The Trouble with Strong Passwords
In making a new account, have you ever experienced having a hard time meeting a site’s password requirement? ‘Password should be at least 8 characters long;’ ‘Password should have at least one capital and one small letter;’ ‘ Password should have a number;’ ‘Password should have a special character;’ and this list goes on.
And when you make that successful combination, you end up struggling to memorize and recall when you want to access your account. This is a serious issue when the password forgotten was for a bank because you may end up spending around an hour calling customer service or talking to an officer at their branch.
First, why are we asked to all of these requirements? The Internet may provide convenience but it also bears risks of cybercrimes such as hacking. Thus having a weak password is an easy prey for cyber attacks. Websites put these password rules into place to avoid two of the most common attacks: brute force and dictionary attacks.
Brute Force Attacks
This is the most common form of password cracking. Imagine you have a physical number combination padlock and someone wants to unlock it. The thief simply goes through all the possible combinations until it gets the right one. Let’s say the lock only uses three digits from zero to nine, and then they have a one in a thousand chance (000 to 999) of getting the correct code.
This scenario in cyberspace is referred to as a brute force attack. An attacker tries every possible combination of characters to figure out your password. This looks more challenging since passwords could also have letters and are longer than the physical combination locks.
However, attackers can use computer programs to automate the process. They write the code, run it, and their computers will do the processing by itself. With the speed of computers right now, attackers can try 2 billion keys per second.
The amount of time they need to crack the code depends on the computer’s speed and the possible number of combinations available. Here is the formula for calculating it:
Two inputs are needed: the number of possible characters and the length of your password. To get the number of characters, consider the types of characters used in the password:
- Numbers (10 different ones: 0–9)
- Letters (52 different ones: A-Z and a-z)
- Special characters (32 different ones).
Which lets you know how many possible combinations are there in your password. For example, if you only use numbers, then each character in your password has 10 possible combinations. If you have a password with a combination of numbers and letters, it will be 62 possible characters. Likewise, using all three gives you 94.
Next, consider the length of characters you are using. This will be the exponent of the equation. Getting these two values, the total number of combinations can be determined.
For example, a website asks you to make a password that is at least 8 characters long and contains at least one small letter, one capital letter, one number, and one special character. Plugging in the numbers to our equation:
Dividing this number by the computing capability, 2 billion, we get the time it takes for the attacker to get your password. This means that it takes around 3 million seconds, or 1.16 months for an attacker to figure out your password. Sounds safe if your attacker won’t wait that long, but for more powerful computers, this time can be shorter.
Thus, adding an additional character can actually make a difference. A nine-character password with the same rules can take around 9 years to decode. Longer passwords mean the harder it is for an attacker to figure out your password.
Users typically look for long and familiar words so that they could easily recall them. But, longer passwords containing only a single word can be cracked using a dictionary attack.
This is where the attacker will try to enter possible passwords coming from a dictionary database. Attackers are aware of these practices; hence a long and complicated word like ‘Absquatulate’ as your password is vulnerable to a dictionary attack. In addition, this will be faster than the brute force since dictionaries are smaller compared to all possible character combinations.
A Strong Password You Can Memorize
So how can you create a strong password that you could actually memorize? Here are some tips you can use:
1. Use a phrase you often use. Dictionary attacks only work when your password consists of a single word. Having multiple words would let the attacker use the brute force instead. Since it’s a phrase, it will definitely be a long password making it difficult to decode.
2. Use two or more unrelated words for your password but are familiar to you. Similar to Tip 1, this prevents a dictionary attack and is difficult to physically pass around compared to a phrase (i.e. telling someone that the WiFi password is ‘have no clue’ is easier over a password like ‘bookshelf ribs hill,’ which uses three unrelated words).
3. Use a combination of proper nouns such as brand names you are fond of to make them easy to recall. Personally, my first strong password was brands I can see on my computer desk. It makes it easy to recall because I would just browse around my desk on what I put as my password.
4. If you need to add numbers in your password, add in your phone number, house number, zip code, or car’s license plate number. To make it less obvious, you can use numbers from your friends or family. There could be instances where attackers have your basic information, like your contact number, which they might try as a possible password. This is great in combination with tips 1, 2, and 3.
5. For special characters, you can add punctuation marks on Tip 1. Have a phrase that you say when you’re angry? Add an exclamation point at the end to meet the special character requirement.
6. As an alternative, you can also use the numbers on Tip 4 or a different number and use it as a reference for your special character. In a computer keyboard, special characters are entered when you press shift + a number. So if you have ‘278’ as your number, you can press shift to get ‘@&*’ to meet the special character requirement.
Attackers are continuing to improve their technology and oftentimes, we are not safe with just following the minimum password requirements of an account. Lets not get intimidated with having longer passwords. Using these tips prove that longer passwords are not difficult to memorize or recall. Let’s stay safe, digitally!