Picking a password is easy, right? Just pick a common word or phrase, like “password” or “iloveyou”, and you are sure to never forget it! Wait, that might be too easy. Okay, how about your anniversary, then? If you cannot remember that one, you have bigger problems!
Unfortunately, many people still hold onto these ideas, and this is one of the first lessons taught in Hacking 101. The Oxford English Dictionary contains 171,476 words, and a modern computer can check each of them against your password in under a second. So can you just change a character or two in the word and make it better, like “p@ssw0rd”? Nope! Hackers know people do this too, so they have already added every variation you can think of to their dictionaries. Then they enrich those dictionaries with common phrases people like to use, like “iloveyou”. This method of password cracking is so popular it has its own name: the dictionary attack.
People also like to use personal pieces of information as passwords: anniversaries, names, favorite teams, etc. But this information is not as private as you might think. You share most of it freely on your Facebook page, and the rest can be found through phishing. Even if you do not personally use social media, there is a good chance your spouse, parents, children, coworkers, and friends do. And you can be sure that at least one of them posted about having a great time at your 20th anniversary party last year!
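To make the last two points concrete, here is an added example (not part of the original article) of the screening a sign-up form can run before accepting a password: it undoes common character swaps, ignores padding such as a trailing "123", and rejects anything that lands on a listed word or contains a personal detail. The blocklist, the substitution table and the function names are assumptions made for illustration.

```python
import itertools

# Constructed sample blocklist; a real deployment would load a large list of
# dictionary words, common phrases and previously breached passwords.
BLOCKLIST = {"password", "iloveyou", "dragon", "letmein"}

# Common character swaps, mapped back to the letters they stand for.
# A symbol can stand for more than one letter, so every reading is tried.
SUBSTITUTIONS = {
    "@": "a", "4": "a", "0": "o", "3": "e", "$": "s", "5": "s",
    "1": "il", "!": "i", "7": "t",
}


def readings(password, limit=4096):
    """Return an iterator over lowercase readings with the swaps undone."""
    # Each position keeps its own character and adds the letters it may hide.
    options = [ch + SUBSTITUTIONS.get(ch, "") for ch in password.lower()]
    combos = ("".join(p) for p in itertools.product(*options))
    # Cap the work so a long run of symbols cannot explode the search.
    return itertools.islice(combos, limit)


def screen(password, personal=()):
    """Return the reason a password is rejected, or None if it passes."""
    lowered = password.lower()
    for token in personal:
        token = token.lower()
        # Short tokens are skipped to avoid rejecting on chance matches.
        if len(token) >= 4 and token in lowered:
            return f"contains personal detail {token!r}"
    for reading in readings(password):
        # Ignore padding such as "123" or "!" around the word itself.
        core = reading.strip("0123456789!?.")
        if core in BLOCKLIST:
            return f"variation of listed word {core!r}"
    return None


if __name__ == "__main__":
    for candidate in ("p@ssw0rd", "Il0veY0u!", "vG7#qLr2xTz9"):
        print(candidate, "->", screen(candidate))
    print("June2004", "->", screen("June2004", personal=["2004"]))
```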
Okay, so now you know all about bad passwords. Let’s discuss what makes a password good. It can be boiled down to this:
A good password is not worth the effort it would take to crack it.
Hackers have varying goals, whether it is profit, fame, politics, or something else. But, like everyone, they have limited time and resources. The perceived value of the target determines how much time they are willing to spend hacking it. If cracking your password might take hundreds of years, they will find another target.
Once you have a password that is not in a dictionary, the only way to crack it is by brute force. This method involves trying every combination of possible characters until a match is found. This may seem imposs