A password is a series of characters required to log into an account. A password is created along with an account and username. Passwords consist of letters, numbers, symbols, and/or spaces. A good password is not easy to guess but not hard to remember. Passwords should not be told to other users. The Scratch website requires passwords to be at least 6 characters long. It is good to write down one's password on a physical piece of paper in a safe location in case the password is ever forgotten. Passwords are case sensitive.

Note Note: It is recommended to use a different password for each account, whether on Scratch or any website.
Treat your password like your toothbrush. Don't let anybody else use it, and get a new one every six months.

– Clifford "Cliff" Stoll

Examples of Weak Passwords

Note Note: The following are not the only examples of weak passwords; in general, a password that is easily guessed or widely used is a weak password.
  • 'password1'
  • 'passw0rd'
  • '123456'
  • 'scratch'
  • '(your username)1234'
  • '(your username)'
  • 'qwerty'
  • 'abcdef'
  • 'ilike(object)1'
  • 'asdfghjkl'
  • '1234567890'
  • '(your name)'
  • '(the current year)'
  • 'scratch.mit.edu'
  • 'ilove(sitename)'
  • '(person's birthday)'
  • '111111'
  • '654321'
  • '(object) is awesome'
  • 'ilove(object)'
  • 'password'
  • 'wordpass'
  • 'password123'

Ways to Make a Strong Password

The xkcd comic demonstrating this section


A common misconception is that the way to make a strong password is by using common substitutions (such as @ for a, $ for s, etc.) and adding numbers/symbols at the end. However, this actually does not result in a significantly stronger password as those are all trivial for a computer to guess. They do result in a password that is much harder to remember, though.

Capitalizing it or not actually only multiplies the number of combinations by two. The number of possible substitutions (e.g. 5) only multiplies the number of combinations by 2n, so for 5 possible substitutions, that would only multiply the number of substitutions by 32. Finally, the number of symbols at the end multiples the number of combinations by approximately 30n (assuming 30 common numbers/symbols). This means that a password with five possible substitutions, possibly capitalized, and with two symbols at the end multiplies the number of combinations by 2x25x302=57,600. Putting that on top of an uncommon base word which has about 170,000 combinations (the number of words in the Oxford English Dictionary), results in 170,000*57,000=9.8x109 combinations. This would take approximately 110 days to guess at 1,000 guesses per second.

A Stronger Technique

A better technique to make a strong password is to use four or more common but random and unrelated English words strung together. (For example: "phoneticketdigitalscissors". Please do not use this as your password now that it has been used as an example here.) Although this at first may appear less secure, consider the math: there are about 3,000 words that account for 95% of usage in English. The number of combinations for n common words is 3,000n. This means that for 4 words, there are about 8.1x1013 combinations. At 1,000 guesses per second, that would take more than 2,000 years to guess. However, provided that the password is memorable, there shouldn't be too much interference if letters, numbers, symbols or different capital letters are added.

See Also