Why are passwords important?
We use passwords every day to access our e-mail accounts, bank accounts, Facebook and Twitter accounts and hundreds of other services. There is great temptation to use one password for all accounts and to make it short and easy to remember. However, this has a devastating effect on our security and privacy. If you think that you have nothing to hide, think again. In most cases passwords are cracked not out of mere curiosity but for malicious purposes – to use your computer as a spam bot, to steal some of your money, to infect your computer with viruses and spyware and so on.
What makes a password weak and easy to crack? In most cases the attacker does not try to guess your password manually. Instead, he uses an automated computer program that tries many passwords in very fast succession in order to find a match. Here are some examples of weak passwords:
- Generic passwords and default passwords. Examples: admin, administrator, user, guest, pass, password, etc. These are the first passwords that are tried by the password cracking software.
- Meaningful words or names. Examples: sandbox, NY, lion, john, mary, USA, etc. Easily cracked by the dictionary-assisted cracking tools.
- Words or names with added numbers. Examples: john123, pass123, 123456, number1, etc. Easily cracked by the automated cracking tools.
- Personal names, birthdates or similar information. These are used a lot as passwords and are very easily cracked. For example, if the password is a birthday, there are only hundreds or a few thousand (if the year is included) possible combinations, which is very weak for a password.
As you can see, no easy password is safe. But how do you choose safe passwords? The most important thing is to avoid using the same password for different computers or services. If you follow this rule, even if one of your passwords is cracked or otherwise compromised, the other passwords will be safe.
Password strength: what makes a password strong?
Basically, password strength depends on the number of possible combinations that must be tried in order to guess (or crack) the password. For example, the standard 4-digit PIN codes are weak passwords, because there are only 10000 possible combinations. This is not a big problem for ATM machines because the PIN code is useless without the card and most ATM machines block the card when the PIN does not match more than 2-3 times. However, in many other cases it is possible to use automated password cracking tools, which can try thousands or even millions of passwords per second, so any weak password will be cracked in a matter of seconds or minutes.
The number of possible combinations depends on the symbols used in the password and on the password length. See the table below for some estimates of the time needed to crack passwords of different complexity on 4 typical computers. The first computer is a contemporary mid-level PC, which can test 1 million passwords per second. The second is a future computer 10 years from now, which will be able to test 65 million passwords per second. The third computer is a contemporary mid-level supercomputer, which can test 1 billion passwords per second, and the last is a future supercomputer 10 years from now, which will be able to test 65 billion passwords per second. Please note that these are approximate estimates and the actual password testing speed may be significantly faster or slower for different types of encryption algorithms.
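The estimate described above can be worked through in code. The following is an added example, not part of the original article: it uses the four testing speeds stated in the text, while the ASCII character-class sizes and the sample passwords are assumptions constructed for illustration.

```python
import string

# Guess rates of the four computers described in the text (passwords/second).
RATES = {
    "mid-level PC": 1_000_000,
    "PC in 10 years": 65_000_000,
    "supercomputer": 1_000_000_000,
    "supercomputer in 10 years": 65_000_000_000,
}

# Character classes an attacker would enumerate (assumption: ASCII only;
# characters outside these classes are not counted).
CLASSES = {
    "digits": string.digits,
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "punctuation": string.punctuation,
}


def alphabet_size(password):
    """Size of the smallest class-based alphabet that covers the password."""
    size = 0
    for chars in CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
    return size


def keyspace(symbols, length):
    """Number of combinations an exhaustive search must cover."""
    return symbols ** length


def worst_case_seconds(symbols, length):
    """Seconds to try every combination on each of the four computers."""
    total = keyspace(symbols, length)
    return {name: total / rate for name, rate in RATES.items()}


def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, span in (("years", 31_536_000), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= span:
            return f"{seconds / span:,.1f} {unit}"
    return f"{seconds:.2f} seconds"


if __name__ == "__main__":
    for sample in ("1234", "john123", "Tr7#kQ9!vLp2"):  # constructed samples
        times = worst_case_seconds(alphabet_size(sample), len(sample))
        print(sample, {k: humanize(v) for k, v in times.items()})
```

These figures are upper bounds for exhaustive search only; a password built from a name or dictionary word, such as john123, falls much sooner to the dictionary-assisted tools described earlier.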
How to generate strong random passwords?
As we saw in previous chapters, the difference between the level of security provided by weak and strong passwords is huge. The question remains: how to create random strong passwords? Let's look at the alternatives.
- Choosing letters and numbers “randomly”. It appears random but only at first sight. Numerous research studies have proven that humans are not very good at random picks – they always try to spread things too evenly, which is not random behavior.
- “Random” typing on the keyboard with closed eyes. This is slightly better than random choosing but still nowhere near random enough.
- Online random password generators. Much better than the previous two alternatives, but they have 2 major drawbacks. The first is the possibility that the generated password may be saved on the website for malicious purposes, or that someone may eavesdrop on your connection and intercept the generated passwords. The second major problem is the quality of the random number generators, which very often is not up to the task. Many of them are naively implemented and provide a lot fewer combinations than theoretically possible (no more than tens or hundreds of millions, which is not a strong password by any means – see the table in the previous chapter).
- Specialized random password generator programs. The best option as long as they are implemented properly and come from a trusted source.
Mil Shield, for example, is a program that offers a random password generator with high quality random generation and no password logging or sending. You can use it to create any type of passwords: from simple PIN codes to very strong and long passwords that are impossible to crack with even the fastest supercomputers.
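The point about naively implemented generators can be demonstrated directly. This is an added example, not code from the article or from any product it mentions; it assumes the weakness is a general-purpose generator started from a small seed, and the 16-bit seed is a constructed value chosen so the enumeration finishes quickly (a 27-bit seed would give about 134 million outputs, the range the text mentions).

```python
import math
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols


def weak_password(seed, length=12):
    """Naive generator: every output is fully determined by a small seed."""
    rng = random.Random(seed)  # Mersenne Twister, not meant for secrets
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_password(length=12):
    """Generator backed by the operating system's CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def distinct_weak_outputs(seed_bits, length=12):
    """Enumerate every seed and count the passwords the weak generator can emit."""
    return len({weak_password(s, length) for s in range(2 ** seed_bits)})


def effective_bits(seed_bits, length=12):
    """Entropy is capped by the seed, whatever the length and alphabet."""
    return min(seed_bits, length * math.log2(len(ALPHABET)))


if __name__ == "__main__":
    bits = 16  # constructed small seed (assumption, for a fast demonstration)
    print("theoretical combinations:", len(ALPHABET) ** 12)
    print("reachable with weak generator:", distinct_weak_outputs(bits))
    print("effective bits:", effective_bits(bits), "of", 12 * math.log2(62))
    print("CSPRNG sample:", strong_password())
```

Whoever knows or guesses the generator design only has to enumerate the seeds, not the full 62^12 keyspace, which is why the source of randomness matters more than the displayed password length.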