Passwords. We use them in so many areas of our lives and we all hate them. Passwords for our banking sites, for social media, our phones, and our computers. Passwords are everywhere and yet we are still getting hacked. Why is that? Because the password itself is only a protection if it is secure. But secure passwords are hard to remember and more importantly, inconvenient. Humans don’t like to be inconvenienced so we tend to choose passwords that we can quickly use. That is where the problem comes in.
So then what is a secure password? We will explain that in detail and how to make using passwords painless for you.
But first, a little background
Most sites do not store your password itself. Some do, but that is considered REALLY bad security. Instead, most sites transform the password in a way that cannot be reversed, so the original password cannot be recovered from what is stored. This is called a hash. What happens is that when you log onto the site, it hashes the password you entered and compares the result to the stored hash. If the two match, you are given access to the site.
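Here is the store-and-compare flow described above in code. This is an added example, not code from the original post or from any particular site. The per-user random salt and the PBKDF2 iteration count are standard practice assumed here; the page itself only says that a hash is stored and compared.

```python
import hashlib
import hmac
import os

# Assumed work factor: PBKDF2-HMAC-SHA256 with 600,000 iterations makes each
# guess an attacker tries cost as much as a real login attempt.
ITERATIONS = 600_000


def make_record(password: str) -> tuple[bytes, bytes]:
    """Return (salt, hash) for the site to store; the plaintext is never kept."""
    salt = os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def check_login(password: str, salt: bytes, stored: bytes) -> bool:
    """Hash what the user typed with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(digest, stored)


def same_password_different_records() -> bool:
    """Two users with the same password still get different stored hashes,
    because each record has its own salt."""
    salt1, hash1 = make_record("correct horse")
    salt2, hash2 = make_record("correct horse")
    return salt1 != salt2 and hash1 != hash2


if __name__ == "__main__":
    salt, stored = make_record("hunter2")  # constructed sample password
    print(check_login("hunter2", salt, stored))  # True
    print(check_login("hunter3", salt, stored))  # False
    print(same_password_different_records())    # True
```

The site keeps only the salt and the hash; a database thief gets those two values and must guess passwords one at a time, which is exactly the cracking work the next section describes.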
When hackers break into websites, they steal the database of email addresses and password hashes and then begin to crack them. The ones they succeed in cracking are posted online in various forms. This was seen when LinkedIn was hacked: 167 million user accounts with passwords were stolen, and the password files were available online shortly thereafter. Hackers and security researchers alike began to crack them. 98% were recovered without much work; the remaining ones were considered secure and resistant to cracking. You can see an explanation of those recovered passwords here.
Whenever a site is hacked, these hashes will either be offered up for sale or posted online. After that, it's just a matter of time before they are cracked.
How are passwords cracked?
Before we discuss how to make a secure password, it's best to explain just how passwords are cracked. Passwords are cracked by three general methods. These are:
- Dictionary attack
- Brute forcing
- Hash matching
Dictionary Attack – This is where an attacker tries candidate passwords from a prepared list. These dictionary files can be found all over the Internet. Each time a new hack is announced, hackers take all of the passwords recovered from those accounts and add them to these dictionaries. Some of these have billions of entries. Once a password ends up in a dictionary, it is never safe again. Hackers are constantly updating and sharing these files.
You can see a site here that has dictionary files available for download.
Brute Force Attack – A brute force attack is the most time consuming. It involves trying every possible password in turn until one matches. It would look something like this – a, b, c, ... z, aa, ab, ac, and so on.
It would keep going until it exhausts every possible combination of characters for a given password length. This is resource and time intensive. That is why dictionary attacks are tried first.
Hash Matching Attack – Instead of hashing each guess while the attack runs, an attacker can hash a word list, or a whole brute-force keyspace, ahead of time and store the results. Rainbow tables are the best-known form of this: precomputed tables covering all combinations of characters up to a given password length (stored in a compressed chain form so they fit on disk). The attacker looks each stolen hash up in the table instead of computing it. It's the same search as brute force but a lot quicker, because the work is done once and reused against every dump. One caveat: a random per-user salt mixed into the hash defeats precomputed tables, since the table would have to be rebuilt for every salt. Sites that hash without a salt, as LinkedIn did, are the ones where this works.
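To make the three methods concrete, here is an added example (not from the original post) that runs each one against a constructed "stolen" dump of unsalted SHA-256 hashes. The users, passwords, the four-word dictionary and the 36-character brute-force alphabet are all made up for the demonstration; the salted variant at the end shows the caveat above rather than anything the page describes.

```python
import hashlib
import itertools
import string


def fast_hash(password: str) -> str:
    """Unsalted SHA-256: the kind of fast hash that makes every attack below cheap."""
    return hashlib.sha256(password.encode()).hexdigest()


LEAKED = {  # constructed "stolen database": email -> unsalted hash (no real users)
    "alice@example.com": fast_hash("password"),
    "bob@example.com": fast_hash("P455w0rd"),
    "carol@example.com": fast_hash("zq7"),
    "dave@example.com": fast_hash("$8f9Fus8@ca"),
}
WORDLIST = ["123456", "password", "letmein", "qwerty"]  # constructed tiny dictionary
ALPHABET = string.ascii_lowercase + string.digits  # 36 characters, kept small for the demo
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "l": "1", "o": "0", "s": "5"})


def index_by_hash(dump: dict) -> dict:
    """hash -> [users], so each computed hash is checked against the whole dump at once."""
    idx = {}
    for user, digest in dump.items():
        idx.setdefault(digest, []).append(user)
    return idx


def mangle(word: str):
    """Yield a word plus the derivations crackers try: capitalised, upper-case, leetspeak."""
    seen = set()
    for cand in (word, word.capitalize(), word.upper(),
                 word.translate(LEET), word.capitalize().translate(LEET)):
        if cand not in seen:
            seen.add(cand)
            yield cand


def dictionary_attack(dump: dict, wordlist: list) -> dict:
    """Method 1: hash each dictionary entry (and its mangled forms) and look for matches."""
    idx, found = index_by_hash(dump), {}
    for word in wordlist:
        for cand in mangle(word):
            for user in idx.get(fast_hash(cand), []):
                found[user] = cand
    return found


def brute_force(dump: dict, alphabet: str, max_len: int) -> tuple:
    """Method 2: try every string up to max_len; also return the guess count to show the cost."""
    idx, found, guesses = index_by_hash(dump), {}, 0
    for n in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            guesses += 1
            cand = "".join(chars)
            for user in idx.get(fast_hash(cand), []):
                found[user] = cand
    return found, guesses


def build_table(alphabet: str, max_len: int) -> dict:
    """Method 3: precompute hash -> plaintext once and reuse it against every dump
    (the rainbow-table idea, without the chain compression real tables use)."""
    return {fast_hash("".join(c)): "".join(c)
            for n in range(1, max_len + 1)
            for c in itertools.product(alphabet, repeat=n)}


def table_lookup(dump: dict, table: dict) -> dict:
    """No hashing at all at lookup time: just a dictionary lookup per stolen hash."""
    return {user: table[d] for user, d in dump.items() if d in table}


def salted_hash(password: str, salt: bytes) -> str:
    """With a per-user salt the precomputed table no longer matches (assumed caveat)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


if __name__ == "__main__":
    print(dictionary_attack(LEAKED, WORDLIST))        # alice and bob fall to the word list
    found, n = brute_force(LEAKED, ALPHABET, 3)
    print(found, n)                                   # carol, after 47,988 guesses
    table = build_table(ALPHABET, 3)
    print(table_lookup(LEAKED, table))                # carol again, with no hashing now
    print(salted_hash("zq7", b"\x00" * 16) in table)  # False: the salt defeats the table
```

Dave's long random password survives all three attacks at this scale; the brute-force counter shows why the others are tried first, since even a 36-character alphabet needs 47,988 guesses to cover three characters.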
What is a secure password?
Now that we understand how passwords are cracked, we can explain how to secure them. A secure password is one that is resistant to being cracked by the methods we discussed above. Having a secure password means understanding the elements that make up that security. There are three elements that control how secure a password is.
- Password length
- Password complexity
- Password randomness
Password length is the number of characters the password contains. This is what you see when a site requires passwords of a certain length, such as at least 8 characters.
Password complexity is what types of characters are used in the password. These can be letters, both lower and upper case, numbers, and punctuation like !@#$%^&*(). There are 26 upper-case letters, 26 lower-case letters, 10 numbers, and around 30 usable keyboard punctuation characters. This gives us 92 possible characters to use in our passwords.
Password randomness is how unpredictable your password is. Can the password be found in a language dictionary? Don't think that using a word in a different language will protect you; hackers have already incorporated foreign languages in their dictionaries. Is your password based on a word? Did you just change some letters to numbers? This isn't secure either, because password cracking software applies those same substitutions to every word it tries: every E becomes 3, every L becomes 1, and so on.
Here is the math behind a secure password.
There are 92 possible characters. For each character we add, the number of possible passwords multiplies by 92, so it grows exponentially with length.
2 character password = 92 x 92 (92^2) = 8,464
3 character password = 92 x 92 x 92 (92^3) = 778,688
5 character password = 92 x 92 x 92 x 92 x 92 (92^5) = 6,590,815,232
7 character password = 92 x 92 x 92 x 92 x 92 x 92 x 92 (92^7) = 55,784,660,123,648
You can see how just adding an additional digit greatly increases the number of possible passwords. But that is also because we are using all available letters, numbers, and characters.
Password cracking software can try hundreds of thousands to millions, and on GPU hardware billions, of guesses per second. In the 7 character example above, a cracker trying 1 million guesses per second would need about 1.8 years to try every possible password (55,784,660,123,648 guesses divided by 1,000,000 per second is roughly 55.8 million seconds). At 1 billion guesses per second that drops to under 16 hours. More powerful hardware keeps shrinking these numbers, which is why a truly random password that is longer is what actually holds up.
A truly secure password would be completely random and at least 12 characters in length. Something like this – $8f9Fus8@ca (that sample is 11 characters, so make yours one longer).
This kind of password would resist cracking for the foreseeable future. But please, don't use that one. It is just an example password.
Use both upper and lower case letters, numbers, and punctuation, and then make the password 12 or more characters. Don't use words or derivatives of words.
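The three elements above, length, complexity and randomness, can be put together in a few lines of code. This is an added example, not from the original post: a generator that draws from the 92-character set the page describes using the operating system's cryptographic random source, plus the search-space arithmetic from the section above. The 30 punctuation characters chosen and the guess rates are assumptions taken from the text, not measured figures.

```python
import math
import secrets
import string

# 30 punctuation characters, matching the page's count; with 52 letters and
# 10 digits this gives the 92-character alphabet used in the arithmetic above.
PUNCT = "!@#$%^&*()-_=+[]{};:,.<>?/~|'\""
ALPHABET = string.ascii_letters + string.digits + PUNCT
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, PUNCT)
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(length: int, alphabet_size: int = len(ALPHABET)) -> int:
    """Number of possible passwords: alphabet_size ** length."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Same quantity expressed in bits, the usual way strength is compared."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(length: int, guesses_per_second: float,
                     alphabet_size: int = len(ALPHABET)) -> float:
    """Worst case for the attacker: time to try every password of this length."""
    return keyspace(length, alphabet_size) / guesses_per_second / SECONDS_PER_YEAR


def generate(length: int = 12) -> str:
    """Draw a random password from ALPHABET with a CSPRNG (secrets, not random).

    Rejection sampling keeps the result uniform over all passwords that contain
    at least one character from each class, which is what sites usually demand.
    """
    if length < 12:
        raise ValueError("use at least 12 characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in CLASSES):
            return candidate


if __name__ == "__main__":
    for n in (7, 12, 16):
        print(f"{n} chars: {entropy_bits(n):.1f} bits, "
              f"{years_to_exhaust(n, 1e6):.2e} years at 1M/s, "
              f"{years_to_exhaust(n, 1e9):.2e} years at 1G/s")
    print(generate(12))
```

Notice that the same 7 character keyspace the page computes falls from under two years at a million guesses per second to well under a day at a billion, while 12 random characters (about 78 bits) stays out of reach at any rate a single attacker can buy.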
But wait… I can’t remember that!
A truly secure password is difficult to remember. That is where a password manager comes in. A password manager can generate a strong, random password for you and then store it. It allows you to create a unique password for every site you visit. The password manager stores all of these in one location, and then you only need to remember the one password that unlocks the manager. Password managers integrate with your computers, browsers, and mobile devices so you can use them anywhere. As long as the password you use to secure your password manager is strong, the rest are protected.
The password manager I recommend is LastPass. It is free and will work on just about any device or computer you need. It can generate completely random passwords for you and store them securely. When you visit a site, LastPass will automatically insert your username and password so you can log in.
You can get more information on LastPass here.
Secure passwords will protect your data online. Because of that, it is critical to choose a strong password. I have shown how attackers crack passwords. The three keys to remember are:
- Password length
- Password complexity
- Password randomness
Use all possible letters, numbers, and punctuation. Make the password random and at least 12 characters long. If you follow these, you will have passwords that are secure and resistant to cracking. If you would like an easier way, just use LastPass to generate and store your passwords.