Password Strength

The "strength" of any particular password is a measure of how hard it is to guess, or to recover by a brute force attack against the site using it. In practice that comes down to how many guesses an attacker has to make before hitting the right one. A number of factors determine that strength, chiefly the length of the password and the range of characters it contains, but also whether it follows a pattern that an attacker will try early.

The weakest passwords are those which are easiest to guess. So many people use "password", "123456", "qwerty" and similar as their password that they may as well not be using a password at all: these strings sit at the top of every list of leaked passwords, so they are the first few guesses any attacker makes and are found by trial and error almost immediately.

The next weakest passwords are those which consist of a single dictionary word. Such passwords may not fall to someone guessing by hand, but an automated attack that simply works its way through a dictionary, trying each word in turn, finds them quickly. Admittedly some sites lock the account after a number of incorrect passwords in a given time frame, or use some other means to protect against brute force attacks, but that means you are relying on those other protections rather than on the password itself, and they offer nothing once a copy of the site's password database has been stolen and the hashes are being attacked offline at millions of guesses per second.

The reason why so many people use easy to guess "weak" passwords like this is that they are also easy to remember. A password isn't of much use if the owner can't remember what it is. This is further complicated by another issue: your passwords are made weaker if you use the same password on multiple sites. Suppose you use the same password in different places and an attacker breaks it on a relatively unimportant site, such as a forum, where security may be lower because the harm that can be done is less. The attacker can then simply enter that same password to get into other, more sensitive sites (such as your bank), and the additional protection those sites put around your password has effectively been bypassed by your choice of password.

Most passwords are case sensitive, so mixing lowercase and uppercase letters within your password increases its strength slightly (the alphabet an attacker has to search grows from 26 to 52 letters), at the cost of your having to remember which letters to enter in uppercase. Capitalising only the first letter adds almost nothing, because that is one of the first variations an automated attack tries for each word.

Using a random collection of letters gives a stronger password than one where the letters make a word. At least then the password cannot be broken by an attack that simply checks for words. Of course such a password is also harder to remember. A way to make a password consisting of apparently random letters that will be easier to remember is to come up with a phrase as the basis for your password and then use a given letter out of each of the words in the phrase. For example, provided that all of the words in your phrase have at least three letters, you might simply take the third letter of each word of the phrase and string them together as your password. The result is only as unpredictable as the phrase, so a famous quotation or song lyric is a poor choice: the letters it yields can be generated by anyone who tries the same trick on the same well known text.

Adding numbers to your password, either at the end of the password or in place of selected letters, widens the alphabet the attacker has to search and so increases the strength of your password, but only as much as the placement is unpredictable. Replacing all the letter 'f' with '6', swapping 'o' for '0', or tacking "123" on the end of a word are exactly the substitutions that password cracking rule sets apply to every word in their dictionary, so against an automated attack a word with such substitutions is barely stronger than the word itself. Digits help most when they appear at positions that do not follow a rule.

Finally, you can make your password even stronger by adding in other characters as well as letters and numbers, which brings the alphabet up to roughly 94 printable characters. The same caveat applies: a single '!' on the end is another standard cracking rule.

The other aspect to password strength is the length of the password. For the most part a longer password will be stronger and harder to break than a shorter one, since every additional character multiplies the number of possible passwords by the size of the alphabet, but this isn't always the case. Some passwords are stored as a series of chunks of a specific length, and where that applies a password is strongest when it is a multiple of the chunk length. The well known example is the LM hash used by older versions of Windows (NT through XP, and still present on later versions where it has been left enabled for compatibility): the password is converted to uppercase, padded to 14 characters and hashed as two independent seven character halves, each of which can be cracked on its own. An eight character password therefore gives the attacker a first half that costs exactly as much to crack as a seven character password plus a second half containing a single character, which is recovered instantly and, if that character gives a clue to what might be in the other seven, can compromise the entire password. Note that the seven character password isn't much better: its empty second half hashes to a fixed, well known value, which tells the attacker the password is at most seven characters. A password of 15 or more characters cannot be stored as an LM hash at all, and the newer NT hash has no such chunking.
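To put numbers on the points above, here is an added example (my own code, not from the original page) that models the attacks described: a wordlist lookup, the same lookup after undoing common substitutions such as '6' for 'f', and brute force over the character classes the password uses. It also builds a password from the third letter of each word of a phrase, splits a password into the two seven character halves of the LM hash scheme, and generates a random password of the kind a password safe would produce. The wordlist, the substitution table, the 10,000 rules per word and the 10 billion guesses per second are constructed assumptions chosen to be in the ballpark of a real cracking setup, not measurements.

```python
import math
import re
import secrets
import string

# Constructed mini wordlist standing in for a real cracking dictionary
# (assumption: a cracker would load millions of entries from leaked-password lists).
WORDLIST = {"password", "123456", "qwerty", "letmein", "dragon", "sunshine", "welcome"}

# Substitutions that cracking rule sets undo automatically; the '6' for 'f' swap
# from the text is included. Assumed common mappings, not an exhaustive table.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "6": "f",
                      "7": "t", "@": "a", "$": "s"})
RULES = 10_000              # assumed number of mangling variants tried per word
GUESSES_PER_SECOND = 1e10   # assumed rate for a fast unsalted hash on a GPU rig
LM_CHARSET = 26 + 10 + 32   # LM upper-cases everything: letters, digits, symbols only


def phrase_password(phrase, n=3):
    """Build a password from the n-th letter of every word in a phrase."""
    words = phrase.split()
    if any(len(w) < n for w in words):
        raise ValueError(f"every word needs at least {n} letters")
    return "".join(w[n - 1] for w in words)


def normalize(pw):
    """What a rule-based attack does before comparing against the wordlist:
    drop trailing digits/symbols, lower-case, undo leet substitutions."""
    return re.sub(r"[^a-zA-Z]+$", "", pw).lower().translate(LEET)


def charset_size(pw):
    """Size of the smallest standard alphabet that covers every character in pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)   # the 32 ASCII symbols
    return size


def estimate(pw):
    """Return (attack, guesses, bits, seconds): the cheapest of the modelled attacks
    that finds pw, and how much work it costs under the assumptions above."""
    if pw.lower() in WORDLIST:
        attack, guesses = "wordlist", len(WORDLIST)
    elif normalize(pw) in WORDLIST:
        attack, guesses = "wordlist+rules", len(WORDLIST) * RULES
    else:
        attack, guesses = "brute-force", charset_size(pw) ** len(pw)
    return attack, guesses, math.log2(guesses), guesses / GUESSES_PER_SECOND


def lm_halves(pw):
    """Model the LM hash layout: upper-case, cut to 14 bytes, split into two 7-byte
    halves that are hashed independently. Returns each half with the brute-force
    guesses it needs on its own; an empty half costs one guess (its hash is a constant)."""
    padded = pw.upper()[:14].ljust(14, "\0")
    halves = (padded[:7].rstrip("\0"), padded[7:].rstrip("\0"))
    return [(h, LM_CHARSET ** len(h)) for h in halves]


def generate(length=20, alphabet=string.ascii_letters + string.digits + string.punctuation):
    """Random password of the kind a password safe generates (CSPRNG, not random.choice)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    samples = ["password", "P@55w0rd!", "Dragon123",
               phrase_password("the quick brown fox jumps over the lazy dog"), generate()]
    for pw in samples:
        attack, guesses, bits, seconds = estimate(pw)
        print(f"{pw:24} {attack:15} {bits:6.1f} bits  ~{seconds:.3g} s")
    print("LM halves of 'Secret12':", lm_halves("Secret12"))
    print("LM halves of 'Secret1': ", lm_halves("Secret1"))
```

Running it shows the effect the text describes: "P@55w0rd!" looks like it uses all four character classes, yet it falls to the wordlist plus a few rules; the nine lowercase letters from the phrase are a genuine brute force target but still only about 42 bits, which at the assumed rate is minutes of work; and "Secret12" under LM costs the same as "Secret1" for the first half plus a trivial 68 guesses for the trailing '2'.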

Of course having a separate strong password for each of the different sites where you need one means that you will have a large number of hard to remember passwords. You might be tempted to compromise a little by sharing some passwords between multiple sites. Where you do decide to do this, the most important thing to keep in mind is what might happen if that password is cracked. Each site where you need maximum protection should have its own password, not used anywhere else. Only sites where the damage would be relatively minor should ever be considered for shared passwords.

An alternative to sharing the entire password between sites is to share part of the password and make another part unique to the specific site; that way you have a longer password where at least a part of it is easy to remember. The thing to watch out for in that situation is that you don't make the variable part too obviously derived from the individual site (the site's name, for instance), since if you do and someone cracks two or three of your passwords, the pattern is plain and working out the rest would then be easy for them.

Contrary to what some people might suggest, a good alternative to help you remember your passwords is to write them down. If you keep them on a piece of paper next to your computer, then the passwords can only be compromised by someone who gains physical access to the room containing your computer, which is a different and usually much smaller group of people than those who can attack you over the internet. If you don't have a password on your login then someone with that access could turn on the computer and use the lost password option on various sites to retrieve those passwords anyway, so having them written down on a piece of paper will not make any significant difference to security, just as long as you don't lose the piece of paper.

Another option worth considering is to use one of the password safe programs. They record all of your passwords in an encrypted file, and you need to enter the master password into the program in order to access them. Such a program makes it easy to copy and paste passwords without your needing to remember them. If the program has an option to hide the passwords then you can even copy and paste a password while someone is watching you, and that person, seeing exactly what you type, will still be unable to tell what password you just used. The main benefit of using a password safe is that you can use very strong passwords without having to remember them or even type them in. You can also use the password safe itself to generate a random strong password for each new site; such a password is as hard as possible to crack and, even if it is cracked, provides no information whatsoever about your other passwords. The weak point in using a password safe is the master password. Since that password need never leave your own computer, an attacker elsewhere cannot attack it directly; they need to get hold of the encrypted file first. Once they have a copy of that file, though, they can attack the master password offline with no lockouts, so it should be the longest and strongest password you use.

One alternative to a brute force attack is to find a way to get you to tell them your password. This can be done by someone contacting you and asking for your password while presenting you with information that convinces you that they actually need it (such as their claiming to be support staff for the site concerned). Your defence there is simply NOT telling them what it is, which should always be your response, as support staff never need your password. They might instead try to trick you by sending you what appears to be a legitimate email from the site containing a link to what looks like the login screen, but which is actually a fake page that captures your password before forwarding you to the real site. That's why you should never click on the link in an email to get to a login page, but should instead type the address for yourself in the browser.

The final way that someone can get hold of all your passwords is if they manage to install a keylogger on your computer. If they can do that then everything you type on your computer is recorded and sent back to them. Even then a password safe is the more secure option, since although the keylogger captures the master password as you type it to unlock the safe, the attacker still has to get back into your computer to obtain the encrypted file that the master password opens, and as you are only copying and pasting passwords from the safe there are no keystrokes recorded that reveal your other passwords. Be aware that many keyloggers also capture the clipboard and take screenshots, so copy and paste is not a guarantee against them. Of course ideally you want to prevent them from installing a keylogger in the first place, but that depends on the security software you use to protect your computer and is not affected by the strength of the passwords you use.

