What makes a password good?

Passwords vary in how easy they are to guess.  The best guesswork is done by computers these days, which can try many thousands of character combinations per second, and guessing algorithms often start with the combinations that people are most likely to choose.  To guard against guessing, Shieldpay limits the number of tries within a given time, but we cannot fully eliminate the potential for guessing without also making login more difficult for you.

The best protection against guessing is to choose a password which is:

• Nonsensical: If you choose only from words in a dictionary, then you limit the range of possibilities to a small subset of the total combinations available, making your password an easy guess for a program that can try the entire contents of a dictionary in a few minutes.
• Non-phonetic: You also limit the range of possibilities if you make your password pronounceable.  A good password will be a random combination that makes full use of the entire character set.
• From a large character set: Include all the different sorts of characters on your keyboard rather than just one or two sorts.  The larger the range of characters, the larger the number of possible passwords and the harder your password will be to guess.
• Long: The number of possible combinations increases exponentially with each character you add to your password, although the difficulty of remembering and entering your password also increases with length.  A password of 10 random characters is probably not too bad, but if the sequence of characters is not completely random, then a longer one is advisable.
• New: Re-using passwords or parts of passwords undermines the benefit of changing your password.  If you use the same password for different services, one cracked password will allow access to all the different services.  You can address the challenge of remembering passwords better through software (see below) than by taking the risk of weak passwords.

Long, nonsensical, non-phonetic passwords tend to be difficult to remember.  If you are not good at memorising, it is better to write down your password than to forget it, but then you must secure the place where you keep the writing.  Instead of a physical place (where you may not always be when you use Shieldpay), software products are available for securing passwords.  You can find those products by searching the internet for “password security software” or the like.  Choose the product carefully because you will be entrusting your passwords to it.

Your browser can probably also remember your passwords for you, but controlling access to your browser and the passwords in it is likely to be more difficult than controlling access to specialised password security software.  Your browser is accessible to the websites you visit and to others who use your computer, but more specialised software can be less externally visible and accessible.  Specialised software will require you to identify yourself to it (such as by logging in or providing a physical token), but a browser often does not, leaving passwords stored in a browser exposed to later unidentified users.