Users are advised to create a complex, strong password whenever they register on a site, and that advice should be taken seriously. Unfortunately, not every user does: many still rely on an easy-to-remember, weak password that they invented 5-10 years ago.
Why should we no longer use passphrases that were considered strong only recently? Which passwords count as strong, and how is their strength measured? How do you create a password that resists cracking? And where do you keep all those complex passwords if you cannot remember them? Let's answer these questions.
Why do strong passwords stop being strong?
An ordinary phone number, or an 8-digit number with a couple of letters at the beginning or end, was considered a reliable, crack-resistant password a few years ago. But as hardware gets faster, passphrases that were strong only recently cease to be so. The reason is simple: password cracking is, at bottom, a computation, and both the cracking software and the hardware it runs on (above all GPUs) keep getting faster.
The best-known and most common cracking method, brute force, tries every possible combination of characters until one matches. A dictionary attack works similarly, but instead of every combination it tries an extensive prepared list of candidate passwords (common passwords, words and their variations). Against stolen password hashes, attackers may also use precomputed tables of hash chains, the so-called "rainbow tables", to look a hash up instead of recomputing it (salting the hashes defeats this). In any case, reaching a result can take a very long time, but that time shrinks in proportion to the attacker's computing power. If a password like "16875321qwe" took a couple of years to crack earlier, today it may take only a couple of days, or even a few hours.
That is why passwords created several years ago, whether for site registrations or for encrypting data, should be changed from time to time, making them longer and more resistant to brute force.
How is password complexity determined?
The strength of a passphrase is measured by its information entropy, expressed in bits. The more bits of entropy a password has, the harder it is to guess. For example, a password with 20 bits of entropy requires searching through 2^20 = 1,048,576 candidates in the worst case; on average an attacker hits the right one after trying about half of them, since the correct candidate can sit anywhere in the search order.
There is a simple heuristic for estimating the entropy, and hence the strength, of a user-chosen password (it is the scheme given in NIST Special Publication 800-63, Appendix A; here it is applied to passwords made of digits and lowercase English letters):
- The first character of the passphrase is worth 4 bits of entropy.
- The next 7 characters add 2 bits each, i.e. 14 bits more, so an 8-character password is estimated at 18 bits (4 bits for the first character plus 14 bits for the next 7).
- The next 12 characters (the 9th through the 20th) add 1.5 bits each, another 18 bits in total, so a 20-character password is estimated at 36 bits (4 + 14 + 18).
- Each further character (the 21st onward) adds 1 bit. A 25-character password is therefore estimated at 41 bits, and guessing it by exhaustive brute force would take up to 2^41 = 2,199,023,255,552 attempts.
You can raise the estimate (in this scheme) by including non-alphabetic characters (special characters that can be typed on a regular keyboard) together with uppercase letters; a password that contains both is credited with an additional 6 bits.
Thus, in this estimate, the strength of a password is determined by its length and by the variety of characters it contains. Note that these figures are estimates for human-chosen passwords; a password generated uniformly at random from an alphabet of N characters has exactly log2(N) bits per character, which is why machine-generated passwords are far stronger than human-chosen ones of the same length.
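The heuristic above, written out as code, makes the arithmetic checkable and lets you compare a human-chosen password with a randomly generated one of the same length. This is an added example, not code from the article; the thresholds are the ones listed above (first character 4 bits, characters 2-8 two bits each, 9-20 one and a half bits each, 21+ one bit each, plus 6 bits when uppercase letters and special characters both appear), and the guesses-per-second figures passed to `crack_time_seconds` are whatever you assume for the attacker's hardware.

```python
"""Password-entropy estimates and the brute-force work they imply.

Implements the NIST SP 800-63 Appendix A heuristic for user-chosen passwords
(as listed in the text above) next to the exact figure for randomly generated
passwords, and converts bits into cracking time for an assumed guess rate.
"""
import math
import string

SPECIALS = set(string.punctuation)  # the "special characters on a regular keyboard"


def nist_entropy_bits(password: str) -> float:
    """Heuristic estimate for a human-chosen password, per the rules above."""
    n = len(password)
    if n == 0:
        return 0.0
    bits = 4.0                               # first character
    bits += 2.0 * min(max(n - 1, 0), 7)      # characters 2..8
    bits += 1.5 * min(max(n - 8, 0), 12)     # characters 9..20
    bits += 1.0 * max(n - 20, 0)             # characters 21 and beyond
    has_upper = any(c.isupper() for c in password)
    has_special = any(c in SPECIALS for c in password)
    if has_upper and has_special:            # composition bonus
        bits += 6.0
    return bits


def random_entropy_bits(alphabet_size: int, length: int) -> float:
    """Exact entropy of a password drawn uniformly at random: log2(N) bits per character."""
    return length * math.log2(alphabet_size)


def crack_time_seconds(bits: float, guesses_per_second: float, average: bool = True) -> float:
    """Seconds to exhaust a space of 2**bits candidates (or to hit the answer on average)."""
    keyspace = 2.0 ** bits
    work = keyspace / 2 if average else keyspace
    return work / guesses_per_second


def describe(password: str, guesses_per_second: float = 1e10) -> str:
    """One-line summary: estimated bits and average cracking time at the assumed rate."""
    bits = nist_entropy_bits(password)
    secs = crack_time_seconds(bits, guesses_per_second)
    return f"{password!r}: ~{bits:.1f} bits, ~{secs / 86400:.2f} days at {guesses_per_second:.0e} guesses/s"


if __name__ == "__main__":
    for pw in ["16875321qwe", "1/8/2000Qwerty", "a" * 25]:
        print(describe(pw))
    # Twelve random characters from letters and digits (62 symbols) beat all of them.
    print(f"random 12 x [A-Za-z0-9]: {random_entropy_bits(62, 12):.1f} bits")
```

The assumed rate of 10^10 guesses per second in `describe` is a placeholder for a fast unsalted hash on a GPU rig; substitute your own figure. The point the numbers make is that every heuristic estimate above, even with the 6-bit bonus, falls far short of what twelve truly random characters provide.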
Why do I need a complex password if the server is protected against brute force?
Almost all modern web systems have a protection mechanism that temporarily locks an account (or throttles logins) after several (usually 3-5) consecutive failed authorization attempts. Against such a system, online brute-force and dictionary attacks are ineffective: the server locks the account and ignores all subsequent attempts.
This means that cracking even a relatively weak (low-entropy) password online is hard, unless the attacker happens to guess it within the handful of attempts a particular server allows (which is exactly what "password spraying" with the few most common passwords counts on).
However, this is no reason to neglect the recommendations for high-entropy passwords. Attackers can steal the data stored on the server: the database of password hashes, or files encrypted with a key derived from the password the user chose when registering. In that case nothing and nobody limits the number of guesses. The attacker simply runs a cracking program offline against the stolen hashes or ciphertext, at millions to billions of guesses per second on modern GPUs depending on the hashing algorithm, and waits for it to finish.
Therefore, never rely on a site's protection against online brute-force and dictionary attacks. It is always better to play it safe with a password that cannot be cracked in a reasonable time even offline on powerful hardware.
What makes a password resistant to cracking?
There are general guidelines for creating brute-force-resistant passwords. Of course, they will be extended over time, because, as we have already found out, a password considered very strong yesterday may lose that status tomorrow. But for the next few years the following recommendations for creating complex passphrases will remain relevant:
- Use 8 or more characters (preferably 12 or more). The longer, the better.
- Include both uppercase and lowercase letters, and digits.
- Where the system accepts them, include special characters (a percent sign, a dollar sign, an ampersand, etc.) and/or letters from non-English alphabets (Russian letters are an excellent option, although many sites reject non-Latin characters and you need the keyboard layout at hand wherever you log in).
Formally, these recommendations are satisfied by a password such as "1/8/2000Qwerty": it has uppercase and lowercase letters, digits and special characters (the slashes), and it is 14 characters long. Yet its reliability is questionable. A passphrase that follows all the formal rules can still be weak against the second method of cracking, the dictionary attack: "1/8/2000" is a date and "Qwerty" is the most common keyboard pattern, and cracking tools combine such fragments automatically.
Fortunately, attackers' lives can be made much harder by following these additional recommendations:
- Do not use well-known (dictionary) words in passphrases; they fall quickly to a dictionary attack. Also avoid names, pet names and place names, in general any word whose existence is widely known.
- Combining a dictionary word with digits does not make the password resistant either, and neither does replacing letters with similar-looking characters ("leetspeak", such as "administrator" written with "@" for "a", "1" for "i" and "0" for "o"). Cybercriminals have dictionaries and cracking rules that produce exactly these spellings of common words (and even without such dictionaries, they are trivial to generate by substitution).
- You can, however, use dictionary words as a memory aid if several of them are written in a row, separated by digits and/or special characters, with some letters in uppercase. Substituting look-alike characters is also fine (subject to the other recommendations). A strong password built this way follows a pattern like "1TrEe#Car#Sun#…", continuing with a fourth unrelated word.
- Do not use letter sequences that are easy to guess: letters in alphabetical order ("abcdefg" or the reverse) or in keyboard order ("uytrewq", "zxcvbnm").
- If you nevertheless want a sequence to make the password easier to remember, dilute it with digits and/or special characters: "#aS12dF13gH14jK15l#".
- Do not use well-known groups of digits, even combined with special characters and/or letters: phone numbers, document serial numbers, car registration numbers, dates, etc. Passwords like "01/15/1985", "54-05-123456" or "A123AB197" are easily found with the corresponding dictionary-generation algorithms.
- If you need to use groups of digits, follow the recommendations above; you can also combine several groups, separating them with words: "A123AB197mashina01/15/1985".
And one more thing: use different passwords on different sites. Otherwise, once an attacker obtains your password from one compromised site, he will try the same login and password on other sites (so-called credential stuffing).
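The two points made above, that offline guessing against stolen hashes is unlimited and that leetspeak spellings of dictionary words are trivial to generate, can be seen in a few dozen lines. The code below is an added example, not from the article: it builds case, leetspeak and suffix variants of a tiny word list and runs them against a constructed list of unsalted SHA-256 hashes standing in for a stolen database. The word list, substitution table, suffixes and "leaked" passwords are all chosen for illustration.

```python
"""Offline dictionary attack with mangling rules against stolen password hashes.

Stand-in for what a cracking tool does with a leaked database: nobody locks the
account, so the attacker simply tries every candidate. The hash list below is
constructed (unsalted SHA-256, as in a badly built application).
"""
import hashlib
import itertools

# Letter substitutions attackers routinely apply to dictionary words.
LEET = {"a": "@4", "e": "3", "i": "1!", "o": "0", "s": "$5", "t": "7"}
SUFFIXES = ["", "1", "12", "123", "!", "2020"]
WORDLIST = ["password", "administrator", "dragon", "qwerty", "welcome"]  # illustrative


def case_variants(word):
    yield word.lower()
    yield word.capitalize()
    yield word.upper()


def leet_variants(word):
    """Every way of substituting (or not) each substitutable letter."""
    options = [[ch] + list(LEET.get(ch.lower(), "")) for ch in word]
    for combo in itertools.product(*options):
        yield "".join(combo)


def candidates(word):
    """Case x leetspeak x suffix: the rule set applied to one base word."""
    for cased in case_variants(word):
        for mangled in leet_variants(cased):
            for suffix in SUFFIXES:
                yield mangled + suffix


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def crack(target_hashes, wordlist=WORDLIST):
    """Return ({hash: plaintext} for every hit, number of guesses made)."""
    targets = set(target_hashes)
    found = {}
    tried = 0
    for word in wordlist:
        for cand in candidates(word):
            tried += 1
            digest = sha256_hex(cand)
            if digest in targets:
                found[digest] = cand
                if len(found) == len(targets):
                    return found, tried
    return found, tried


# Constructed "leak": three rule-compliant-looking passwords and one multi-word passphrase.
LEAKED_PLAINTEXTS = ["P@ssw0rd", "Adm1n1str@t0r", "Dragon123", "Tree#Car#Sun#Moon"]
LEAKED_HASHES = [sha256_hex(p) for p in LEAKED_PLAINTEXTS]


def demo():
    found, tried = crack(LEAKED_HASHES)
    return sorted(found.values()), tried


if __name__ == "__main__":
    recovered, guesses = demo()
    print(f"{guesses} guesses, recovered: {recovered}")
    print("still standing:", [p for p in LEAKED_PLAINTEXTS if p not in recovered])
```

With a real leak the hashes may be salted and use a deliberately slow algorithm such as bcrypt, which cuts the guess rate by orders of magnitude, but the attack itself is identical and still unlimited: only the number of candidates the attacker must try, i.e. the password's entropy, decides the outcome. The five-word list here already yields tens of thousands of candidates; real rule sets applied to real dictionaries yield billions.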
How do I create a complex and memorable password?
We have already looked at several ways to create memorable passwords from combinations of words, character sequences and groups of digits. But there are many other ways to create unique and, above all, strong passphrases.
Here is just one example:
- Take the first letters of several words from a song or poem you know by heart. If the text is in Russian, transliterate it into Latin letters (for letters like "я" or "ю" use "Ya"/"Yu" or "Ia"/"Iu", as you prefer).
- Take, for example, the opening lines of Pushkin's "Ruslan and Lyudmila": "U lukomorya dub zelyony; zlataya cep na dube tom" ("By a sea bay a green oak stands; a golden chain upon that oak"). The first letters give: uldzzcndt.
- Convert a few letters to uppercase: "uLdzZcnDt". To remember which letters you capitalized, pick a scheme for yourself: for example, every even or odd letter, or every third letter starting with the second, as here.
- Insert digits into the result, preferably somewhere in the middle, for example "uLdz1990ZcnDt" (here we inserted the year 1990).
- If special characters are allowed, insert at least one: "uLdz19*90ZcnDt" (the year is split by the "*" character).
- If special characters are not allowed, add more digits instead, for example at the beginning and/or the end: "12uLdz1990ZcnDt34".
This gives a password that is resistant to brute force and to ordinary dictionary attacks, yet is relatively easy to remember and reproduce at any time. One caveat: the first line of a very famous poem is itself predictable, and an attacker can build a dictionary of initialisms from well-known texts, so a less famous source (or a longer stretch of text) is a better starting point.
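The procedure above is deterministic, so it can be written down once and reused for any text, year and separator; that also makes it easy to verify that the scheme for uppercase letters is applied consistently. This is an added example, not from the article. It assumes the phrase has already been transliterated to Latin letters (Russian "ц" is written as "c" so the letters match the article's "uldzzcndt"), uppercases every third letter starting with the second, and puts the digits in the middle of the letter string.

```python
"""Build a mnemonic password from the first letters of a memorised text,
following the steps in the article: initials -> case scheme -> digits in the
middle -> optional special character -> optional digit padding."""


def initials(phrase: str) -> str:
    """First letter of each word, lowercased. Phrase must already be in Latin letters."""
    return "".join(w[0].lower() for w in phrase.split() if w[0].isalpha())


def apply_case_scheme(letters: str, every: int = 3, start: int = 1) -> str:
    """Uppercase every `every`-th letter, counting from 0-based index `start`."""
    return "".join(c.upper() if i % every == start else c for i, c in enumerate(letters))


def build_password(phrase: str, digits: str, special: str = None,
                   every: int = 3, start: int = 1) -> str:
    """Letters with the case scheme applied, digits (optionally split by `special`) in the middle."""
    letters = apply_case_scheme(initials(phrase), every, start)
    if special:
        half = len(digits) // 2
        digits = digits[:half] + special + digits[half:]
    mid = len(letters) // 2
    return letters[:mid] + digits + letters[mid:]


def pad_with_digits(password: str, prefix: str = "12", suffix: str = "34") -> str:
    """Fallback for systems that forbid special characters: more digits at both ends."""
    return prefix + password + suffix


# Pushkin's opening line, transliterated (ц written as "c" to match the article's letters).
PUSHKIN = "U lukomorya dub zelyony; zlataya cep na dube tom"

if __name__ == "__main__":
    print(build_password(PUSHKIN, "1990"))            # uLdz1990ZcnDt
    print(build_password(PUSHKIN, "1990", "*"))       # uLdz19*90ZcnDt
    print(pad_with_digits(build_password(PUSHKIN, "1990")))  # 12uLdz1990ZcnDt34
```

Changing `every` and `start` changes which letters are capitalised; whichever scheme you settle on, use the same one everywhere so that the only thing you actually have to remember is the source text, the digits and the separator.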
How do I check the strength of my password?
On the Internet you can also find many sites that estimate the strength of a passphrase you enter. For example, Kaspersky offers such a checker: go to https://password.kaspersky.com/ and type or paste the phrase into the "Verify your password" box. A sensible precaution with any online checker is not to enter a password you actually use; since the estimate depends only on the password's structure, test one of the same length and composition with a few characters changed.
How do I know if my password has been compromised?
Sometimes even the most complex password turns out to be worthless. Cybercriminals periodically break into websites and web systems and walk away with huge databases of registered users' logins and passwords (or password hashes). The stolen data is usually offered for sale on the dark segment of the Internet (the darknet), where anyone can buy it.
You can read more in this post: 7 Websites to Check Accounts for Password Leaks and Hacks
If you checked your password in the way described above on the Kaspersky site, you will have noticed a message such as "Your password is not found in the databases of leaked passwords." These "leaked databases" are the same stolen logins and passwords (not all of them, of course, only those that ended up in the hands of researchers who made them available for checking). If the site instead reports "This password appeared in the databases of leaked passwords", the phrase you entered has already been compromised: you are not the only one who knows it.
Such lists of stolen logins and passwords are a godsend for attackers running dictionary attacks, since every leaked password becomes a dictionary entry. So before registering anywhere on the Internet, check whether the password has already been compromised, and do the same for the passphrases you already use.
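A leak check does not have to mean handing your password to a website. The Pwned Passwords service behind haveibeenpwned.com offers a k-anonymity range lookup: you send only the first five hex characters of the password's SHA-1 hash, receive every known suffix in that range with its breach count, and do the comparison locally. The code below is an added example, not from the article or from Kaspersky's checker. The live lookup function is real but not exercised here; the server response used in the demo is constructed, and its count of 9,545,824 for "password" is made up for illustration.

```python
"""Leak check by k-anonymity range lookup (the Pwned Passwords API scheme):
only a 5-hex-character hash prefix leaves the machine. The demo response is
constructed so the example runs offline."""
import hashlib
import urllib.request


def sha1_prefix_suffix(password: str):
    """Uppercase hex SHA-1, split into the 5-char prefix that is sent and the 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; padding entries (count 0) are dropped."""
    counts = {}
    for line in text.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and suffix and count.strip().isdigit() and int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """How many times the password appears in the corpus; 0 means not found.
    fetch_range(prefix) must return the response text for that prefix."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Real lookup against api.pwnedpasswords.com (not used by the offline demo)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "password-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the server: it "knows" only that "password" has leaked.
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its prefix is 5BAA6.
_KNOWN_PREFIX, _KNOWN_SUFFIX = sha1_prefix_suffix("password")
_CONSTRUCTED_RESPONSE = "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",  # constructed: another hash in the same range
    f"{_KNOWN_SUFFIX}:9545824",                # constructed count for "password"
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:0",  # constructed: padding entry, must be ignored
])


def fetch_range_offline(prefix: str) -> str:
    return _CONSTRUCTED_RESPONSE if prefix == _KNOWN_PREFIX else ""


if __name__ == "__main__":
    for pw in ["password", "1TrEe#Car#Sun#Moon"]:
        print(f"{pw!r}: seen {breach_count(pw, fetch_range_offline)} times")
```

To query the real service, pass `fetch_range_live` instead of `fetch_range_offline`. Even then the service never learns the password or its full hash, only which of roughly a million hash ranges it falls into, which is the property that makes this safe to run on passwords you actually use.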
Where is it safe to store passwords?
One of the rules of cybersecurity, never reuse a password, forces the user to store the complex passphrases he creates somewhere. Keeping them all in your head is possible only for a few. Users without a phenomenal memory have to use other means, and a plain text file on the computer is probably the worst of them.
Storing them in the browser's built-in password store is not very reliable either, for several reasons. First, the browser's store is protected only by the operating system user account: the saved logins and passwords sit in a database file in the profile folder, encrypted with a key that the same OS user can obtain automatically (Chrome uses the operating system's credential store for that key; Firefox offers a separate primary password, but it is off by default). Extracting them does not even require launching the browser; ready-made tools do it. Second, anyone who gets access to the logged-in computer can sign in to every site whose credentials are saved, and for that he needs neither hacking skills nor any idea where the browser keeps the data.
Another option is to store passwords in an electronic document in a format that supports encryption, such as PDF, DOCX (MS Word) or XLSX (MS Excel). Make sure the document uses modern AES-based encryption (Office 2007 and later, PDF with AES) rather than the 40-bit RC4 schemes of old Office and PDF versions, whose entire key space can be brute-forced outright.
You can also use the file-encryption function found in any archiving program, which protects any file, even a plain text document, with a password of your choosing. Choose AES encryption (as 7-Zip does, and as WinRAR and WinZip offer) rather than the legacy ZipCrypto method, which has a known-plaintext weakness, and enable header encryption where available so that file names are hidden too.
Both of the latter methods are reliable (provided you use a strong password for the encryption), but they are rather inconvenient.
The last way is to use a dedicated password manager. There are many such applications today, including programs for Windows and other operating systems, mobile apps and browser extensions.
Take, for example, the MultiPassword password manager. It has three independent versions: a desktop application for Windows, mobile apps for Android and iOS, and a browser extension. The main tab of the Windows program shows the number of saved passwords grouped by strength.
Using the program is simple: to add a password to the database, click the "New Entry" button.
Note that when you enter a password, MultiPassword automatically rates its strength, and the button with the dice icon opens a password generator.
Those accustomed to the browser's built-in function of saving logins/passwords and filling in web forms can install the MultiPassword extension (available from the official browser extension stores).
You can import passwords into MultiPassword from other password managers or from browsers (export them from those programs and web browsers first).
You can also read: How to Transfer Passwords from LastPass to Bitwarden Password Manager.