How to create a strong password?

There are a few things you can do to create a strong password that will protect your account from being compromised.

  1. Use lower case, upper case, numbers, and symbols (check list of valid symbols, this could vary depending on the website / system)
  2. Use at least 12 chars to allow a wide key space
  3. Don’t use common words or easy-to-guess passwords (e.g. P@ssw0rd, this might be in some dictionary already)

Now, if memorizing complex symbols that make no sense is not really your thing, you can follow this simple tips provided by NIST:

NIST Password Tips
NIST Password Tips

I have been reflecting on all this digital security situation and I have identified the following scenarios which have their advantages and disadvantages.

One password for all accounts

  • Advantages:

    Easy to remember. Since you should only remember one password you can actually memorize a strong one.

  • Disadvantages:

    Once compromised every other known account can be compromised as well.

Different passwords for each account

  • Advantages:

    If one account gets compromised, the rest of them are still safe and can be used to recover the lost account.

  • Disadvantages:

    Difficult to remember the password for each one of them. If you don’t log in frequently you can actually forget it and end up setting a weak password for an account.

Password manager

  • Advantages:

    All passwords are protected by one master password which can be strong since it is the only password you would memorize.

  • Disadvantages:

    Compromising the master password gives access to all other accounts. Besides, if the software that you are using to store the password has any bug that can allow an attacker to gain access to it, you can say goodbye to all your accounts.

Password generator

  • Advantages: 

    Passwords are not stored, passwords are generated dynamically, the generated password is directly related to the input, meaning that you will get the same password for a specific input all the time. If someone makes a copy of the program they can still not generate your passwords.

  • Disadvantages: 

    Operating system restricted, web app requires internet access. If someone know your passphrase and they copy the program, they can generate your passwords.

How long does it take to crack my password?

This will depend on your key space. An easy way to understand this is to check these famous combination locks for luggage. They usually have 3 dials (password length) with 10 possible values (0-9) meaning that the number of possible combinations (key space) is the result of 10^3 = 1000. It will not take much time for a computer to crack a password with this characteristics.

Suppose that your password is 16 chars in length and the alphabet that you are using has 62 chars (A-Z , a-z , 0-9). Your key space to the result of 62^16 = 47672401706823533450263330816.

If a computer tests 1,000,000 passwords per second it will take 47672401706823533450263.330816 seconds to reach the total combinations. Which is 1511681941489838.0723700954723491 years, or for practical purposes, a lot of time.

This may seem to be safe enough and, in my opinion, it is. But more sophisticated attacks that can reduce the cracking time exist nowadays like intelligent brute force, and dictionary attacks among others.

How to test my password?

There is plenty of online tools to verify your password security level. You can just Google “test password strength”, you will have plenty of choice. Any of them will give you a better idea of how strong your password is, you can also use several to compare their results and see if there is any difference.

Sources:

  • http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/
  • https://www.trustedsec.com/february-2011/building-the-ultimate-bad-arse-cuda-cracking-server/
  • http://ss64.com/docs/security.html
  • http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf
  • http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf
  • http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf
  • http://csrc.nist.gov/archive/pki-twg/y2003/presentations/twg-03-05.pdf
  • http://windows.microsoft.com/en-us/windows-vista/tips-for-creating-a-strong-password
  • http://unixgeeks.org/security/newbie/unix/passwd.html
  • https://en.wikipedia.org/wiki/Key_space_(cryptography)
  • https://www.nist.gov/blogs/taking-measure/easy-ways-build-better-pw0rd
  • https://password.kaspersky.com/
  • https://howsecureismypassword.net/
  • https://ssd.eff.org/en/module/creating-strong-passwords

Leave a Comment

Your email address will not be published. Required fields are marked *