Passwords are a very common thing today to secure access to the various services and websites that we use in our lives. They are the secret code that tells a server that yes, you are an authorized user or no, you are not authorized. It is important to realize that the strength of a password, is highly dependent on many different factors. To understand those factors, let’s take a look at what a password could contain.
- Characters in a password:
- Lower case alphabet
- Upper case alphabet
- Password length should be a minimum of 9 characters.
Each of the characters that can be used, are in turn interpreted by the computer as what is called an ASCII code. Upper case letters have its own set of ASCII codes, as does lower case letters. Numbers and symbols each have their own ASCII codes as well. All of these ASCII codes are unique, so in the case of letters, "a" and "A" are very different as they each have a unique code. This is why it is important to know or remember the capitalization that you used for your password. Passwords are case sensitive.
Password length is important to increase the complexity of the password. You would not want to make a password that was easy to guess on say your bank account, or anything else that was important to you. During a brute force attack, simple passwords with 1 to 5 characters can usually be broken within minutes. Longer passwords will require significantly more time to break, and the attack will be logged and give the administrators time to take appropriate actions. The best way to understand this is to understand how many attempts it would take to break a password.
- Lower case letters: 26
- Upper case letters: 26
- Numbers: 10
- Symbols: 33
For a 1-character password, there are only 95 possible choices, and that is looking at all the possibilities of letters, numbers, and symbols. This can be written as 95ˆ1. A two-character password would likewise by written as 95ˆ2 with a total possible combination of 9025. Jumping forward to the minimum recommended 9 characters, that could be written as 95ˆ9 with a total possible combinations of 630,249,409,724,609,375. Now, let’s do a comparison. If we eliminate the numbers and symbols, and basically just use the alphabet we would get the following:
- 1 character: 52 possible combinations
- 2 characters: 2704 possible combinations
- 9 characters: 2,779,905,883,635,712 possible combinations
As you can see, without making full use of upper and lower case with numbers and symbols, the password gets significantly easier to break. When creating your password, please make sure to include at least one character of each of these groups.
It is also important to note that using substitutions is also a very bad idea. What I mean by this is if you take a sample password of "island" and swap it out to "!51And" it is still not a good password, even though it contains one character from each group. This is because long ago; hackers were using this to disguise their communication. It is commonly referred to as Leetspeak and can easily be interpreted by dictionary attacks as it is just a simple substitution. Make sure that each character of your password is not just a simple substitution, and it is what you want.
Two-factor authentication adds in another layer of complexity. This is generally a code that changes every minute and is provided by a different service provider. With two-factor authentication, even if your password is guessed, the attacker will not be able to access anything without that constantly changing code. While it can be a bit inconvenient, it can make things a lot more secure for you. Not all websites or services will support this, and you must ensure that they support the two-factor authentication service provider as there are many out there on the internet. Each service provider will give you different codes to use.