Article by Tim Henneway, support manager for mSeven Software
Many web services or computer systems today require strong passwords. So why are strong passwords so important? Is it really worth all the trouble?
You might also wonder what makes a password strong. Is it just the length of the password, and why all the emphasis on mixed case and special characters? This article will discuss the why, what and how of strong passwords.
Cryptography is King
Cryptography is the hiding of information via the encryption and decryption of data. To keep your data safe, whether on a web site or on your device, it needs to be stored in encrypted form using a strong algorithm like Blowfish or AES. Encryption has become so strong that today’s hackers must use computers to attack security systems.
Brute Force Attack
Even though your data is strongly encrypted, it may still be vulnerable to a brute force attack if the hacker has access to your database. A brute force attack is where a hacker uses software to try a series of common passwords or all possible passwords in an attempt to guess your password and gain access to your data.
The best protection against this type of attack is a strong password because, as you will see, it will take too long for the hacker to figure out your password. Using strong encryption and a strong password will provide a very high level of security for your data.
How Long is Strong?
A strong password is not just a long string; its strength is also determined by the number of different characters each position of the password can take. For example, it takes less than a second for a fast computer to run through every possible 4-digit PIN (e.g., 2578) made up of digits only.
By simply making the 4-character password out of any lowercase letters, uppercase letters, numbers and symbols (e.g., Bc1@), it now takes 25 seconds to generate all possibilities -- a major improvement!
Time to generate all permutations of a 4-character password

Character set:   Digits only (0…9)   All ASCII characters
Time:            1 second            25 seconds
Now let’s see what impact password length has on password strength. In 2010, a top password recovery service in the US reported that their state-of-the-art computing systems can try about 20 million passwords a second.
This means that only hackers with state-of-the-art resources should be able to reach this rate; the average hacker will probably take about twice as long as the times shown below.
Time to Crack*

Password length:  6 characters   7 characters   8 characters   9 characters
Time to crack:    11 hours       6 weeks        5 months       10 years
*assumes each character can be any ASCII character.
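The two tables above follow from a single calculation: the number of candidate passwords is the alphabet size raised to the password length, and the worst-case crack time is that count divided by the attacker's guessing rate. The following Python script is an added example, not code from the article or from mSeven Software; it assumes that "all ASCII characters" means the 95 printable ASCII characters and uses the 20 million guesses per second figure the article cites, so its figures will differ from the article's tables wherever the article's underlying assumptions differ.

```python
# Assumptions (not spelled out in the article): "all ASCII characters" is taken
# to mean the 95 printable ASCII characters, and the attacker tries the
# 20 million guesses per second the article quotes for 2010.
PRINTABLE_ASCII = 95
GUESSES_PER_SECOND = 20_000_000


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters drawn from an
    alphabet of `alphabet_size` symbols; every position is chosen independently."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int,
                       rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time for a brute-force search that tries every password of the
    given length at `rate` guesses per second.  On average the correct password
    turns up after about half this many guesses."""
    return keyspace(alphabet_size, length) / rate


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that keeps the number at or above 1."""
    units = [("years", 365 * 86400), ("days", 86400),
             ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


def crack_time_table(lengths=(6, 7, 8, 9), alphabet_size: int = PRINTABLE_ASCII,
                     rate: int = GUESSES_PER_SECOND) -> dict:
    """Map each password length to a human-readable worst-case crack time."""
    return {n: humanize(seconds_to_exhaust(alphabet_size, n, rate)) for n in lengths}


if __name__ == "__main__":
    # First comparison in the article: a 4-digit PIN versus 4 printable ASCII characters.
    print("4 digits:               ", keyspace(10, 4), "candidates")
    print("4 printable ASCII chars:", keyspace(PRINTABLE_ASCII, 4), "candidates")
    # Second comparison: lengths 6 to 9 at 20 million guesses per second.
    for length, when in crack_time_table().items():
        print(f"{length} printable ASCII characters: {when}")
```

Raising the alphabet from 10 to 95 symbols multiplies the 4-character keyspace by more than 8,000, while adding one character to a 95-symbol password multiplies it by 95; that is why length and character variety both matter, and why the table grows so quickly from one column to the next.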
As you can see, with a password as short as nine characters you can make it very hard for a hacker to crack your database.
Many will hear that a 9-character password can be strong and then select any easy-to-remember 9-character word and use that as a password. This can be a big mistake! Hackers know people will do this, and they will create and share dictionaries of common passwords and will even mine your personal data for keywords they can use to reduce the 10 year crack time to mere hours.
For example, let’s say you use the word “mountain” as your password. Since the word is in the dictionary, a hacker using the dictionary as a list of candidate passwords will crack your data rather quickly.
The trick is to create a password that is memorable and yet long enough while using a wide array of characters.
Pumping Up Your Password
Here are some ideas on how to create strong passwords. Pick an 8-character word that is easy to remember and make it strong. For our example we will use the word “mountain.” You will note that this word is all lowercase characters, which is not very secure. Let’s pump it up!
- Change at least one letter to uppercase (you don't want to pick the first letter, as that would be more common and easy to guess). The revised password is now “mounTain.”
- Add at least one number to it. Let’s replace the “o” with an “0”, making the revised password “m0unTain.”
- Finally, include a symbol. Let’s replace the “a” with the symbol “@” making our new password “m0unT@in.”
We now have a much stronger password using a combination of uppercase, lowercase, numbers and symbols. While an 8-character password is a good length, you will recall from the chart above that we want a 9-character minimum.
Let’s make it more secure by adding another character. “m0unT@in” could become “m0unT@ins”, or even better “m0unT@in$”, where we have swapped the “s” for a “$”. Many people also put an “!” at the end of any password or a “+” at the beginning and end of all their passwords.
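The steps above can be turned into a check that scores each stage of the transformation: which character classes are present, how large the alphabet a brute-force attacker must therefore search, the resulting worst-case time at the article's 20 million guesses per second, and whether the password is a plain dictionary word. The script below is an added example, not code from the article or from mSeven Software. It assumes the 94-symbol alphabet of letters, digits and punctuation (space excluded), a case-insensitive lookup against a small constructed wordlist that stands in for the attacker's dictionary, and the article's three criteria (not a dictionary word, all four classes, at least nine characters) as the pass condition.

```python
from string import ascii_lowercase, ascii_uppercase, digits, punctuation

# Assumption: the attacker's rate is the 20 million guesses per second the article cites.
GUESSES_PER_SECOND = 20_000_000

# Each character class and its size.  Once an attacker must allow for a class,
# every position of the password can hold any of its characters.
CLASS_SIZES = {
    "lowercase": (ascii_lowercase, 26),
    "uppercase": (ascii_uppercase, 26),
    "digits": (digits, 10),
    "symbols": (punctuation, 32),
}

# Constructed stand-in for an attacker's wordlist; real ones hold millions of entries.
SAMPLE_WORDLIST = {"password", "mountain", "letmein", "qwerty", "sunshine"}


def classes_present(password: str) -> set:
    """Names of the character classes that occur at least once in the password."""
    return {name for name, (chars, _) in CLASS_SIZES.items()
            if any(c in chars for c in password)}


def effective_alphabet(password: str) -> int:
    """Alphabet size an attacker must search once the classes in use are known."""
    return sum(CLASS_SIZES[name][1] for name in classes_present(password))


def brute_force_seconds(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every password of this length over this alphabet."""
    return effective_alphabet(password) ** len(password) / rate


def assess(password: str, wordlist=SAMPLE_WORDLIST) -> dict:
    """Apply the article's criteria: not a dictionary word (checked case-insensitively),
    all four character classes present, and at least nine characters long."""
    present = classes_present(password)
    in_wordlist = password.lower() in wordlist
    return {
        "length": len(password),
        "classes": sorted(present),
        "alphabet": effective_alphabet(password),
        "worst_case_seconds": brute_force_seconds(password),
        "in_wordlist": in_wordlist,
        "meets_article_criteria": (not in_wordlist and len(present) == 4
                                   and len(password) >= 9),
    }


if __name__ == "__main__":
    # The article's own sequence of transformations of "mountain".
    for stage in ("mountain", "mounTain", "m0unTain", "m0unT@in", "m0unT@ins", "m0unT@in$"):
        result = assess(stage)
        print(f"{stage:10s} alphabet={result['alphabet']:3d} "
              f"worst case={result['worst_case_seconds']:.3e} s "
              f"in wordlist={result['in_wordlist']} "
              f"passes={result['meets_article_criteria']}")
```

Run as a script, the output makes the article's point concrete: "mountain" is both a dictionary word and confined to a 26-symbol alphabet, each added class widens the alphabet an attacker must cover, and only the nine-character variants pass all three criteria. The brute-force estimate is a worst case for an attacker who knows nothing about the password; an attacker who works from a dictionary, as the article warns, does not search the whole keyspace.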
The general idea is to choose a word or phrase that you will be able to remember and a simple algorithm for converting it to a strong password. Even the best encryption systems in the world are not going to protect your data if you are using weak passwords and a hacker gains physical access to your mobile device.
To keep your data safe, it is important to understand what makes a strong password and create a password that is easy for you to remember and type into the login screen of your password manager.
Passwords that are about 9 characters in length and include lowercase letters, uppercase letters, numbers and symbols are considered the best defense to the hacker’s brute force attack.