This One Thing Will Make Your iPhone and Mac Passwords More Secure


You have probably seen suggestions on how to construct a more secure password. Here is a typical article of that kind: "Tips for creating a strong password." It has some decent suggestions related to password complexity, but it's also insufficient for this modern era.

Times are changing. Those bad guys who would break into your device now have advanced algorithms and so much computing power, they can easily outsmart your most devious passwords. Nevertheless, there is one thing you can do to ensure the quality of your chosen password—one you rely on.

The Holy Grail is Still Unreachable for Most

First, some technical background.

It's true that we'd all be better off getting away from passwords. There are still people, today, who use passwords like "123456" and "password." I've been reading articles for years about the panacea of using 3-factor authentication: 1) Something you know, 2) Something you are (retina, fingerprint) and 3) Something you possess (a fob or chipped card). And yet, people are still creating passwords and using them daily. Most of them are woefully weak. 2-factor authentication is just now picking up steam, but not everyone uses it.

One thing we've been promoting for years here at TMO is a great app called 1Password from AgileBits software. 1Password allows you to log on with one password/phrase and then lets the app create high quality, complex passwords of a very long length, something that you could never memorize. And they're kept in encrypted form on your computer or mobile device.

Again, that's another article, beyond the scope of what we're discussing here. So are any OS restrictions on how often a password can be tried. And so, in those cases when, for whatever reason, you have to create a password yourself, the challenge is to construct it so that it is very difficult for a computer to brute force guess.

Password Length

It turns out that there is one technique we as human beings still have at our disposal that can make a password extremely hard for a computer to guess. The article that describes this is "Password Security: Complexity vs. Length." It's from December, 2015, so the thinking there is still relevant.

In a nutshell, encryption experts refer to the entropy of a password. It's a measure of the password's disorder (complexity), that is, how difficult it is to hack. The formula for the entropy is:

entropy (in bits) = log(C) / log(2) * L, that is, L * log2(C)

Where C is the size of the character set and L is the length of the password. Mathematically, the length (L) in this equation is more dominant than the complexity of the password: L multiplies the whole expression, while C only enters through a logarithm, so doubling the character set adds a single bit per character but doubling the length doubles the entropy. You're familiar with complexity: using upper and lower case letters and special characters in addition to numbers. As a result, if you want to do just one thing to make your password harder to guess, expand it from the typical 8 characters to 12 or more.

Substituting symbols no longer works. For example, changing "Son" to "S0n." It does nothing to increase the size of the character set, and modern hacking algorithms, I am told, take that substitution technique into account.

One way to create a longer password is to create a passphrase instead of a single word. For example, astronomers remember the spectral class of stars (O,B,A,F,G,K,M) with a mnemonic. So you could create a mnemonic-based passphrase "OhBeAFineGirlAndKissMe." That's 22 characters!

But there's one remaining problem. Modern supercomputer cracking algorithms have, in their databases, in addition to all the world's dictionaries, all the song lyrics ever written, all the popular mottos and slogans, book and movie titles, famous sayings and movie quotes. And so while a long password is great, you also want to steer away from whole, recognizable words contained in the passphrase.
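The three attacker models discussed above (blind brute force over the character set, a dictionary word with its symbol substitutions undone, and a passphrase drawn from a known word or phrase list), worked through as an added example. This code was written for this page and is not from the article or from TMO. The entropy formula is the one given above; the leet table, the word-list and phrase-list sizes, the rule-variant count and the sample password "P@$$w0rd" are assumptions, labelled in the comments.

```python
import math
import string

# Character classes a brute-force attacker must cover (sizes 26, 26, 10, 33).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation + " ",
}

# Assumed leet table, modelled on the substitution rules cracking tools apply.
LEET = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}


def entropy_bits(length, charset_size):
    """The article's formula: log(C) / log(2) * L, i.e. L * log2(C)."""
    return math.log(charset_size) / math.log(2) * length


def charset_size(password):
    """C for a brute-force attacker who covers every class present in the password."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(ch in chars for ch in password))


def brute_force_bits(password):
    """Bits of work for blind brute force over the password's character classes."""
    return entropy_bits(len(password), charset_size(password))


def undo_leet(password):
    """Map substituted characters back to letters, as a rule-based cracker does."""
    return "".join(LEET.get(ch, ch) for ch in password).lower()


def dictionary_bits(dictionary_size, rule_variants):
    """Bits of work if the password is one dictionary word tried under a fixed
    number of case/leet rule variants. The password's length does not appear."""
    return math.log2(dictionary_size * rule_variants)


def passphrase_bits(word_count, wordlist_size):
    """Bits for a passphrase of randomly chosen list words: each word adds
    log2(wordlist_size), far less than log2(C) per letter of that word."""
    return word_count * math.log2(wordlist_size)


def strength_report():
    """Constructed comparison; every list size here is an assumption."""
    return {
        # Length beats complexity: 12 lowercase letters out-score 8 from all 95.
        "8 chars, all 95 printable": entropy_bits(8, 95),
        "12 chars, lowercase only": entropy_bits(12, 26),
        # Substitution looks bigger to brute force (62 vs 52 symbols) ...
        "Son (brute force)": brute_force_bits("Son"),
        "S0n (brute force)": brute_force_bits("S0n"),
        # ... but a rule-based cracker normalises the word and searches
        # words * rules (assumed: 100,000-word list, 64 rule variants).
        "P@$$w0rd (brute force)": brute_force_bits("P@$$w0rd"),
        "P@$$w0rd (dictionary + rules)": dictionary_bits(100_000, 64),
        # 22 mixed-case chars vs 8 random list words vs one famous mnemonic
        # (assumed: 7,776-word list, 1,000,000 known phrases and mnemonics).
        "OhBeAFineGirlAndKissMe (brute force)": brute_force_bits("OhBeAFineGirlAndKissMe"),
        "8 random list words": passphrase_bits(8, 7776),
        "one well-known mnemonic": math.log2(1_000_000),
    }


if __name__ == "__main__":
    for label, bits in strength_report().items():
        print(f"{label:40s} {bits:6.1f} bits")
```

The report makes the article's two caveats concrete: the substituted password scores 52.6 bits against blind brute force but only 22.6 bits once the cracker undoes the substitutions and tries a word list with rules, and the 22-character mnemonic scores 125 bits by character count but about 20 bits if it sits in a list of a million well-known phrases. Only the length term survives every model, which is why the article's advice is to add length with words an attacker's lists do not already contain.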

The article I cited above ends with this advice. Passwords should be both long and complex.

Lengthy – Short length passwords are relatively easy to break, so the idea is to create lengthier ones for added security and to make them less predictable. So what is the desired or required length? A 2010 Georgia Tech Research Institute (GTRI) study told how a 12-character random password could satisfy a minimum length requirement to defeat code breaking and cracking software, said Joshua Davis, a research scientist at GTRI. Richard Boyd, a senior researcher at GTRI says, “Eight-character passwords are insufficient now ... and if you restrict your characters to only alphabetic letters, it can be cracked in minutes.” In any case, to be on the safe side, a password length of 12 characters or more should be adopted.

Strong and complex – Strong passwords are still key. Security experts agree that upper and lowercase alphanumerical characters are good practices for increasing password strength and making it capable of resisting guessing and brute-force attacks. In order to add complexity without compromising ease-of-use, users could modify passphrases by inserting spaces, punctuation and misspellings.

Eventually, we'll all get away from short, human readable passwords. Tools to suggest or auto-create long, complex passwords and store them in encrypted form are available. But this article is long enough, and so that discussion must await another day.

In the meantime, just remember: If you must create a password on the fly for any purpose, make it long, at least 12 characters. More is better. That's the only tool you have left to give yourself a fighting chance against a hacker's supercomputer.


I wonder if mixing languages would help?


1Password is very good. After being dubious about having one vault holding all my keys, I finally decided that we needed something like that to manage and generate passwords.


Sorry but that's way too rich for my blood. $49, oh, more if you're in Canada, for each system? If I got all the 1Passwords I need, 3 computers, (soon 4) 2 phones, and two iPads, I'd have nothing of value left to protect.

Still searching. In the meantime I think we will start updating our passwords.


Sage advice John. Thx for the reminder that while some of my PWs are fine there are others that could use some improvement. Esp my various frequent flyer accounts!


Long password generation using methods like DiceWare still takes some getting used to. I admit I still get a gut-level reaction disbelieving that a long semi-readable password is more protective than a short one filled with gobbledygook, even when my head (and people like John, and lots of others) insist that it really is so. Hopefully this reaction will diminish in time.

1Password 6.0 added a newer long password generator, so that software is certainly following the trend.

For those who wish the current ultimate in password generators, I recommend a visit to to make passwords that combine every piece of advice, length and complexity devised. It’s easy, free, open source, and even allows you to install the password maker on your own computer with a bit of geekery.


Oh, and Geoduck, a Single License direct from AgileBits allows up to 5 devices of each type. You’d only have to purchase one each for Mac OS and iOS, for $100 US total.


The issue is that hackers have what are called rainbow tables. These are only useful if they can get a hold of the stored password hashes. When they can do this, they have tables of all possible hashes up to 16 characters, regardless of complexity. This is mostly a problem for individuals if they are using the site that the hackers have targeted. If you are storing your passwords in something like 1password or keychain, you can use passwords or pass phrases of arbitrary length.

Unfortunately, there are sites that both restrict the length of the password and its complexity.


Misspelling is my favorite, I also use it for security questions.


I use the same randomly-generated 50 char letters/digits/symbols password generator for those security questions. The password and all those answers are stored in my password manager which I’m not likely to lose. (It has sufficient on- and off-site backups.)

There are some passwords that are really annoying to have in a password manager though. For example, my bank app on my phone wants me to type in the password every time. So I would have to open my password manager app, type that long password, search for the bank entry, copy the password from there, then switch back to the bank app and paste it in. That’s rather annoying. It is easier to just memorize the bank password, which means it is not a 50-char random one. So while password managers are helping, we have a ways to go before they are fully integrated into ordinary workflows.

Note that I do not trust Keychain, on OS X or iOS, to hold my most sensitive passwords for a few reasons. (1) It is Mac-only. (2) I have no guarantee that iCloud Keychain is encrypted such that Apple cannot easily read all my passwords (and give them to NSA), whereas stand-alone products are designed around providing that kind of encryption. (3) On iOS the keychain passwords are unlocked with my fingerprint, which is easier to steal than making me reveal a long password. (4) On OS X the keychain is unlocked with my login password, which is much shorter because there's no way I'm going to type a looong password every time I sit down in front of my computer at a lock screen. (Yes I know I can make a separate keychain password, but then I have to unlock the keychain manually for OS X to get access to wifi passwords and such. I have not experimented with more complex management of having multiple keychains.)

I bring up Keychain because it is an example of a password manager that is integrated in with the OS and thus has the best chance of seamlessly fitting into my workflow. A third-party password manager does not work as conveniently.

If we follow the trend, in some number of years a 12 char password will be easy to crack, and eventually maybe a 50 char password will be as well. So we will have to use password managers to store 128 char or 1000 char passwords. But there will always be the one password that we have to remember, which means we need the password manager’s database to be stored securely enough that hackers do not get the chance to run rainbow table hacks against it.


Geoduck - I’m a cheapskate. But after wrestling with passwords I bought 1Password3 in 2012. I haven’t had to buy it again. I use it on 3 Macs. I just looked it up (in 1Password!) I paid $48.99 I also purchased 1Password for iOS. I believe it was $19.99. I use that on several iPhones and an iPad. As Hagen said, their license agreement is very liberal, so one license should do it. (I bought it on their store, not the Mac App store)

I store my vault on Dropbox (the small free amount of storage!) which means it gets backed up in Time Machine on all 3 Macs. I gotta say, I love it. The browser integration is great and even when it's not, I can get to the data I want easily.

I also love that I add a password on the iPhone and it's available on all the Macs. I also store banking information, social security numbers, the works. Yes, if someone got my 1Password password, they would have everything, but I have a 13 character password that is a concatenation of gibberish and numbers that is very meaningful to me and that's all I have to remember. (Doesn't everyone have some funny nonsense in their familial argot?)

I know it’s a big commitment, but if you take the leap, you’ll find it’s really a game changer.


A technical note about rainbow tables: they pre-compute hashes of passwords to compare against a stolen passwords file/database, but this is easily defeated by salting the passwords. So only websites with bad security practices are vulnerable to that. For a salted password the table would be a dictionary of passwords; then the hacker has to compute a salted hash of each password in the dictionary for each individual account being hacked. This can be done with a server farm or processing things in parallel on a GPU, so it matters what algorithm is used to store the password. A modern, secure hashing algorithm run for enough iterations (you don't just hash it once, you hash it like 1000 times and store that) can make this process take a very long time to crack a password.
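The salting and iteration points made in the comment above, shown in working code as an added example; this is not code from the commenter, from TMO or from any password manager. It uses PBKDF2-HMAC-SHA256 from Python's standard library as the iterated hash. The iteration count, the sample word list standing in for a precomputed table, and the sample passwords are constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumption for illustration; raise it to fit your hardware budget

# Constructed word list standing in for an attacker's precomputed table.
WORDLIST = ["123456", "password", "letmein", "qwerty", "OhBeAFineGirlAndKissMe"]


def unsalted_hash(password):
    """The weak scheme: one plain hash, identical for every user with that password."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Salted and iterated: returns (salt, iterations, digest) for storage.
    A fresh 16-byte random salt is drawn per account when none is supplied."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_password(password, salt, iterations, digest):
    """Recompute from the stored salt and iteration count; compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def build_table(wordlist):
    """What a precomputed (rainbow-style) table boils down to: hash -> password."""
    return {unsalted_hash(word): word for word in wordlist}


def table_lookup(table, stored_digest):
    """Instant recovery if the site stored plain hashes; None otherwise."""
    return table.get(stored_digest)


def guesses_to_recover(wordlist, salt, iterations, digest):
    """Work against one salted record: a full PBKDF2 run per guess, per
    account, since the table cannot be reused. Returns the number of guesses
    spent, or None if the password is not in the list at all."""
    for n, guess in enumerate(wordlist, start=1):
        if verify_password(guess, salt, iterations, digest):
            return n
    return None


def demonstrate(password="password", iterations=ITERATIONS):
    """Same password stored for two users: the plain hash is found in the
    table at once, the salted digests are not, and they differ from each other."""
    table = build_table(WORDLIST)
    salt1, _, digest1 = hash_password(password, iterations=iterations)
    salt2, _, digest2 = hash_password(password, iterations=iterations)
    return {
        "plain_table_hit": table_lookup(table, unsalted_hash(password)),
        "salted_table_hit": table_lookup(table, digest1.hex()),
        "salted_digests_differ": digest1 != digest2,
        "guesses_per_account": guesses_to_recover(WORDLIST, salt1, iterations, digest1),
    }


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```

The lookup against the plain hash succeeds instantly, while the salted record forces the attacker back to one full iterated hash per guess per account; the iteration count is what turns each of those guesses from microseconds into a tangible cost, which is why the comment's point about the stored algorithm matters as much as the salt.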


I agree with webjprgm on Keychain. I do NOT use it to store sensitive passwords or credit card information for the same reasons he cites.

Once you’re logged in, it’s open and anyone can get to it.

But I do use it to store less sensitive passwords like ftp sites or shopping sites (where my credit card is NOT stored).


Thanks John for this informative article.

Geoduck: You can try 1password for free for 30 days. The license terms are here: Seems to me you will need one license and the iOS (or Android) app which is free. I don't usually recommend apps but I have been using 1password since version 1 and it is unbelievable how it simplifies life.
