What is a Strong Password?

The general rule of thumb is to use a mix of numbers, letters and symbols, in addition to never using something that others can associate with you. A strong password consists of:

  • at least 8 characters, suggested length: 14
  • both uppercase and lowercase letters
  • non-alphanumeric symbols (e.g. !, #, $)

Weak vs Strong Password

In recent years major security breaches and password leaks have grown in frequency. Whether you are a major corporation or an individual, your security is never guaranteed. However, all of us can take steps to minimize the risks and make the attackers’ job more difficult.

Back in 2013, there was a significant brute-force attack on WordPress blogs: the attackers tried variations of the word “admin” as the login together with commonly used passwords to gain unauthorized access. Surprisingly, they were quite successful. Since then WordPress has taken measures to prevent this from happening again. Nevertheless, WordPress remains one of the most security-vulnerable CMSs. To make sure your website is not as susceptible to such attacks, it is crucial to have strong passwords.

Reusing the same combination of letters, simply extending a password with a digit, using dictionary words or birthdays, and keeping the character count low: all of these are the hallmarks of a weak password.

SplashData, an information security company, analyzes millions of leaked passwords.

In 2016, the list of the top 25 most used passwords looked like this:

  1. 123456
  2. password
  3. 12345
  4. 12345678
  5. football
  6. qwerty
  7. 1234567890
  8. 1234567
  9. princess
  10. 1234
  11. login
  12. welcome
  13. solo
  14. abc123
  15. admin
  16. 121212
  17. flower
  18. passw0rd
  19. dragon
  20. sunshine
  21. master
  22. hottie
  23. loveme
  24. zaq1zaq1
  25. password1

As you can see, most people aren’t particularly creative with their passwords.

Minimum Requirements

We’ve mentioned what makes a password weak, but what constitutes a strong password? Typically, it is recommended that your password:

  • Is at least 8 characters long, suggested length: 14
  • Contains both uppercase and lowercase letters
  • Uses non-alphanumeric symbols (e.g. !, #, $)
  • Doesn’t contain dictionary words (as in any words listed in a dictionary)
  • Is not based on any personal information (such as names, birthday dates, etc.)
  • Changes often (every couple of months preferably)
  • Has not been used elsewhere
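The checklist above can be enforced mechanically. The following is an added example (not code from the original page) that checks a candidate password against each rule, using the SplashData top-25 list quoted earlier as a blocklist; the dictionary word list is a constructed stand-in, and the personal-information and previous-password inputs are assumptions supplied by the caller.

```python
import re

# The 2016 SplashData top-25 list quoted above, used as a blocklist.
COMMON_PASSWORDS = {
    "123456", "password", "12345", "12345678", "football", "qwerty",
    "1234567890", "1234567", "princess", "1234", "login", "welcome",
    "solo", "abc123", "admin", "121212", "flower", "passw0rd", "dragon",
    "sunshine", "master", "hottie", "loveme", "zaq1zaq1", "password1",
}

# Constructed stand-in for a dictionary word list; a real deployment would
# load a full word list (assumption, not a file the page names).
DICTIONARY_WORDS = {"summer", "dragon", "welcome", "flower", "secret", "password"}

def check_password(pw, personal_info=(), previous=(), min_len=8):
    """Return the list of policy rules the password violates (empty = passes)."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)):
        problems.append("needs both uppercase and lowercase letters")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("needs a non-alphanumeric symbol")
    low = pw.lower()
    if low in COMMON_PASSWORDS:
        problems.append("appears in a leaked-password list")
    # Strip trailing digits so "Dragon42" is still recognised as a dictionary word
    if re.sub(r"\d+$", "", low) in DICTIONARY_WORDS:
        problems.append("based on a dictionary word")
    for item in personal_info:
        if item and item.lower() in low:
            problems.append(f"contains personal information ({item})")
    if pw in previous:
        problems.append("has been used before")
    return problems

if __name__ == "__main__":
    for candidate in ("password1", "Dragon42", "=p?CAip#rrNhky"):
        print(candidate, "->", check_password(candidate) or "OK")
```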

Entropy and Possible Password Combinations

Most people choose a simple alphanumeric password, meaning a password that combines both letters and numbers. Alphanumeric passwords are able to provide decent security, though only as long as they are complicated enough. However, since strong alphanumeric passwords are hard to remember, people opt for using a dictionary word and the first few numbers on a keyboard. Needless to say, such passwords are easy to guess.

The best passwords have a certain degree of randomness to them. The unpredictability of a password is measured by its entropy, expressed in bits and calculated as the base-2 logarithm of the number of equally likely possibilities. For example, a password that is already known has zero bits of entropy; a password with 1 bit of entropy has a 50% chance of being guessed on the first try. A 32-bit password is guaranteed to fall within 2^32 attempts, but on average it is found in half that, 2^31 attempts.

Since there are only so many variations a human brain can come up with, oftentimes random password generators are used to do the work for us. They are typically a piece of software or an online tool that automatically generates passwords with user-set parameters. In our strong password generator you can specify how long you want your password to be or how many entropy bits it should contain, as well as characters you want used (lowercase, uppercase, numbers, ASCII symbols).

Let us generate two random passwords and see how they compare in strength. For the first example, we’ll use a 6-character password drawn from the full printable ASCII set (including symbols): “RnD#.O”. It has 39.33 entropy bits and 689,869,781,056 possible combinations.

Now, the amount of time it would take to crack a password largely depends on the type of attack (online or offline; dictionary, brute-force or hybrid), the hardware used (how many guesses per second the computer can perform) and the hashing algorithm used to protect the stored password.

Assuming that the search stops when the password is discovered, an attacker has to try, on average, half of those combinations. So let’s say our scenario is an online brute-force attack and the computer can run 50,000 guesses per second. It would take about 2 and a half months for an attacker to crack the password.

The 14-character password we’ll use is “=p?CAip#rrNhky”. It has 91.8 bits and as many as 1,039,931,179,776,805,984,133,765,810 possible combinations. Under the same scenario as above, it would take trillions of centuries to discover this password. Your personal information isn’t worth that effort to hackers.
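The entropy and crack-time figures above can be reproduced. The following added example (not the generator’s own code) computes the pool size for the chosen character classes, the entropy in bits, the combination count and the average crack time at a given guess rate; with all four classes the pool is 94 characters, which reproduces the page’s 689,869,781,056 combinations and 39.33 bits for the 6-character password and the roughly 2.5-month estimate at 50,000 guesses per second.

```python
import math
import string

# Character classes offered by the generator described above.
CHARSETS = {
    "lowercase": string.ascii_lowercase,  # 26
    "uppercase": string.ascii_uppercase,  # 26
    "digits": string.digits,              # 10
    "symbols": string.punctuation,        # 32 printable ASCII symbols
}

# Conversion table for turning seconds into a readable estimate
UNITS = [("centuries", 3_153_600_000), ("years", 31_536_000), ("days", 86_400),
         ("hours", 3_600), ("minutes", 60), ("seconds", 1)]

def pool_size(*classes):
    """Number of distinct characters available when the given classes are enabled."""
    return sum(len(CHARSETS[c]) for c in classes)

def combinations(length, pool):
    """Total number of passwords of this length over a pool of this size."""
    return pool ** length

def entropy_bits(length, pool):
    """Entropy of a uniformly random password: length * log2(pool size)."""
    return length * math.log2(pool)

def length_for_bits(target_bits, pool):
    """Shortest length that reaches the requested entropy (the generator's bits mode)."""
    return math.ceil(target_bits / math.log2(pool))

def average_crack_seconds(length, pool, guesses_per_second):
    """Expected time to find the password: the search stops on a hit, so half the space on average."""
    return combinations(length, pool) / 2 / guesses_per_second

def humanize(seconds):
    """Render a duration in its largest whole unit, e.g. '79.8 days'."""
    for name, size in UNITS:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"

if __name__ == "__main__":
    pool = pool_size("lowercase", "uppercase", "digits", "symbols")  # 94
    for length in (6, 14):
        print(f"{length} chars: {entropy_bits(length, pool):.2f} bits, "
              f"{combinations(length, pool):,} combinations, "
              f"~{humanize(average_crack_seconds(length, pool, 50_000))} at 50,000 guesses/s")
```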

Both passwords were completely random; the only difference between them is the length. Some argue that entropy is not relevant at all when it comes to strong passwords; however, it cannot be denied that a strong password must not be easily predictable.

Obviously, unless you have an incredible memory, remembering dozens of lengthy passwords for all your accounts is impossible. To help with that, there are programs called password managers that encrypt and store all your passwords securely.

Generating a strong password takes less than a second, but getting your website back and restoring it takes a lot more time and effort.