 bits, password length: 21 –Iate2BoiledEggsforBreakfastthisMorning  Entropy level: 186.4 bits, password length: 38.

These simply generated passwords can be used in a weekly/monthly rotation plan, are easy to remember, definitely hard to crack. (Assuming one hundred trillion guesses per second the shortest one will take 1.04 hundred million trillion centuries. Good luck with a dictionary attack.) 🙂
If someone has roughly 5 minutes, and an excel spreadsheet she or he can create a buffer of 30-60 passwords of this kind. Using some kind of password management system, this person has the luxury of almost a year’s supply of secure, easy to remember passwords.
Utilizing the same principle, one’s can create a different set for work (with workspace items), one for social media accounts (household items), and another one for general use (finances, other needs).

Feedback is much appreciated, and thank you for your attention!

Password strength meter and entropy calculator:
Brute-force time calculator:

Share with Friends
Use Cybytes and
Tip the Author!
Share with Friends
Ready to share your knowledge and expertise?
  1. In Brazil the major banking system still accepts only 8 chars length for passwords, or short passkeys/PINs, and some of the biggest banks still do not accept special chars. The they are doing is to implement some kind of dynamic token. I hope they know cybrary as soon as possible.

    • This is a limitation due to the mainframe systems which banks rely upon extensively. The password is typically limited to 8 characters consisting of upper-/lower-case letters and numbers.

  2. i tried this password we generated at
    and this what i found out: It would take a computer about 25 UNDECILLION YEARS
    to crack your password
    for all that long thats lies

  3. the tactic described is good for me i try to do something very different first i dont use the password managers app or everything its just brain work .

    i would try to demonstrate some practical aspect of it.
    1: i mix alot of basic info to make my password: names,no,
    2: let assume your:
    >your name= Harron
    >telepnone= 12234567890
    >girl or by boy friend friends name= john
    > girl or boy friend telephone: 987654321
    >your id= 0123456789
    > your best site= lets assume its gmail
    2: this is basic info that you can remember almost anywhere.mmh
    3: lets generate a password and see how strong it is

    trick behind this :
    1:is take last or first letters or numbers and reverse them in order to preventeasier dic attack
    2: your boy/girl friend has his/her friend that you like use their names
    3: you never forget you id or telephone no… sure you dont mix them at gieven intervals
    4: you best site no body knows or they would think its your email or account if they ever get to know your password which possibility they wouldnt if you have been hacked


Page 3 of 3«123
Comment on This

You must be logged in to post a comment.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Cybrary On The Go

Get the Cybrary app for Android for online and offline viewing of our lessons.

Get it on Google Play

Support Cybrary

Donate Here to Get This Month's Donor Badge

Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?