P@s$word is not a good password, but what is? Complexity is not the key, length is. We explain the best strategy for a usable and strong password.
Websites of all kinds have been training us for years to choose bad passwords. Special characters, capital letters and numbers are treated as sacred, while a length of just eight characters is usually deemed sufficient. Such passwords are terrible for humans to remember, but a breeze for computers to crack. Special characters won’t save you from hackers or malware, but a healthy password length will. As an added bonus, you can choose something you can actually remember.
Easy brute force
Before we explain exactly what a good password is, you need to understand what makes a bad password so bad. Today, criminals have exponentially more computing power at their disposal than, say, ten years ago, and they can use it to guess your password. This doesn’t happen in a subtle way: attackers simply try combinations, sometimes dictionary-based, sometimes purely exhaustive. Such a brute force attack can be very successful against a modest password.
Take R8@bl# as an example. This password combines upper and lower case letters with numbers and symbols. Security experts from Hive Systems researched how long it would take in 2022 to crack such a password. The answer: less than a second.
Special characters help a little
The same applies to eftanvic, an eight-character password with only lowercase letters. Here the variety of character types does matter: if you choose Eft@nv1 instead, it takes about 40 minutes to crack the password. Less dramatic, but still not long.
The longer your password is, the harder it is to crack. If you add one character to the above password, e.g. Eft@nv1A, the cracking time already rises to two days. With a tenth character it becomes five months. Five months may be enough to protect an unimportant private account, but it is not long when the password gives access to really sensitive data.
Twelve characters or more
Microsoft recommends that you never create a password shorter than twelve characters, and preferably choose fourteen. A password of fourteen characters with upper and lower case letters but no numbers or symbols takes about 64,000 years to crack. If you add numbers or symbols, a successful attack can easily take sixteen million years. Such passwords are currently virtually impossible to crack and also look future-proof.
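The figures above all follow from one calculation: an exhaustive search has to try every combination of the character classes in use, so the work grows as (character set size) to the power of (length). The following Python is an added example, not part of the original article or of Hive Systems’ methodology; it reproduces that reasoning for the article’s own sample passwords. The 33-symbol class size and the attacker rate of 10^12 guesses per second are assumptions, so the absolute times differ from Hive’s table, but the ratios between passwords, and the lesson that three extra lowercase letters beat switching an eight-character password to all four classes, do not depend on them.

```python
import math

# Character-class sizes used in the comparison. The 33 symbols are the
# printable ASCII punctuation characters (an assumption; Hive's table does
# not publish its exact symbol set).
CLASS_SIZES = {"lower": 26, "upper": 26, "digits": 10, "symbols": 33}


def charset_size(password: str) -> int:
    """Size of the union of character classes an attacker has to enumerate."""
    size = 0
    if any(c.islower() for c in password):
        size += CLASS_SIZES["lower"]
    if any(c.isupper() for c in password):
        size += CLASS_SIZES["upper"]
    if any(c.isdigit() for c in password):
        size += CLASS_SIZES["digits"]
    if any(not c.isalnum() for c in password):
        size += CLASS_SIZES["symbols"]
    return size


def keyspace(password: str) -> int:
    """Number of candidates an exhaustive search must try in the worst case."""
    return charset_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """log2 of the keyspace: every extra bit doubles the attacker's work."""
    return len(password) * math.log2(charset_size(password))


def crack_time_seconds(password: str, guesses_per_second: float) -> float:
    """Worst-case time to exhaust the keyspace at a given guessing rate."""
    return keyspace(password) / guesses_per_second


def human_time(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600),
             ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


# Assumed attacker rate: a placeholder for a GPU rig against a fast unsalted
# hash. Hive uses its own figure, so absolute times differ from the article.
ASSUMED_RATE = 1e12


def report(password: str, rate: float = ASSUMED_RATE) -> dict:
    """Summarise length, character set, entropy and worst-case crack time."""
    return {
        "length": len(password),
        "charset": charset_size(password),
        "bits": round(entropy_bits(password), 1),
        "time": human_time(crack_time_seconds(password, rate)),
    }


if __name__ == "__main__":
    # The article's samples plus two lengthened lowercase variants (constructed).
    for pw in ["R8@bl#", "eftanvic", "Eft@nv1A", "eftanvicabcd", "eftanvicabcdef"]:
        print(f"{pw:16} {report(pw)}")
```

Running it shows eftanvic at about 37.6 bits and Eft@nv1A at about 52.6 bits, while the twelve-letter lowercase eftanvicabcd already reaches 56.4 bits: lengthening adds about 4.7 bits per lowercase letter, whereas widening the character set of a fixed eight-character password adds 15 bits in total and cannot be repeated.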
Passwords are therefore a thing of the past: it is better to talk about a passphrase. An ideal passphrase is much easier to remember than six random characters. It is still a good idea to mix some numbers and symbols into such a sentence, and definitely not to limit yourself to words from the dictionary. Go for some kind of nonsense that means nothing to a computer, but perhaps something to you.
Snorreke eats Purina kibble
Let’s give an example. Maybe you have a cat named Snorreke who likes to eat Purina kibble in the kitchen, and you are not averse to a bit of dialect yourself. With that in mind, you can choose MustacheboeftPuri@keuke1. The password has 20 characters. Hive calculated the cracking time for 18-character passwords: if you combine all the character classes in such a password, the cracking time is 438 trillion years. For MustacheboeftPuri@keuke1 it is therefore even longer. A dictionary-based attack won’t help a hacker here either.
Length is therefore the most important parameter for a good password. mustache puri, a shorter variant with no special characters, can still withstand a thousand years of brute force attacks thanks to its 13-character length.
Rules of thumb
A good password, then, is:
- A passphrase containing at least twelve characters, but preferably more than fourteen;
- A combination of upper and lower case letters, preferably supplemented with numbers and special characters;
- No names of people, streets, companies or other things that can be looked up on the web or in the dictionary;
- A passphrase that differs significantly from other passphrases in a meaningful way;
- A phrase that you can remember yourself.
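The rules of thumb above, except the last one (only you can judge what you will remember), can be enforced mechanically. The checker below is an added example, not code from the article or from any of the companies it names. It assumes a small constructed wordlist standing in for a real dictionary or breached-password list, and a similarity threshold of 0.6 (an assumption) to decide when a new passphrase is too close to an old one; the length limits are the article’s own.

```python
import difflib

MIN_LENGTH = 12          # the article's floor
PREFERRED_LENGTH = 14    # the article's (and Microsoft's) recommendation
SIMILARITY_LIMIT = 0.6   # assumed cut-off for "too close to an old passphrase"

# Constructed stand-in for a dictionary / breached-password list. A real
# deployment would load a large list; anything look-up-able belongs here.
WORDLIST = {"password", "welcome", "qwerty", "letmein", "dragon", "summer", "kitchen"}


def dictionary_hits(candidate: str, wordlist=WORDLIST) -> list:
    """Wordlist entries that appear inside the candidate, ignoring case."""
    lowered = candidate.lower()
    return sorted(w for w in wordlist if w in lowered)


def similarity(a: str, b: str) -> float:
    """0..1 score of how much two passphrases share, case-insensitive."""
    return difflib.SequenceMatcher(None, a.lower(), b.lower()).ratio()


def check_password(candidate: str, existing=(), wordlist=WORDLIST) -> dict:
    """Apply the rules of thumb; 'problems' block the password, 'warnings' don't."""
    problems, warnings = [], []

    # Rule 1: at least twelve characters, preferably more than fourteen.
    if len(candidate) < MIN_LENGTH:
        problems.append(f"too short: {len(candidate)} characters, minimum is {MIN_LENGTH}")
    elif len(candidate) < PREFERRED_LENGTH:
        warnings.append(f"shorter than the preferred {PREFERRED_LENGTH} characters")

    # Rule 2: mixed case is required; digits and symbols are recommended.
    if not (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)):
        problems.append("no mix of upper and lower case letters")
    if not any(c.isdigit() or not c.isalnum() for c in candidate):
        warnings.append("no digits or symbols")

    # Rule 3: nothing that can be looked up in a dictionary or wordlist.
    for word in dictionary_hits(candidate, wordlist):
        problems.append(f"contains dictionary word '{word}'")

    # Rule 4: must differ significantly from the user's other passphrases.
    for old in existing:
        score = similarity(candidate, old)
        if score > SIMILARITY_LIMIT:
            problems.append(f"too similar to an existing passphrase (similarity {score:.2f})")

    return {"ok": not problems, "problems": problems, "warnings": warnings}


if __name__ == "__main__":
    # Article samples plus two constructed variants.
    print(check_password("R8@bl#"))
    print(check_password("MustacheboeftPuri@keuke1"))
    print(check_password("Password1234!"))
    print(check_password("MustacheboeftPuri@keuke2",
                         existing=["MustacheboeftPuri@keuke1"]))
```

Note that the similarity check compares against the user’s previous passphrases in plain text, so it only makes sense at the moment of a password change, when the old passphrase is still available; stored passwords should remain hashed.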
We share a few more examples for inspiration:
- Hopefully Un#bar
All of these passwords are long and contain several character classes, so a brute force attack has to account for the full range of available characters. You can imagine that a person with a fat cat, a fan of the Zilvermeer recreation area, a hater of stupid hackers and a hopeful person can all still remember these passwords. Each of them is easier for a human to remember than the insecure R8@bl#.
Keep the tips above in mind when creating a new secure password, but don’t forget that passwords are never foolproof. Do not share them under any circumstances, not even with family and friends, and use MFA whenever possible. And if you still run into the occasional website that rejects your password for being too long? Avoid it, or send an angry email if you have no other choice.
This editorial contribution is part of our security dossier on the occasion of security month October 2022. It is made possible, among others, by our partners, including Telenet. Telenet organizes (in collaboration with ITdaily) the ‘smartest cyber expert in Flanders’ competition, in which anyone can participate.