It is only in the last few years, as our lives have largely moved to the online world, that people have started to take an interest in securing their passwords. Experts have been trying to convince everyone that they should try harder for over a decade now, and a series of data leaks has convinced us that they are right.
Unfortunately, most people generally think that a string of 6-8 alphanumeric characters is a strong enough password, but the reality is that creating a strong password
is much more complicated than that. The various website requirements to create a secure password then give us a rather false sense that our accounts are fully secured.
Although many people think that when it comes to passwords, it’s mainly the complexity and unpredictability that matters. But much more so does the length of the password itself matter.
One of the most common ways of hacking passwords is a technique called a brute force attack. The best way to describe this type of attack is to think of a classic locking padlock that unlocks if we set 3 numbers correctly. As long as we know something about the lock’s owner, we can start trying likely combinations (usually this would be called a dictionary attack), or combinations that we conclude are the most common (111, 123, 666, etc.). If we can’t unlock the lock, we start trying every possible combination, such as 001, 002, 003, etc.
A brute force attack works exactly like this, only automated software and computing power takes care of the password testing. If we have to try all combinations of passwords, length matters…a lot. Each additional character in a password significantly multiplies the time it takes for this brute force attack to succeed.
If we take a keyboard of 94 characters (which includes letters, numbers and basic special characters), we can create 6 quadrillions passwords when using 8 digits. A quadrillion is a 1 followed by 15 zeros, that is, a million billions.
This may seem like an extremely high number, but computational power improves relentlessly. Even obsolete computers can try tens of thousands of combinations per second. More modern computers will be in the order of millions, and interconnected networks will do billions of combinations per second. It would take hours or maybe a couple of days to crack such 8-digit password.
This is where the length of the password comes in. We have calculated a 94-character keyboard. Each additional character in the password extends the time for a successful brute force attack 94 times. Hours to days are suddenly weeks to months, even if we add a single character.
So how long should our password be?
We need to account for the fact that computational power is constantly improving exponentially. A password that would have been uncrackable ten years ago is now quite weak.
The recommendation is to use a password of at least 12 characters, and the more the better. If the password is random and cannot be guessed by, for example, a dictionary attack or by trying the most popular passwords, then a brute force attack would take even supercomputers hundreds of years to crack that password. However, 12 characters is rather a minimum; it is better to choose a password of 16 characters in the future.
Don’t use the same password for everything
Now we come to the biggest problem of all. It doesn’t matter how complex or long your password is if you use it for many different services. Breaking the security of one service (not necessarily your password) that stores your password in text form means breaking all the other services where you use that password.
Using different passwords can be done beautifully with password managers that create passwords randomly, plus the passwords are different everywhere. You then keep one password that unlocks the passwords of others. So you only have to remember one single password, which should legitimately be really extra strong, and everything should be insured by two-factor authentication.
Securing online accounts is essential, but if you have a weak password somewhere, don’t panic. Websites don’t allow unlimited logins and are often well protected from brute force attacks. Of course, change weak passwords and/or start using a password manager.
Likewise, your passwords should be stored in encrypted form so that attackers can’t get them even in a data leak. Although brute force attacks won’t so typically crack your passwords, it’s still a good idea to choose strong passwords. However, you don’t need to immediately address the fact that your password has only 11 characters instead of the recommended 12.