Many tech bloggers write about the need for strong passwords. It makes sense that we should have strong, not easily guessed passwords, but what defines strong? How easy or difficult is it for a cybercriminal to hack your password?

One common technique used by hackers is called a brute-force attack. A brute-force attack is a trial-and-error method of guessing your password. Hackers use specially crafted programs to cycle through dictionary words, non-dictionary words and, eventually, every possible combination of alphanumeric characters in an attempt to recover the “key” protecting your sensitive data. The limiting factor is compute power: the more processing power the hacker can bring to bear, the faster your password falls.

So what constitutes a strong password?

If you go by Google’s definition, it’s 8 characters or more “using numbers, symbols and a mix of upper and lower case letters.” I tested the bottom limit of Google’s definition with an 8-character, non-dictionary string that had 1 symbol, 3 numbers, 1 upper case and 3 lower case letters. Passwordmeter.com, an online password rating calculator, gave it a score of 75%, a Strong rating. Adding a numerical character brought the rating up to Very Strong with a score of 89%. Adding a 10th character, a symbol, gave me a perfect score of 100%, also Very Strong.

But is this password truly strong enough to give interested hackers or indifferent bots a headache? It depends. According to CommonKey.com’s password strength estimator, a throttled online attack at 100 tries per hour would need thirty years to crack it. An unthrottled online attack at 10 tries per second would need three days. Adding a four-letter, uncommon, lowercase word (bringing the total to 12 characters) increased the crack time to centuries in both scenarios.

Yet another calculator, on betterbuy.com, estimated that a middle-of-the-road Intel Core i5 processor would take about 14 years to crack my original password. Add the four extra letters and that becomes millennia.
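To make the “compute power is the limiting factor” point concrete, here is an added example (my own code, not from the post or from any of the calculators it cites) that models a pure brute-force search: the attacker is assumed to try every string drawn from the character classes present in the password, and on average finds it after covering half the keyspace. The two online guess rates are the ones quoted above; the offline rate and the symbol-alphabet size of 32 are assumptions. Because this model ignores guessing order (common words and patterns first), it gives larger numbers than pattern-aware estimators like the ones the post used, which is exactly why the cited tools disagree with each other.

```python
import math

# Character-class sizes assumed for the model: 26 lower, 26 upper, 10 digits,
# and 32 printable ASCII symbols (an assumption, not a figure from the post).
CLASS_SIZES = {
    "lower": 26,
    "upper": 26,
    "digit": 10,
    "symbol": 32,
}

# Guess rates: the two online scenarios are the ones the post quotes; the
# offline figure is a hypothetical fast cracking rig, not a number from the post.
GUESS_RATES = {
    "throttled online (100/hour)": 100 / 3600,
    "unthrottled online (10/second)": 10,
    "offline, hypothetical 1e10/second": 1e10,
}


def classify(ch):
    """Map one character to the class it draws from."""
    if ch.islower():
        return "lower"
    if ch.isupper():
        return "upper"
    if ch.isdigit():
        return "digit"
    return "symbol"


def charset_size(password):
    """Size of the alphabet an attacker must search, given which classes appear."""
    classes = {classify(ch) for ch in password}
    return sum(CLASS_SIZES[c] for c in classes)


def entropy_bits(password):
    """Bits of entropy if every character were drawn uniformly from the charset."""
    return len(password) * math.log2(charset_size(password))


def crack_seconds(password, guesses_per_second):
    """Expected time to guess: on average the attacker covers half the keyspace."""
    keyspace = charset_size(password) ** len(password)
    return (keyspace / 2) / guesses_per_second


def format_duration(seconds):
    """Render seconds in the largest convenient unit."""
    units = [("years", 365.25 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


def crack_time_table(password):
    """Crack-time estimate for each guess rate, as {scenario: human-readable time}."""
    return {name: format_duration(crack_seconds(password, rate))
            for name, rate in GUESS_RATES.items()}


if __name__ == "__main__":
    # Constructed sample passwords: an 8-character mixed one, then the same
    # string with four lowercase letters appended, mirroring the post's comparison.
    for pw in ("Tr4v#l9z", "Tr4v#l9zmoss"):
        print(f"{pw!r}: {entropy_bits(pw):.1f} bits")
        for scenario, when in crack_time_table(pw).items():
            print(f"  {scenario}: {when}")
```

Running it shows the two effects the post describes: each extra character multiplies the keyspace (and the time) by the alphabet size, and moving from an online rate-limited login form to an offline hash-cracking rig cuts the time by many orders of magnitude, which is why breached password databases matter so much more than login attempts.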

So password strength, like anything else, is relative.

What’s important is maintaining a consistent baseline when constructing your password:
  • Use a combination of symbols, numbers, and both upper and lower case letters. The more complex and random, the better.
  • Size matters. While strong password ratings can be had with 8 or 10 characters, we recommend using 12 characters or more.
  • Avoid the most commonly used passwords such as “123456”, “abc123”, “qwerty”, “baseball”, “football”, etc. Hackers test these first.
  • Avoid common dictionary words, which hackers also test early.
  • Avoid substituting “1” for “l”, “0” for “o”, “3” for “e”, etc. It’s a well-known pattern and, yes, it too is on the list of passwords hackers test early.
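The baseline above can be turned into a checker that a signup form or password-change handler runs before accepting a password. The following is an added example of my own, not code from the post: it enforces the 12-character minimum and the character-class mix, rejects the common passwords the post lists (plus a couple of constructed additions), and undoes the “1 for l, 0 for o, 3 for e” substitutions before looking for dictionary words, so “P@ssw0rd” is still caught. The dictionary and the extra leet mappings (@, $, 4, 5, 7) are constructed stand-ins; a real deployment would load a breach-derived list and a full word list.

```python
import re

# Passwords the post names as the ones tried first, plus constructed additions.
COMMON_PASSWORDS = {"123456", "abc123", "qwerty", "baseball", "football",
                    "password", "letmein"}

# Constructed mini dictionary standing in for a full word list.
DICTIONARY = {"password", "dragon", "monkey", "welcome", "summer",
              "computer", "hacker", "word"}

# Undo the substitutions the post warns about (1->l, 0->o, 3->e) plus a few
# assumed common ones, so that "P@ssw0rd" normalizes to "password".
LEET_MAP = str.maketrans({"1": "l", "0": "o", "3": "e", "@": "a",
                          "$": "s", "4": "a", "5": "s", "7": "t"})


def normalize(password):
    """Lowercase and reverse leet substitutions before dictionary matching."""
    return password.lower().translate(LEET_MAP)


def missing_classes(password):
    """Names of the character classes the password does not contain."""
    checks = {
        "lowercase": re.compile(r"[a-z]"),
        "uppercase": re.compile(r"[A-Z]"),
        "digit": re.compile(r"\d"),
        "symbol": re.compile(r"[^A-Za-z0-9]"),
    }
    return [name for name, pattern in checks.items() if not pattern.search(password)]


def dictionary_hits(password, min_word_len=4):
    """Dictionary words (min_word_len or longer) embedded in the normalized password."""
    text = normalize(password)
    return sorted(w for w in DICTIONARY if len(w) >= min_word_len and w in text)


def check_password(password, min_length=12):
    """Return a list of problems; an empty list means the password meets the baseline."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    missing = missing_classes(password)
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))
    if password.lower() in COMMON_PASSWORDS or normalize(password) in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    hits = dictionary_hits(password)
    if hits:
        problems.append("contains dictionary word(s) after undoing substitutions: "
                        + ", ".join(hits))
    return problems


if __name__ == "__main__":
    # Constructed samples: two that violate the baseline and one that meets it.
    for candidate in ("qwerty", "P@ssw0rd123!", "xK9#mQ2!vL7$"):
        result = check_password(candidate)
        print(f"{candidate!r}: {result or 'OK'}")
```

Note that a checker like this enforces the bulleted baseline only; a long passphrase made of ordinary words would fail the dictionary test even though, as the next paragraph describes, length alone can make it very hard to brute-force. If you adopt passphrases, relax the dictionary rule for candidates above a generous length rather than rejecting them.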

Or you can skip the rules above and follow the advice from a series of Carnegie Mellon studies, which found that a long passphrase can do the job instead. According to Carnegie Mellon, something like staytheheckoutofmycomputeryouopunkhackers should give hackers fits.

As I mentioned in our malware post, managing passwords is not easy, but there are tools that can help. Sophos, a cybersecurity company, estimated in 2014 that the average person had 19 passwords (and that 1 in 3 had strong ones). I have hundreds! Without the tools I use to manage them, I’d be lost. I think that’s a good topic for our next post.

Next up… Good Password Habits #2: Use a Password Safe