New technologies and more powerful computer systems have made it important in recent years to create secure passwords that withstand automated password cracking attempts such as brute-force and dictionary attacks.
But what do passwords have to look like to be considered secure? And who determines that? There is no authority that sets guidelines for creating secure passwords. Companies, organizations, software developers and end users all have their own definition of a secure password.
While some may think it is sufficient to include numbers in a password, others demand upper and lower case letters, numbers, special characters and a minimum length of 16 characters or more.
Defining the format of a secure password is, however, only one side of the coin. It does no good if the software, website or service is not compatible with those requirements. A website that limits passwords to 10 characters and no special characters is incompatible with a policy that requires at least 14 characters and one special character.
Generally speaking, a password becomes more secure the longer it is and the more different types of characters it uses.
Several companies have created online tools that give users feedback on the complexity of the passwords entered. "Is that password secure" is a common search term for those services. Let's take a closer look at some of them, but before that, let's define some typical passwords that we will feed them.
password 1: password
password 2: 4wOe409r
password 3: !S8I5U39YDnt8f
password 4: E&4!74mneGrTmOJ!HIr0
password 5: DP12c*0J!dM5mfdq2r!&WmMi!#g3
Microsoft password checker: Offers a simple form field which accepts a password. The ratings go from weak to best.
password 1: weak
password 2: weak
password 3: strong
password 4: strong
password 5: best
How Secure Is My Password: Does not display a rating, but tries to estimate the time it would take to crack the password.
password 1: One of the 500 most common passwords. It would be cracked almost instantly
password 2: It would take About 252 days for a desktop PC to crack your password
password 3: It would take About 564 billion years for a desktop PC to crack your password
password 4: It would take About 100 sextillion years for a desktop PC to crack your password
password 5: It would take About 100,603,110 nonillion years for a desktop PC to crack your password
The Password Meter: Compiles a list of all characters used and rates the passwords accordingly.
password 1: Very Weak, score 7%
password 2: Very Strong, score 81%
password 3: Very Strong, score 100%
password 4: Very Strong, score 100%
password 5: Very Strong, score 100%
The three password security checkers seem to disagree on the strength of some of the passwords. All see the first password as weak, but the similarities end there: the second password is considered weak by Microsoft but very strong by The Password Meter.
The question now is how to come up with a password policy that ensures you only use secure passwords. The answer is simple: always use a password that comes close to the maximum length allowed. That value is highly software- and site-specific. Here are a few suggestions:
- Never use a password with fewer than 16 characters, unless the site limits the maximum length to less than that
- Always use upper and lower case characters
- Always use at least one number in the password
- Always use at least one special character in the password
- Never use a dictionary word as the password or as part of it
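The five rules above, together with the length-and-character-class reasoning behind the crack-time estimates, can be turned into a small checker. The following is an added example written for this article, not code from any of the three services; the common-password list is a constructed stand-in for a real wordlist, and the guess rate in `crack_time_seconds` is an assumed figure rather than the "desktop PC" the second checker models. Running it over the five sample passwords shows why the checkers disagree: a pure search-space estimate rates `4wOe409r` reasonably well, while the policy rules fail it on length and the missing special character.

```python
import math
import string

# Constructed stand-in for a real wordlist of common passwords (assumption: a real
# checker would load something like the top-N leaked passwords from a file).
COMMON_WORDS = {"password", "letmein", "qwerty", "welcome", "dragon", "monkey"}

# Each character class and the number of symbols it adds to a brute-force alphabet.
CHARSET_SIZES = {
    "lower": (string.ascii_lowercase, 26),
    "upper": (string.ascii_uppercase, 26),
    "digit": (string.digits, 10),
    "special": (string.punctuation, len(string.punctuation)),  # 32 symbols
}


def char_classes(password):
    """Return the set of character classes the password actually uses."""
    return {name for name, (chars, _) in CHARSET_SIZES.items()
            if any(c in chars for c in password)}


def search_space_bits(password):
    """Bits of brute-force work: length * log2(alphabet size of the classes used)."""
    alphabet = sum(CHARSET_SIZES[name][1] for name in char_classes(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def contains_dictionary_word(password, min_len=4):
    """True if any listed word of at least min_len letters appears inside the password."""
    lowered = password.lower()
    return any(word in lowered for word in COMMON_WORDS if len(word) >= min_len)


def crack_time_seconds(password, guesses_per_second=1e10):
    """Expected seconds to hit the password by exhaustive search (half the space on
    average). An exact wordlist hit is treated as instant, as the second checker does.
    The guess rate is an assumed single-GPU figure, not the page's 'desktop PC'."""
    if password.lower() in COMMON_WORDS:
        return 0.0
    return 2 ** search_space_bits(password) / 2 / guesses_per_second


def check_policy(password, max_length=None):
    """Apply the five rules from the article; return the list of violated rules.
    max_length models a site that caps password length below 16."""
    required = 16 if max_length is None else min(16, max_length)
    classes = char_classes(password)
    failures = []
    if len(password) < required:
        failures.append(f"shorter than {required} characters")
    if not {"lower", "upper"} <= classes:
        failures.append("missing upper or lower case letters")
    if "digit" not in classes:
        failures.append("no digit")
    if "special" not in classes:
        failures.append("no special character")
    if contains_dictionary_word(password):
        failures.append("contains a dictionary word")
    return failures


if __name__ == "__main__":
    # The five sample passwords from the article.
    for pw in ["password", "4wOe409r", "!S8I5U39YDnt8f",
               "E&4!74mneGrTmOJ!HIr0", "DP12c*0J!dM5mfdq2r!&WmMi!#g3"]:
        print(f"{pw:30} {search_space_bits(pw):6.1f} bits  "
              f"{crack_time_seconds(pw):10.3g} s  {check_policy(pw) or 'OK'}")
```

The search-space figure is an upper bound: it assumes the attacker has to try every combination, which is exactly what a dictionary or pattern-based attack avoids. That is why the dictionary rule sits beside the entropy estimate rather than being replaced by it.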
This leads to a problem: remembering the passwords. The easiest way is to use a password manager like LastPass for this. Password managers can create passwords based on the user's parameters. LastPass users, for instance, only need to press Alt-G to open the password creation window in the web browser.
The password can then be copied and entered during account creation. These passwords can also be used for non-web services, and stored in the password manager for retrieval.
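For readers who want to see what a password manager's generator does under the hood, here is an added example (not LastPass code, and not from this article's author) that builds a password from the user's parameters: a length and a set of required character classes, drawn from the operating system's CSPRNG via Python's `secrets` module. The special-character subset is a constructed, conservative choice on the assumption that many sites reject quotes, backslashes and spaces.

```python
import math
import secrets
import string

# Character classes a generated password must draw from. The special-character set is
# a constructed subset of string.punctuation (assumption: quotes, backslashes and
# spaces are rejected by enough sites to be worth leaving out).
CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    "!#$%&*+-=?@^_~",
)
ALPHABET = "".join(CLASSES)


def generate_password(length=20, classes=CLASSES):
    """Generate a password of the given length containing at least one character from
    every class. All randomness comes from secrets, i.e. the OS CSPRNG."""
    if length < len(classes):
        raise ValueError(f"length must be at least {len(classes)}")
    # One guaranteed character per class, then fill the rest from the whole alphabet.
    chars = [secrets.choice(cls) for cls in classes]
    chars += [secrets.choice("".join(classes)) for _ in range(length - len(classes))]
    # Shuffle with a CSPRNG-backed Random so the forced characters do not sit at
    # predictable positions.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def uses_every_class(password, classes=CLASSES):
    """Check the generator's guarantee: at least one character from each class."""
    return all(any(c in cls for c in password) for cls in classes)


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Upper bound on the entropy of a uniformly random password of this length.
    Forcing one character per class removes a small part of the space, so the real
    figure is slightly lower, but for a 20-character password the difference is tiny."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, f"{entropy_bits(len(pw)):.1f} bits, all classes: {uses_every_class(pw)}")
```

The point of using `secrets` rather than `random` is that `random` is seeded for reproducibility, not secrecy; a password generated from it can be recovered by anyone who can guess the seed, which defeats the length and character-class rules entirely.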
Password managers automatically save passwords and accounts that have been created, so there is no need to remember the passwords. Only the master password, which provides access to the password manager's database, needs to be remembered, and it should be uber-secure as it protects all accounts.
A simpler solution is to write the passwords down locally and either carry them with you at all times or store them in a secure location, so that third parties cannot use them to access the accounts.
Do you have a password policy? Let us know in the comments.