How-To Geek

Using Password Phrases For Better Security

Did you know that Windows supports using passwords of up to 127 characters? I don’t use passwords anymore, and I haven’t for years. I’ve switched to using password phrases instead.

Why do I use password phrases?

  • Why would you want to remember a password like 2%d7as$d when you could just remember a sentence like “nsync sucks giant monkey balls” or “I hate my ex-wife!” or “Holy hell does this job suck!”
  • You can use uppercase, lowercase, special characters, or even spaces… but you are using them in context, which makes it much more natural to remember.
  • Post-it notes on your monitor are not secure. Sorry.
  • Even the most efficient forms of password cracking, using pre-computed rainbow tables, will never be able to crack a password with 20 or more characters.

These days, Windows passwords can be cracked in no more than a few seconds. If somebody can get physical access to your machine, they can boot off one of the hacker tool CDs available all over the internet, and they will typically have your password in seconds, if they know what they are doing.

Even with brute force cracking, there is no possible way that you can crack a password that long. Even if somebody had the super computing power to do so, hopefully you change your password every few months or so.

It may be difficult to use password phrases on other operating systems, or especially on websites, because they don’t properly handle spaces in the password, or have a small password length limit. One of the tricks that I usually do is use a password phrase without the spaces, if I possibly can.

So go change your password now.
Note: For more information on this topic, you can check out Robert Hensing’s blog over at TechNet.

Lowell Heddings, better known online as the How-To Geek, spends all his free time bringing you fresh geekery on a daily basis.

  • Published 02/4/07

Comments (11)

  1. Daniel Spiewak

    If I actually had physical access to the machine, I could have any password in seconds, no matter what it is. Actually, more precisely I could reset the password in seconds. This is because NT keeps passwords in a special encrypted file on disk. People who know what they’re doing (and who have a *nix based live CD) can access this file fairly easily and edit it directly. Then, you boot to the OS and log in to the aforementioned account using the new password.

    Moral of the story? The most secure password in the world will not save you from someone who has physical access to the computer (unless you’ve actually protected the BIOS or use biometric authentication, in which case it gets a little more complex).

  2. The Geek

    How right you are, Daniel. I’m just trying to advocate better passwords =)

  3. Allen Schaaf

    Actually full disk encryption will prevent this mode of attack as you need the pre-boot password in order to access the file on the HD. Even yanking the drive and installing it on another computer will not allow access.

    However, you’d better have a safe and secure way to save/recover the pre-boot password or you will lose all your data for good.

  4. Mel

    Please, show us how you will edit the Windows encrypted password file when booting into edu-nix.

  5. manny

    IIRC, in WinXP, you could ‘safe boot’ into a hidden ADMINISTRATOR account. From there you could delete other people’s passwords, and make new ones, too.

    Is this vulnerability still in WinVista?

  6. GeneralProtectionFault

    Truly, if one has physical access to your Windows PC, there is not too much you can do to prevent full and unrestricted access.

  7. Deneb

    But how can you crack into a laptop with a fingerprint reader in the first place?

  8. bhoyet

    Hi there everybody, hope everything is going great for each and all of you. I’m new here and I need help from you guys. Can someone out here please give me a hand? I have a Dell Dimension 2400, BIOS A05, and I tried to reboot it a couple of weeks ago and tried to upgrade the hard drive to an 80g one, because my old one was only 40. It is possible to do that by not replacing any other hardware like the memory card etc. While I was trying to reboot it, all of a sudden a black screen came up asking for a password, and it says “secondary drive 1 not found”. It’s been a long year and this desktop has never been reformatted, and I don’t have any idea where I can get the password. Should I call Dell, or is there a website where I can get a password in order for me to reboot this desktop? Thank you guys, and I will really appreciate your help.

  9. Jordan S.

    I need help!!! Idk how to get into my user. I’m the only user on my computer and I forgot the password. Can anyone tell me how to get into my computer? It’s been like a month and I’m still stuck!

  10. George Spelvman

    Personally, I could do without the obscenity used as an example.

  11. Mh

    What is proposed here is not secure enough especially if taken lightly. The example, for instance, can be cracked in seconds on a personal computer without actually knowing more than it is a common phrase or a short phrase.
    The password “I hate my ex-wife!” would have a complexity of around 50 bits (10 x 5 words) if the phrase wouldn’t be common and the words would be randomly distributed. Its complexity can’t be the 90 bits (5 x 18 chars) complexity of a case insensitive alphanumeric random password of that length. That is because it uses common words (each means around 1024 (10 bits) options) and the various combining methods add just a few more bits. A list of 1 million common phrases has 20 bits complexity. Also, even if not common, if you include the common language combining rules to the above phrase you remain with largely 2 words (“hate”, “wife”) and a few extra bits for guessing the applied rules (~24 bits). NIST recommends 80 bits of complexity. If you want your password to be as strong as your encryption you would need a 256 bit strong password for a 256 bit AES encryption key.
    To respect NIST recommendation for safe passwords you need at least 8 truly randomly chosen words in your phrase (“I”, “my” and “ex” are not truly random in that context). Not using common words consistently and randomly may reduce the number to 6 (14 bits/word ~16.000 word list).
    PS: There is something I don’t get in the usual password rules. Why can’t I just use letters and numbers and have a somewhat longer password. The math is: 12-13 truly random symbols for a complex password with all the available stuff on the keyboard and 16 symbols of equivalent security using only truly random small case letters and numbers. For the 6 character requirement of most web-sites it would largely mean 2 characters more if you use only small letters and numbers and that is much easier to write and remember.
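
The arithmetic in the last comment can be checked directly. The Python below is an added example, not part of the article or of any comment: it computes how many uniformly random symbols reach a target strength and draws a passphrase with a CSPRNG. The function names and the 32-word sample list are constructed for illustration.

```python
import math
import secrets

# Constructed 32-word sample list (exactly 5 bits per word). A real list is
# far larger, such as the ~16,000-word list mentioned in the comment above.
SAMPLE_WORDS = (
    "anchor", "basket", "candle", "dragon", "ember", "falcon", "garden", "harbor",
    "island", "jacket", "kettle", "ladder", "magnet", "napkin", "orchid", "pencil",
    "quartz", "ribbon", "saddle", "tunnel", "umbrella", "velvet", "walnut", "yonder",
    "zipper", "acorn", "bishop", "copper", "dinner", "engine", "forest", "glacier",
)


def symbols_needed(target_bits, pool_size):
    """Fewest independent, uniformly random symbols giving >= target_bits.

    Exact integer arithmetic: pool_size**n candidates must cover 2**target_bits.
    """
    if pool_size < 2:
        raise ValueError("pool must contain at least two symbols")
    n = 1
    while pool_size ** n < 2 ** target_bits:
        n += 1
    return n


def candidate_bits(candidates):
    """Strength in bits of one uniform pick among `candidates` possibilities."""
    return math.log2(candidates)


def generate_passphrase(words, target_bits, sep=" "):
    """Draw words with a CSPRNG; return (phrase, bits of strength)."""
    pool = sorted(set(words))  # duplicates would overstate the pool size
    count = symbols_needed(target_bits, len(pool))
    phrase = sep.join(secrets.choice(pool) for _ in range(count))
    return phrase, count * candidate_bits(len(pool))


if __name__ == "__main__":
    for label, pool in [("1,024-word list", 1024), ("16,384-word list", 16384),
                        ("printable ASCII (95)", 95), ("a-z plus 0-9 (36)", 36)]:
        print(f"{label}: {symbols_needed(80, pool)} symbols for 80 bits")
    print(f"1,000,000 known phrases: {candidate_bits(10**6):.1f} bits")
    print(generate_passphrase(SAMPLE_WORDS, 80))
```

The figures only hold when every symbol is chosen independently and uniformly at random; a phrase a person composes is measured by the size of the list it could be guessed from, not by its length.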
