Everyone has a password for something; from bank accounts to websites, almost everything in all walks of life has one. It's one of the most important things both to remember and to choose well. In this article we look at what makes a password "strong" and give tips on how to improve your choice of passwords.
Before we can easily identify what a "good" password is we should look at what a "bad" password is and why it is poor for security. An example of a bad password might be "book", which is considered bad for several reasons:
- It is a word that can be found in the dictionary,
- It is a very short password,
- It contains only letters,
- More than one character is the same.
Two types of attack would "guess" that password in a relatively short time. The first is a dictionary attack: going through every word in the dictionary is entirely do-able, and whether the word appears near the start or the end of the dictionary doesn't matter, since the attack will eventually reach it (it's just a matter of how long it takes). The other way is brute force, where every character combination is tried. If we assume the attacker tries only lower-case letters but tries passwords of every length from 2 characters upwards, we can easily calculate the maximum number of attempts needed to crack the password. Each position has 26 possibilities, so for 2 letters we multiply: 26 * 26 = 676 attempts. For a 4-letter password we would add up 676 + 17576 + 456976, which comes to 475228 attempts. It might sound a lot, but software guessing the password would not take long at all.
Increasing the complexity and length of the password makes a huge difference to how secure it is. Using capital letters isn't a huge benefit on its own, as the password is still vulnerable to dictionary attacks, but it would increase the attempts on a 2-letter password to 2704. Adding numbers as well gives 62 possibilities for each character, so a 2-character password would take 3844 attempts instead of 676. Adding numbers also reduces the chance of a dictionary attack working, but with passwords such as 3book90 there is still a possibility that a dictionary attack would succeed, because an English word is in there, merely surrounded by digits.
The trick is to use a word that is not in the dictionary and to mix integers, and possibly symbols, into your password. Allowing the symbols that appear on the keyboard raises the number of different characters to around 96, depending on your keyboard layout. With 96 characters to choose from, a brute-force attack on a 2-character password would require a maximum of 9216 attempts to guess it. As the length of the password increases, this grows dramatically. Consider the following table:
| Password Length | Lower case | Any Letters | Alphanumeric | Any char |
|---|---|---|---|---|
| 2 | 676 | 2,704 | 3,844 | 9,216 |
| 3 | 17,576 | 140,608 | 238,328 | 884,736 |
| 4 | 456,976 | 7,311,616 | 14,776,336 | 84,934,656 |
| 5 | 11,881,376 | 380,204,032 | 916,132,832 | 8,153,726,976 |
| 6 | 308,915,776 | 19,770,609,664 | 56,800,235,584 | 782,757,789,696 |
| 7 | 8,031,810,176 | 1,028,071,702,528 | 3,521,614,606,208 | 75,144,747,810,816 |
| 8 | 208,827,064,576 | 53,459,728,531,456 | 218,340,105,584,896 | 7,213,895,789,838,336 |
This can be represented mathematically as x^y, where x is the number of available characters and y is the length of the password. Because y is the exponent applied to x, the length of the password matters more than the number of different kinds of character the attacker has to try. As proof, consider the following example. Our "base" measure is 26 * 26: 2 characters, each with 26 possibilities (lower case only). If we increase the length of the password by one we get 26 * 26 * 26, but if we instead increase the number of available characters by one we have 27 * 27. From the table above we know a 3-character lower-case password takes 17,576 attempts, while 27 * 27 comes to only 729, which proves that password length matters more.
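The arithmetic above, written out as a small script so the table and the length-versus-alphabet comparison can be reproduced for any sizes. This is an added example, not code from the article; the alphabet sizes are the article's own (26, 52, 62 and 96), and the function names are arbitrary.

```python
# Added example (not from the original article): the brute-force search-space
# arithmetic the article walks through. Alphabet sizes are the article's own.

ALPHABETS = {
    "Lower case": 26,
    "Any letters": 52,
    "Alphanumeric": 62,
    "Any char": 96,
}


def search_space(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters: x^y."""
    return alphabet_size ** length


def cumulative_attempts(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Worst-case attempts when every length from min_len to max_len is tried,
    e.g. 26^2 + 26^3 + 26^4 for the article's 4-letter lower-case example."""
    return sum(search_space(alphabet_size, n) for n in range(min_len, max_len + 1))


def attempts_table(min_len: int = 2, max_len: int = 8) -> list[list[int]]:
    """Rows of [length, space per alphabet], reproducing the article's table."""
    return [[n] + [search_space(size, n) for size in ALPHABETS.values()]
            for n in range(min_len, max_len + 1)]


def length_vs_alphabet(alphabet_size: int, length: int) -> tuple[int, int]:
    """Starting from alphabet_size^length, compare adding one character to the
    password (returned first) with adding one symbol to the alphabet (second)."""
    longer = search_space(alphabet_size, length + 1)
    wider = search_space(alphabet_size + 1, length)
    return longer, wider


def print_table() -> None:
    """Print the same table as the article, with thousands separators."""
    header = ["Length"] + list(ALPHABETS)
    print(" | ".join(f"{h:>22}" for h in header))
    for row in attempts_table():
        print(" | ".join(f"{v:>22,}" for v in row))


if __name__ == "__main__":
    print_table()
    print("2..4 lower-case letters, all lengths tried:",
          f"{cumulative_attempts(26, 2, 4):,}")
    longer, wider = length_vs_alphabet(26, 2)
    print(f"one more character: 26^3 = {longer:,}; one more symbol: 27^2 = {wider:,}")
```

Running it prints the article's table and confirms the two spot checks in the text: 475,228 attempts for all lower-case passwords of length 2 to 4, and 17,576 versus 729 when one extra character is compared with one extra alphabet symbol.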
Saying that an 8-character lower-case password will take 208,827,064,576 attempts is not strictly true, though: if the 8 characters form a dictionary word or a word in common usage, it is likely to be found in significantly fewer attempts. For example, the English language contains approximately 1,000,000 words including scientific terms; even adding names and words from popular culture, that is still far fewer than the attempts needed to brute-force the password. Hence it is equally important to include a range of other characters, such as numbers and symbols, in your password.
Based on this reasoning, a password such as 90ge0$tationarY100 would be very strong. Such passwords don't have to be hard to remember either: if you use memorable numbers at either end and then think of one or more words with some letters replaced by numbers and/or symbols, you will have a memorable password that is also secure, because it draws on a high number of possible characters, is long, and is not in a dictionary. This example, which is 18 characters long, would mean a stunning 4.76 x 10^35 attempts (in standard notation).
If the system blocks the user for 2 hours after 5 failed attempts, guessing such a password becomes impractical. Under such a system an attacker could only manage 60 attempts per day, 420 per week, and 21840 per year. For this password it would then take approximately 2.2 trillion trillion years at most to crack. That is simply not feasible; it is more likely an attacker would find a security hole in the system and gain access that way.
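A defender-side check that applies the article's three criteria (length, range of character classes, no dictionary word embedded among the digits and symbols) and then estimates how long a guesser throttled by the lockout rule above would need. This is an added example rather than the article's own code: the word list is a small constructed sample standing in for a real dictionary, and the thresholds of 8 characters and 3 character classes are assumptions chosen for illustration.

```python
# Added example (not part of the original article). SAMPLE_DICTIONARY is a
# constructed stand-in for a real word list; the 8-character and 3-class
# thresholds are assumed policy values, not figures from the article.

SAMPLE_DICTIONARY = {"book", "stationary", "password", "house", "secret"}  # constructed
PRINTABLE = 96  # the article's size for "any character on the keyboard"


def character_classes(password: str) -> set[str]:
    """Which of lower/upper/digit/symbol the password draws on."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def embedded_dictionary_words(password: str, dictionary=SAMPLE_DICTIONARY) -> list[str]:
    """Dictionary words present as a substring, ignoring case, so digits or
    symbols around a word ('3book90') do not hide it. A letter swapped for a
    symbol, as in '$tationarY', breaks the match, which is the article's point."""
    lowered = password.lower()
    return sorted(word for word in dictionary if word in lowered)


def lockout_attempts_per_year(allowed: int = 5, lockout_hours: float = 2) -> int:
    """Attempts a guesser gets per year under 'allowed failures, then lock for
    lockout_hours'. 5 per 2 hours is 60/day; the article counts 7 days and
    52 weeks, giving 420/week and 21,840/year."""
    per_day = allowed * (24 / lockout_hours)
    return int(per_day * 7 * 52)


def years_to_exhaust(password: str, attempts_per_year: int) -> float:
    """Worst-case years for a throttled guesser to try every string of this
    password's length over the 96-character alphabet."""
    return PRINTABLE ** len(password) / attempts_per_year


def assess(password: str, min_length: int = 8, min_classes: int = 3) -> dict:
    """Apply the article's criteria and report the lockout-limited worst case."""
    classes = character_classes(password)
    words = embedded_dictionary_words(password)
    problems = []
    if len(password) < min_length:
        problems.append("too short")
    if len(classes) < min_classes:
        problems.append("too few character classes")
    if words:
        problems.append("contains dictionary word(s): " + ", ".join(words))
    return {
        "length": len(password),
        "classes": sorted(classes),
        "dictionary_words": words,
        "problems": problems,
        "strong": not problems,
        "years_under_lockout": years_to_exhaust(password, lockout_attempts_per_year()),
    }


if __name__ == "__main__":
    for candidate in ("book", "3book90", "90ge0$tationarY100"):
        result = assess(candidate)
        print(candidate, "->", "strong" if result["strong"] else result["problems"],
              f"({result['years_under_lockout']:.2e} years worst case)")
```

The two weak examples from the article fail as described: "book" on all three counts, and 3book90 because the letter run is still a dictionary word. The substring check is deliberately naive; it models the article's dictionary attack, not the substitution rules a real cracking tool would also apply.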