Password should contain letters in different cases. How do I come up with one?


When users create accounts on websites, they're often asked to create a password that contains letters in different cases (i.e., not just uppercase or lowercase). Why is that? What should a password look like that meets modern security requirements, and how can you create one? We'll answer all those questions here.

Why does a password need letters in different cases?

Software and even entire operating systems treat letter case differently. In Windows, for example, you can't save two files (or folders) with the same name in one folder, regardless of how the name is capitalized. In other words, it doesn't matter whether the names are written in only uppercase letters, only lowercase letters, or a combination of them, in any alphabet. For example, you can't create a file named document.doc or DOCUMENT.DOC in the same place as a file titled Document.doc. Windows considers these file names to be the same. On the other hand, Linux and operating systems built on it (like Ubuntu) allow you to place files/folders with the same names in the same folder if they have letters in different cases. That means that Linux views the files document.doc and DOCUMENT.DOC as completely different.

It's about the same for passwords. Each character in a password has its own unique code. That code is different for an uppercase 'A' and a lowercase 'a'. This makes passwords or passphrases at least twice as resistant to attacks such as brute-force or dictionary attacks.

For reference, a brute-force attack involves submitting many passwords built from all the possible characters that can be used to create a password. If a password-protected system (file, program, website, etc.) treated uppercase and lowercase letters as the same, the list of possible characters for a brute-force attack would be reduced by 26 characters (when using English letters in the password). That may not seem like a lot, but if a password has 10 characters, these 26 uppercase letters create additional possible spellings for it. The more possible options there are, the harder it'll be to crack the password.

What's the most secure password?

Based on what we discussed above, a password that contains both uppercase and lowercase letters is clearly several times more secure than a password consisting of only uppercase letters or only lowercase letters. However, using both cases doesn't necessarily mean a password meets cybersecurity requirements. A password should also contain:

  • At least 8 characters (12-14 are even better)
  • Numbers and, if the registration form allows it, special characters. These include parentheses, mathematical symbols, punctuation marks, letters from other alphabets (including character-based ones), etc.

There are other password security requirements, but the ones we listed above are absolute "musts".

How do I create a strong password?

You can create a password with uppercase and lowercase letters manually (here are detailed instructions) or by using dedicated software, such as strong password generators, which are computer utility programs or scripts available on various websites. When coming up with a strong password on your own, you can use this simple method:

  • Write several words in a foreign language using the English keyboard layout. For example, you can write "eto moy parol" ("this is my password").
  • You can capitalize some letters to end up with something like this: "eTO moY PaRol".
  • Now, replace the spaces with numbers, and add numbers at the beginning and/or end of the password. Two- or three-digit numbers are even better, or you can insert a date. For example: "eTO18moY12PaRol1989".
  • If the system where you're creating an account allows special characters to be used, try throwing some in: "%eTO18$moY12$PaRol1989%".

We've ended up with a pretty long password, 23 characters in total. If the system doesn't allow you to use such long passwords, just delete a few characters.

It's a lot easier to create secure passwords with password generators. You can also use the MultiPassword password manager that features a built-in strong password generator.
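
As an added example (not part of the original article and not MultiPassword's code), here is a minimal Python sketch of what a password generator does: it draws characters from a cryptographically secure random source, checks the requirements listed above, and compares brute-force search spaces with and without mixed case. The function names and the special-character set are assumptions.

```python
import secrets
import string

# Character classes the article asks for. The exact special-character set is
# an assumption: sites differ in which symbols they accept.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": "!#$%&()*+-=?@^_",
}


def missing_classes(password, required=CLASSES):
    """Return the names of required classes that the password lacks."""
    return [name for name, chars in required.items()
            if not any(c in chars for c in password)]


def generate(length=14, use_special=True):
    """Return a random password containing every required class."""
    classes = {name: chars for name, chars in CLASSES.items()
               if use_special or name != "special"}
    if length < 8:
        raise ValueError("the article's minimum length is 8 characters")
    alphabet = "".join(classes.values())
    # Draw every character uniformly from the OS CSPRNG and retry until all
    # classes are present, so no position is predictable.
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not missing_classes(candidate, classes):
            return candidate


def search_space(length, alphabet_size):
    """Number of candidates a brute-force attack has to cover."""
    return alphabet_size ** length


if __name__ == "__main__":
    print(generate())
    print(missing_classes("etomoyparol"))
    print(search_space(10, 52) // search_space(10, 26))
```

Pass `use_special=False` when the registration form rejects special characters.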