How to create and use an unguessable password


A weak password, one that can be easily guessed, is almost as bad as no password at all.

For example, if you use a password that conforms to common patterns that most people tend to use, it can be easily guessed. According to Wikipedia, repeated research has demonstrated that around 40% of user-chosen passwords are readily guessable because of the use of these patterns:


  • blank (none)

  • the word “password”, “passcode”, “admin” and their derivatives

  • the user’s name or login name

  • the name of their significant other or another relative

  • their birthplace or date of birth

  • a pet’s name

  • automobile licence plate number

  • a simple modification of one of the preceding, such as suffixing a digit or reversing the order of the letters.

  • a row of letters from a standard keyboard layout (e.g., the qwerty keyboard — qwerty itself, asdf, or qwertyuiop)

So, the lesson here is simple: always use an unguessable, or at least difficult-to-guess, password.

What’s an unguessable password?

I’ve given some examples of easily-guessable passwords–what not to do. Now I’ll give you an example of one thing you can do to create strong, unguessable or difficult-to-guess passwords.

By far, the most unguessable password would be a string of random characters like Qt6W'{/b?@mn,QL"Q% and the longer, the better. Sure, a computer could eventually discover such a password using a brute force attack, but it gets more difficult the longer you make your password. For example, to crack the above password, assuming a supercomputer that can guess a billion passwords per second, it would take 10,533,833,066,248,927,000 (10 quintillion, 533 quadrillion, 833 trillion, 66 billion, 248 million, 927 thousand) years to look at all the possible combinations. Shorten that password to 9 characters, and it would only take 26 months.

There are plenty of password generator programs available. GRC’s Ultra High Security Password Generator page is a good example. The problem with such passwords is that they’re impossible to remember; you have to store them somewhere or print them out. It’s far better to have a password that looks random (to a computer, at least), but means something to you so you can remember it without having to write it down. That’s easy to do: simply come up with a meaningful phrase and then convert it to a string of characters. Here’s one: I drive 33 miles round-trip each day. (Notice I included numbers and a dash.) That could become id33mr-ted. Make some of the characters uppercase: iD33mR-TeD (I made every other character uppercase — easy to remember).
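The phrase-to-password step above, as an added example in Python that is not part of the original post. The condensing rule it encodes is inferred from the post's single example and is an assumption: numbers are kept whole, every other word contributes its first letter, hyphens inside hyphenated words survive, trailing punctuation is dropped, and then every second character is upper-cased.

```python
# Added example (not from the original post): the "meaningful phrase to
# password" recipe described above.
# Assumed condensing rule, read off the post's one example: keep numbers
# whole, take the first letter of every other word, keep hyphens inside
# hyphenated words, drop trailing punctuation, then upper-case every
# second character.


def condense_phrase(phrase: str) -> str:
    """'I drive 33 miles round-trip each day.' -> 'id33mr-ted'"""
    out = []
    for token in phrase.split():
        token = token.strip(".,;:!?\"'")
        if not token:
            continue
        if token.isdigit():
            out.append(token)  # numbers survive intact
        else:
            # first letter of each hyphen-separated part, hyphens kept
            parts = [p[0].lower() for p in token.split("-") if p]
            out.append("-".join(parts))
    return "".join(out)


def alternate_case(s: str) -> str:
    """Upper-case every second character (the post's 'every other' rule).
    Digits and punctuation are unaffected, so they keep their place."""
    return "".join(c.upper() if i % 2 else c.lower() for i, c in enumerate(s))


def phrase_to_password(phrase: str) -> str:
    """Full recipe: condense the phrase, then apply the case pattern."""
    return alternate_case(condense_phrase(phrase))


if __name__ == "__main__":
    # Constructed input: the post's own example phrase.
    print(phrase_to_password("I drive 33 miles round-trip each day."))  # iD33mR-TeD
```

Because the case rule is applied by position rather than by letter, a phrase containing digits or dashes keeps them exactly where the condensing step put them, which is what makes the result reproducible from the phrase alone.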


You can, and should, come up with your own pattern or algorithm for creating unguessable but easy to remember passwords.

The problem is the sheer number of passwords we all have; which phrase created the password for which login? It would appear as though we’re back to writing them down or using a password manager. Don’t worry, though. Here’s how to create secure passwords that you can safely write down; yes, write them down, give them to all your friends–even your enemies–and still be safe. Post them on your monitor at work. Leave them lying around on the bus or train. A simple trick based on cryptographic techniques will conceal your actual password in a form that almost anyone will mistake for the password itself.

Let’s say you found a piece of paper that had this written on it:

Work BDAbe%x#
Home 1941phx!n
email fon!%m

What would you think it was? Bet you’d think you’d found someone’s password list, eh? That’s exactly the deception we want: what those strings of characters really mean is known only to you. So, what DO they mean? Let’s take the first example. It’s a substitution cipher based on a date. This one uses two levels of secret "keys": 1. a clue or mnemonic for the date; 2. an abstraction of the encoding algorithm. We’ll use Abe Lincoln’s birthday in numeric form–02/12/1809–for our plaintext, leaving out the slashes, i.e., 02121809, which will result in a strong, eight character password. Now, for the first key, we can use "BDAbe." This immediately reveals the plaintext, but means little or nothing to anyone else. (NEVER use your own birthday, for obvious reasons.) [Note: even if someone guesses that it’s Abe’s birthday, they still have a long way to go to figure out how it was used – Ken]


Next, we decide to use alternating shifted characters, beginning with the first character. So, for key two, we make an abstraction of that: %x#, for example. It doesn’t matter what characters you use, only that they clearly represent shifted and lower-case characters; you could just as easily use AyT or !2@. The pattern of shift-lowercase-shift on the keyboard is what matters to you; the characters mean nothing else. Put the two keys together and you have this: BDAbe%x#. That’s your cipher pattern, the “something only you know,” with an added level of complexity: it’s something only you know (the plaintext) and only you know what it means (the encoding pattern).

Pretty slick, eh? This should give you a clue as to what the second one is: 1941ph means (to me) 12/07/1941, the date of the attack on Pearl Harbor that led us into WWII. Based on the pattern, the actual password is 1@0&1(4!. Can you figure out what the last one might mean? (You won’t guess the actual password unless you know what I know about the first part, but you can figure out what the code hint is.) Post your comments and we’ll see how you do.
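The date-plus-pattern cipher described in the preceding paragraphs, as an added example in Python that is not code from the original post. It assumes a US keyboard's number row (1 through 0 become ! @ # $ % ^ & * ( ) under shift) and reads the pattern key the way the post's examples do: the first character of the key only tells you whether the first password character is typed with shift held, and the rest alternate from there. Both of the post's worked entries are reproduced.

```python
# Added example (not from the original post): the date + shift-pattern
# scheme described above, for a US keyboard's number row.
# Assumption: the pattern key ('%x#', 'x!n', 'AyT', '!2@' ...) only fixes
# the keyboard state of the FIRST character; the rest alternate, which is
# how the post's two worked examples behave.

SHIFTED_DIGITS = {
    "1": "!", "2": "@", "3": "#", "4": "$", "5": "%",
    "6": "^", "7": "&", "8": "*", "9": "(", "0": ")",
}
UNSHIFTED_DIGITS = {v: k for k, v in SHIFTED_DIGITS.items()}

# Non-letter characters that need the shift key on a US layout.
SHIFTED_SYMBOLS = set('!@#$%^&*()_+{}|:"<>?~')


def is_shifted(ch: str) -> bool:
    """True if ch is typed with the shift key held on a US keyboard."""
    return ch.isupper() or ch in SHIFTED_SYMBOLS


def pattern_from_key(key: str) -> bool:
    """Return whether the first password character is shifted,
    as signalled by the first character of the pattern key."""
    if not key:
        raise ValueError("pattern key must not be empty")
    return is_shifted(key[0])


def encode(digits: str, start_shifted: bool) -> str:
    """Type every other digit with shift held, starting in the state
    given by start_shifted; the digits are a date with slashes removed."""
    if not digits.isdigit():
        raise ValueError("plaintext must be digits only")
    out = []
    for i, d in enumerate(digits):
        shifted = start_shifted if i % 2 == 0 else not start_shifted
        out.append(SHIFTED_DIGITS[d] if shifted else d)
    return "".join(out)


def decode(password: str) -> str:
    """Recover the digit string from a password produced by encode()."""
    return "".join(UNSHIFTED_DIGITS.get(c, c) for c in password)


def password_from_note(plaintext_date: str, pattern_key: str) -> str:
    """What the owner of the note computes: date digits + pattern key."""
    return encode(plaintext_date, pattern_from_key(pattern_key))


if __name__ == "__main__":
    # First entry on the note: hint "BDAbe" -> 02/12/1809, pattern key "%x#".
    print(password_from_note("02121809", "%x#"))   # )2!2!8)9
    # Second entry: hint "1941ph" -> 12/07/1941, pattern key "x!n".
    print(password_from_note("12071941", "x!n"))   # 1@0&1(4!
```

The note itself never holds the date or the rule; the hint and the pattern key are only useful to someone who already knows what the hint stands for and what "shifted" means on this keyboard, which is the separation the post relies on.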

I don’t recommend you use these examples, for obvious reasons; you’ll want to come up with your own ways of doing things and your own hints using things that mean something only to you.

About the Author

Ken Harthun

Ken is our resident security expert with years of experience in the field. He can also carry a tune as an accomplished musician. Ken has written for many publications and presently is a contributor to IT Knowledge Exchange.
