How to choose a Secure Password in the Real World

Italian version

You can find a lot of advice about how to choose your passwords around the internet. But most of it seems to me to be bad advice.

First, let’s define what we want. We want to have:

  • Secure passwords;
  • Passwords that we can remember.

The most common advice you will find is: «Always use mixed-case letters AND numbers AND underscores in your passwords». Not bad advice, but this only improves your passwords a bit. If they are insecure, they will be insecure even if you add numbers. Example: Ab12 is too short. ilikemarypoppins is much more secure. blacksabbathisthebestheavymetalbandintheworld is even better. And I’m sure that you will never forget it.

Then, we can apply the other advice. BlackSabbath_isthebestheavymetalbandintheworld01 is more secure. It’s also impossible to guess for a human.

But we have a problem: humans can hardly remember more than one password of this kind. And the other advice we find everywhere is: «Use a separate password for each service you are subscribed to». That is important advice… really! A lot of small sites collect users’ passwords, and a lot of social network apps try to guess them. But human memory is not perfect. And you need to remember all of your passwords. How can we do it?

Keep only one base password. And use the name of the service to modify your base password. You have to decide your own rule. You can’t use mine – that wouldn’t be secure for me or for you. But it’s easy. Some possible rules:

  • Add the first two letters at the beginning of your password, and the last letter at the end.
  • Add the first letter at the beginning of your password, and the two last letters at the end.
  • Add the last letter at the beginning of your password, and the last one at the end.

For example, let’s apply the first rule:

  • Base password: BlackSabbath_isthebestheavymetalbandintheworld01
  • Service name: Facebook
  • Specific password: faBlackSabbath_isthebestheavymetalbandintheworld01k
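As an added example (not code from the post), here is the derivation rule above written out in Python, with a small check for the one failure mode such a rule has: two services whose names share the same leading and trailing letters end up with the same password. The function names and the service names other than Facebook are constructed for the example.

```python
"""Derive one password per service from a single base password.

Follows the three rules listed in the post: a few letters of the service
name are attached to the front and the back of the base password.  The
rules are taken literally from the post; everything else is illustrative.
"""

# Each rule is (prefix_slice, suffix_slice) applied to the service name.
RULES = {
    # rule 1: first two letters in front, last letter at the end
    1: (slice(0, 2), slice(-1, None)),
    # rule 2: first letter in front, last two letters at the end
    2: (slice(0, 1), slice(-2, None)),
    # rule 3: last letter in front, last letter at the end (as written)
    3: (slice(-1, None), slice(-1, None)),
}


def derive(base: str, service: str, rule: int = 1) -> str:
    """Return the service-specific password for `service` under `rule`.

    The service name is lower-cased first (assumption: the post's example
    turns "Facebook" into the lower-case letters "fa" and "k").
    """
    if not service:
        raise ValueError("service name must not be empty")
    prefix_slice, suffix_slice = RULES[rule]
    name = service.lower()
    return name[prefix_slice] + base + name[suffix_slice]


def collisions(base: str, services, rule: int = 1) -> list:
    """Return groups of services that receive the identical derived password.

    An empty list means the chosen rule really gives every listed service
    its own password, which is the whole point of the scheme.
    """
    by_password: dict = {}
    for service in services:
        by_password.setdefault(derive(base, service, rule), []).append(service)
    return [group for group in by_password.values() if len(group) > 1]


if __name__ == "__main__":
    base = "BlackSabbath_isthebestheavymetalbandintheworld01"
    sites = ["Facebook", "Farmbank", "GitHub"]   # constructed sample names
    for site in sites:
        print(f"{site:9} -> {derive(base, site, 1)}")
    print("rule 1 collisions:", collisions(base, sites, 1))
    print("rule 2 collisions:", collisions(base, sites, 2))
```

Running it shows that "Facebook" and "Farmbank" collide under rule 1 but not under rule 2, so it is worth checking your own rule against the services you actually use.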

Too difficult? Ok, you can drop the ‘01’ part. And even the underscore. All the geeks who will try to explain to you how unsafe your password is have a password that is much less secure than yours.


See this strip by XKCD!


MariaDB Mode for CodeMirror

I needed a SQL editor written in JavaScript for a tool I use to rapidly modify my databases. I found CodeMirror. It works great, and it’s used by a number of important projects. The code is released under an MIT license (I would prefer AGPL3, but it’s ok).

CodeMirror supports many languages, and language scripts are called Modes. I tried the MySQL mode but… well, to be honest, I didn’t like it. Maybe I was just unlucky, but the first statements I wrote (DELIMITER and TRUNCATE) were not highlighted. Also, floating point numbers were not highlighted.

So, I wrote a new mode and put it on GitHub: MariaDB.

First, I reworked the code. Now it’s in Strict Mode, and it uses types more strictly. Then, I fixed a couple of minor bugs in the MySQL mode: ‘--’ comments did not require a following space, and backticks could be escaped in identifiers with a ‘\’.

Then, I added something:
* a lot of new keywords from MySQL and MariaDB;
* float numbers (including exponents);
* variables (all syntaxes);
* bin and hex literals (all syntaxes);
* all types of comments;
* ‘?’ (for prepared statements).

Limitations? Well, it does not support automatic indentation, and many other features that maybe should be supported. However, I just wrote this mode to improve a tool I use. I may improve it if there is interest around it, but I will not work on it if I’m not sure it makes sense.

If you use MariaDB Mode and you have some comments/requests, let me know. If you improve it, please open a Pull Request on the GitHub repo.