It’s becoming more and more common that when you sign up for any account online you see a password strength meter. They come in various shapes and sizes and are coded with varying restrictions that measure how easy your password would be to crack. Password strength meters work by measuring entropy, which shows the amount of time it would take for a hacker to get your password by using a brute force method. Also known as an “exhaustive key search” this process is basically a systematic attempt to guess all possible passwords until they find the correct one.
Exhaustive key search method for cracking passwords
Imagine you pop to the shops and lock your pushbike to the rails outside it using a padlock secured with a 4-digit code. If someone wants to steal your bike there is a finite number of possible ‘passwords’ that they can cycle through (pun intended) until they find the right one. The brute force method of stealing your bike would be to get a chainsaw and cut through the railing, but the brute force method of hacking your password would be to start by trying ‘0000’, then ‘0001’, then ‘0002’ and continue all the way up to ‘9999’. At some point the would-be thief/hacker would find the right password and they’d ride home on your bicycle.
Except, if your password is way up in the 8000s then it’s going to take the thief an age to try that many combinations, and you’ll probably have finished your weekly shop by the time he’s even halfway through the possibilities.
In a theoretical universe where there are 100 thieves trying to get your bike, and they can all try a password combination simultaneously, then they’ll be away with your bike before you even pick up the shopping basket. One bike between 100 of them will be uncomfortable, mind you.
This multi-pronged attack is more relevant to computer based passwords, where it’s realistic that the computer can attempt a tonne of possible passwords in a very short amount of time. Password strength checkers like zxcvbn can show just how quickly a computer can guess your password. For the example password ‘fountain’ (admittedly not a very good one) a computer guessing 100 iterations per hour could crack the password in half a day. If it was guessing 10,000 passwords a second then it would be cracked in under a second.
This is why text only passwords are usually highly disregarded, and a lot of websites won’t even let you create an account with a text only password. Instead, you’re encouraged to increase the strength of your password with disguising factors like capitals, numbers, and symbols. On the ‘howsecureismypassword’ password checker the word ‘fountain’ was cracked instantly, but “Fountain123!” was cracked in 34 thousand years.
This measure of entropy is one way to see how quickly a computer could crack a password, but if we go back to the bike thief analogy, that thief knows that it’s far more likely that you’ve set your padlocks password to something memorable like ‘7777’ or ‘2468’, so he’s probably going to try a sequential, or palindromic pattern before he tries the brute force method of 0001, 0002, 0003. So don’t make your password 7777 or 1234 or 2468, and don’t make it 0001 either. If the thief really, really wants your bike then he might have done his research and found out when your birthday was – so don’t make the password your birthday either.
This mentality translates to computer passwords, too. Everyone knows that the most common password is ‘password’, yet people still use it. So a hacker will go straight to ‘password’ before he tries ‘aaaaaaaa’. On the internet you can find a list of the 10,000 most common passwords, and if hackers are trying to access your account they’ll cycle through these before they do anything else. A recent study showed that 30% of all passwords fall on the list of the 10,000 most common. Knowing the restrictions that websites have in place, hackers will also try variations of these common p@s5w0RD!S!S! that fall within the restrictions.
Combining all of this, we see that ‘Fountain123!’ isn’t actually as strong as that password checker suggested. The numbers are sequential, and the format of having the capital letter at the front and an exclamation mark at the end is a very standard way that people try to disguise passwords. It may have passed the brute force test, but a hacker with external knowledge would find it a lot easier to crack.
The strongest and safest passwords
So, after all that am I telling you that your password should be… *ahem*… ADF%$gwsdfgsdge5te45yFgxdfgsDFSDGdg54gsfgsdfgs2343£$?%”£$%”£?
No. Because you won’t remember that well enough to re-type it in the ‘repeat password’ validation, let alone be able to repeat it every time you visit the site. Instead, it’s suggested that passwords should actually be memorable ‘passphrases’ with all of the number, symbol, and case boxes ticked.
An example here would be that “Fountains123!” wasn’t actually a very strong password, but “FountainBikes!157” would take 93 trillion years to crack, and with passwords, longer is generally better. So by the https://howsecureismypassword.net/ password checker “PadlockThiefFountainBikes!157” is even better, and would take 4 undecillion years to crack.
For the record, depending on where you’re from, an undecillion is a 1 followed by either 36 or 66 zeroes. And there’s four of them. That’s a long time.
Sure, if a hacker has four undecillion computers to hack you with, then it’d only take them a year to get in. But in that case they must really, really want to read your emails – and just imagine the electricity bill.
PadlockThiefFountainBikes!157 passes the brute force test for password strength, as well as the human test. As a string of words it’s easy to remember but hard to crack because there’s no logical connection between them. The punctuation isn’t predictable and the number isn’t sequential or meaningful. It would take a hacker so long to get in that he’d just move on to the next guy long before he got anywhere near your information.
Follow this advice to choose the best passwords and stay safe online.
(Disclaimer: PadlockThiefFountainBikes!157 is not my personal password, I promise.)