Secure passwords: short and complex or long and memorable?

When you check your e-mail, when you place an order with Amazon.com, and even when you register for a group fitness session, you are constantly required to enter your password. Often, you are also requested to include at least several digits, capital letters and special characters in that password. But, honestly, who is going to remember “j!l_U-7_k.cr”? It is therefore not surprising that the most common password is simply “123456”. Obviously, such a password is much easier to hack. But do not worry; everyone can come up with memorable and secure passwords… And it is quite easy!

 

“Password” as a password

Secure passwords: short and complex or long and memorable?

We generally tend to use a password that is easy to remember. Often, we use birthdays, (family) names or simple key combinations, such as “qwertyuiop”. But such passwords are easy to guess by malicious people. Personal information is indeed easy to find on the Internet, as well as lists of the most commonly used password combinations.

Furthermore, Microsoft has reported that an average person has no less than 25 online accounts, for which he or she uses 6.5 different passwords. This means that the majority of people use a single key to open several digital doors. And the risk is even greater if the password is easy to guess. If someone manages to crack the password of your (harmless) library account, he or she will be able to access your mailbox in no time and then request and/or change passwords for other websites. And that, of course, is something you want to avoid at all costs.

 

How can you crack a password?

Secure passwords: short and complex or long and memorable?

As previously stated, many passwords are guessed by people who crack passwords, who are also known as crackers. After all, many people use simple key combinations or personal information that is easy to find on the Internet. Many passwords are also stolen using phishing methods (your passwords are simply requested via e-mail or over the telephone). Criminals often pretend to be someone else (e.g. a bank employee, but you can also read more about a recent situation with which Combell has recently been faced), hoping to steal your personal information. Unfortunatly, this little scam often still works.

Then again, in addition to simply guessing or requesting passwords, crackers also use other methods to perform attacks. Your password can e.g. also be guessed through a brute force attack. For this, they run an automatic script that continuously attempts to log in using different character variations. If, for instance, your password is “ben”, the script will first attempt to log in using “aaa”, then “aab”, “abb”, and so on. This way, it does not take long to use “bel”, “bem” and “ben”. And bingo! So much for your password! Two common types of such attacks are dictionary and common word attacks. As the terms suggest, such methods use a list of commonly used words, or even the entire dictionary, which the script uses to attempt to log in.

SEE ALSO: “Brute force attacks: how to protect yourself?

 

Ch0053 a 5ecur3 passw0rd

So, what secure passwords are so strong that crackers cannot guess them? Many experts are convinced that the most secure passwords include both small and capital letters, digits and special characters. In addition, they must be at least 8 characters long. Just to give you an idea: “D(9_*!3N” should be a great password. According to Gibson Research Corporation, this password would resist for 2.13 thousand centuries when trying to crack it (assuming 1,000 login attempts per second). That sounds pretty secure! But who will remember “D(9_*!3N”? Many Internet users will most probably have to write down this password somewhere, which is even more risky.

Tip: feel free to test your password using the handy calculator developed by Gibson Research Corporation!

So, how can you find a password that is both strong and memorable? Here is the solution: go for a long password instead of a complex one! Think of two or three random words and put them together. What about a password like “BearWithBeard”? Quite easy to remember, isn’t it? This password is 13 characters long, and thanks to the combination of small and capital letters, you have 52 possibilities. That means 285 quadrillions (!!!) of possible combinations. Attempting to crack this password manually is obviously out of the question, and even using a brute force attack, you would need 7 million centuries to succeed. Now, that is impressive!

CharactersNumber of possible combinationsBrute force time
162
Immediate
23,844Immediate
3238,328Immediate
414,776,336Immediate
5916,132,83242 seconds
656,800,235,58443 minutes
73,521,614,606,20844 hours
8218,340,15,584,896115 days
913,537,086,546,263,60020 years
10
839,299,365,868,340,00012 centuries

 

One password, but slightly different

This is how you can come up with a memorable and virtually unbreakable password, which is impossible to crack, even using a brute force attacks. Nevertheless, there are other ways other people can get hold of your password. How?

 

People can obtain your password because

  • you told them by accident,
  • they managed to see it, in real life or using malware
  • or they got hold of it some other way.

Should this happen, you most probably want to avoid that they can access all your accounts. Therefore, make sure that you slightly change your password for each website on which you use it.

Tip: You can e.g. do this by adding the name of a website or a few letters in that name to your password.

You can e.g. put the first letter of that website at the beginning of your password, and the last letter at the end of your password. For Facebook, you will get “fBearWithBeardk”. This way, you will have a single password for all your accounts (which is easy to remember), which is just different enough to avoid that intruders can access all your accounts should something go wrong. Moreover, such words cannot be cracked with a dictionary or common word attack. In any case, we have never found fBearWithBeardk in the dictionary.

Here is a last tip for you to generate the ultimate password: some websites want you to make sure that your password includes at least one special character or digit. Unfortunately, it is quite difficult to remember for which websites that was necessary, and for which not.

The best way to avoid having to try different password combinations is to add a special character or digit to your standard password.

So, going back to our password example, you could use “BearWith1Beard”. For Facebook, for instance, your password would become “fBearWith1Beardk”. Not so difficult, right? Even better: that extra figure opens the doors to 476 sextillions (36 zeros) of possibilities and a cracking time of 15,000 trillion centuries. Good luck, dear crackers!

 

Do you have your own website or web store? Make sure it is secure!

Creating secure passwords is not only useful to users. Website and web store owners should also take extra precautions. You can Secure passwords for webshopsdo this easily and efficiently:

  • Make sure you allow no more than 1 login attempt every 5 seconds.
  • Set a lock-out period after a certain number of failed login attempts, so that the user needs to wait before trying to log in again.

With at least one of these security measures, you can efficiently protect your website against brute force attacks (or any other type of attack). This way, you make sure that crackers cannot access your website using the front door.

It is safer for you, and therefore also for your visitors, who will certainly appreciate your efforts.

SEE ALSO: “Brute force attacks: how to protect yourself?

source: byte