Let’s talk about what makes a password strong. When we think of strong passwords we think of crazy examples like the famous Star Trek password Data used.
“One, seven, three, four, six, seven, three, two, one, four, seven, six, Charlie, three, two, seven, eight, nine, seven, seven, seven, six, four, three, Tango, seven, three, two, Victor, seven, three, one, one, seven, eight, eight, eight, seven, three, two, four, seven, six, seven, eight, nine, seven, six, four, three, seven, six. Lock.”
But the truth is you do not need a crazy password like this for it to be strong. Something easy to remember, like two or three unrelated words and a number, will stop most attacks. How can I be so sure? Well, I have talked to a cybersecurity friend and done some simple password cracking myself to see what it is all about.
How password hacking works
To understand how to make a strong password you first have to know how people crack passwords. First, you don’t just connect to a website and start cracking. A login page only checks one guess per request, and most sites throttle or lock an account after a handful of failures, so guessing online is slow and noisy. In most cases someone has inside access or uses an exploit to download the database of user accounts, and then does the guessing offline on their own hardware.
But that is only the first step. Any good database will not store the passwords themselves; it stores a hash of each password together with a random salt. A hash is a one-way function, not encoding or encryption: there is no key, and the output cannot be turned back into the password. It works like this. When you create your account, the site generates a random value called a salt, joins it with your password, and runs the result through the one-way hash function. It stores the salt and the hash, not the password. When you log in, the site looks up your stored salt, hashes what you typed with that same salt, and compares the result with the stored hash. If they match, you are in. The plain-text password is never stored, and because every account has its own salt, two users with the same password end up with different hashes.
So a list of password hashes is not directly useful, because you cannot log in with a hash. This is where password cracking comes in: the attacker has to guess passwords, salt and hash each guess the same way the site did, and look for a match.
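Here is what that register-and-login flow looks like in code. This is an added example, not something from the original post: it uses Python's built-in PBKDF2 (hashlib.pbkdf2_hmac) as the one-way function, a 16-byte random salt, and an iteration count chosen for this example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Work factor for PBKDF2-HMAC-SHA256. 600,000 follows current OWASP guidance;
# raise it over time as hardware gets faster. (Value chosen for this example.)
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, hash). A fresh random salt is drawn once, at registration;
    the salt is stored next to the hash and reused for every later login check."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(candidate: str, salt: bytes, stored_hash: bytes) -> bool:
    """Re-hash the login attempt with the stored salt and compare in constant time,
    so timing differences do not leak how many leading bytes matched."""
    _, digest = hash_password(candidate, salt)
    return hmac.compare_digest(digest, stored_hash)


def demo() -> dict:
    """Register one password, then check a correct and a wrong login attempt."""
    # Constructed example password; in a real system it is never written to disk.
    password = "correct horse battery staple"
    salt, stored = hash_password(password)            # the only thing the database keeps
    _, same_password_again = hash_password(password)  # a second user with the same password
    return {
        "login_ok": verify_password(password, salt, stored),
        "login_wrong": verify_password("correct horse battery stapel", salt, stored),
        # Different salts give different hashes, so identical passwords cannot be
        # spotted in a dump and precomputed hash tables are useless against it.
        "same_password_different_hash": stored != same_password_again,
        "stored_record": (salt.hex(), stored.hex()),
    }


if __name__ == "__main__":
    print(demo())
```

Note that the salt is not secret; it sits right next to the hash in the database. Its job is to make every account's hash unique so an attacker has to crack each one separately instead of comparing a single precomputed table against the whole dump.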
How passwords are cracked
The two main types of password cracking are dictionary attacks and brute force attacks.
Dictionary attacks are used most often. They work by taking a word list, a common-password list, or both, adding the salt to each entry and hashing it. If your password happens to be on that list, one of those hashes will match the stolen one and the attacker knows your password.
The cracking software I have seen before would try with and without a capital letter in the front. Then it would add numbers to the back.
So it would try some sequence like this.
So if your password was something like “Apple34” it would be found in seconds. I would suggest not following the common pattern of a capital at the front and a number at the back. Something like “apP34le” or “34apPle” will slip past that simple rule set, but do not count on it for long: real cracking tools ship with rule files that toggle case and swap or insert characters in every position, and a seven-character password is short enough to be brute-forced outright. Breaking the pattern helps; length helps more.
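To make the rule idea concrete, here is a toy dictionary attack in Python. It is an added example, not the cracking software mentioned above: the site is assumed to have stored sha256(salt + password), the five-word list and the salt are made up, and the rules are exactly the two described (capital in front, digits at the back).

```python
import hashlib
from typing import Iterator, List, Optional, Tuple


def site_hash(salt: bytes, password: str) -> str:
    """Constructed stand-in for the leaked site's scheme: sha256(salt + password).
    A real dump uses whatever the site used; fast hashes like this are what crackers hope for."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def rule_candidates(word: str, max_digits: int = 2) -> Iterator[str]:
    """Mangle one dictionary word the way the simple rule set in the text does:
    the word as-is and with a capital in front, then both with 1..max_digits digits appended."""
    bases = (word, word.capitalize())
    yield from bases
    for n in range(1, max_digits + 1):
        for num in range(10 ** n):
            suffix = str(num).zfill(n)  # "apple3", "Apple3", then "apple00" ... "Apple99"
            for base in bases:
                yield base + suffix


def crack(salt: bytes, target: str, wordlist: List[str]) -> Tuple[Optional[str], int]:
    """Salt-and-hash every candidate until one matches the stolen hash.
    Returns (password or None, number of guesses made)."""
    guesses = 0
    for word in wordlist:
        for cand in rule_candidates(word):
            guesses += 1
            if site_hash(salt, cand) == target:
                return cand, guesses
    return None, guesses


# Tiny constructed wordlist; real ones (rockyou.txt, for example) hold millions of entries.
WORDLIST = ["password", "letmein", "dragon", "apple", "monkey"]


def demo() -> dict:
    """Crack three constructed passwords against the same salt and wordlist."""
    salt = bytes.fromhex("0123456789abcdef")  # the salt sits next to the hash in the dump
    results = {}
    for pw in ("Apple34", "apP34le", "monkey"):
        found, guesses = crack(salt, site_hash(salt, pw), WORDLIST)
        results[pw] = (found, guesses)
    return results


if __name__ == "__main__":
    for pw, (found, guesses) in demo().items():
        status = f"cracked as {found!r}" if found else "not found"
        print(f"{pw!r}: {status} after {guesses} guesses")
```

Each of the five words expands to 222 candidates, so “Apple34” falls after 758 guesses and “monkey” after 889, while “apP34le” survives the whole 1110-guess run. That is the entire protection the rearranged version offers: a rule that toggles case in the middle or inserts digits mid-word would catch it just as quickly.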
Brute Force Attacks
A brute force attack simply tries every possible combination until it finds the password. No password is safe from this attack forever. It is the attacker’s last resort, because the time it takes grows exponentially with the length of the password: every extra character multiplies the number of combinations by the size of the character set. It is used routinely against short passwords and rarely against long ones, where the password would likely have changed before the search finished.
Your best defence against this attack is the length of the password. How long is long enough depends on how fast the stolen hashes can be computed: with a fast hash like MD5 or NTLM, a GPU rig tries billions of guesses per second and exhausts every 8-character password in hours, while a deliberately slow hash like bcrypt stretches the same search out to years. Since you cannot control which hash a site uses, and computers get faster every year, go for more characters; 12 or more is a reasonable floor today. Changing your password once in a while also limits the damage if a hash leaked without you knowing.
Here is a fun little brute-force attack calculator that gives you an idea of the time it would take.
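Below is an added calculator of my own, not the one linked above, written in Python. The guess rates are assumed round numbers, and it also works out the keyspace of a word-based passphrase, which matters for the passphrase advice in the next section.

```python
import math
from typing import Dict

# Assumed guess rates for one well-equipped attacker. Illustrative round numbers, not
# measurements: fast unsalted hashes run on the order of 10^11 guesses/s on a GPU rig,
# a deliberately slow hash like bcrypt at cost 12 closer to 10^4.
RATES: Dict[str, float] = {
    "fast hash (MD5/NTLM) on GPU rig": 1e11,
    "slow hash (bcrypt cost 12)": 1e4,
}

CHARSETS: Dict[str, int] = {
    "digits": 10,
    "lowercase": 26,
    "mixed case + digits": 62,
    "all printable ASCII": 95,
}


def keyspace(charset_size: int, length: int) -> int:
    """Number of passwords of exactly this length drawn from this character set."""
    return charset_size ** length


def passphrase_keyspace(wordlist_size: int, words: int) -> int:
    """Same idea for a passphrase: each word is one pick from the list."""
    return wordlist_size ** words


def entropy_bits(space: int) -> float:
    """Size of the space expressed in bits; each extra bit doubles the work."""
    return math.log2(space)


def expected_seconds(space: int, rate: float) -> float:
    """A brute-force search finds the password, on average, halfway through the space."""
    return space / 2 / rate


def human(seconds: float) -> str:
    """Round a duration to the largest convenient unit."""
    for name, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.3f} seconds"


def report(space: int) -> Dict[str, str]:
    """Expected crack time for one keyspace under each assumed rate."""
    return {name: human(expected_seconds(space, rate)) for name, rate in RATES.items()}


if __name__ == "__main__":
    for length in (8, 12, 16):
        space = keyspace(CHARSETS["all printable ASCII"], length)
        print(f"{length} printable chars ({entropy_bits(space):.0f} bits):", report(space))
    # A 4-word passphrase from a 7,776-word (diceware-sized) list.
    space = passphrase_keyspace(7776, 4)
    print(f"4 words from 7776 ({entropy_bits(space):.0f} bits):", report(space))
```

The two rates differ by seven orders of magnitude, which is why the same 8-character password is a matter of hours against one site and of thousands of years against another. Since you never know which kind of site will leak, the length is the only dial you control.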
How to make strong passwords
Now that you have a basic understanding of how password cracking works you should be able to make a strong password without any problem. One of my favorite methods is to use a simple sentence as the password, also called a passphrase. A passphrase is easy to remember, and because it is long it has a huge keyspace for a brute force attack, while a sentence of your own will not be on anyone’s word list. Something like:
I just came up with that off the top of my head, but you can see how easy it would be to remember. A strong password is useless if you can’t remember it and end up with it written on a sticky note beside your computer.
Some bad people do not even try to crack passwords. That is too much trouble. They have better luck with phishing. If they can make a fake login page and trick you into signing in through a link in an e-mail, for example, then they have your password without doing any hard work to get it.
2-factor authentication helps: a stolen password alone is no longer enough. But a one-time code typed into a fake page can be relayed to the real site just like the password was, so there is no complete technical fix short of phishing-resistant methods such as hardware security keys, which only work with the real site’s domain. You simply have to be alert and aware when you are about to type in your password. Make sure the URL in the address bar is right, don’t respond to a random request to log in, stuff like that.
Also, please take five minutes to report phishing when you see it. You could save others a lot of time and money and make the internet a safer place.
If you are not creative or just want some password suggestions, then I wrote a password generator that I use at work for new Active Directory accounts. It is simple but it will run on Windows 10 without having to install anything.
Zack’s Secure Password Generator
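If you would rather see how such a generator should be built, here is an added Python example, not Zack’s generator and not a PowerShell script. It draws from the OS random source via the secrets module, uses a constructed 20-word list, and its complexity check approximates the usual Active Directory rule (three of four character classes); that threshold is an assumption, since the real policy is set per domain.

```python
import secrets
import string
from typing import Sequence

# Constructed mini word list so the example runs offline. A real generator should load a few
# thousand words (the EFF diceware list is a common choice): entropy per word is log2(list size),
# so a 20-word list like this one is far too small for real use.
WORDS = (
    "anchor", "basket", "candle", "dolphin", "ember", "falcon", "garden", "harbor",
    "island", "jacket", "kettle", "lantern", "meadow", "nickel", "orchard", "pepper",
    "quartz", "ribbon", "saddle", "timber",
)
SYMBOLS = "!@#$%^&*-_=+"


def generate_passphrase(words: int = 3, wordlist: Sequence[str] = WORDS, sep: str = "-",
                        add_number: bool = True) -> str:
    """Pick words with the OS CSPRNG (secrets), never random.choice, and append a
    number so the result also passes policies that demand a digit."""
    parts = [secrets.choice(wordlist) for _ in range(words)]
    if add_number:
        parts.append(str(secrets.randbelow(100)))
    return sep.join(parts)


def meets_complexity(pw: str, min_length: int = 12) -> bool:
    """Three of the four classes upper/lower/digit/symbol plus a minimum length.
    Assumed to mirror the common Active Directory complexity rule; the exact policy
    on a domain is configurable, so treat these thresholds as an assumption."""
    classes = (
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in SYMBOLS for c in pw),
    )
    return len(pw) >= min_length and sum(classes) >= 3


def generate_password(length: int = 16) -> str:
    """Random characters, for accounts nobody has to type (service accounts, vault entries).
    Regenerates until the complexity rule is met so a policy-compliant value is returned."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_complexity(pw, min_length=length):
            return pw


if __name__ == "__main__":
    print(generate_passphrase())   # something like harbor-quartz-ember-42
    print(generate_password())
```

The important detail is the secrets module: Python’s random module is seeded predictably and is meant for simulations, not passwords. The passphrase form is what I would hand a person; the random-character form is for accounts that live in a password manager and never get typed.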
One thing a lot of people suggest is not using the same password for everything. This way, if one of your passwords does get cracked or phished, the bad guys do not automatically have access to everything. But it can be hard to remember a lot of passwords, so I personally like KeePass. It is open source and not bloated with a bunch of useless stuff. But you have to make your own backups with KeePass, or you could lose all your passwords.
Knowledge is power
Knowledge is your best weapon and defense against hacking. There is a constant arms race between people trying to hack and people trying to keep your data safe. But the biggest weak point will always be you. There is no strong password, fix, or patch that can fill gaps in your knowledge. Bad people use social engineering all the time to get the info they want. So stay informed and alert!