What is a Strong Password?

Paul Weinstein

Passwords are a pain. They are required for too many things: your phone, your computer, your apps, your accounts. They get in the way of getting something done.

It would be wonderful if this post was an introduction to something better. Alas, for the time being, we’re stuck with passwords. So, how can we best use them? How can we secure ourselves and others? What, exactly, is a “strong” password?

That’s Weak

Let’s start by considering the opposite, what makes a password weak?

  • The password is the same as, or contains part of the user/account name.

  • The password can be easily referenced, such as a common word found in a dictionary or a reference to a local team.

  • The password contains numbers or letters in sequential order, 1234 or qwerty.

  • The password contains simple substitutions, 0 (zero) for O or @ for a.

  • The password contains personally identifiable information: a favorite number, color, or pet’s name.

These examples are considered weak because they are based on simple patterns that are easy to guess and trivial for an automated process to test at high speed. More to the point, common words and patterns expose the two main problems with many passwords: different people with the same cultural influences choosing the same passwords, and one person reusing a single password across multiple accounts.

Playing the Bad Guy

Let’s put on the black hat for a moment and consider the problem. We want to gain access to someone’s account. Let’s consider the account in question and begin to create a list of possible passwords.

Starting at the top of our list we have:

  • admin

  • administrator

  • password

  • pass

  • 1234

  • 1111

Next we add some less specific, but common, everyday words:

  • love

  • mom

  • money

  • damn

Finally we add some specific, but still common names for pets, teams, and cities:

  • Fido

  • Whiskers

  • Giants

  • Bears

  • Aurora

  • Lincoln

Now, we need some computer logic to do something with this list. Part of the program might look like this:

For each word…

  • try the word, as is
  • try the word, but change the capitalization
  • try the word, combined with another word in the list
  • try the word, substituting letters with numbers and symbols

With this dictionary of words to try and a process to try them with we can now make an automated attempt at accessing the account.

But wait, you might be thinking, how large does this list really have to be? One study by security consultant Mark Burnett determined that in a pool of over 6,000,000 unique accounts, a list of the 1,000 most frequent passwords will match 91% of the accounts. Increase the list to 10,000 and now we have access to 99.8% of accounts.

[Figure: password frequency chart]

And once we’ve gained access to an account, the chance that the user has used the same password elsewhere increases. A 2014 research study estimated that “43-51% of users reuse the same password across multiple sites.” Moreover, knowing a user’s password also increases the chance of guessing a variation of that password in use elsewhere.

So What is a Strong Password?

Guidelines for what constitutes a strong password will vary, based on a number of conditions, such as:

  • The sensitivity of the information being protected. Is this your financial information or your collection of food photos?

  • Does the application limit the number or type of characters that can be used in a password?

  • Does the system incorporate two-step authentication? That is, does the system authenticate you in two stages?

With these conditions in mind, the main goal is to reduce the ability of an attacker, aided by automated guessing, to arrive at the password; therefore:

  • Use more characters, not fewer. Use a minimum password length of 8 to 14 characters when possible.

  • Mix in lowercase and uppercase letters, numbers, and symbols as permitted, but not as a substitution.

  • Do not use the same or similar password for important accounts, such as banking or financial websites.

  • Avoid using information that is or might become publicly available or identifiable.

  • Remove patterns, sequences, and common words as much as possible. Embrace the random.
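As an added example, and not code from the article, here is a Python check that runs the four candidate rules from “Playing the Bad Guy” in reverse to flag a proposed password that the automated process above would reach, together with the length rule from the guidelines. The seed list, substitution table and keyboard sequences are constructed here to mirror the article’s lists (a real check would use a leaked-password list of the 1,000 to 10,000 entries the article cites), and the “combined with another word” rule is generalized to any number of concatenated words.

```python
import string

# Constructed seed list mirroring the article's three tiers; a real check would use a
# much larger leaked-password list (the article cites 1,000 to 10,000 entries).
SEED_WORDS = ["admin", "administrator", "password", "pass", "1234", "1111",
              "love", "mom", "money", "damn",
              "fido", "whiskers", "giants", "bears", "aurora", "lincoln"]
# The "simple substitutions" the article names (0 for O, @ for a) plus a few common peers.
SUBSTITUTIONS = {"0": "o", "@": "a", "1": "i", "3": "e", "$": "s"}
# Keyboard and alphabet runs used to detect "sequential order" such as 1234 or qwerty.
SEQUENCES = ["0123456789", "qwertyuiop", "asdfghjkl", "zxcvbnm", string.ascii_lowercase]

def undo_substitutions(text):
    """Map p@ssw0rd -> password; length is preserved, so offsets into `text` stay valid."""
    return "".join(SUBSTITUTIONS.get(ch, ch) for ch in text)

def derivable(text, words=SEED_WORDS):
    """True if lowercase `text` is a listed word (with or without substitutions) followed
    by zero or more further listed words: the attacker's four rules run in reverse."""
    if text == "":
        return True
    desubbed = undo_substitutions(text)
    for w in words:
        if (text.startswith(w) or desubbed.startswith(w)) and derivable(text[len(w):], words):
            return True
    return False

def has_sequence(text, run=4):
    """True if `text` contains `run` consecutive keys of a known sequence, in either direction."""
    for seq in SEQUENCES:
        for i in range(len(seq) - run + 1):
            chunk = seq[i:i + run]
            if chunk in text or chunk[::-1] in text:
                return True
    return False

def weaknesses(password, username=""):
    """Return the article's weakness reasons that apply; an empty list means none were found."""
    pw = password.lower()
    reasons = []
    if username and username.lower() in pw:
        reasons.append("contains the account name")
    if derivable(pw):
        reasons.append("built from common words, case changes or substitutions")
    if has_sequence(pw):
        reasons.append("contains a sequential run")
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    return reasons
```

A password that passes this check is not automatically strong; it merely is not reachable by the small dictionary and the four rules above, which is the floor the article sets.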

And how do you keep track of your newly created, long, random passwords? Use a secure password manager, which stores all your passwords encrypted under a single master password.

But take note, while some password managers store passwords locally on your device, others store the data on a server elsewhere on the Internet. Which storage method is right for you will depend on your aversion to risk.

Got a good password manager or password tip? Share it in the comments below.


Comments (4)
  • Great article 🙂 . I am using Sticky password manager (http://www.stickypassword.com/) which is web based but I don’t have to worry about security because without my master password it’s impossible for somebody to get my passwords in plaintext. I also tried a local password manager in the past (KeePass) but I need synchronization between multiple devices so it’s much more convenient now.

    • Glad you enjoyed the article.

      I personally have been using SplashID (https://splashid.com) for a long time (since PalmOS). It too has support for a number of different platforms and provides options for syncing between devices over a local network or via “the Cloud”.

  • Nowadays it is mandatory to build a strong password for security purposes.

  • In today’s digital era security over the network is a must, and we can maintain it with passwords, so we need to create as strong a password as possible. Beautiful explanation! Thanks!
