Build a Strong Password That Takes a Trillion Centuries to Guess - in 4 Steps

We are constantly reminded to create complex passwords and change them often.

But the better the password, the harder it is to remember. So what do many of us do? We settle for a simple word or sequence of numbers. Or, if we do create a clever password, we write it down near our computer. Maybe it's so "good," we use it on multiple accounts.

Why should we care?

Personal data is regularly stolen from companies, and not just small companies with lax security. Attackers have successfully taken data from companies like SONY, Adobe, Facebook and LinkedIn – companies that manage account information for thousands or millions of people. The username (often an email address) and password pair is the lock you put on your personal information. Once an email address is found and made public, it’s only a matter of guessing the password.

Your email address may already be known to hackers. You can check whether it appears in the collections of breached email addresses with sites like HaveIBeenPwned.com.

Sadly, you can’t control how a company treats the data you hand over. And, with each breach, the collection of stolen accounts creates a useful database against which to crack newly stolen names and passwords. However, if you use a powerful password, your data isn’t very useful to a hacker.

The good news: There are a couple of reliable approaches.

  1. Techniques to create passwords that are hard to crack yet easy to remember and,
  2. Password management tools with good reputations.

Finally, the security landscape changes all the time. Great advice one year, once hackers have caught up with it, could become bad advice the next. Yearly improvements in technology help hackers as well - for example, quantum computers might make light work of cracking that trillion-year password - or not.

At the very least, prioritize your efforts. For websites or apps that access financial accounts or other sensitive data – you need strong passwords that you don’t use anywhere else. Fix that now!


Design a password that is hard to crack but easy to remember - 4 steps

1 Don't use passwords that attackers have already discovered or that are common: if any of your passwords are in the top 20 common passwords of 2019 list below, change them now!

  • 123456789
  • qwerty
  • password
  • 1111111
  • 12345678
  • abc123
  • 1234567
  • password1
  • 1234567890
  • 123123
  • 000000
  • Iloveyou
  • 1234
  • 1q2w3e4r5t
  • Quertyuiop
  • 123
  • Monkey
  • Dragon

Here's a fun list of the top 100 worst passwords from 2018

Why? Hackers search for these common passwords first, and that nets them a lot of fish.

2 Avoid words that can be found in a dictionary in your language.

Example: Labrador, underwear

Why? It's not hard or time-consuming to compare your password to an entire list of dictionary entries.

3 Mix uppercase, lowercase, numbers and symbols. Doing this increases the "search space depth."

Example: for an eight-character password, here's how long it takes to exhaust the search space with an offline, fast attack (100 billion guesses per second):

  • lowercase only: abcdefgh = 2.17 seconds
  • add uppercase: Abcdefgh = 9.08 minutes
  • add a symbol: Abcedfg! = 7.66 hours
  • add a number: Abcdef8! = 18.62 hours

Why? When you increase the "search space depth," you increase the time and effort required to guess the password. The search space depth of Abcdef8! is 26 + 26 + 10 + 33 = 95, and the search space length is 8. The count of all possible passwords with this alphabet size and up to this password's length is 6,704,780,954,517,120.

4 Length is as critical as, or more critical than, entropy - a bizarre mix of letters and symbols that you'll never remember.

Example: D0g--------------------- would take 95 times longer to crack than PrXyc.N(n4k77#L!eVdAfp9

Why? The first password is simply one character longer than the second, and the attacker succeeds only with an exact match. Both examples use the mixed uppercase, lowercase, number and special symbol alphabet, but the first is one character longer, which increases the time to exhaust the search space:

  • D0g--------------------- = 9.38 hundred billion trillion centuries
  • PrXyc.N(n4k77#L!eVdAfp9 = 9.88 billion trillion centuries

So both passwords above are great, but you will remember the first: "Dog" with a zero for the "o", followed by 21 dashes.
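The arithmetic behind steps 3 and 4, as a calculator added to this post (it is not code from the original article or from the How Big is Your Haystack page). It assumes the article's attacker rate of 100 billion guesses per second, the 95-character printable-ASCII alphabet (26 + 26 + 10 + 33 symbols, the space counted as a symbol), and Julian years for the century conversion; the function names are this example's own.

```python
"""Search-space depth, length and worst-case time-to-guess, following the article.

Added example, not code from the original post. The model: the search space
depth is the sum of the sizes of the character classes present in the password,
the search space is every string over that alphabet of length 1 up to the
password's length, and the attacker makes 100 billion guesses per second.
"""
import string

# Character classes and their sizes, matching the article's depth arithmetic.
# string.punctuation has 32 characters; adding the space gives the 33 symbols.
CHARACTER_CLASSES = {
    "lowercase": frozenset(string.ascii_lowercase),   # 26
    "uppercase": frozenset(string.ascii_uppercase),   # 26
    "digits": frozenset(string.digits),               # 10
    "symbols": frozenset(string.punctuation + " "),   # 33
}

GUESSES_PER_SECOND = 100_000_000_000  # the article's "offline, fast attack"
SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 60 * 60  # assumption: Julian years


def classes_present(password: str) -> list[str]:
    """Names of the character classes that occur in the password."""
    if not password:
        raise ValueError("empty password")
    unknown = set(password) - set().union(*CHARACTER_CLASSES.values())
    if unknown:
        # The article's model covers only the 95 printable ASCII characters.
        raise ValueError(f"characters outside the 95-character model: {sorted(unknown)}")
    return [name for name, chars in CHARACTER_CLASSES.items() if chars & set(password)]


def alphabet_size(password: str) -> int:
    """The article's "search space depth": sum of the sizes of the classes present."""
    return sum(len(CHARACTER_CLASSES[name]) for name in classes_present(password))


def search_space(password: str) -> int:
    """Count of all strings over the alphabet with length 1 .. len(password).

    Exact integer arithmetic: for depth n and length L this is n + n^2 + ... + n^L.
    """
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def seconds_to_exhaust(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst case: the attacker tries every candidate before hitting the exact match."""
    return search_space(password) / rate


def human_time(seconds: float) -> str:
    """Render a duration the way the article does (seconds, minutes, ... centuries)."""
    value = seconds
    for unit, size in (("seconds", 60), ("minutes", 60), ("hours", 24),
                       ("days", 365.25), ("years", 100)):
        if value < size:
            return f"{value:.2f} {unit}"
        value /= size
    return f"{value:.2e} centuries"


def time_to_exhaust(password: str) -> str:
    """Worst-case search time for the password, formatted for reading."""
    return human_time(seconds_to_exhaust(password))


def length_advantage(longer: str, shorter: str) -> float:
    """How many times longer the exhaustive search of `longer` takes than `shorter`."""
    return search_space(longer) / search_space(shorter)


if __name__ == "__main__":
    # The article's step-3 passwords, then its step-4 pair.
    for pw in ["abcdefgh", "Abcdefgh", "Abcedfg!", "Abcdef8!"]:
        print(f"{pw:10} depth={alphabet_size(pw):3} "
              f"space={search_space(pw):,} time={time_to_exhaust(pw)}")
    long_pw, complex_pw = "D0g" + "-" * 21, "PrXyc.N(n4k77#L!eVdAfp9"
    print(f"{long_pw} vs {complex_pw}: {length_advantage(long_pw, complex_pw):.0f}x")
```

Running it reproduces the step-3 times (2.17 seconds through 18.62 hours) and the 6,704,780,954,517,120-candidate space for Abcdef8!, and shows the 95-times ratio between the two step-4 passwords: both use the full 95-character depth, so one extra character multiplies the search by 95. The figure is a worst case, since the attacker is assumed to try every candidate; a targeted guess of a common or dictionary word (steps 1 and 2) bypasses this arithmetic entirely.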

TAKE AWAY:

Use the full character depth (upper, lower, number, symbol) to create a word or sentence you'll remember - then make it long: pad it with symbols or some pattern unique to you.
Example: +++++My+++++5+++++Cats+++++


Use a Decent Password Management Application

The best method is to create passwords (as above), use them only once and remember them. If you’re unlikely to do this, a password management tool is next best.

For this option to be useful, you want the ability to sync across all of your devices. You still need to create, or let the tool generate, complex, long passwords unique to each account. The advantage is that you only have to remember the password to the password manager itself, so make that a good one.

At our company we often use 1Password or KeePass, but the reviews listed at the end may help you vet a password manager that makes sense for your situation.

CONCLUSION

  • Passwords are a necessary evil.
  • Your favorite passwords may already be in a hacker’s database.
  • Use a strategy that works best for you. Create long, unique passwords that you remember, or deploy a secure password management application to manage your complex passwords.
  • At a minimum, prioritize passwords that are gateways to important information about you and only use them once.
  • Check regularly for password best practices using the resources in this blog.
  • If you are responsible for designing and implementing password policy for an enterprise, then in addition to the advice above, reach out to experts. A good password plan still needs the support of an infrastructure designed for security.

INTERESTING READING

Password related:

How Big is Your Haystack: lets you experiment with different passwords and estimate the time it takes to guess them.

From Troy Hunt: Here's Why [Insert Thing Here] Is Not a Password Killer. Why passwords are probably here to stay.

A deep-dive discussion of Password Managers from Bruce Schneier on Security.

2019 Reviews of Password Managers:

From cnet.com: The Best Password Managers of 2019

From Digital Trends: Best Password Managers

And beyond:

Musings on quantum computing: Scott's Supreme Quantum Supremacy FAQ!
