We are frequently asked to create passwords for the numerous things we interact with: our laptops, our smartphones, our tablets, and the many websites and services we use on these devices, including banking websites, email apps, social media websites, and virtually any other account we create on any other website or app.
The problem is, we seldom think about how to create a good password, and often don’t even know what a strong password is. And since we know we can’t remember a unique password for every account we create, we tend to reuse the same password for all websites, which means that if one of them is compromised, all our accounts are compromised.
In this article we will discuss the importance of passwords, shedding light on how to create strong passwords that throw a wrench in hackers’ cracking attempts.
A good place to start is knowing what a strong password looks like. Many websites have guidelines in place and a meter that measures the strength of the password you create. These guidelines, however, may not reflect actual best practices, or they may become obsolete as hackers evolve their methods over time. Also, not all websites have guidelines, leaving each user to create a password based on their own judgment.
Security experts tell us that there are several guidelines that offer safety.
The rules of mathematics tell us that the number of possible passwords equals the number of possible characters raised to the power of the number of slots (the password length). A typical password allows upper and lower case letters and numbers (62 characters in total), with or without the special characters (32, not counting the space, for a total of 94).
Here are the possibilities by number of characters (including specials; without them the figures will be a bit lower), along with the time it would take a hacker to crack the password using a technique called a brute force attack.
| Number of characters | Possibilities (approximately) | Time to brute force (at 350 billion/s) |
|---|---|---|
| 4 | 78 million (7.8 × 10^7) | About 0.2 milliseconds! |
| 6 | 690 billion (6.9 × 10^11) | A little less than 2 seconds |
| 8 | 6 quadrillion (6 × 10^15) | 4.8 hours |
| 10 | 54 quintillion (5.4 × 10^19) | 4.9 YEARS! (now we’re talkin’) |
| 12 | 476 sextillion (4.76 × 10^23) | 43,000 years |
These numbers are based on a specific rig set up in 2012 that used 25 GPUs and could attempt 350 billion possibilities per second. Actual speeds may be much lower depending on each hacker’s hardware, but it never hurts to be a few steps ahead. Dictionary attacks and common password trends could make the time taken a bit lower as well.
Bottom line: Password length is an important factor in your security. Make sure your passwords are more than 12 characters. Go for 15 or even 20 for maximum protection.
If your password is only numbers, then each character has only 10 possibilities. This makes the base (the number being raised to the power) significantly smaller; even raised to the power of 10, that gives you only 10 billion possibilities, crackable in under 2 seconds. The same password length using lower and upper case letters, numbers, and symbols gives you the 54 quintillion possibilities shown above, which is vastly harder to crack.
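As an added example (not from the original article), the script below reproduces the arithmetic behind the table above and extends it to the other character sets the text mentions. It assumes the article's character-set sizes (10 digits, 62 letters and digits, 94 with the 32 specials) and the 2012 rig's rate of 350 billion guesses per second; it also reports the same figure as entropy in bits, the scale practitioners normally use.

```python
import math

# Assumptions taken from the article: charset sizes and the 2012 rig's guess rate.
RATE_PER_SECOND = 350_000_000_000
CHARSETS = {"digits": 10, "letters+digits": 62, "letters+digits+symbols": 94}
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(charset_size: int, length: int) -> int:
    """Number of possible passwords: charset size raised to the password length."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """The same quantity on a log scale, the usual way to compare strength."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(charset_size: int, length: int, rate: int = RATE_PER_SECOND) -> float:
    """Worst case: every password in the keyspace is tried, as in the article's table."""
    return keyspace(charset_size, length) / rate


def human_time(seconds: float) -> str:
    """Format a duration in the largest unit that fits, e.g. '4.8 hours'."""
    units = (("years", SECONDS_PER_YEAR), ("days", 86400), ("hours", 3600), ("minutes", 60), ("seconds", 1))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds * 1000:.1f} milliseconds"


def strength_table(lengths, charset_size: int = 94, rate: int = RATE_PER_SECOND):
    """One row per length: (length, keyspace, entropy bits, worst-case crack time)."""
    return [
        (n, keyspace(charset_size, n), round(entropy_bits(charset_size, n), 1),
         human_time(seconds_to_exhaust(charset_size, n, rate)))
        for n in lengths
    ]


if __name__ == "__main__":
    for name, size in CHARSETS.items():
        print(f"--- {name} ({size} characters) ---")
        for n, space, bits, crack_time in strength_table((4, 6, 8, 10, 12), size):
            print(f"{n:2d} chars: {space:.2e} possibilities, {bits:5.1f} bits, {crack_time}")
```

The digits-only rows show why the base matters: ten digits of 10 possibilities each exhaust in well under a second at this rate, while ten characters from the 94-character set take years.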
It should also be obvious that you should not use a single word as your password. As outlined in the now famous XKCD comic and by even-more-famous NSA whistleblower, Edward Snowden, a “passphrase” made up of multiple words strung together makes it difficult to apply a brute force or dictionary attack.
Another technique based on the passphrase idea is to take a sentence and then apply a rule to it. This is called the Bruce Schneier method. For example, take a memorable phrase such as “Feed the birds, tuppence a bag”, then take the first letter of every word, followed by the second letter of every word, giving you “FTBTABehiua”. It looks like absolute gibberish, but it’s memorable, it’s long, and it’s not a dictionary word. You can play around with capital letters and symbols to make it even more complex.
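An added example (mine, not the article's or Schneier's own code) of the sentence-to-password rule just described, generalized so the letter positions taken from each word can be chosen; the length check against the article's “more than 12 characters” bottom line is an assumption of my own and shows that the six-word example phrase needs a third letter per word, or a longer sentence, to reach that guideline.

```python
import string

_PUNCT = string.punctuation  # strip commas and the like so "birds," becomes "birds"


def phrase_words(phrase: str) -> list:
    """Split the phrase into words with surrounding punctuation removed."""
    return [w.strip(_PUNCT) for w in phrase.split() if w.strip(_PUNCT)]


def schneier_password(phrase: str, positions=(0, 1), capitalize_first: bool = True) -> str:
    """For each position in turn, take that letter from every word long enough to have it.
    Words shorter than the position (like "a" at position 1) are skipped, which is why
    the article's phrase yields "FTBTABehiua" with the default positions (0, 1)."""
    words = phrase_words(phrase)
    out = []
    for pos in positions:
        for w in words:
            if len(w) > pos:
                ch = w[pos]
                out.append(ch.upper() if (pos == 0 and capitalize_first) else ch)
    return "".join(out)


def meets_length_guideline(password: str, minimum: int = 13) -> bool:
    """The article's bottom line: more than 12 characters (my own check, not the article's)."""
    return len(password) >= minimum


if __name__ == "__main__":
    phrase = "Feed the birds, tuppence a bag"  # the article's example phrase
    for positions in ((0, 1), (0, 1, 2)):
        pw = schneier_password(phrase, positions)
        print(f"positions {positions}: {pw!r} ({len(pw)} chars), "
              f"meets length guideline: {meets_length_guideline(pw)}")
```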
Personal information in a password may be a good way to remember it, but it’s vulnerable. Someone who knows you, or who knows that information about you, could figure it out. What’s even scarier is that there are bucketloads of personal information sprinkled here and there across different platforms and social media. Your pet’s name, your birthday, your city of birth… all of these can be gleaned by hackers from information you, yourself, have made public on these outlets.
As hackers became privy to password databases, they discovered trends in how people create their passwords. Practices that might seem like a good idea are probably the worst thing you could do, because everyone has been doing them, and hackers now know and screen for them. These include:
Besides the actual creation of the passwords, other behaviors can help keep us safe.
Since hackers are using powerful computers to try to obtain your passwords, you might do well to enlist those computers to create and protect your passwords. A password manager is an application that creates long, unique, randomly generated, extremely difficult to crack (and highly unmemorable) passwords for the different services you use, and enters them into the service for you. It keeps all your passwords locked away, accessible through a master password, which you will create using all the guidelines above.
They’re not, however, a magic solution. Hackers know about them, which makes them targets, albeit powerful ones. So it’s a trade-off: you can put all your treasures in a fortress, but everyone knows where it is, as opposed to hiding them in an unmarked tract of land, the signs to which only you know.
We must all be wary of our passwords and learn how to create good ones, lest we find ourselves between a rock and a hard place, and then it’ll be too late.