Strong Passwords…Explained

Have you ever had someone tell you to use a better password, one made of random letters and numbers and at least X characters long? Of course you have! We all have. It's something you will NEVER remember, it's annoying, and it's very true. But there is some merit to it. So I thought I'd explain how most (not all) hackers get hold of your password and why a strong password works.

Let's start with some basic terms: hashing and encryption. Hashing means taking text and turning it into a completely new text string; however, you cannot turn it back into its original string. Encryption means taking that exact same string and turning it into a completely new text string, but you can decrypt the string back to its original text. Why is this important? If you ever sign up for a new account and later receive an email with your password returned to you, this is a bad sign. It means the site you just signed up for is either storing your password in plain text or is only encrypting it. This is a huge red flag and you may want to think twice about signing up for this site.

This brings up the point that every website has a different way of storing your password. Some may implement a strong algorithm while others may be using a weaker or older method. A well-set-up database with up-to-date algorithms and techniques will make any password harder to crack. But you don't know what methods are being used to hash your password, so your best bet is to take control of this yourself.

Don't take it personally: most hackers aren't targeting you specifically. Their target is weak passwords. So you're probably asking, how can a hacker get hold of my password if it's hashed and can't be reversed? The two techniques I list below are not the only ones used, and most hackers will use a combination of techniques, but they are common ones because they're easy and all you need is a modern computer. They also do the job of explaining why certain password criteria are set up the way they are.

Brute Force

This basically means the hacker will try every combination to guess your password until one is right. If you do the math, that's a lot of permutations, and it will take quite some time. An ordinary computer these days can guess hundreds of millions of passwords a second. Short passwords are weak against brute force because the computer only has to test a small number of permutations. So that recommended password length that pops up every time you try to enter a password less than 8 characters long was always there to protect you. Of course, 8 characters is not considered very strong anymore. Using just letters and numbers is also not considered strong. Computers are simply too fast today; these can be cracked in a few hours.

Dictionary Lists

This method involves having a (large) list of words that are tested against your password. It's faster because the computer doesn't have to test every combination of letters in each position before finding a match; instead it can search for whole words covering several positions at a time. It's effective because most passwords include words to make them easier to remember. Hence the random portion of letters and numbers when setting your password. Throw in some punctuation and you'll make it even more difficult.
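To put numbers on the two sections above, here is an added example (mine, not the post author's) that computes the size of the search space for brute force and for a dictionary guess, and turns it into a worst-case time at an assumed guess rate. The character-set sizes, the 500 million guesses per second, and the 100,000-word list size are constructed assumptions; real rates depend heavily on which hash the site uses.

```python
# Character-set sizes used for the estimates (constructed for this example).
LOWER = 26
LOWER_DIGITS = 36
LOWER_UPPER_DIGITS = 62
ALL_PRINTABLE = 95  # letters, digits and printable punctuation

# Assumed guess rate for "an ordinary computer"; an assumption, not a measurement.
GUESSES_PER_SECOND = 5e8


def brute_force_space(charset_size: int, length: int) -> int:
    """Number of candidates a brute force must cover for one fixed length."""
    return charset_size ** length


def brute_force_space_up_to(charset_size: int, max_length: int) -> int:
    """Candidates of every length from 1 to max_length (short ones are tried first)."""
    return sum(charset_size ** n for n in range(1, max_length + 1))


def dictionary_space(num_words: int, suffix_digits: int = 0, case_variants: int = 1) -> int:
    """Candidates when the password is a dictionary word, optionally with digits
    appended and a few capitalisation variants (e.g. 'word', 'Word')."""
    return num_words * (10 ** suffix_digits) * case_variants


def seconds_to_exhaust(space: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case seconds to try every candidate at the given guess rate."""
    return space / rate


def human_duration(seconds: float) -> str:
    """Round a duration to the largest sensible unit."""
    units = [("years", 365.25 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    cases = [
        ("8 lowercase letters", brute_force_space(LOWER, 8)),
        ("8 chars, upper+lower+digits", brute_force_space(LOWER_UPPER_DIGITS, 8)),
        ("word + 2 digits, brute forced as 10 chars of [a-z0-9]", brute_force_space(LOWER_DIGITS, 10)),
        ("same password via 100k-word list, 2 digits, 2 casings", dictionary_space(100_000, 2, 2)),
        ("15 chars, all printable", brute_force_space(ALL_PRINTABLE, 15)),
    ]
    for label, space in cases:
        eta = human_duration(seconds_to_exhaust(space))
        print(f"{label:58s} {space:>10.3g} candidates -> {eta}")
```

The word-plus-digits line is the dictionary point: the same 10-character password costs about 3.7 quadrillion guesses to brute force character by character, but only 20 million when the attacker knows it is built from a word, which is why the random portion matters. The last line is the post's "millions of years" claim for a 15-character random password with punctuation.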

“Arghhh…random passwords”

Trust me, I get it: it's not fun having to set a new password for every site you sign up for, especially when it's random. Very few people are going to remember any of these, and I agree. So here are a few tips I use:

How risky is the website I’m signing up for?
If the website doesn't store a lot of personal information and does not ask for credit card numbers, I generally use a weaker password, on the assumption that if this site gets hacked I've pretty much given them my password. You must remember that once a hacker gets hold of your password, they will most likely test that password on other sites using the same email that was tied to the account. So if you go this route, make sure you don't reuse this password for other sites, or that you understand the risk of reusing it.

Set an algorithm for yourself when creating a password.
If you're changing the password for every site, you could make it easier to remember by changing something in the password slightly each time. I cannot share my algorithm for obvious reasons, but I do use this for medium-risk sites. I would not recommend it for high-risk sites.

Which leads us to high-risk sites such as Amazon, Google, Facebook, Apple, banking accounts, etc. There are hacking attempts on these sites every day, and to assume they will never get hacked would be a bad assumption. I personally use at least a 15-character password with random upper- and lowercase letters, numbers, and punctuation. Each of these sites has a randomly generated password that I will never remember off the top of my head. A password like this could take millions of years to crack.

I know what you're thinking: there is no way you're going to remember that. It's true, you won't. I recommend using a password manager. DO NOT use the browser to remember your password. These have been proven to be unsafe and easily obtained. The one I use stores all my passwords and only requires a master password to access them.

Here’s a list of free password managers and even paid ones if you want more features.

What if my password manager gets hacked? The question you should be asking is not "what if" but "when". In fact, the one I have been using has been hacked; however, if a company wants to store millions of users' passwords, I'm pretty sure they take security VERY seriously. Since the hack, my accounts have stayed safe, so I can vouch that they work.

Please note that these techniques may be outdated in the future. I can't predict how much technology will change or how fast computers will be in the years to come. With that, you now know some basic information about passwords! Happy learning!
