Instituto Superior Técnico

Serviços de Informática

How to create a quality or robust password that is hard to guess?

A quality password (i.e. robust and difficult to guess or discover by attacks) must meet the following requirements:

  • Be at least 8 characters long, an acceptable minimum for the length of a password. The longer it is, the more resistant it becomes to brute force attacks, in which all possible combinations of characters are tested;
  • use at least three of the four character classes: uppercase letters, lowercase letters, digits and punctuation. Diversifying the types of characters makes the password more robust to brute force attacks: the more character types are used, the longer it takes to test all possible combinations. It also makes dictionary attacks harder, since such a password is unlikely to appear in the dictionary an attacker uses;
  • do not reuse an old password. Passwords must be changed regularly to avoid prolonged use, which increases the chance that third parties discover them;
  • do not use a very simple password or one based on a dictionary word: simple passwords are more susceptible to abuse. For example, passwords based on common words or on trivial combinations with such words, like sonia1980, Benfica123, 30junho1980, 1q2w3e or qwerty123, should not be used.
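The four requirements above, written out as a password quality check. This is an added example, not a tool of the Serviços de Informática; the word list and keyboard-walk fragments are constructed stand-ins for the dictionary an attacker would use.

```python
import string

# Constructed stand-in for an attacker's dictionary (a real check would load a
# full word list); the words cover the bad examples given above.
COMMON_WORDS = {"benfica", "sonia", "junho", "qwerty"}
# Keyboard walks counted as "trivial combinations" (constructed list).
KEYBOARD_WALKS = ("qwerty", "1q2w3e", "asdf", "12345")

MIN_LENGTH = 8
MIN_CLASSES = 3


def character_classes(password: str) -> int:
    """Count how many of the four classes (upper, lower, digit, punctuation) are used."""
    return sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])


def based_on_dictionary_word(password: str) -> bool:
    """True for a common word or a trivial combination of one with digits or
    punctuation (e.g. sonia1980, Benfica123, 30junho1980), or a keyboard walk."""
    lowered = password.lower()
    # Strip leading/trailing digits and punctuation to find the core word.
    core = lowered.strip(string.digits + string.punctuation)
    if core in COMMON_WORDS:
        return True
    return any(walk in lowered for walk in KEYBOARD_WALKS)


def check_password(password: str, previous: frozenset = frozenset()) -> list:
    """Return the requirements the password fails; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(password) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    if password in previous:
        problems.append("reuses an old password")
    if based_on_dictionary_word(password):
        problems.append("based on a dictionary word or trivial combination")
    return problems
```

Each of the examples listed above (sonia1980, Benfica123, 30junho1980, 1q2w3e, qwerty123) is rejected by the dictionary check, and several also fail the length or character-class rules.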

When the system reports that the password is of poor quality, it means that it does not meet the requirements defined for the creation of passwords.

The concern with password quality may seem excessive; however, choosing a good password should be part of an “education in the digital age”. We increasingly use passwords to access the most varied services: electronic banking, online purchases and sales, checking email, ATM and mobile phone PINs, and so on.

Choosing a good password has to start being an act of responsibility for the protection of our data.