Weak vs Strong Password

In recent years major security breaches and password leaks have grown in frequency. It has become clear that, whether you are a major corporation or an individual, your security is never guaranteed. However, all of us can take steps to minimize the risks and make the attackers’ job more difficult.

Back in 2013 there was a significant brute-force attack on WordPress blogs: attackers used variations of the word “admin” as the login together with commonly used passwords to gain unauthorized access. Surprisingly, they were quite successful. Since then WordPress has taken measures to prevent this from happening again. Nevertheless, WordPress remains one of the most security-vulnerable CMSs. To ensure your website is not as susceptible to such attacks, it is crucial to have strong passwords.

Reusing the same combination of letters, simply extending a password with a digit, using dictionary words or birthdays, and keeping the password short: all of these are hallmarks of a weak password.

SplashData, an information security company, analyzes millions of leaked passwords.

In 2019, the list of the top 10 most used passwords looked like this:

  1. 123456
  2. 123456789
  3. qwerty
  4. password
  5. 1234567
  6. 12345678
  7. 12345
  8. iloveyou
  9. 111111
  10. 123123

As you can see, most people aren’t particularly creative with their passwords.

Minimum Requirements

We’ve mentioned what makes a password weak, but what constitutes a strong password? Typically, it is recommended that your password:

  • Is at least 14 characters long, suggested length – 18
  • Contains both uppercase and lowercase letters
  • Uses non-alphanumeric symbols (e.g. !, #, $)
  • Doesn’t contain dictionary words (that is, any word listed in a dictionary)
  • Is not based on any personal information (such as names, birthday dates, etc.)
  • Changes often (every couple of months preferably)
  • Has not been used elsewhere

Entropy and Possible Password Combinations

Most people choose a simple alphanumeric password, meaning a password that combines letters and numbers. Alphanumeric passwords can provide decent security, but only as long as they are complicated enough. However, since strong alphanumeric passwords are hard to remember, people opt for a dictionary word followed by the first few numbers on the keyboard. Needless to say, such passwords are easy to guess.

The best passwords have a certain degree of randomness to them. The unpredictability of your password is measured by entropy. It is expressed in bits, calculated as the base-2 logarithm of the number of possible passwords. For example, a password that is already known has zero bits of entropy; a password with 1 bit of entropy has a 50% chance of being guessed in one attempt. A password with 32 bits of entropy is guaranteed to be found within 2^32 attempts, but on average it is found in half that, 2^31 attempts.

Since there are only so many variations a human brain can come up with, random password generators are often used to do the work for us. They are typically a piece of software or an online tool that automatically generates passwords according to user-set parameters. In our strong password generator you can specify how long you want your password to be or how many entropy bits it should contain, as well as which characters you want used (lowercase, uppercase, numbers, ASCII symbols).

Random Password Scenario

Let us generate two random passwords and see how they compare in strength. For the first example, we’ll use a 6-character password without any ASCII symbols: “QgV3r0”. It has 35.73 entropy bits and 56,800,235,584 possible combinations.

Now the amount of time it would take to crack a password largely depends on the type of attack (online or offline; dictionary, brute-force or hybrid), the hardware used (how many guesses per second the attacker's computer can perform) and the hashing algorithm used to protect the stored password.

Assuming that the search stops when the password is discovered, an attacker will have to try, on average, half of those combinations. So let’s say our scenario is an online brute-force attack and the computer can run 50,000 guesses per second. It would take about 1 week for an attacker to crack the password.

The 14-character password we’ll use is “=p?CAip#rrNhky”. It has 91.8 bits and as many as 1,039,931,179,776,805,984,133,765,810 possible combinations. Under the same scenario as above, it would take trillions of centuries to discover this password. Your personal information isn't worth that effort to hackers.
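To make the arithmetic behind the entropy discussion and the two scenarios above concrete, here is an added Python example (not the generator's own code) that computes keyspace, entropy bits and average crack time from the same parameters the generator exposes: enabled character classes, length and guesses per second. The 94-symbol printable-ASCII alphabet is an assumption, since the page does not list the exact symbol set its generator uses, so only the 6-character figures are reproduced.

```python
import math
import secrets
import string

# Character classes the generator lets the user enable. The sizes
# (26 + 26 + 10 + 32 = 94) are an assumption: the page does not state
# exactly which ASCII symbols its generator draws from.
CHARSETS = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": string.punctuation,
}


def alphabet_size(classes) -> int:
    """Number of distinct characters available when the given classes are enabled."""
    unknown = set(classes) - CHARSETS.keys()
    if unknown or not classes:
        raise ValueError(f"unknown or empty character classes: {sorted(unknown)}")
    return sum(len(CHARSETS[c]) for c in set(classes))


def combinations(alphabet: int, length: int) -> int:
    """Size of the keyspace: every position may hold any of `alphabet` characters."""
    return alphabet ** length


def entropy_bits(alphabet: int, length: int) -> float:
    """Entropy = log2(keyspace); each extra character adds log2(alphabet) bits."""
    return length * math.log2(alphabet)


def average_crack_seconds(alphabet: int, length: int, guesses_per_second: float) -> float:
    """Expected search time for a uniformly random password: half the keyspace."""
    return combinations(alphabet, length) / 2 / guesses_per_second


def random_password(length: int, classes) -> str:
    """Draw each position uniformly from the enabled classes using the OS CSPRNG."""
    alphabet_size(classes)  # validates the class names before building the pool
    pool = "".join(CHARSETS[c] for c in sorted(set(classes)))
    return "".join(secrets.choice(pool) for _ in range(length))


if __name__ == "__main__":
    # The page's first scenario: 6 alphanumeric characters, 50,000 online guesses/s.
    n = alphabet_size(["lowercase", "uppercase", "digits"])
    print(combinations(n, 6), round(entropy_bits(n, 6), 2), "bits,",
          round(average_crack_seconds(n, 6, 50_000) / 86400, 1), "days on average")
```

Running it prints 56800235584 combinations, 35.73 bits and about 6.6 days, matching the "about 1 week" figure above; swapping in 14 alphanumeric characters shows that length alone adds far more entropy than enabling symbols on a 6-character password.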

Both passwords were completely random; the only difference between them is their length. Some argue that entropy is not relevant at all when it comes to strong passwords; however, it cannot be denied that a strong password must not be easily predictable.

Obviously, unless you have an incredible memory, remembering dozens of lengthy passwords for all your accounts is impossible. To help with that, there is software, called a password manager, that securely encrypts and stores all your passwords.

Generating a strong password takes less than a second, but getting your website back and restoring it takes a lot more time and effort.