Everything I’ve ever said about passwords was wrong

Well, not quite, but there is one fundamental thing about passwords that I and almost every other security expert have overlooked. For a long, long time, we in the security business have been thinking about maximal-strength, maximum-entropy, minimal-length passwords; we have been saying things like “minimum eight characters, upper- and lower-case letters and special characters in a random mix” is the best approach. That certainly makes for unguessable passwords, but it also makes them very difficult to remember.

So, throw out everything I have told you about creating strong passwords. I’m going to start over with a simple concept that will not only allow you to create completely hacker-proof passwords, but those passwords will be so easy to remember, you’ll never have to write them down. You can even use the word “password” if you want. It all starts with the fact that a hacker has no idea what your password is to begin with.

All will be revealed in my next three posts entitled, “The new password paradigm,” parts one, two and three.

Stay tuned.

About the Author

Ken Harthun

Ken is our resident security expert with years of experience in the field. He can also carry a tune as an accomplished musician. Ken has written for many publications and presently is a contributor to IT Knowledge Exchange.


  1. I meant after going to #3
     How to create and use an unguessable password

     That’s where you lost me after the first paragraph.