Every week, you hear about another hack or Internet scam. Often, hackers have been able to force a user password. This article will help you understand what a strong password is, and what it means. You will then be able to pick a strong password that is easy to remember for you, but hard for others (or machines) to guess.

How to create a strong password?

Length, Length, Length

If you’re not in the mood for reading the whole article, I want you to take two things away:

1. Long passwords/passphrases are great

2. Avoid well-known passwords/passphrases

We’ll get into the details later, but one of the most popular types of attack is called “brute force attacks”, which means that attackers start with a list of common passwords, or all possible combinations of passwords. The longer your password/passphrase is, and the more time it will take attackers to crack it.

Consider the examples below. Using the ZXCVBN password strength estimator, we get an estimate of how long it would take to crack passwords of various length:

  • 9agcZ: 16 mn
  • 9agcZE: 5 hrs (~18X previous)
  • 9agcZEM : 3 days (~14X previous)
  • 9agcZEM7 : 4 months (~40X previous)
  • 9agcZEM7H : 26 years (~78X previous)
  • 9agcZEM7Hq : “centuries”

As you can see, simply adding one character makes it much more difficult to guess a password. Hackers will not be able to justify the cost of cracking strong passwords and will move onto a better target. Yes, hacker have return-on-investment objectives too.

A Password like the one above is not easy to remember, so there’s a better way…

Create something easy to remember, but hard to guess

In practical terms, the easiest way to pick a long passphrase that is very hard to guess, but easy to remember is to opt for a phrase that makes sense to YOU and no-one else. For example, what about this one?

“on February 11 2011, I was walking with my dog Jimmy at 11 am near the lake!”

I made this slightly overkill to make a point, but it would be fairly easy for someone to remember a personal phrase like this because it makes sense to them. It would be extremely hard for a machine to guess by simply trying all possible combinations.

With today’s computer technology, it could take “centuries” to crack something like this. (Note that it’s fine to use spaces, commas, numbers and special characters).

That said, DO NOT go for well-known quotes/citations/phrases because they may easily be added into a database and used by machines. For example, if your password is “may the force be with you”, it may seem like a good idea, but it’s likely that this famous phrase would be found in a quotes database and used as a shortcut to crack your password.

Do not create something hard to remember, but easy to guess!

A common misperception that many people have is that if it’s hard for them to remember, it must be hard for someone else to guess. That’s not always true, especially if your adversary is a computer that can easily break simple ciphers that humans often use, such as replacing ‘L’ with ‘1’ and ‘o’ with ‘0’. “P4ssw0rd”, really? I love this XKCD drawing that pretty much nails it:

google-visual-clue-1

Managing hundreds of passwords isn’t hard, with the proper tools

It’s also important to recognize that it’s impossible to remember dozens, if not hundreds (I have a ~150 online accounts) of “strong” passwords. The strategy would then be to create a very strong master password that unlocks a password manager such as Lastpass or 1Password.

You can add security to that manager by using a 2-factor authentication system, and you can even set things up, so a second person has access to your passwords in the event of your death or incapacity.

Using a password manager, you can generate random passwords such as 9agcZEM7HqLcXX29ldQI which are rather hard to guess but are also hard to remember.

Since passwords are securely stored in the password manager, you don’t have to remember them, and if it comes down to it, you could reset the password with the usual processes that are email-based.

Password managers are a critical component of online security. They will not only offer the option to use strong unique passwords but are designed to be (more) easily secured with a single master password, strong encryption and 2-factor authentication.

They will make your life much better, and a lot more secure at the same time. Reusing the same password in many places is understandable, but is a very bad security practice because, at some point, one of them may be cracked, potentially from the inside.

What is a weak password?

A weak password is one that can be easily guessed by an attacker/hacker, whether that is a person, or a computer (or a whole network of computers).

There are common attack vectors, ranging from brute-force guessing to social-engineering, here are the common ones:

  • Brute-force attack: try all possible combination of characters (including numbers and punctuation) to form words
  • Dictionary-based attack: use common passwords, such as password123 or 123456. There are lists of worst passwords compiled every year, and you would be surprised that tens of thousands, if not more, use those.
  • Phishing attack: Phishing means trying to get the user to reveal information through deception. It is often in the form of a fake email or web page pretending to be from a legitimate service and asking you to login to an account. The user is willingly giving the password information to the wrong person
    • Avoid this by never following an email link that asks for your login/password. Go directly to the site, or Google it and follow the Google link.
  • Social engineering: this is a less-common form of hacking that consists in using Spycraft like making friends with someone to make them reveal something, or access their computer/network. It is typically used for industrial espionage.

Don’t forget inside jobs/weaknesses

Poor security practices within companies can account for a major part of mass-hacking in which millions of emails and passwords are stolen. Never doubt that even large companies can do extremely dumb things, such as storing email and passwords WITHOUT encryption, or using the same encryption key for ALL their login credentials.

When this happens, there’s little you can do to prevent the hacking of this specific login and password. You should plan that any of your passwords can be cracked due to an internal security lapse. You just need to browse around our Hacking related news to see the extent of the problem.

This is why it is CRITICAL to use a different login/password combination for every service, so that you avoid a cascade hacking of all of your accounts, across multiple services.

Email security is a weak spot

Hacking into your email is also a preferred way to get to more of your information, so make sure that your email is secured with a strong password AND a 2-factor authentication. I recommend opting for an email provider that offers this level of protection.

If an attacker can have access to your email, it is likely that this person can then “reset” your passwords at various online services like Facebook etc… All it takes is a “reset link” sent over email.

Most of the personal information used as “security” gatekeepers (mother maiden name etc…) can be found by someone who is motivated, or via a simple social-engineering phone call, masquerading as someone legitimate.

Do it

Using strong passwords and password managers will truly make your life better, so don’t wait and start using the information you just learned about. It is much easier to spend a little time now, than dealing with the after-effects of a nasty hack.

Filed in General. Read more about , , , and .