The 10 Dumbest Mistakes Network Managers Make

If that doesn't work, and if someone has the time and motivation, the next step would be a brute-force attack. In this type of attack, a computer program tries every possible combination of characters until the password is found, although current technology puts practical limits on the extent of such attacks.

When you create a new password, the trick is to come up with something that a dictionary attack could never discover, and to make the password long enough and complex enough that even a brute-force attack couldn't succeed because it would require too much time and processing power. Here's how:

Make them long

Passwords become exponentially harder to crack with each character you add, so longer passwords are much better than shorter ones. A brute-force attack can easily defeat a password with seven or fewer characters. Your mandatory minimum should be eight characters. Even then, you need to make those eight characters count: a randomly generated eight-character password using letters, numbers, and symbols (for example, h7%R9#jA) is vastly more secure than an ordinary eight-letter word such as licenses. You'll get the best protection from a random password of at least 11 characters or a non-random password of at least 17 characters (make sure that the password is not discoverable in any dictionary).

Start with a sentence

True mathematical randomness is hard to come by, but for a run-of-the-mill password, what counts is that a computer couldn't discern obvious or personal patterns in it. One common way to create a random password is to turn a sentence that you can easily remember into a password by using the first letter of each word, perhaps substituting some numbers as appropriate. The string ZTwt12potUS, as it follows no apparent pattern, might be a good choice. But it's still quite memorable because I derived it from the sentence "Zachary Taylor was the twelfth president of the United States."