It is now so widespread that we all do it without even thinking: we come up with a password that must be at least x characters long, contain at least one number and one symbol, and not be your first or last name. Whether you are logging in at work or creating an Apple ID, these "strong" password requirements are everywhere.
Once, after creating a new password on a site, I started thinking about how different all the requirements are. On some sites passwords must be at least three characters long, on others at least 8. Some require symbols, some do not. Some check against your name and your previous passwords, others don't. So which password is really strong?
I did a little research and found that two things matter when someone "cracks" your password: first, the strength of the password itself, and second, the strength of the encryption (strictly speaking, the hashing) that turns your password into gibberish when it is stored.
I quickly realized that the whole concept of a strong password is very mathematical, and that a lot of research has been done on the topic. The study that caught my attention, and which I will refer to in this post, is a 2011 Carnegie Mellon study.
Test your password first
Before we get into what makes a password strong, let's see how long it takes to crack a supposedly strong password. To test this, we will use the tool on the PassFault site:
Here is how it works. You enter your password and click Analyze. There are two options that are hidden by default; click Show Options to reveal them. Let me explain what they mean.
Cracking Hardware defaults to a $900 password cracker, which is quite feasible for a lone hacker. There is also the option of a $180,000 password cracker, which something like the Chinese government might use if it's that expensive. The Password Protection drop-down list has several options for the type of encryption used to store the password. Microsoft Windows is the weakest, which is not surprising. Then you have WPA wireless hotspot, UNIX SHA1, UNIX Blowfish and 100 SHA1 rounds.
I tried the strong password I use on several sites and was shocked to see that it can be cracked in 1 day!
Wow, that is bad. So I switched to the stronger encryption options (UNIX Blowfish and 100 SHA1 rounds) and was happy to see results longer than one day: 1 year and 7 months for UNIX Blowfish and 2 months and 2 days for 100 SHA1 rounds. However, with the $180,000 password cracker it dropped to 11 days and 3 days, respectively. I found that unacceptable! I want my password to take years to crack even with a super expensive password cracker. But what is the best I can do with a 9-character password with numbers and a symbol?
What makes a password strong?
This is where the Carnegie Mellon research sheds some light on the whole thing. Basically, they found that the longer the password, the more secure it is. That does not necessarily mean a longer password has to contain lots of symbols or numbers; it just has to be long. At 16 characters, all you need to avoid is very simple dictionary words.
Not sure that's possible? On PassFault, try the following password, which is only 15 characters long and very easy to remember:
Then in the options choose the $180,000 password cracker and the weakest encryption (Microsoft Windows), and you get this:
1 month and 7 days! That is much better than my password being cracked in 1 day. So what's wrong with my password? Well, apparently if your password is shorter, you need more symbols, random letters and numbers to strengthen it. If it is longer, say 15 to 16 characters, you don't need to worry about adding all kinds of numbers and symbols. With a longer password you can even use ordinary vocabulary words and still be very secure. Obviously a password like hellohellohello would still be terrible, even though it's 15 characters long:
It's terrible because hello is in the dictionary and the password just repeats the same word three times. In my first password, where I profess my love for my wife, the sentence quickly starts to look like gibberish to a computer, and no cracking dictionary contains that 15-character phrase as a single word. Dictionaries contain vocabulary words, so as long as you avoid using plain vocabulary words outright, you'll be fine. My password could be even better if I used my wife's name or nickname instead of the word "wife." Get the idea?
Obviously, if you can add a few symbols to a long password, it becomes even more secure. For example, let's say I put an exclamation point in front of the password about my wife and add one number at the end. How long does it take to crack with the same settings?
Holy cow! The time went from 1 month and 7 days to a colossal 4 centuries and 1 decade!!! Yes, centuries!! That is a strong password that is not hard to remember. So check your password with this free online tool, and if it can be cracked in a few days, it might be time to think of something new, especially for sensitive accounts like your bank.
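To see why the numbers above come out the way they do, here is an added Python example (not from this post and not PassFault's own model) that estimates crack time from a password's guess space and an assumed guess rate. The guess rates, the 20,000-word dictionary size and the 33-symbol set are my assumptions for illustration; the point it shows is that the hash type fixes the guess rate, while length and unpredictability fix how many guesses are needed, and that a phrase of common dictionary words is worth far fewer bits than its character count suggests.

```python
import math

# Assumed guesses per second for one cracking rig (illustrative figures, not
# PassFault's): a fast hash like Windows-style NTLM versus a deliberately slow
# one like Blowfish/bcrypt. The hash type, not the password, sets this number.
GUESS_RATES = {"fast hash (Windows-style)": 1e11, "slow hash (Blowfish-style)": 1e5}

def brute_force_bits(length, alphabet_size):
    """Bits of guess space for `length` characters drawn uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)

def passphrase_bits(word_count, dictionary_size):
    """Bits of guess space when the attacker guesses whole words instead of letters:
    only dictionary_size ** word_count candidates exist, however long the words."""
    return word_count * math.log2(dictionary_size)

def seconds_to_crack(bits, guesses_per_second):
    """Expected time to hit the password: on average half the space is searched."""
    return 2 ** bits / 2 / guesses_per_second

def human(seconds):
    """Render seconds in the largest unit that applies, one decimal place."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"

def crack_estimates(bits):
    """Crack time for one password model under each assumed guess rate."""
    return {name: human(seconds_to_crack(bits, rate)) for name, rate in GUESS_RATES.items()}

# Password models mirroring the post's comparisons. The 20,000-word dictionary
# and the 33 printable symbols are assumptions; a repeated single word is
# modelled as roughly one dictionary lookup, since crackers try such repeats.
MODELS = {
    "9 random chars, 95-char keyboard": brute_force_bits(9, 95),
    "15 lowercase letters, letter-by-letter": brute_force_bits(15, 26),
    "4 dictionary words (20k-word list)": passphrase_bits(4, 20000),
    "4 words + leading symbol + trailing digit": passphrase_bits(4, 20000) + math.log2(33 * 10),
    "one word repeated 3x (hellohellohello)": passphrase_bits(1, 20000),
}

if __name__ == "__main__":
    for label, bits in MODELS.items():
        print(f"{label:42s} {bits:5.1f} bits  {crack_estimates(bits)}")
```

Note that the "15 lowercase letters" row is the best case, where the attacker has to guess letter by letter; the "4 dictionary words" row is the same kind of password attacked word by word, which is why the post's advice to avoid plain vocabulary words matters.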
Remember that many online sites get hacked all the time, so your password is never completely safe. However, if you use a really strong password, even if the encryption is very weak, it will take a supercomputer forever to crack it! If you tried a password on the site while reading this post, let us know in the comments how long it would take to crack. Enjoy!