How To Create Secure Passwords

Tip A Day #7

If someone wanted to hack your Facebook, bank or other account, how hard would it be to guess your password? If you use the simplistic passwords that many (maybe even most) people do, it wouldn’t be too hard.

With all of the passwords we have to create, use and keep track of, it’s no wonder we’ve gotten a little lazy about it. Unfortunately, we don’t realize how troublesome a hacked account can be until it actually happens to us, and by then it’s too late.

As a web developer I get calls fairly often from people who’ve been hacked and need help cleaning up the mess, and weak passwords are one of the most common causes.

Here are a few tips to help you keep your data, among other things, safe and keep a hacked account from happening to you.

Creating a More Secure Password

  1. Start by using a “pass phrase”, which works like a password but is a compound of two or more words, making it more complex by nature.
  2. Mix up your new “pass phrase” with special characters and numbers when you can (some sites don’t allow special characters).
  3. Mix the case of characters: to a computer a capital “A” and a lower-case “a” aren’t the same thing, so swap ’em out!
  4. Shoot for a pass-phrase that is 12 – 15 characters.

Things to Avoid

  1. Names or other information easily associated with you (places you’ve lived, streets you’ve lived on, names of family members, birth-dates, etc…).
  2. Standard Dictionary Words

Instead, try places or things that are meaningful to you but would be very hard for someone to figure out.

In the video I mentioned Walt Disney creating a password like *M1ck3yM0us3!, which would be great in that it’s got two words (a pass-phrase) and uses mixed case, special characters and numbers. Unfortunately it wouldn’t really be a great password for Walt to use, since Mickey Mouse is pretty easy to guess if you’re trying to hack into his stuff.
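The tips and the “things to avoid” list above can be turned into a concrete check. The following is an added example, not code from the original post: it scores a candidate password on the four composition tips, estimates the brute-force search space from the character classes it uses, and then undoes common digit-for-letter substitutions (1 for i, 3 for e, 0 for o and so on) to look for dictionary words and personal terms hiding inside it. The substitution table, the tiny SAMPLE_DICTIONARY and the function names are all constructed for this example. Run on Walt’s *M1ck3yM0us3!, it passes every composition check yet is rejected because “mickey” and “mouse” are words a guesser would try first.

```python
import math

# Sizes of the character classes the tips above refer to (printable ASCII).
LOWER, UPPER, DIGITS, SPECIAL = 26, 26, 10, 33

# Common digit/symbol-for-letter substitutions to undo before comparing against
# known words. Constructed for this example; real checkers use larger tables.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

# Constructed stand-in for a real word list (hypothetical, a few entries only).
SAMPLE_DICTIONARY = {"password", "mickey", "mouse", "disney", "welcome", "summer"}


def normalize(password):
    """Lower-case the password and undo the substitutions listed in LEET."""
    return password.lower().translate(LEET)


def composition(password):
    """Report which of the four composition tips the password satisfies."""
    return {
        "length_at_least_12": len(password) >= 12,
        "mixed_case": any(c.islower() for c in password) and any(c.isupper() for c in password),
        "has_digit": any(c.isdigit() for c in password),
        "has_special": any(not c.isalnum() for c in password),
    }


def charset_size(password):
    """Alphabet size an attacker must cover if it knows which classes appear."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(not c.isalnum() for c in password):
        size += SPECIAL
    return size


def brute_force_bits(password):
    """log2 of the brute-force search space: length * log2(alphabet size)."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def known_words(password, personal_terms=(), dictionary=SAMPLE_DICTIONARY):
    """Dictionary words and personal terms (4+ letters) found in the normalized password."""
    normalized = normalize(password)
    candidates = set(dictionary) | {t.lower() for t in personal_terms}
    return sorted(w for w in candidates if len(w) >= 4 and w in normalized)


def evaluate(password, personal_terms=()):
    """A password is acceptable only if it meets every composition tip AND
    contains none of the words a guesser who knows the owner would try first."""
    checks = composition(password)
    hits = known_words(password, personal_terms)
    return {
        "composition": checks,
        "brute_force_bits": round(brute_force_bits(password), 1),
        "known_words": hits,
        "acceptable": all(checks.values()) and not hits,
    }


if __name__ == "__main__":
    # Walt's password looks strong on composition but is built from words tied to him.
    print(evaluate("*M1ck3yM0us3!", personal_terms=["Mickey", "Mouse", "Disney"]))
    # Unrelated words with the same mixing pass both kinds of check.
    print(evaluate("Blue~Kettle7Drum", personal_terms=["Mickey", "Mouse", "Disney"]))
```

The point of the normalization step is that the composition checks alone would score *M1ck3yM0us3! as excellent; only the word check catches the weakness the post describes, and a guesser who knows the owner will apply the same substitutions.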

How Attacks Occur

While attacks can be, and certainly have been, the result of some person trying to break into a system, a more likely scenario is a hacker setting up a script to automatically keep trying passwords until it gets one right. This is known as a brute force attack, and thanks to the speed of computers, weak passwords are VERY susceptible to this kind of attack, but strong passwords are pretty resilient.

How long would it take to hack a password?

(Excerpted from John P’s post “How I’d Hack Your Weak Passwords” on OneMansBlog.com.)

Password Length | All Characters            | Only Lowercase
--------------- | ------------------------- | ---------------
3 characters    | 0.86 seconds              | 0.02 seconds
4 characters    | 1.36 minutes              | .046 seconds
5 characters    | 2.15 hours                | 11.9 seconds
6 characters    | 8.51 days                 | 5.15 minutes
7 characters    | 2.21 years                | 2.23 hours
8 characters    | 2.10 centuries            | 2.42 days
9 characters    | 20 millennia              | 2.07 months
10 characters   | 1,899 millennia           | 4.48 years
11 characters   | 180,365 millennia         | 1.16 centuries
12 characters   | 17,184,705 millennia      | 3.03 millennia
13 characters   | 1,627,797,068 millennia   | 78.7 millennia
14 characters   | 154,640,721,434 millennia | 2,046 millennia

Remember, these figures are for an average computer, and they assume you aren’t using any word in the dictionary. If Google put their computers to work on it, they’d finish about 1,000 times faster.
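To see where figures like those in the table come from, here is an added example (not from the original post or from John P’s article) that computes the worst-case time to exhaust every candidate password for each row. It assumes an attacker trying 1,000,000 guesses per second, a 95-symbol printable-ASCII alphabet for “All Characters”, a 26-letter alphabet for “Only Lowercase” and a 365-day year; none of these are stated on the page, they are inferred because they reproduce the table’s values. It also shows how many extra characters cancel out an attacker who is 1,000 times faster, as the text says Google would be.

```python
import math

# Assumed parameters (not stated on the page, inferred because they reproduce the table).
GUESSES_PER_SECOND = 1_000_000
ALPHABETS = {"All Characters": 95, "Only Lowercase": 26}

# Unit sizes in seconds, smallest first.
UNITS = [
    ("seconds", 1.0),
    ("minutes", 60.0),
    ("hours", 3600.0),
    ("days", 86400.0),
    ("months", 86400.0 * 30.4375),
    ("years", 86400.0 * 365.0),
    ("centuries", 86400.0 * 365.0 * 100),
    ("millennia", 86400.0 * 365.0 * 1000),
]


def search_space(alphabet_size, length):
    """Number of candidates an exhaustive search must try in the worst case."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size, length, rate=GUESSES_PER_SECOND):
    """Worst-case seconds to try every candidate at `rate` guesses per second."""
    return search_space(alphabet_size, length) / rate


def human_time(seconds):
    """Render a duration in the largest unit that gives a value of at least 1."""
    for name, size in reversed(UNITS):
        if seconds >= size:
            value = seconds / size
            return f"{value:,.0f} {name}" if value >= 1000 else f"{value:.3g} {name}"
    return f"{seconds:.2g} seconds"


def crack_time_table(lengths=range(3, 15), rate=GUESSES_PER_SECOND):
    """Rows of (length, all-characters time, lowercase-only time), like the table above."""
    return [
        (n,) + tuple(human_time(seconds_to_exhaust(size, n, rate)) for size in ALPHABETS.values())
        for n in lengths
    ]


def extra_characters_to_offset(speedup, alphabet_size):
    """How many more characters restore the original work factor when the
    attacker becomes `speedup` times faster (each character multiplies the
    search space by the alphabet size)."""
    return math.ceil(math.log(speedup, alphabet_size))


if __name__ == "__main__":
    for length, all_chars, lowercase in crack_time_table():
        print(f"{length:>2} characters | {all_chars:>25} | {lowercase:>15}")
    # A 1,000x faster attacker (the Google figure in the text) is offset by
    # 2 extra mixed characters or 3 extra lowercase letters.
    print(extra_characters_to_offset(1000, 95), extra_characters_to_offset(1000, 26))
```

The table shows the same lesson as the formula: every additional character multiplies the search space by the alphabet size, so length and a larger alphabet matter far more than raw attacker speed. A 1,000-fold faster attacker is cancelled by two more mixed characters, which is why the post’s advice to aim for 12 or more characters holds up even as hardware improves.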

If you want something really strong and hard to crack, try a tool like strongpasswordgenerator.com to come up with truly obscure and difficult passwords. Use the result as a starting point, then modify it to suit you.

Here’s to keeping your online self safe.

If you have ideas for tips I’d love to hear from you on twitter @vsellis or on google+ at gplus.to/scottellis.

If you have suggestions or other ideas on the password topic leave us your thoughts in the comments below.

Learn Something New Every Day!


Comments

  1. Pablo says

    *M1ck3yM0us3!
    Yes, it’s secure, but it’s also very hard to remember and not nearly as good as something like
    D0g…………………

    I won’t bore you with the details, for more info: grc.com/haystack.htm

  2. Chris Farr says

    First off, you’re mostly right. Read this for the easiest and simplest explanation of password strength: https://xkcd.com/936/

    Then please never tell anyone to use a website to generate a password. Do I even have to explain how bad an idea that is? What are you, new?