
How to create a strong password?


Dealing with passwords is a fundamental part of using the internet, whether on a tablet, a phone, or any of the other devices we own. Passwords protect everything from the mundane (our Spotify, YouTube, and Twitch accounts) to the vitally important (our PayPal, Amazon, and Venmo accounts) and everything in between. They are the keys to the digital locks on our online property and, as such, play an important role in protecting our lives from bad actors intent on stealing identities and wreaking havoc. Wherever a service offers two-factor authentication (2FA), turn it on: a stolen password alone is then not enough to log in.

It's vital that you are the only one who knows or can guess your passwords. But what makes for a good password? To understand that, you'll need to know a thing or two about how internet ne'er-do-wells crack passwords.

1. Brute-force attacks

In digital security, repeatedly guessing a password is called a brute-force attack. The idea is simple: try every combination of characters until the right one is found. This kind of task would be tedious, repetitive, error-prone, and time-intensive for a human. For a computer, most of these problems become trivial. The guess rates below describe offline attacks, where the attacker holds a copy of the stored (hashed) passwords and tests candidates on their own hardware; a live login form normally throttles or locks the account after a handful of failures, so it cannot be hammered at anything like these speeds.

According to NordPass, computers can guess between 10,000 (on an old-school Pentium 100MHz) and one billion passwords per second (on a supercomputer); a modern GPU cracking rig running a fast hash exceeds the upper figure. Guessing a four-digit PIN (10,000 possible PINs) would take one second in the worst case, where the slowest computer doesn't find the correct PIN until the last check.

When it comes to alphanumeric passwords consisting of only lowercase letters and numbers (36 possible characters), a six-character password (36⁶, about 2.18 billion combinations) could be exhausted in roughly 217,700 seconds (2.5 days) by the Pentium, or about 2 seconds by the supercomputer. These numbers are the maximum time it would take to brute force the passwords. This is unacceptable from a security standpoint.

However, mixing uppercase, lowercase, numbers, and symbols widens the pool to 94 possible characters. An eight-character password drawn from that pool has 94⁸ (over six quadrillion) possible combinations. That is sufficient for thwarting our low-powered computer, which would take over 600 billion seconds (over 19,000 years) to try them all, and it offers reasonable defense against our high-powered computer, which would need over six million seconds (70 days). Note that the example @ndroidPo1ice is in fact 13 characters long, not eight: its 94¹³ (about 4.5 × 10²⁵) combinations would keep even the supercomputer busy for over a billion years in the worst case, which is why the extra length matters far more than the extra character classes.
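The arithmetic above, carried through in code so you can plug in any password, pool size, or guess rate. This is an added example, not code from the original article; the two guess rates are the NordPass figures the article quotes and are assumptions for illustration, not measurements of any real machine. The 8-character sample @ndr0idP is constructed to match the 94-character, 8-symbol case the article actually calculated.

```python
"""Brute-force cost calculator.

Added example, not code from the original article. It generalizes the
article's arithmetic: a password of `length` symbols drawn from a pool of
`charset_size` characters has charset_size ** length candidates, and an
attacker making `rate` guesses per second needs at most that many divided
by `rate` seconds (about half that on average). The two guess rates are
the NordPass figures quoted in the article and are assumptions, not
measurements of any real machine.
"""
import string

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

# Guess rates from the article (assumed for illustration only).
RATES = {"Pentium 100MHz": 10_000, "supercomputer": 1_000_000_000}

# The four character classes that make up the 94 printable ASCII characters.
CHARACTER_CLASSES = (
    (string.digits, 10),
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.punctuation, 32),
)


def pool_size(password: str) -> int:
    """Sum of the sizes of the character classes the password actually uses.

    '1234' -> 10, 'abc123' -> 36, '@ndroidPo1ice' -> 94. Using a class even
    once forces the attacker to include the whole class in the search.
    """
    return sum(size for chars, size in CHARACTER_CLASSES if any(c in chars for c in password))


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return charset_size ** length


def worst_case_seconds(charset_size: int, length: int, rate: float) -> float:
    """Time to exhaust the whole keyspace at `rate` guesses per second."""
    return keyspace(charset_size, length) / rate


def describe(seconds: float) -> str:
    """Render a duration in the unit a reader would naturally pick."""
    if seconds < 60:
        return f"{seconds:.1f} seconds"
    if seconds < SECONDS_PER_DAY:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_DAY:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


def report(password: str) -> dict[str, float]:
    """Worst-case cracking time for `password` under each assumed rate."""
    size, length = pool_size(password), len(password)
    return {name: worst_case_seconds(size, length, rate) for name, rate in RATES.items()}


if __name__ == "__main__":
    # '@ndr0idP' is a constructed 8-character sample using all four classes.
    for pw in ("1234", "abc123", "@ndr0idP", "@ndroidPo1ice"):
        print(f"{pw!r}: pool {pool_size(pw)}, length {len(pw)}, "
              f"{keyspace(pool_size(pw), len(pw)):.3g} candidates")
        for machine, secs in report(pw).items():
            print(f"    {machine:15s} {describe(secs)}")
```

Running it reproduces the article's figures (about 70.6 days for the 8-character case on the fast machine, about 19,300 years on the slow one) and shows that adding five more characters to reach @ndroidPo1ice multiplies the search by 94⁵, far more than adding another character class would.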

2. Dictionary attacks

These calculations assume the longest possible time, with the computer only guessing correctly on the last possible permutation of characters. The average time it takes to guess a password would be about half of what's stated above. Worse, people are awful at picking passwords, but it's (mostly) not our fault. The problem is that the best passwords to thwart brute-force attacks are a random distribution of letters, numbers, and symbols. The easiest passwords to remember are made of numbers and words that have some personal meaning. This opens us up to a new vulnerability: dictionary attacks.

This type of attack is successful because many people use common words in their passwords. Instead of testing every combination of every possible character, an attacker can test words known to be used in many passwords, together with "mangling rules" that capitalize the first letter, append a year or an exclamation mark, or swap letters for look-alike digits and symbols, so that P@ssw0rd1! is tried almost as early as password. Given the plethora of data breaches in the past decade, attackers can also find lists of hundreds of millions of real passwords to test, a far cry from the six quadrillion possibilities in our previous example.

3. Password cracking

Another avenue of attack relies on the way online services store passwords. Companies shouldn't save a list of plaintext passwords, since doing so would expose every user the moment the database leaks. Instead, they store the output of a one-way hash function: a function that easily converts a password into a fixed-size value but makes it infeasible to recover the original password from that value. (This is hashing, not encryption; there is no key that turns the stored value back into the password.) A well-designed password store also adds a unique random salt to each password and uses a deliberately slow algorithm (bcrypt, scrypt, Argon2, or PBKDF2 with a high iteration count) so that every guess is expensive.

Since companies began using these algorithms, attackers have been working hard to find ways to crack them. Fast, general-purpose hashes like MD5 and SHA-1, used without a salt, are so thoroughly catalogued that a simple Google search of the stored value often reveals the original password, because anyone can compute the hash of every common password once and reuse that table against every site. Salting defeats that shortcut, but if the hash is fast, a dictionary of common passwords can still be run against every account in a matter of hours by renting GPU time on AWS.

With the proliferation of these types of attacks, a bad actor with a copy of the hashed passwords and a bit of time can recover the weak ones and use them to gain access to your accounts. You don't control how a service hashes its passwords; what you control is whether yours is one of the weak ones.
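The dictionary attack from section 2 run against the two storage schemes from section 3, as an added example that is not code from the original article. The "breach dump", usernames, passwords, and wordlist are all constructed for the demonstration; the only real constant is OWASP's published iteration count for PBKDF2-HMAC-SHA256.

```python
"""Unsalted fast hashes versus a proper password hash.

Added example, not code from the original article. Part 1 builds a small
constructed 'breach dump' of unsalted SHA-1 digests (usernames and
passwords are made up) and recovers the weak ones with a wordlist, which
is exactly what a Google search or precomputed table of the digest does.
Part 2 stores the same passwords with salted PBKDF2-HMAC-SHA256, so equal
passwords no longer share a digest and every guess costs many iterations.
WORDLIST is a constructed stand-in for a real leaked-password list.
"""
import hashlib
import hmac
import secrets

WORDLIST = ["123456", "password", "qwerty", "letmein", "iloveyou",
            "dragon", "password123", "sunshine"]


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1, the way a careless service might store a password."""
    return hashlib.sha1(password.encode()).hexdigest()


# Constructed breach dump: username -> unsalted digest.
BREACHED_SHA1 = {
    "alice": sha1_hex("password123"),
    "bob": sha1_hex("letmein"),
    "carol": sha1_hex("password123"),       # same password as alice -> identical digest
    "dave": sha1_hex("tFqK9!vb2Lm#xR4z"),   # random-looking, not in any wordlist
}


def crack_unsalted(dump: dict[str, str], wordlist: list[str]) -> dict[str, str]:
    """Dictionary attack: hash each candidate once, then look every user up.

    Without a salt the same len(wordlist) digests apply to every user on
    every site, and identical passwords fall together.
    """
    table = {sha1_hex(word): word for word in wordlist}
    return {user: table[digest] for user, digest in dump.items() if digest in table}


# --- Part 2: salted, deliberately slow storage -----------------------------

PBKDF2_ITERATIONS = 600_000  # OWASP guidance for PBKDF2-HMAC-SHA256 (2023)


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' with a fresh 16-byte salt."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash format: {algorithm}")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def crack_salted(records: dict[str, str], wordlist: list[str]) -> dict[str, str]:
    """The same dictionary attack against salted records.

    The salt forces one full PBKDF2 run per (user, candidate) pair, so the
    cost is users x words x iterations instead of one shared table. Weak
    passwords still fall; they just cost far more per account.
    """
    found = {}
    for user, stored in records.items():
        for word in wordlist:
            if verify_password(word, stored):
                found[user] = word
                break
    return found


if __name__ == "__main__":
    print("unsalted SHA-1:", crack_unsalted(BREACHED_SHA1, WORDLIST))
    plaintexts = [("alice", "password123"), ("carol", "password123"), ("dave", "tFqK9!vb2Lm#xR4z")]
    records = {user: hash_password(pw) for user, pw in plaintexts}
    print("alice and carol share a digest?", records["alice"] == records["carol"])
    print("salted PBKDF2:", crack_salted(records, WORDLIST))
```

Note what changes and what does not: alice and carol are cracked together from the unsalted dump, and dave survives only because his password is not in the list. With salting, alice still falls to the same eight-word dictionary, just at the cost of 600,000 HMAC iterations per guess per user; the slow hash buys time, it does not rescue a common password.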

4. The solution

How can we be sure that no one can guess our passwords? A good rule of thumb is to look at modern password requirements from financial institutions. Your bank, for instance, may require passwords that are at least eight characters and have one uppercase letter, one lowercase letter, one number, and one symbol. So the previous example of @ndroidPo1ice checks all the boxes.

The solution to these problems is to have longer, more complex passwords, and a different one for every service. But this introduces a new problem. Most of us have dozens of accounts, and we can't remember 50 passwords for 50 services. Until you adopt a password manager, the best you can do is prioritize: give every account that controls your money or can reset other passwords (your email, Amazon, PayPal, Venmo, and bank accounts) its own strong, unique password, and never reuse any of those passwords on less vital accounts (Spotify, TikTok, Discord). Reuse is the real danger: when a password leaks in one site's data breach, attackers promptly try it against every other popular service, so a shared password turns a breach of your music app into a breach of your bank.

As for creating a password that's resistant to brute-force attacks, dictionary attacks, and cracking, focus on length over complexity. Potential passwords could be based on a meme (@11yourBase@reB310ng2us), a video game (theC@k3is@L13), or a book (itWasThe835tOf*itWasTheW0r5tOf*). One caveat: famous quotes and lyrics are already in cracking wordlists, and substitutions like @ for a, 3 for e, and 0 for o are exactly the mangling rules crackers apply, so a well-known phrase gets less protection than its length suggests. Several unrelated words chosen at random are stronger than a quote and just as easy to type. And avoid personal information like birthdays, phone numbers, or nicknames, since this kind of information can be found by scouring social media.
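To put "length over complexity" in numbers, and to show how a password manager actually generates credentials, here is an added example that is not code from the original article. WORDS is a constructed 32-word list so the code runs offline; the 7,776 figure is the size of a standard Diceware list and is only used for the comparison. Entropy in bits is length × log2(pool size), the same keyspace idea on a log scale, where each extra bit doubles the attacker's work.

```python
"""Length over complexity: generate credentials the way a password manager
does and measure them.

Added example, not code from the original article. WORDS is a constructed
32-word stand-in; real Diceware-style lists have 7,776 words, and that
figure is used below for the comparison. Both generators draw from
`secrets`, the OS-backed CSPRNG, never from the `random` module, whose
output is predictable.
"""
import math
import secrets
import string

PRINTABLE_94 = string.ascii_letters + string.digits + string.punctuation  # 94 characters
DICEWARE_SIZE = 7776

WORDS = [
    "anchor", "bison", "candle", "dune", "ember", "fjord", "gravel", "harbor",
    "iris", "jigsaw", "kettle", "lantern", "marble", "nettle", "orbit", "pebble",
    "quartz", "ripple", "saddle", "timber", "umber", "velvet", "walnut", "xenon",
    "yonder", "zephyr", "acorn", "bramble", "cinder", "delta", "falcon", "glacier",
]


def entropy_bits(pool_size: int, length: int) -> float:
    """Bits of entropy for `length` symbols chosen uniformly from `pool_size`."""
    return length * math.log2(pool_size)


def generate_passphrase(words: list[str], count: int = 5, separator: str = "-") -> str:
    """Join `count` words picked uniformly at random (with replacement) from `words`."""
    if len(set(words)) != len(words):
        raise ValueError("wordlist must not contain duplicates (they skew the distribution)")
    return separator.join(secrets.choice(words) for _ in range(count))


def generate_password(length: int = 16, alphabet: str = PRINTABLE_94) -> str:
    """Random string for sites that insist on symbols; meant to be stored, not memorized."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare_schemes() -> dict[str, float]:
    """Entropy of the article's 8-character 'complex' password versus longer alternatives."""
    return {
        "8 chars, 94-symbol pool": entropy_bits(94, 8),
        "13 lowercase letters": entropy_bits(26, 13),
        "5 Diceware words (7776 list)": entropy_bits(DICEWARE_SIZE, 5),
        "6 Diceware words (7776 list)": entropy_bits(DICEWARE_SIZE, 6),
        "16 chars, 94-symbol pool": entropy_bits(94, 16),
    }


if __name__ == "__main__":
    for scheme, bits in compare_schemes().items():
        print(f"{scheme:30s} {bits:5.1f} bits")
    # With the 32-word toy list a 5-word phrase is only 25 bits; use a real list.
    print("passphrase:", generate_passphrase(WORDS))
    print("password:  ", generate_password())
```

The comparison is the point: 13 lowercase letters (about 61 bits) already beat an 8-character password from all four character classes (about 52 bits), and five words from a real Diceware list (about 65 bits) beat both while remaining memorable. That is also why managers default to long random strings for accounts you never type by hand.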

There's no need to remember all your passwords

Now that you have an awesome password that's resistant to common hacking techniques, you need a way to remember it along with the dozens of other passwords protecting your online accounts. One way is to write it down. Some people keep a notebook just for passwords, and it's not a bad way to save them, because a notebook can't be hacked over the network. The two drawbacks of this method are that you need the book with you for it to be useful and, if you lose it, you've lost all your passwords and potentially handed them to someone else if they can figure out which accounts are yours.

If you're looking for a digital solution to password management, you have two basic flavors to choose from: cloud and local. A cloud service saves your passwords on its servers, and they can be accessed anywhere from any device. With a service like this, you only need to remember one master password, and the online password manager takes care of the rest for you. The drawback is that you have to rely on a third party to keep your passwords safe. Reputable services encrypt your vault on your own device with a key derived from your master password, so a breach of their servers exposes encrypted data rather than your passwords, but the whole scheme then rests on that one master password being long and unique. If it is weak, or if the provider's design is sloppy, their breach becomes yours.

You could also go with a local solution. If you don't trust a third party with your password security, download software that manages your credentials from your desktop or phone. This is a lot like the digital version of the pen-and-paper solution, only your passwords are stored in an encrypted file on your computer instead of in a notebook you keep in your desk. The drawback with local password managers is that they're only good for the device you're using, unless you sync the encrypted file between devices yourself.

One benefit to using password managers is that they often generate a secure password for you. Figuring out which one is for you depends on your needs and personal preferences, but some are better than others.

