Picking a password is easy, right? Just pick a common word or phrase, like “password” or “iloveyou”, and you are sure to never forget it! Wait, that might be too easy. Okay, how about your anniversary, then? If you cannot remember that one, you have bigger problems!
Unfortunately, many people still hold onto these ideas, and exploiting them is one of the first lessons taught in Hacking 101. The Oxford English Dictionary contains 171,476 words in current use, and a modern computer can check every one of them against your password hash in under a second. So can you just change a character or two in the word to make it better, like “p@ssw0rd”? Nope! Attackers know people do this too, and cracking tools apply those same substitutions (“mangling rules”) to every word in the list automatically, so every variation you can think of is already covered. Then they enrich the list with common phrases people like to use, like “iloveyou”, and with passwords leaked in earlier breaches. This method of password cracking is so popular it has its own name: the dictionary attack.
People also like to use personal pieces of information as passwords: anniversaries, names, favorite teams, etc. But this information is not as private as you might think. You share most of it freely on your Facebook page, and the rest can be gathered through social engineering or a phishing message. Even if you do not personally use social media, there is a good chance your spouse, parents, children, coworkers, and friends do. And you can be sure that at least one of them posted about having a great time at your 20th anniversary party last year!
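To make the dictionary attack concrete, here is an added example (written for this article, not a tool from the original text) of the rule-based guessing described above. It takes a constructed mini wordlist, including a few "personal" tokens an attacker could scrape from social media, applies leet substitutions, capitalisation changes and common suffixes to each word, and compares every candidate against a target hash. Unsalted SHA-256 is an assumption standing in for whatever fast hash the target system stores; the wordlist, substitution table and suffixes are illustrative, and real rule sets are far larger.

```python
import hashlib
import itertools

# Constructed mini wordlist: a few dictionary words plus "personal" tokens an
# attacker could scrape from social media. Real lists hold millions of entries.
WORDLIST = ["password", "iloveyou", "letmein", "dragon",
            "fido", "cubs", "anniversary"]

# Substitutions people think make a word "complex"; every cracking tool's rule
# set applies these (and many more) to every word automatically.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
# Common tails people bolt onto a word: years, counters, punctuation.
SUFFIXES = ["", "1", "123", "!", "1999", "2003"]


def mangle(word):
    """Yield the variations of `word` a simple cracking rule set would try."""
    bases = {word.lower(), word.capitalize(), word.upper()}
    variants = set()
    for base in bases:
        present = [c for c in LEET if c in base.lower()]
        # Every subset of substitutions: "password" -> "p@ssword", "pa$$w0rd", ...
        for r in range(len(present) + 1):
            for subset in itertools.combinations(present, r):
                v = base
                for c in subset:
                    v = v.replace(c, LEET[c]).replace(c.upper(), LEET[c])
                variants.add(v)
    for v in sorted(variants):
        for suffix in SUFFIXES:
            yield v + suffix


def sha256_hex(text):
    """Unsalted SHA-256 (an assumption), standing in for a fast stored hash."""
    return hashlib.sha256(text.encode()).hexdigest()


def dictionary_attack(target_hash, wordlist=WORDLIST):
    """Try every mangled wordlist entry; return (recovered_password, guesses_made)."""
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            if sha256_hex(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


if __name__ == "__main__":
    for secret in ["p@ssw0rd", "Fido1999", "1loveyou!", "correct horse battery staple"]:
        found, n = dictionary_attack(sha256_hex(secret))
        outcome = f"cracked as {found!r}" if found else "not in list"
        print(f"{secret!r}: {outcome} after {n} guesses")
```

Run it and “p@ssw0rd”, “Fido1999” and “1loveyou!” all fall within a few hundred guesses, while a phrase that is not built from a list word survives. The point is not the speed of the hash but that every “clever” variation is a deterministic transform of a list word, which is exactly what the rules enumerate.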
Okay, so now you know all about bad passwords. Let’s discuss what makes a password good. It boils down to this:
A good password is not worth the effort it would take to crack it.
Hackers have varying goals, whether it is profit, fame, politics, or something else. But, like everyone, they have limited time and resources. The perceived value of the target determines how much time they are willing to spend hacking it. If cracking your password might take hundreds of years, they will find another target.
Once your password is not in any dictionary, the attacker has to fall back to brute force: trying every combination of possible characters until a match is found. This may seem impossible, but a desktop computer can test millions of potential passwords per second, and a single modern GPU billions, against a fast hash such as MD5 or NTLM. An 8 character lowercase password like “password” falls in a few hours by brute force alone at the lower of those rates, and in minutes at the higher. Imagine what a botnet of thousands of computers can do! The one thing on the defender’s side is the hash the site stores: a deliberately slow algorithm such as bcrypt or Argon2 cuts the guessing rate by several orders of magnitude. But you do not get to choose it, so assume the worst.
So, your job is to create a password that is not in any dictionary and cannot be quickly brute-forced. To do this you need to consider the following components:
Length – The longer a password is, the better, because every extra character multiplies the number of combinations by the size of the alphabet. At roughly ten million guesses per second (the rate these figures imply), an 8 character password of only lowercase letters takes hours to crack, 9 – days, 10 – months, 11 – years, 12 – centuries.
Complexity – If you go beyond lowercase letters and include uppercase letters, numbers and special characters (e.g. !, @, #, $), the alphabet grows from 26 to about 95 symbols and the time to crack the password goes up dramatically. A 12 character password utilizing all 4 types takes almost 9 million years to crack by this estimate. Note that these are worst-case figures for a genuinely random password: a 12 character “complex” password built from a dictionary word plus a few substitutions is still caught by the rule-based dictionary attack described earlier.
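The length and complexity estimates above come from one formula: the number of candidates is the alphabet size raised to the password length, divided by how many guesses per second the attacker can make. The added example below (written for this article, not from the original page) carries that arithmetic through for the character classes discussed, reproduces the lowercase figures at the roughly ten-million-guesses-per-second rate they imply, and shows how much the stored hash matters. The three guessing rates are order-of-magnitude assumptions for illustration, not measurements.

```python
import math

# Character-set sizes for the classes the article talks about.
CHARSETS = {
    "lowercase": 26,
    "lower+upper": 52,
    "lower+upper+digits": 62,
    "all four types": 95,   # printable ASCII: 26 + 26 + 10 + 33 symbols
}

# Rough order-of-magnitude guessing rates (assumptions for illustration):
RATE_IMPLIED_BY_ARTICLE = 1e7    # ~10 million/s reproduces the lowercase figures
RATE_FAST_HASH_GPU = 1e11        # unsalted MD5/NTLM-class hash on one modern GPU
RATE_SLOW_HASH = 1e4             # a deliberately slow hash such as bcrypt

SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(length, charset_size):
    """Number of distinct passwords of exactly this length and alphabet."""
    return charset_size ** length


def worst_case_seconds(length, charset_size, guesses_per_second):
    """Time to exhaust the keyspace; the expected time is half of this."""
    return keyspace(length, charset_size) / guesses_per_second


def humanize(seconds):
    """Pick the largest unit that gives a number >= 1."""
    units = [("years", SECONDS_PER_YEAR), ("days", 86400),
             ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


def crack_table(rate, lengths=range(8, 13)):
    """Rows of (length, charset name, human-readable worst-case time) at `rate`."""
    return [(n, name, humanize(worst_case_seconds(n, size, rate)))
            for n in lengths for name, size in CHARSETS.items()]


def bits_of_entropy(length, charset_size):
    """log2 of the keyspace: each extra bit doubles the attacker's work."""
    return length * math.log2(charset_size)


if __name__ == "__main__":
    print("Worst-case brute-force time at ~10 million guesses/s:")
    for n, name, t in crack_table(RATE_IMPLIED_BY_ARTICLE):
        print(f"  {n:2d} chars, {name:20s}: {t}")
    # The stored hash matters as much as the password: the same 8-character
    # password is seven orders of magnitude apart depending on the hash used.
    for label, rate in [("fast hash on a GPU", RATE_FAST_HASH_GPU),
                        ("bcrypt-class hash", RATE_SLOW_HASH)]:
        print(f"8 chars, all four types, {label}: "
              f"{humanize(worst_case_seconds(8, 95, rate))}")
```

At the rate implied by the article, 8 lowercase characters come out at about 5.8 hours and 12 at about 300 years, matching the “hours … centuries” progression. Two things the table makes visible that the prose does not: adding one character to a 95-symbol alphabet multiplies the attacker’s work by 95, which is worth more than upgrading the alphabet of a short password, and an 8 character “all four types” password that takes weeks against a bcrypt-class hash falls in under a day against an unsalted fast hash on a single GPU.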
After reading all this, are you wondering how on earth you will create a password that is 12 characters long and contains uppercase, lowercase, numbers, and special characters, change it every 90 days, and still remember it?
You are not alone! Security experts are well aware of this problem, and have recommendations to help. There are many methods out there, but we will only present two of the most popular in this article.