What Makes a Strong Password?

In order to pick a strong password, it helps to understand how passwords are guessed by hackers and what makes a bad password vulnerable. The first way an attacker could try to guess your password is through a brute force attack. This is where an attacker goes through every possible combination of letters, numbers and other characters of a given length to try to guess your password. This process takes a lot of computing power, but with modern GPUs getting faster every year, it is currently believed that any password under 10 characters is vulnerable to a brute force attack. As computers get faster, the number of characters required is likely to increase.

The second way an attacker could guess your password is through a dictionary attack. This is where an attacker goes through a list of millions of common passwords (often a list of passwords leaked from a real website) and tries to match them against your password. The attacker will also apply thousands of common variations to the passwords in the list, like replacing a letter “a” with an “@”, to guess your password if it is similar but not identical to a password on the list. The effectiveness of a dictionary attack depends upon the dictionary and rules used, but at least a third of passwords are likely to be easily found using freely available online dictionaries.

The security of a password really depends upon how much “information” it contains. To guess a 14-character string of random characters, you would have to make 14 correct guesses in a row, which means the password contains a lot of information. By contrast, a common word used as a password can be reduced to a single guess. An ideal password would be a long string of random characters, but this gives rise to another problem: memorability. If users cannot remember their passwords, then an extremely secure password may just bring disruption to your business.

Our ideal password then would be both extremely difficult for a computer to guess and easy for a user to remember.

One solution is to use multiple extremely uncommon words as your password and then modify it in some way. For example, “IncisorLondisBoudi-cceaFlea” combines four uncommon words: Incisor, Londis, Boudica, Flea. One of the words is a brand name and one is the name of a historical figure which is misspelled and has a dash in the middle. This type of password is easy to remember, since it is only four words, but is not vulnerable to either brute force or dictionary attacks.
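As an added example (not code from the original article), here is a small Python checker that applies the three ideas above: a length floor for brute force, a comparison against a common-password list that first undoes the usual character swaps so simple variations are still caught, and a bits-of-information estimate. The password list, substitution table and guess rate are constructed placeholders rather than real figures.

```python
import math
import re

# Constructed stand-in for a leaked-password list (real lists hold millions of entries).
COMMON_PASSWORDS = {"password", "letmein", "qwerty", "welcome", "summer", "dragon"}
# Reverse of the substitutions an attacker's mangling rules apply ("a" -> "@", "o" -> "0", ...).
UNLEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                        "0": "o", "$": "s", "5": "s", "7": "t"})
MIN_LENGTH = 10  # the page's brute-force threshold
SECONDS_PER_YEAR = 365 * 24 * 3600

def normalize(password):
    """Undo common mangling so "P@ssw0rd!" and "Summer2023" compare as their base word."""
    base = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())  # drop leading/trailing digits and symbols
    return base.translate(UNLEET)

def is_common_variant(password):
    """True if the password is a common password or a simple variation of one."""
    return normalize(password) in COMMON_PASSWORDS

def charset_size(password):
    """Size of the alphabet a brute-force attack must cover, from the character classes present."""
    classes = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^a-zA-Z0-9]", 33)]
    return sum(n for pattern, n in classes if re.search(pattern, password))

def brute_force_bits(password):
    """Information content if every character were chosen at random from that alphabet."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0

def years_to_exhaust(password, guesses_per_second=1e11):
    """Worst-case time to try every string of this length and alphabet (the rate is an assumed figure)."""
    return charset_size(password) ** len(password) / guesses_per_second / SECONDS_PER_YEAR

def assess(password):
    """Apply the page's two checks: long enough to resist brute force, and not a dictionary variant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if is_common_variant(password):
        problems.append("a variant of a common password")
    # bits is an upper bound: a passphrase of dictionary words is only as strong as the word list
    # it was drawn from, which is why the dictionary check matters alongside length.
    return {"bits": round(brute_force_bits(password), 1), "years_to_exhaust": years_to_exhaust(password),
            "problems": problems, "strong": not problems}

for pw in ["P@ssw0rd!", "Summer2023!!", "IncisorLondisBoudi-cceaFlea"]:
    print(pw, assess(pw))
```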

Once you have chosen a suitably strong password, it is important you only use it for one site. Long lists of usernames and passwords are often leaked from websites and hackers will try to use this information to gain access to accounts on other websites.

For businesses, ensuring users pick secure passwords can be a difficult proposition. Recently, many have begun using password managers to automatically pick strong, random passwords for users and store them in an encrypted format. These password managers essentially rely on the strength of a single master password that unlocks the manager. This represents a single point at which hackers can access all your information, but if your master password is good enough, the added security and ease of use of a password manager may be worth the risk.

A second important measure businesses should take is to ensure there is some form of two-factor authentication enabled for important services. Two-factor authentication means that, as well as requiring a password to access their account, a user will have to provide some further information to verify their identity. This commonly takes the form of a code sent to the user’s email address or mobile phone, or a code generated by a security key. Two-factor authentication involving email or phone messages represents a massive step up in security from just a password, but still has some vulnerabilities. If hackers have access to your email address, they can still get the code and log in. Recently, hackers have been able to intercept SMS messages to gain access to verification codes. The most secure method of two-factor authentication is using a physical security key to verify your identity. These are not connected to the internet, meaning hackers would have to be physically in your location to gain access to your account.

In conclusion, the best practices for password security are as follows:

  • Don’t use the default password provided by your system administrator, as this is unlikely to be secure. Change the password as soon as you can.
  • Use a long password which is difficult for a computer to guess, either through brute force or using a dictionary.
  • If you have any accounts with poor passwords, then change them as soon as possible. Do not reuse passwords on different websites.
  • Enable two-factor authentication — preferably using a physical security key.