Closeup of Password Box in Internet Browser

What’s the password?

Your IT security depends on your passwords being secure. That’s why cyber criminals spend a lot of time and energy trying to work out what they are. If they crack the right password, they can have a lot of quite lucrative fun at your expense. And your internet security program or disk encryption system probably won’t help you.

If you want to understand what constitutes a strong password, it might help to understand how these criminals work.

Tap, tap, tap…

For a start, they don’t just sit down at their computer and type in guesses; that would take way too long. Effective password cracking requires relatively cheap but massively powerful computer systems. These are capable of assessing billions of passwords per second. Think about that next time you see a hacker breaking into a computer system by guessing at passwords on a TV drama… Billions… Per second.

A lot of hacking effort is spent trying to decode large lists of passwords stolen by hackers from major internet companies and service providers. Long after these hacks have faded from the news, criminals carry on digesting them and making use of what they learn.

There are two main modes of attack: brute force, and dictionary. You need to understand both of them to be secure.

Brute force

A brute force attack, in essence, is where someone tries every possible combination of characters until they hit the right one. If you are mathematically-minded you’ll see that the size of the character set makes a big difference to the number of possible combinations. For example a six-letter password using all lower case letters allows 308 million different combinations and would therefore take less than a second to crack. If we increase the character set to include numbers, upper case letters and (say) 20 special characters, we would have 304 billion combinations which would take a bit longer. In practical terms, a password with fewer than 8 characters is vulnerable to brute force attack.

Dictionary attack

A dictionary attack means, figuratively, throwing the Oxford English Dictionary at the problem. Well it’s a bit more sophisticated than that; the OED is just the starting point. First, you add any other words and acronyms which are known to make popular passwords, then you apply all known substitutions like ‘3’ for ‘e’. You’d also want to add children’s names, pet names, every known postcode, vehicle registration number… This sounds like a long list, but it’s a great deal more efficient than a brute force attack. Although you have a long list of words to test, you’ve still effectively eliminated most possible combinations. Consequently, a dictionary attack can crack longer passwords more efficiently than brute force. Is this making you nervous? Maybe it should!

So what makes a good password?

In general, any password should:

  • Have at least 8 characters;
  • Contain a mixture of upper and lower case characters, with at least one number and at least one special character;
  • Be unique, i.e. not used before and not used elsewhere;
  • Not be a dictionary word, or a dictionary word with obvious substitutions like ‘T34ch3r’ or ‘P455w0rd’;
  • Not be a proper name or code which could easily be linked with you, e.g. your postcode, vehicle registration number, VAT number or the names of your pets or children.

I’m not saying you won’t get hacked if you follow these rules, but it’ll certainly make it a bit less likely. Stay safe out there!