Choosing a strong password that you can reliably remember can be a pain. There are plenty of password-creation fields that have their own requirements – must be seven letters, must contain a number and so on. Following those instructions doesn’t guarantee a secure password – not at all. There are however some rules to follow, and tips on how to make sure you have the best password possible… while still being able to remember it.
The first rule of testing the strength of a password is to be extremely careful when using online tools to test your passwords. Websites or downloadable software could take the password that you’re trying to test and add it to a wordlist. A wordlist is a list of known and generally common passwords. Wordlists can run to millions of entries and are used by hackers to make educated guesses at passwords rather than the slower method of trying all possible combinations starting from “aaaaaa”.
In other words, a wordlist contains passwords like “Susie1202” and “Password12”. Hackers run the list against sites hoping to get a match. It’s crucial to have a password that isn’t on any such list. These wordlists are surprisingly effective, as a lot of people use generic or common passwords. Thankfully, you aren’t on your own – there are some tools to help you: password security checkers.
These checkers are generally run by reliable cybersecurity companies. Always be careful when using this type of tool though – there is always some risk involved. You shouldn’t just trust any website or program offering to measure the strength of your passwords without being absolutely sure it’s safe – in fact, even some cybersecurity companies that offer these tools themselves recommend not using your real passwords, and only testing potential, or similar passwords with their tools – just in case.
So how are you supposed to know how strong your password is without using a website or app to check it?
The answer is surprisingly simple: By learning more about what makes a password safe, and designing one accordingly.
Types of attack
When trying to design a safe password, it helps to understand how hackers try to attack. There are two main types of attack: brute force and dictionary.
Brute force attacks try all possible combinations of characters. Given enough time, this method would eventually crack every possible password. The main downside of this attack type is that it takes time, and the more combinations there are to attempt, the longer it takes. The time necessary can be astronomical – even if a program can run tens of thousands of possibilities per minute, there are millions of combinations possible, making these attacks ineffective. Long passwords are very unlikely to be cracked using this method, as running through all possibilities until the right one turns up could take decades.
Dictionary attacks use the aforementioned wordlists to make educated guesses at what passwords might be. This technique dramatically reduces the number of guesses to be made when compared to brute force attacks, speeding up the process by a huge margin. Wordlists are generally based on known leaked passwords. Software designed to perform this sort of attack can also include “word mangling” rules that alter the words to try common variations as well. For instance, a word-mangling rule may try replacing an “o” with a “0” or adding a “!” to the end of a word. These rules are based on the substitutions or additions people commonly make – needless to say, that’s not very secure. The main downside to this type of attack is that the attacker needs to have the password (or the word it was built from) in their wordlist already, so the attack is only as good as the wordlist.
How to make a strong password
There are three important factors in password strength: length, uniqueness, and complexity.
Tip: Please do NOT use any of the passwords or pieces of the passwords mentioned in this article as they are not secure.
How length affects the strength of a password is pretty simple to understand. The more characters a password has, the more combinations of letters need to be tried before a hacker is statistically likely to guess correctly. For example, there are a lot more six-letter words than there are four-letter ones. In fact, for every character added the number of total possible combinations increases exponentially.
Length is the best protection against brute force attacks, but remembering, say, a 64-character password isn’t exactly easy. It’s also not necessary. The ideal situation is to make a password so long that it is simply infeasible to spend the time and energy to ever crack it. A sensible target is 10 characters or more – in almost all cases, that will be enough.
Some people might come up with a plan to use an insanely long password, so long that it’d be impossible to ever brute force it. For example, a poem, song lyrics or the complete works of Shakespeare. Assuming the website allows it, this would kind of work, but at some point a hacker may add these known texts to their wordlist “just in case” and then the idea falls apart. This is where uniqueness comes into play.
Uniqueness is hard to judge. With more than seven billion people on Earth, it can be hard to come up with something completely unique, but it’s still worth trying. Some of the most common passwords, still in use even now, are “admin”, “password”, “123qwe” and “qwerty”. These are terrible passwords, not only because they’re short, but because they’re well known, so they’ll be in every wordlist, probably as one of the first guesses. Some people try to make these passwords a bit more complicated by using “Password1!”, but this is too predictable and is in most wordlists too.
To beat a wordlist-based attack you have to design a password that won’t be known or thought of. The best case is to use a completely random selection of characters, but this is likely too hard to remember.
“UdGlw3sLDAu8KLYu%[email protected]#*%cyu4n9%DTrXO” would be a SECURE password, but it won’t be practical.
A decent solution is to use a selection of words that don’t mean anything together. One example, popularised by the webcomic XKCD, is “CorrectHorseBatteryStaple”. This concept is pretty strong, encouraging both length and randomness, and the result should be easier to remember than a random string of characters and symbols. You can pick any words you like – animals, flowers, even a favourite actor’s name – so long as it’s several things you can remember. Even five things you have sitting on your desk right now would work!
As for complexity: it’s a must, and definitely one of the most important aspects of creating a password. Changing letters to numbers and adding symbols increases the complexity of your passwords. A ten-character string of random letters, numbers, and symbols is a better password, and less likely to be guessed, than the letter “a” one hundred times in a row, which, in turn, is still a better password than “Password12!”.
Complexity is a good way to make passwords harder to guess, but it also makes them harder to remember. It’s all about finding a healthy balance. In general, adding a small amount of complexity by including a number and a symbol somewhere is enough of an improvement to really make a difference to your password strength. It isn’t necessary to change as many characters as possible to numbers or symbols – that just makes the password harder to remember.
To sum up the three requirements, some good rules to remember for passwords are:
- Passwords should have 10 characters as a reasonable minimum length, but more is better.
- Passwords shouldn’t be simple or common combinations of words; they should be unique.
- Passwords should contain a range of character types, including numbers and symbols.
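As an added example (not code from the article), the check below turns the three rules above and the two attack types into something you can run offline: it expands a small constructed wordlist with mangling rules of the kind described (letter-to-digit swaps, trailing “!”) and estimates the brute-force search space from length and character classes. The wordlist, substitution table, suffix list and the 1e10 guesses-per-second rate are all assumptions chosen for illustration.

```python
# Added example, not from the article: an offline strength check built on the
# article's three factors (length, uniqueness, complexity); nothing leaves the machine.
import math
import string
from itertools import product

# Constructed stand-in for the multi-million-entry wordlists the article describes.
WORDLIST = {"password", "admin", "qwerty", "123qwe", "susie1202", "correcthorsebatterystaple"}
# Mangling rules of the kind the article mentions (o -> 0, trailing "!"); expanding
# them lets the check flag "Passw0rd!" although only "password" is in the list.
SUBSTITUTIONS = {"o": "0", "a": "@", "e": "3", "i": "1", "s": "$"}
SUFFIXES = ["", "!", "1", "12", "123", "1!", "12!"]

def mangled_variants(word):
    """Yield the word with every subset of substitutions and every suffix applied."""
    letters = [c for c in SUBSTITUTIONS if c in word]
    for mask in product([False, True], repeat=len(letters)):
        variant = word
        for letter, on in zip(letters, mask):
            if on:
                variant = variant.replace(letter, SUBSTITUTIONS[letter])
        for suffix in SUFFIXES:
            yield variant + suffix

def in_wordlist(password):
    """True if the password equals a wordlist entry or a mangled variant (case-insensitive)."""
    candidate = password.lower()
    return any(candidate == v for w in WORDLIST for v in mangled_variants(w))

def keyspace_bits(password):
    """log2 of the brute-force search space implied by length and character classes."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    alphabet = sum(len(cls) for cls in classes if any(c in cls for c in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0

def brute_force_years(password, guesses_per_second=1e10):
    """Worst-case years to exhaust the keyspace; the 1e10/s rate is an assumption."""
    return 2 ** keyspace_bits(password) / guesses_per_second / (365 * 24 * 3600)

def assess(password):
    """Apply the article's rules: not in a wordlist, 10+ characters, number and symbol."""
    reasons = []
    if in_wordlist(password):
        reasons.append("matches a wordlist entry or a common mangling of one")
    if len(password) < 10:
        reasons.append("shorter than 10 characters")
    if not (any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password)):
        reasons.append("lacks a number or a symbol")
    return {"bits": round(keyspace_bits(password), 1), "weak": bool(reasons), "reasons": reasons}
```

Note that `keyspace_bits` only measures resistance to brute force; “a” repeated a hundred times scores highly there and is caught only by the rule checks, which is exactly the gap the article’s complexity and uniqueness factors exist to close.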
Tip: If you’re curious and want a live visual demonstration of how length and complexity affect overall password strength, using an online password strength tester isn’t a terrible idea. Always be careful about where you enter your passwords and information – some sites may be trying to steal your passwords. The sites below are known to be reliable: